Are You Ready?
The new law comes into effect May 25th 2018.
In summary, the GDPR applies to any business that processes personal data, whether by automated or manual processing (provided that manually processed data is organised according to specific criteria).
Even if your business only processes data on behalf of other companies, you still need to abide by the rules.
The GDPR applies if:
- Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place; or
- Your company is established outside the EU but offers goods or services to, or monitors the behaviour of, individuals within the EU.
In addition to the above, any organisation collecting and processing personal data from individuals within the EU must comply with the new rules. This applies not only to Magento and WordPress but to any third party linked with your website, whether through its management and enhancement or through its functionality and delivery.
WHAT CAN ENVISAGE DIGITAL DO TO HELP?
To assist with your organisation’s compliance with the GDPR, Envisage Digital will review your website’s internal processes to ensure that data can be captured both for the purpose of data portability (i.e. passing a copy to the data subject or another controller) and so that the data can be removed easily. This information will then form part of the Envisage Digital website management procedure.
Working with your organisation, Envisage Digital will conduct an audit of the personal data your organisation holds, to understand how it is used, to whom it is disclosed and where it is transferred. This information will form part of a data map and security audit.
A simplified overview of Envisage Digital’s GDPR compliance website recommendations:
- Regularly review the website, ideally in the form of a website healthcheck
- Regularly update the formal website documentation; data map and security audits
WHAT DO YOU NEED TO DO?
Envisage Digital have provided full details of the preparation required for compliance with the GDPR in the document that can be downloaded from this page. In short, these are the main areas of concern:
- Inform decision makers and key people in your organisation that the law is changing to the GDPR
- Nominate someone to take responsibility for data protection compliance in your organisation, in the form of a Data Protection Officer
- Review current privacy notices and update privacy information
- Check or create procedures that cover all the rights individuals have, including how personal data can be deleted or provided electronically in a commonly used format
- Complete a data mapping diagram to show the collection and movement of data
- Complete the information audit table to answer the who, what, where, why and how questions associated with GDPR compliance
- Complete a security audit and provide the information summarising why personal data is to be collected
- Obtain a disclosure of GDPR compliance from your website hosting company
- Document the procedure to follow on discovering a data breach
Key Points for Users
Users browsing and transacting on your website (the Data Subjects) have certain rights under the new law regarding how their data is collected and processed. Any information relating to an identifiable individual, from cookies and IP addresses to phone numbers and usernames, is classed as Personal Data.
The rights of the Data Subjects under the new GDPR regulations include:
- The right to data correction.
- The right to be contacted and consulted on anything related to the use of their personal data
- The right to be forgotten.
- The right to be informed about whether their personal data is, or has been, at risk
- The right to opt-in, rather than opt-out, of email newsletters and further communication
Key Points for Businesses
As a result of the increased rights of the Data Subject, the Data Processor and the Data Controller must take specific steps to be able to meet those rights.
The responsibilities of the Data Processor & Data Controller include (but are not limited to):
- Be accountable in the event of a violation or breach.
- Have knowledge of the security methods in place.
- Have a clear data map of how the customer data is processed
- Undertake a full information and security audit on your website
- Notify the Data Subjects of any data breach as soon as is practically possible