Changes to Data Protection Legislation: How does this affect my website?
The internet today is a repository of information with nearly 2 billion websites and counting. The General Data Protection Regulation (GDPR) aims to strengthen individuals’ rights regarding the collection, use and storage of their personal data. The focus is on making the flow of information more transparent for the data subject. All organisations that process the personal data of individuals in the EU must be GDPR compliant by 25th May 2018.
A web hosting platform provides you with the tools needed to build and maintain a website, and in doing so it typically logs the details of every visit on your behalf. Every computer or device connected to the internet has an IP (internet protocol) address through which it can be tracked or identified. An IP address can often be linked back to a particular connection, location or user, which is why GDPR treats it as an online identifier falling within the definition of personal data. It is therefore very important to find out whether your hosting platform is GDPR compliant.
It is common for websites to include employees’ photographs and profiles (together with details about their qualifications, work experience and sometimes life experience or outside interests) to demonstrate their achievements or role within the organisation. It is vital that an employer seeks an employee’s consent before placing their photograph and personal information on the website. The employer must ensure that the employee is informed that they do not have to consent and that there will be no implications for declining. The employer must also check that the employee does not feel obliged to give consent. In our opinion, it should never be a term of an employee’s contract of employment that the employee appear on the employer’s website.
Another feature particular to websites is that you can profile your customers using cookies and analytics tools such as heat maps. These tools can answer questions such as which product gets the most views, which section of the website is visited most frequently, which links on the website are used and which payment method customers prefer. Combined with the visitor’s IP address and the identifiers stored in cookies, this information can then be used to target the user with specific marketing material or other communications based on their use of the website.
So, if you are a business with an online presence you should be asking yourself the following questions:
- Do you know who hosts your website, and whether they are GDPR compliant?
- What type of data is being captured and processed?
- For how long will the data be stored?
- What is the legal basis for its use?
- Have you notified the website user of their rights?
- Does your website use a payment gateway? If so, does it pseudonymise the data it handles?
- If you are using a cloud service for data storage (which might be based inside or outside the EU), are your suppliers GDPR compliant?
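Because a visitor’s IP address is personal data, the simplest way to reduce what your website captures is to strip or pseudonymise the address in your web-server logs before they are stored. The following Python script is an added example written for this article, not code from any hosting platform or from Ordered: it shows two treatments of the client field of a standard access log. Truncation keeps only the network part of the address (the first 24 bits of an IPv4 address, the first 48 bits of an IPv6 address), so the individual host can no longer be identified. Keyed hashing (HMAC-SHA256 under a secret the operator holds separately) is pseudonymisation in the GDPR sense: the same visitor still maps to the same token, so analytics keep working, but the address cannot be recovered without the key. The log lines, the key and the prefix lengths are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample access-log lines (not real traffic), in the "combined"
# format used by Apache and nginx. The third line has a malformed client
# field to show how the processor handles input it cannot parse.
SAMPLE_LOG = """\
203.0.113.45 - - [10/May/2018:12:00:01 +0000] "GET /products/widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:12:00:02 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [10/May/2018:12:00:03 +0000] "GET / HTTP/1.1" 200 10 "-" "curl/7.58"
"""

# Assumed prefix lengths: keep a /24 for IPv4 and a /48 for IPv6.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def truncate_ip(ip_text):
    """Anonymise an address by zeroing its host part.

    Raises ValueError if ip_text is not a valid IPv4 or IPv6 address.
    """
    addr = ipaddress.ip_address(ip_text)
    keep = V4_KEEP_BITS if addr.version == 4 else V6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def pseudonymise_ip(ip_text, secret_key):
    """Pseudonymise an address with HMAC-SHA256 under a separately held key.

    The token is stable for a given key, so repeat visits can still be
    correlated, but the address cannot be recovered from the token without
    the key. Rotating the key breaks correlation across key periods.
    """
    addr = ipaddress.ip_address(ip_text)
    mac = hmac.new(secret_key, addr.packed, hashlib.sha256).hexdigest()
    return mac[:16]  # a 64-bit token is ample for log correlation


# The client field is the first whitespace-delimited token of each line.
LOG_LINE = re.compile(r"^(\S+)(\s.*)$")


def process_log(text, secret_key, mode="truncate"):
    """Rewrite the client field of every line; returns the rewritten lines.

    mode is "truncate" or "pseudonymise". A client field that is not a
    valid address is replaced with "-" rather than kept verbatim, because an
    unparseable value could still be identifying (a hostname, for example).
    """
    if mode not in ("truncate", "pseudonymise"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, rest = match.groups()
        try:
            if mode == "truncate":
                client = truncate_ip(client)
            else:
                client = pseudonymise_ip(client, secret_key)
        except ValueError:
            client = "-"
        out.append(client + rest)
    return out


if __name__ == "__main__":
    # Constructed key for the demonstration; in practice load it from a
    # secrets store that is not co-located with the logs.
    demo_key = b"example-log-pseudonymisation-key"
    for rewritten in process_log(SAMPLE_LOG, demo_key, mode="truncate"):
        print(rewritten)
    for rewritten in process_log(SAMPLE_LOG, demo_key, mode="pseudonymise"):
        print(rewritten)
```

Truncation is the safer default when you only need aggregate statistics (page popularity, traffic by region); use the keyed variant only when you genuinely need to recognise returning visitors, and treat the key as data that must be stored separately from the logs, because the pseudonymised logs become personal data again for anyone who holds both.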
The answers to these questions matter because being GDPR compliant will not only increase customer confidence in your business but also help you build a positive brand image. A privacy notice on a website gives the user an assurance of how their personal data will be processed and notifies them of their rights.
We at Ordered can help you create policies and procedures for your business (for example Privacy Notices, Data Protection Policies, Information Security Policies and Data Protection Impact Assessment Procedures), as well as providing staff and management training.