You are probably not familiar with the term GDPR. However, as a website owner this term becomes very important to you! After all, from May 25 every EU website owner is obliged to adhere to the new GDPR (General Data Protection Regulation).
This website, too, is not (yet) ready for the GDPR at the time of writing. However, it will be ready before 25 May. In this article we discuss the practical details of and preparation for the GDPR. We also offer a complete audit and preparation for your website.
Since 1995, the Dutch law Wet Bescherming Persoonsgegevens (WBP) has protected us from the misuse of personal data. However, the world has been digitized in recent years and the 1995 law has become obsolete. The European Union is therefore introducing the General Data Protection Regulation (GDPR) in order to keep up with the developments taking place worldwide. In the Netherlands this law is called the “Algemene Verordening Persoonsgegevens” (AVG).
As an organization, from May 25, 2018 you must inform consumers more clearly about what happens to their personal data and who has access to these data. Under the new law, the consumer may object to the processing or use of his or her personal data at any time. After an objection, the data may no longer be used by the organization.
What should be done for the new AVG?
Personal data consists of information with which someone has been identified or can be identified. As a website owner, you quickly have to deal with personal details of customers and non-customers. Just think of collecting the name, telephone number and e-mail address of your customers. In addition, an IP address or location data that you can read out (via Google Analytics, for example) when a consumer visits your website via his smartphone is also personal data.
The processing of personal data and the protection of privacy do not only apply to the reselling of privacy-sensitive information to third parties; collecting, viewing, storing or even destroying personal data yourself is also included. The AVG also applies to you if you do not resell personal data, but only collect name and address data to serve your customers better.
The Wet Bescherming Persoonsgegevens (WBP) already regulates a number of matters that you have to comply with. However, with the introduction of this new legislation, it is a good idea to take a step in the right direction and to re-interpret and review the privacy rules. The new AVG consists of a number of components:
- Know what data is stored and processed
- Having a privacy statement in clear language
- Having a processor agreement with every entity that processes and stores privacy-sensitive data
- The right to be forgotten
- Proactive communication about data breaches
We will briefly review all these points.
Know what data is stored and processed
The first thing that matters is determining which data is stored and processed. On a “normal” website, this will usually consist of Google Analytics data and the data of customers who register in any way (think of a newsletter or a comment left on an article). However, many more details are registered, stored and processed at a web shop, such as address details and other preferences.
Now is the time to go through the website and see which customer data can go. If a customer has not ordered in more than a year, it is better to delete their data. It is also important to verify whether these data are safe. An SSL certificate is therefore of increasing importance. The same applies to all third parties where this data is stored. Think of your hosting company, your newsletter provider or your Google Drive!
By going through your website with a fine-tooth comb, you ensure that less privacy-sensitive data is lying around that could cause you problems.
Having a privacy statement in clear language
Every company needs a privacy statement. It must contain at least 11 points and must be displayed clearly. Do not have a privacy statement yet? Then it is really time. It must be clearly visible on the website and, in principle, be available in all communication with every customer. With web shops, it is important that the customer can actually read it while creating the account.
Having the statement alone is not enough; you also have to act on it. For example, newsletter checkboxes should be unchecked by default and your privacy statement should be clearly visible to your customers. Best of all is if customers accept the statement when creating an account.
Having a processor agreement
In principle, there must be an agreement with every processor of privacy data. That is not only your web host, but also other service providers. Think of the newsletter provider, but also the cloud storage supplier or the mail provider. Most of them already have a processing statement incorporated in their terms and conditions or their user agreement, and these will also be adapted in the coming period. Prevention is always better than cure, so it is best to contact your suppliers to discuss this.
You will also receive a processor agreement from Werkend Webdesign in the coming period, because we also inspect and process privacy-sensitive data for you. Think of your own data in our account, but also of access to the visitor data of your websites. This will have to be registered and managed more carefully.
The right to be forgotten
A customer or visitor has the right to be forgotten. You are responsible for recording which data you register and how. When a customer or visitor requests the erasure of data, you must comply with this and also prove that all data have indeed been erased. All this must be demonstrated in a reply, by email or on paper.
This is new in the privacy legislation, because it was not well regulated in the old law. Everyone has the right to view his or her data and to have them removed if he or she so wishes.
Proactive communication about data breaches
If a data breach occurs in which privacy-sensitive data is (possibly) leaked, you must proactively inform all users of the website. This means not only a message on the website, but also a mailing to all people whose data you store or process. Data breaches must first be detected, so checks on your website are needed. Among other things, we offer the Website Security Package for this.
There are more rules in the AVG, but these are the most important parts of the new legislation.
Not compliant, fines!
Also new in the AVG is mandatory compliance. The legislator is entitled to carry out audits at every company that falls under the AVG. And since all companies fall under the AVG, everyone can be audited. The fines for not complying with the AVG can be considerable. The precise impact and frequency of these audits, the likelihood of being checked and the strictness of the controls are not yet known when writing this article and will remain unclear around and after 25 May 2018. But the fact remains that there is indeed a check on compliance with the AVG, in contrast to the previous legislation.
The AVG Audit
That is why Werkend Webdesign offers the AVG Audit, a step-by-step plan in which we go through a checklist with you based on all the points mentioned above. We also provide a standard privacy statement and we adapt your website to work as much as possible in accordance with the AVG.
Much is not yet clear at the time of writing, but in the run-up to May 25, 2018, more will be announced from both the government and the website / WordPress community. Surely to be continued!