The General Data Protection Regulation (GDPR) is on the horizon, and by May 25, 2018, every organization that processes the personal data of European citizens must be ready to comply. In a nutshell, the EU is tightening the rules on what personal data is and how it's handled. And when it comes to your website, chances are there is a lot more personal data floating around than you may realize—think forgotten web pages, image metadata, PDFs, etc.
While becoming GDPR compliant is truly a cross-departmental effort, what can web teams do to protect the data of their users? (Not to mention their own organization from potential fines.)
1. Understand Your Role and That of Your Vendors
When it comes to GDPR, it’s important to know the differences between being a data processor and a data controller—and where you and your third-party vendors fall.
A data controller determines what data is collected and how it’s used—oftentimes, this is your organization. You as a website manager may decide what goes on a landing page form, for instance, but it’s important to remember that those choices ultimately lead back to your organization.
A data processor is a person or team that is not an employee of the data controller, but who processes the data on behalf of the data controller—think third-party vendors that help you organize the personal data you want to store in the form of things like email lists, medical records, and so on.
For example, if you’re a bank that collects the personal data of online customers, that makes you the controller. But if you insert that client data into a third party software, the software company will process this data on your behalf, making them the data processor. Both of you will need to become—and continue to stay—GDPR compliant.
Check in with all your third-party processors to find out whether they are already GDPR compliant or have plans to become so. If not, consider replacing them with someone who is.
2. Perform a Data Audit
Under GDPR, it’s mandatory for organizations to keep data processing registries of all personal data they and their third parties keep, including the lifecycle of that data.
Don’t be overwhelmed. Performing an audit of all the personal data you collect from EU citizens is an excellent place to start, even if your team only collects things like IP addresses or cookies. (Personal data includes names, email addresses, phone numbers, IP addresses, etc.) Then, you can decide which data to keep and which to toss. Becoming fully aware of the scope of your data will also make it easier if citizens reach out and ask you to delete their personal information.
Keep in mind that GDPR is putting a large emphasis on the processing of children's data, so consider taking special note of that information throughout the audit.
If you were working with websites during the "EU Cookie Directive" a few years ago, you remember the scramble to openly inform visitors that you were collecting cookies and what you planned to do with them—GDPR is simply taking it one step further.
Then consider compiling the following into one central hub:
- Your users' preference center (or a direct link to it), so they can easily opt in or out of certain communication
- Contact information at your organization so users can request changes or deletions of their personal data (This is a clear requirement of GDPR.)
3. Find an Automated Solution
Finally, consider using a tool that automatically detects personal data across all of your website domains. The bigger your organization, the more likely it is that you have a loose grip on the data you possess—and even on how many domains you really have.
Using an automated solution could save you weeks, or even months, of combing through your digital assets.
Achieving GDPR compliance on your website is a cross-departmental effort. Ready to get other teams on board? Download the free e-book, GDPR: Working Together for a Compliant Website, for a collection of tips for web, IT, and marketing teams.