The Big Dog Digital GDPR Guide for small to medium sized websites

GDPR what is it? GDPR or the General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It comes into effect on May 25th 2018 and as a website owner/operator - IT DOES AFFECT YOU.
 
How does it affect you, we hear you ask? Well, if your website requests and/or collects personal information from your users, that is how.
 
 The new regulation aims primarily to give greater control to citizens and residents over their personal data. At the centre of the law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data.
 
As a website owner/operator you are possibly collecting personal data in the following ways:
 • Contact Form (such as ‘contact us for more information’ or ‘request a call back’)
 • Online Sales (Checkout)
 • Sign-up Forms
 • Mailing Lists (such as MailChimp)
 • Cookies


Most websites will certainly have a Contact Form and use Cookies, therefore you do need to implement a solution to be GDPR compliant.

Yes, a contact form as simple as this falls under GDPR regulation.

Getting started . . . Ask yourself the following questions to become aware and accountable regarding the information you collect from your website users:
 • What personal information do you collect?
 • Why is it collected?
 • How is it stored?
 • What do you do with it?
 • How long do you retain it?

The answers to the questions are in essence what you need to communicate to your website users. 
 
Other key questions to ask yourself (because your website user will now be entitled to know) are as follows:
 • How secure is the information you have obtained?
 • What do you do if there is a data breach?
 • Do you ever share it with third parties?

Now that you have had time to sit down, ask yourself these questions and contemplate life, it's time to get STARTED.

The must have’s . . . So, we will assume you have now sat down in a zen-like pose, asked yourself the key questions (on the previous page) to become ‘aware and accountable’ and are ready for the next task - edging ever closer to becoming GDPR compliant.
 
 You now need to implement a number of policies, procedures and functions.
 
 POLICIES:
This is at the heart of your GDPR compliance plan. Most websites have a ‘Privacy Policy’; often it is just copied, edited and pasted from other sites. I am afraid that just won't do anymore :)
 
Your new shiny policy must be tailored to your website user and what you are asking from them - back to those questions again. What are you asking for and why? When you are asking for data it must be relevant to the service you are offering — for example — Big Dog Digital offer website services. Therefore, when people contact us about building a website we don’t need to know what colour socks they are wearing or even the name of their dog :)
 
You must explain ‘simply and clearly’ why you require this information and what you are going to do with it. You must also make clear that the data you are collecting relates directly to the service you are providing and is not used for anything else or shared for any unrelated purposes. For example:
 
“By completing this form you will be providing us with your Name, Company, Telephone, Email and any Comments you wish to make. This enables us to make contact with you to discuss our services and how we can help. The information you provide is only used for this purpose and is not shared with any other 3rd party.”

The must have’s . . . POLICIES CONTINUED: Now that you have explained what you are asking for and why, you must explain the long-term plans. How long are you going to retain this information? In most cases it is a good idea to have a ‘purge plan’ (i.e., after 6 months you delete any data on file). If you need to keep the data for longer — you must explain why!
 
You must also explain where the data is kept and how secure it is. Again, in most cases — data will be kept on a server (database) and perhaps in email. Let's take a look at that simple policy now:
 
“By completing this form you will be providing us with your Name, Company, Telephone, Email and any Comments you wish to make. This enables us to make contact with you to discuss our services and how we can help. The information you provide is only used for this purpose and is not shared with any 3rd party.
 
 This information will be kept on file for reference for a period of 6-months at which point it is deleted. The data you provide will be transmitted via SSL encryption (find out more about SSL HERE) and kept in a database on our server provided by WP-Engine. Our hosting partner has adopted the EU-US and Swiss-US Privacy Shield program and are themselves GDPR compliant - you can view their terms HERE.
 
Only our staff have access to the personal data you have provided us with. Each staff member has a unique username and password to access this information. The access codes provided to our staff are complex and updated on a regular basis. We also keep automated log-in records. Finally, we have implemented robust security tools to protect our website from potential threats such as malware, hacks, etc…”

“Starting to gather momentum now” I hear you say?

The must have’s . . . POLICIES CONTINUED: I’m afraid we are not quite finished yet. So, at this stage your draft policy should cover the following:
 
 • What are you asking for and why?
 • How long are you going to retain this information?
 • Where the data is kept and how secure it is
 • Things you won't do, like ‘share it or feed it to the dog’
 
We will now touch upon another subject within our privacy policy: ‘data breach’. Under General Data Protection Regulation (EU) 2016/679, if personal data that you store has been compromised, the breach must be reported to the DPC within 72 hours, unless the data was anonymised or encrypted.
 
 Breaches that are likely to bring harm to an individual — such as identity theft or breach of confidentiality — must also be reported to the individuals concerned.
 
Finally, under GDPR we have ‘Personal Privacy Rights’. If someone has supplied you with data they now have certain rights (other than the ones we just covered). These include but are not limited to the following:
 • Right to access information (i.e. request the information you are storing)
 • Right to correct any inaccuracies in the data you are storing
 • Right to have information deleted
 • Right to object to direct marketing

How’s that policy looking? “By completing this form you will be providing us with your Name, Company, Telephone, Email and any Comments you wish to make. This enables us to make contact with you to discuss our services and how we can help. The information you provide is only used for this purpose and is not shared with any 3rd party.
 
 This information will be kept on file for reference for a period of 6-months at which point it is deleted. The data you provide will be transmitted via SSL encryption (find out more about SSL HERE) and kept in a database on our server provided by WP-Engine. Our hosting partner has adopted the EU-US and Swiss-US Privacy Shield program and are themselves GDPR compliant - you can view their terms HERE.
 
Only our staff have access to the personal data you have provided us with. Each staff member has a unique username and password to access this information. The access codes provided to our staff are complex and updated on a regular basis. We also keep automated log-in records. Finally, we have implemented robust security tools to protect our website from potential threats such as malware attacks, DDoS attacks, hacking, etc…
 
Under General Data Protection Regulation (EU) 2016/679, if the personal data that we store about you has been compromised in any form, we will report the breach to the DPC (Data Protection Officer) within 72 hours. We have procedures in place to detect, report and investigate a personal data breach and will comply with these and review them on a regular basis. If a data breach is likely to bring harm to you, the ‘individual’ (such as identity theft or breach of confidentiality), you will also be notified.
 
You have a right under General Data Protection Regulation (EU) 2016/679 to contact us at any time if you require assistance with the following: (1) Request access to the information we are storing about you. (2) Correct any inaccuracies you may feel we have about your data on record/file. (3) Request us to delete any information that we have about you. (4) Opt in/out of, or object to, any direct marketing or contact we may make to you. To avail of any of these services please contact us at [email protected] or phone us on +353 1 234 5678. We endeavour to respond and carry out your request within X days.
 
This policy was last reviewed on DATE and will be reviewed and updated (if required) on DATE. Finally, you may be interested to review our policy on Mailing Lists and Cookies.”

Yes, you may need more than one policy and we’ll come to that.

Phew, now what?

Yep, you're almost a GDPR Zen God or Goddess . . .

PROCEDURES: 
 
 There is no point having a policy if you don’t have the procedures to back it up, support your message and protect your users.
 
It is best that your procedures are written down, adhered to, reviewed on a regular basis and that all staff have read them and signed to say they understand them!
 
Contrary to belief, they do not need to be complex (unless you're running a data centre or an illegal gambling den). Let’s look at the basics: We have spoken about a ‘purge plan’ (i.e., after 6 months you delete any data on file). DO IT and keep a record of it.
 
We have also discussed ‘keeping data safe’ through means such as having an SSL cert on your website and implementing extra security measures, ensuring staff members have unique usernames and passwords that are changed on a regular basis, and keeping automated log-in records. DO IT and keep a record of it.
 
 Also, review your policies on a regular basis (even 1-2 times a year). Don’t forget as time passes we add new elements and functions to our website — these changes could affect your policies. DO IT and keep a record of it.
 
Ensure your website platform (CMS/Content Management System, like WordPress) and your plugins are always up-to-date and availing of the latest security features. DO IT and keep a record of it.
 
Finally, ENSURE you have a data-breach plan: a written document outlining the procedure for informing the Data Protection Officer within 72 hours and the subsequent steps for investigation, etc… DO IT and keep a record of it.

The home stretch! FUNCTIONS: 
 
 All your hard work so far means nothing if you have not implemented a function to ensure your website user (who is sharing data with you) is aware of it. This is where you may need a little help from your website developer — hint-hint ;)
 
 When a user is about to share information with you — ensure they have access to the policy relating to the information they are about to give. Also include an ‘opt-in’ button to say they have read the policy, understand it and still want to share the information.
 
 Don’t have one of those sly ‘pre-ticked-boxes’ and make sure it is a compulsory field — those days are over my friends! 
 
 If you have more than one contact form (with different data being captured) you may need a separate policy to display. 


I have reviewed and understand the policy regarding the information I am about to share. I consent and wish to continue.
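The opt-in tick above and the ‘purge plan’ from the PROCEDURES section, as an added example (not code from the guide or from Big Dog Digital): a Node.js handler that keeps only the fields the sample policy names, refuses a submission unless the user actually ticked the box, records which policy version was agreed to, and purges records past the 6-month retention period. The form field names and the policy version date are assumptions.

```javascript
// Added example (not from the Big Dog Digital guide): Node.js handling of the
// contact form described above. Only the fields the policy names are stored, consent
// must come from a tick the user actually made, the record notes which policy version
// was agreed to, and a purge removes records older than the 6-month retention period
// and returns an audit line. Field names and the policy version are assumptions.

const ALLOWED_FIELDS = ['name', 'company', 'telephone', 'email', 'comments'];
const RETENTION_DAYS = 183;           // approximately the guide's 6-month purge plan
const POLICY_VERSION = '2018-05-25';  // hypothetical "last reviewed" date of the policy

function acceptSubmission(form, now = new Date()) {
  // A browser sends a checkbox only when it is ticked, so a missing or falsy value
  // means no consent. Never default this to true on the server.
  if (form.consent !== 'on' && form.consent !== true) {
    return { ok: false, error: 'consent_required' };
  }
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    const value = form[field];
    if (typeof value === 'string' && value.trim() !== '') record[field] = value.trim();
  }
  // Anything else the form carried (e.g. a field added later without updating the
  // policy) is dropped rather than stored.
  if (!record.email) return { ok: false, error: 'email_required' };
  record.consent = { policyVersion: POLICY_VERSION, givenAt: now.toISOString() };
  return { ok: true, record };
}

function purgeExpired(records, now = new Date()) {
  const cutoff = new Date(now.getTime() - RETENTION_DAYS * 86400000);
  const kept = records.filter(r => new Date(r.consent.givenAt) >= cutoff);
  const audit = {
    purgedAt: now.toISOString(),
    cutoff: cutoff.toISOString(),
    deleted: records.length - kept.length,
  };
  return { kept, audit };
}

// Constructed sample submission (not real data); "dogName" stands in for a field the
// policy never mentioned and which must not be kept.
const SAMPLE_FORM = {
  name: 'A. Tester', company: 'Example Ltd', email: 'a.tester@example.com',
  comments: 'Looking for a new website', dogName: 'Rex', consent: 'on',
};
```

Keep the `audit` line returned by `purgeExpired` somewhere durable; it is the "record of it" the procedures section asks for.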


 If you are collecting email addresses for mailing lists and systems such as MailChimp - again you will need a policy for this.
 
 If you are collecting data for online purchases and shipping - yes, again you will need a policy for this.
 
We completely understand this is somewhat of a pain in the bum! But it's in your best interest and the interest of your website users, clients and customers.

We are almost done - we can hear the Zzz’s already!

Finally! Final thoughts from Big Dog Digital . . . Now is also the time to make sure you have brushed up on a few other areas — think of it as a Spring Clean.


IMPORTANT: 

COOKIES - Your website should display a Cookies Message (with a tick box to confirm the user understands). This should also lead to a policy (not again, we hear you say). This policy should outline what cookies are being used, why, and how to turn off cookies if the user wishes.

PROFILES - If your website profiles people (like staff) with photos, names, titles, bios, etc… make sure your GDPR compliance is watertight and that you have written permission from that staff member to display their information (because remember, a staff profile is still personal data).

OLD DATA - This is also a good time to reach out to existing users and inform them that the General Data Protection Regulation (EU) 2016/679 applies to them also. OR delete them like a bad break-up and get drunk!

This guide was designed by Big Dog Digital to help our clients prepare for General Data Protection Regulation (EU) 2016/679. 

It is mainly aimed at small to medium sized websites and businesses. While the content may be light and jovial, the sentiment is not. 

While it may not be as bad as your ice cream falling, your BF/GF leaving you, or the dog actually eating your homework, GDPR is serious and should be taken so. We advise all our clients to implement a solution and, where possible, have a ‘real professional’ review it.
 
 Final ‘light’ Reading (not):
 
 http://gdprandyou.ie/
 https://www.eugdpr.org/
 https://www.dataprotection.ie/docs/GDPR/1623.htm
 https://en.wikipedia.org/wiki/General_Data_Protection_Regulation


 This document is purely for guidance, and does not constitute legal advice or legal analysis. All organisations that process data need to be aware that the General Data Protection Regulation will apply directly to them. The responsibility to understand the Regulation and comply with it from 25th May 2018 onwards lies with you.

The Big Dogs