I am sure you've heard that the EU's General Data Protection Regulation (GDPR) is in force, and that the deadline for compliance is 25 May.

For any organisation offering services or products within the EU, compliance with the GDPR is essential.

I'm sure you have heard that the administrative fines for non-compliance have the potential to be considerable, and that in addition it will be possible for data subjects — the people about whom you store data — to claim damages. Even though the UK is due to leave the EU, compliance before this happens is necessary, and even after the UK leaves there is likely to be a similar law in place.

There are many implications for organisations: they need to conduct data protection impact assessments, a Data Protection Officer must be appointed, and staff must be trained in the handling of data. Furthermore, data breaches must be reported without undue delay.

How to start?

Most organisations will start their compliance process by looking at what data they've got: what personal data they hold currently, and what will be collected in future. The nature of the data needs to be understood, where it's stored, the processes for handling it, and what consents have been given to collect, store and process it.

"Legal basis" is important. You need to consider: Are you holding data in line with the permissions that were given when you collected it?

To accomplish this, you are likely to need a data flow audit, and to have a gap analysis to establish what you need to do to be compliant. Depending on the complexity, you may need a specialist to come into your organisation and look in detail at what measures you need to take.

Your website

Although you need to look at all aspects of your organisation's data handling, your website or extranet site is likely to have particular considerations. It sits in a prominent place online, and for many organisations it is the primary point of contact for external people.

A particularly common entry point is a contact form, or a registration form for access to a password-protected (extranet) site.

If you have a relatively simple website it can be tempting to think that you store and process little personal data. Even though you may only be interested in a customer's email address and name, the form may silently capture far more, such as the user's IP address.

As well as storing data as a form response, the user's data may be sent by email (often to a sales function or website support person). Some forms may even insert the data into a CRM, such as Salesforce.

For extranet-type sites, there is much greater potential for more sensitive data to be stored about individuals, such as date of birth or health information.

What is Tribal doing to help?

Over the past year we have been paying close attention to developments around GDPR. Although our clients' compliance is their responsibility, we believe we should do our best to support them. Almost all clients' sites run on our Zenario CMS platform, and so for the past several months we have been developing new features in Zenario to help with compliance.

Zenario 8.1, just recently released, contains a number of features which make the handling of data as transparent as possible. In Organizer's Site Settings area there is now a Data Protection panel. This tells you:

  • what data is being permanently stored about your data subjects
  • if the server sends emails that may contain personal data, how long these are logged for
  • if the site has a contact or other form, how long responses are saved for
  • if the site has an extranet, how long the sign-in log and content access log are saved
  • what fields are stored in the users/contact table, and which ones are stored in an encrypted form.

The forthcoming Zenario 8.2 will build upon these with several more features, including:

  • a new Consents table, to explicitly store a record of a data subject giving consent for their data to be processed
  • asking existing users and newsletter contacts to reconfirm their consent (important for this transition period prior to May)
  • an extended-delete feature (if an individual requests all of the data held about them to be removed)
  • information about what backups exist (as they may also contain personal data).

We are presently rolling out Zenario 8.1 to our hosted customers so that the base-level features are delivered soon, and we're aiming to roll out Zenario 8.2 with its more comprehensive feature set before the end of March.

The new Data Protection features in Zenario won't be a "silver bullet" for your GDPR compliance, but we believe they will give our customers the essential base level of website functionality.

The GDPR will have wide-reaching implications for all organisations storing personal data, and of course there are many other activities, such as data flow mapping, that organisations need to do. We aim to work with our customers to offer further assistance in this respect.

Please contact us if you have any questions.