In May this year, the UK's Data Protection Act will be replaced by the General Data Protection Regulation, known as GDPR. This new law places much tougher restrictions on how companies, schools and any other business use personal customer data.
The reform has emerged following the hacking of major organisations including LinkedIn and eBay. The number of data breaches against companies and individuals is rising year on year, and GDPR is set to punish websites and business owners that do not take data protection seriously and put people at risk. With the new law in mind, we look at some of the ways to get your website ready.
Be careful with mailing lists
Some important changes to data protection now mean that you cannot add people to your mailing list without them actively opting in. This has been the case for several years, but the potential penalties have now been increased from £500,000 to £20 million euros, making it a real game changer.
A common tactic by websites is to subscribe you automatically if you have made an enquiry, comment or purchase. This is not the same as the user choosing to subscribe, and websites now have to be more careful. This can be achieved by using much stronger opt-ins and making the messaging much clearer.
There is an ongoing debate as to whether businesses should ask all their users to opt in again from scratch; this could cause companies to lose thousands or even millions of subscribers overnight if users are unresponsive.
Have a strong privacy policy
If they do not already, each website should have a strong and detailed privacy policy in place for May 2018. This page should clearly inform data subjects how long their data will be stored for and who they should contact if they have any questions relating to their data.
To be compliant, websites should give users a simple way to request their data and receive a copy by email or post; some companies are even willing to send the customer's data on a USB stick.
Add encryption
Websites are strongly encouraged to add extra encryption to protect against hackers and data breaches. Again, this is something that has been recommended for some time, but GDPR means it could become compulsory.
Websites can purchase an SSL certificate, which makes the site address start with https instead of http. This encrypts the traffic between the visitor's browser and the site, so that form submissions and logins cannot be read by anyone intercepting them in transit. The average cost of an SSL certificate is around £100 from the likes of GoDaddy and Heart Internet, although some hosting packages include one for free.
Other protective measures include pseudonymisation: assigning each customer a specific ID and storing records under that ID rather than under the customer's name. In the event that the data is stolen, the names of customers are not exposed, since the records are held only under a number or ID and the mapping to real identities is kept separately. Websites that hold databases are encouraged to tighten up their security and can use companies such as MongoDB and Grakn AI to do so effectively.
Allow deletion of customer information
Internally, a company must now create a way for someone's data to be fully removed from its systems. This is not just opting someone out of the weekly newsletter. It is a case of completely wiping the person's information from the system if they have requested this.
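The two points above, pseudonymised storage and a full-erasure routine, fit together naturally. As an added illustration that is not code from the original article, the following Python sketch keeps order records under a random customer ID with the ID-to-identity mapping in a separate store, exports everything held about one person for an access request, and erases both on demand; the class and function names are invented for the example.

```python
import secrets


class CustomerStore:
    """Constructed example: order records carry only an opaque customer ID;
    the mapping from ID to name/e-mail lives in a separate 'identity vault'
    (in a real deployment a separately secured, encrypted database)."""

    def __init__(self):
        self.identity_vault = {}   # pseudonym -> personal data
        self.orders = []           # records hold the pseudonym only

    def register(self, name, email):
        # Random token: unlike a hash of the e-mail address, it cannot be
        # reversed or re-derived by someone who steals only the orders table.
        pseudonym = secrets.token_hex(16)
        self.identity_vault[pseudonym] = {"name": name, "email": email}
        return pseudonym

    def record_order(self, pseudonym, item):
        if pseudonym not in self.identity_vault:
            raise KeyError("unknown customer")
        self.orders.append({"customer": pseudonym, "item": item})

    def subject_access_request(self, pseudonym):
        """Everything held about one person, for a data-access request."""
        identity = dict(self.identity_vault[pseudonym])
        items = [o["item"] for o in self.orders if o["customer"] == pseudonym]
        return {"identity": identity, "orders": items}

    def erase(self, pseudonym):
        """Right to erasure: drop the identity and every record tied to it.
        Returns how many order records were removed."""
        self.identity_vault.pop(pseudonym)   # KeyError if already erased
        before = len(self.orders)
        self.orders = [o for o in self.orders if o["customer"] != pseudonym]
        return before - len(self.orders)


def demo():
    """Constructed walk-through: register, order, check exposure, export, erase."""
    store = CustomerStore()
    pid = store.register("Alice Example", "alice@example.com")
    store.record_order(pid, "car insurance quote")
    store.record_order(pid, "loan application")
    # A stolen copy of the orders table on its own contains no names or e-mails.
    leak = repr(store.orders)
    exposed = "Alice" in leak or "example.com" in leak
    sar = store.subject_access_request(pid)
    removed = store.erase(pid)
    return exposed, sar, removed, pid in store.identity_vault
```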
Handle submissions and applications with care
GDPR requires websites to state what data is being processed and for what purposes. For instance, those looking for a car insurance quote or a loan will be accustomed to filling in their details, but there is now a requirement for greater transparency over what these details are used for.
Websites will need to take advice from compliance as to whether it is sufficient to include this information in the privacy policy, or whether it should be stated clearly within the online form itself or on the 'thank you' page.