Next year, a new data protection law called GDPR (General Data Protection Regulation) is being implemented across the EU. The new law is a lot tougher on businesses and how they manage personal data, with serious fines for those who do not comply.
Although the regulation may seem not to apply to businesses with fewer than 250 employees, do not assume your company is exempt. Any company that stores, collects or uses data must still abide by it if that data falls into certain categories, such as information relating to genetics, biometrics, health, or racial or ethnic origin.
Virtual Dream Team is already registered as a Data Protection Officer, in line with the Data Protection Law (Bulgaria) 2002. In order to be proactive, we checked that our website is GDPR compliant, and we suggest you do the same, following the practical steps we outline below.
1: HTTP or HTTPS – do you really need SSL?
SSL (Secure Sockets Layer) establishes an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and intact.
In Google Chrome, all pages where your website visitors enter data – not only forms, but even search boxes – now load as “Not Secure” when served over plain HTTP.
Given that Chrome is the most used desktop browser (current statistics show a 72% market share), there is no doubt that you should implement SSL on your website as soon as possible.
And yes, the SSL security layer helps with your website’s GDPR compliance too.
The easiest way to get your website showing as “Secure” is to contact your hosting provider and discuss the SSL options they provide.
Alternatively, if you are just starting your website, or your website is small, consider a CDN (Content Delivery Network), which amongst other benefits may provide a free SSL certificate.
3: Create a plan in case of a breach
Outline what steps will be taken in the event of a breach. Your plan should include:
Which of the data your business collects qualifies as ‘personal’? Personal data is any data that can be used to identify a living person directly or indirectly, for example a name, email address, postal address or phone number.
Who has access to it?
Where is the information kept – locally, on a web server, in the cloud?
Who should a breach be reported to? In the UK that is the ICO; in Denmark, for example, it is Datatilsynet.
As you can see, it is not that hard to ensure your website is GDPR compliant. After all, your website’s security matters not only to you but also to your visitors. They need to feel secure when giving you their name and email address.
If you need more information or help with your website GDPR compliance, feel free to contact us today to see how we can help you.