Website GDPR Compliance: Where Are We Now?
An introduction to GDPR and what it means for your website
Two years into GDPR
Two years have passed since the implementation of the General Data Protection Regulation.
Surveys have consistently found only around one in three organisations to be fully compliant with the legislation, and enforcement has begun in earnest: the UK's Information Commissioner's Office (ICO) announced its intention to impose a record £183m fine on British Airways after attackers stole the records of almost half a million customers.
Technology businesses face the largest task in aligning their systems with the regulation's requirements; many find the work time consuming and expensive to maintain. The cost of non-compliance is higher, though: missing controls invite data breaches, and the upper tier of fines runs to €20 million or 4% of annual global turnover, whichever is higher.
So, what is it exactly?
The General Data Protection Regulation is an EU regulation, applicable since 25 May 2018, that governs how personal data is collected and processed. It replaced the patchwork of national laws with one harmonised regime across the EU and EEA, strengthens individuals' rights over their data, and applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour.
The Seven Principles (Article 5):
- Lawfulness, fairness and transparency: personal data is processed on a valid legal basis, in a way the user would reasonably expect, and the user is told clearly what is collected and why.
- Purpose limitation: data is collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with them.
- Data minimisation: data is adequate, relevant and limited to what the stated purpose needs; you must be able to justify every field you collect.
- Accuracy: data is accurate and, where necessary, kept up to date; inaccurate data is corrected or erased without delay.
- Storage limitation: data is kept in a form that identifies the user for no longer than the purpose requires, and every retention period needs a documented justification.
- Integrity and confidentiality (security): data is protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. Article 32 names measures such as pseudonymisation and encryption; a certified ISMS such as ISO 27001 is a widely accepted way to demonstrate them, although certification on its own does not make the processing compliant.
- Accountability: the controller is responsible for compliance with the other six principles and must be able to demonstrate it, so each processing activity and the decisions behind it should be documented (Article 30 records of processing are the usual vehicle).
How to approach making your website GDPR compliant
Know the Philosophy
Making your website GDPR compliant means accounting for every department in your business that touches personal data, not just the web team; each change needs both a legal and a technical view.
Start by mapping data flows between your websites, applications and third parties. Document the source of truth (master data) and every internal and external flow; this map is what an auditor, or a regulator after a breach, will ask to see first.
Informing your departments of the changes is an organisational change project in its own right. Employees should receive training from the teams responsible and be told well in advance to avoid conflicts with other projects.
Controllers must cooperate with their supervisory authority on request (Article 31), must be able to report a personal data breach to it within 72 hours of becoming aware of it (Article 33), and need safeguards in place before any personal data is transferred outside the EU/EEA (Chapter V, for example an adequacy decision or standard contractual clauses).
Consent has to be an affirmative opt-in, so every online form that collects personal data needs an unticked consent control for each purpose, and the submission handler must record the choice. The same applies to cookie consent: cookies and trackers that are not strictly necessary are set only after the user agrees, and the banner must say what each one is for.
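As an added illustration of the opt-in and cookie-consent points above (example code written for this page, not code from the original article or from any product it mentions), the following JavaScript gates every non-essential cookie behind a per-purpose consent record. The purpose names, cookie names, the POLICY_VERSION identifier and the in-memory cookie jar are assumptions made for the example; in a browser the jar would wrap document.cookie or a tag manager's data layer.

```javascript
// Added example, not code from the original article. Purpose-based consent gating for a
// site's cookies and opt-in forms. Purpose names, cookie names, POLICY_VERSION and the
// in-memory cookie jar are assumptions for this illustration; in a browser the jar
// would wrap document.cookie or the tag manager's data layer.

const POLICY_VERSION = "2020-05"; // assumed version id of the privacy notice shown to users
const OPTIONAL_PURPOSES = ["analytics", "marketing"]; // everything except strictly necessary

// Register every cookie with the purpose it serves. An unregistered cookie is a gap in
// your data map, so setCookie() refuses it rather than guessing.
const COOKIE_PURPOSES = {
  session_id: "strictly_necessary", // assumed cookie names
  _ga: "analytics",
  ad_id: "marketing",
};

// Minimal stand-in for document.cookie so the example runs outside a browser.
function createCookieJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
    names: () => [...store.keys()],
  };
}

// Turn an opt-in form submission into the list of purposes the user actively ticked.
// Each purpose has its own unticked checkbox (a bundled "accept all" is not granular
// consent), and only an explicit "on" counts; an absent field means "not consented".
function purposesFromForm(form) {
  return OPTIONAL_PURPOSES.filter((p) => form[p] === "on");
}

function createConsentManager(jar, now = () => new Date()) {
  let record = null; // no record: only strictly necessary cookies are allowed

  function isGranted(purpose) {
    if (purpose === "strictly_necessary") return true; // exempt from consent
    return record !== null && record.policyVersion === POLICY_VERSION && record.purposes.includes(purpose);
  }

  // Remove cookies whose purpose is no longer covered; withdrawing consent must
  // actually stop the processing, not just hide the banner.
  function enforce() {
    for (const name of jar.names()) {
      if (!isGranted(COOKIE_PURPOSES[name])) jar.remove(name);
    }
  }

  return {
    // Restore a previously stored record, e.g. from a first-party consent cookie.
    // A record made under an older privacy notice is discarded, forcing re-consent.
    loadRecord(stored) {
      record = stored && stored.policyVersion === POLICY_VERSION ? stored : null;
      enforce();
      return record;
    },
    // Record an affirmative choice with the evidence accountability needs: what was
    // agreed, under which notice version, and when. An empty list is a valid decline.
    recordChoice(purposes) {
      record = {
        policyVersion: POLICY_VERSION,
        purposes: purposes.filter((p) => OPTIONAL_PURPOSES.includes(p)),
        timestamp: now().toISOString(),
      };
      enforce();
      return record;
    },
    // Single gate for all cookie writes; returns whether the cookie was set.
    setCookie(name, value) {
      const purpose = COOKIE_PURPOSES[name];
      if (purpose === undefined) throw new Error(`unregistered cookie: ${name}`);
      if (!isGranted(purpose)) return false;
      jar.set(name, value);
      return true;
    },
    isGranted,
    getRecord: () => record,
  };
}

// Worked run (constructed input): the user ticks only "analytics", then withdraws it.
const siteJar = createCookieJar();
const consent = createConsentManager(siteJar);
consent.setCookie("session_id", "abc123"); // true: allowed before any banner interaction
consent.setCookie("_ga", "GA1.2.1"); // false: no analytics consent yet
consent.recordChoice(purposesFromForm({ analytics: "on" })); // marketing absent, so declined
consent.setCookie("_ga", "GA1.2.1"); // true
consent.recordChoice([]); // withdrawal: _ga is removed, session_id survives
```

Three design choices matter here. The consent record stores what was agreed, under which version of the notice and when, which is the evidence the accountability principle asks for; withdrawing consent deletes the cookies rather than merely dismissing the banner; and a record made under an older notice version is thrown away so the user is asked again after the policy changes.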
- Every transfer of personal data outside the EU/EEA must rely on a lawful transfer mechanism, and the decision to use it should be approved and documented by whoever owns data protection in your organisation.
- A Data Protection Impact Assessment (DPIA) is mandatory before any processing likely to result in high risk to individuals (Article 35), for example large-scale processing of user profiles, national identification numbers or addresses, and it remains useful afterwards as audit evidence.
- A data protection officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (Article 37). Company size is not the test, though larger companies usually meet it; the DPO's job is to monitor compliance across the whole infrastructure.
While this may sound like a lot, attaining compliance challenges even large firms, and the ICO has indicated that it will take a proportionate approach where businesses have clearly put common-sense protections and processes in place. The objective should always be to remain as compliant as possible and to schedule regular checks of your systems, whether or not you have a DPO.
Tight on time? Consider a SaaS Platform
For those preparing a business change project around GDPR, it may be worth looking at SaaS solutions. After the regulation came in, the market filled with services aiming to ease the maintenance, reporting and auditing of users' data.
Here are two options, one budget-friendly and the other aimed at larger enterprises.
- Visualize Compliance: Collaborate with multiple users to review submitted documentation and get a high-level view of stakeholders, status, risks and owners.
- Breach Management: Assess the severity of the associated risks, with automated breach notifications to supervisory management. Breach flow logs let you view history, events and mitigation actions.
- Data Mapping: Create Visio-like data-flow diagrams of all your applications within the dashboard. These in turn generate a report ready to hand to regulators.
The platform is aimed at a wide audience: employees, team members, regulators, processors and clients. Starting at $56/month, it is a budget-friendly option compared with its competitors.
- Privacy Program Management: Benchmark where the organisation stands against other companies. Automate the distribution of PIAs/DPIAs to achieve 'privacy by design'. It also comes with a central repository of the latest compliance information and best practices.
- Third Party Risk Management: Identify and mitigate vendor risks based on key use cases and standards. Report on key contract terms and manage a single vendor repository. Receive vendor alerts on critical security and privacy changes, incidents and breaches.
As you can tell, the OneTrust platform has a large number of enterprise-grade modules covering not only GDPR but CCPA, LGPD and many other global regulations. This relatively new company offers pricing plans starting at $165 per module.