At IBT Online we deliver innovative and high-quality websites and online marketing for international businesses. With offices in Europe and the US, helping companies navigate the European General Data Protection Regulation (GDPR) is fundamental to our business.
This blog post sets out how you can implement a DIY strategy for dealing with GDPR and how IBT Online can help you get ahead of the game in digital trustworthiness.

The objective behind GDPR is to change mindsets. Facebook may be at the vanguard, but most companies today collect, store and use personal data online. The premise behind GDPR is that personal data belongs to individuals, who have rights over their online data. GDPR is therefore a process rather than a one-off security fix, and impacts internal corporate policies, as well as your website and marketing.
Your DIY GDPR Strategy
Here is a 7-step DIY strategy to help you get GDPR ready. Following these steps will take you most of the way to compliance. Don't have time for DIY? Go straight to IBT Online’s GDPR Compliant European Website Package.
Quick Question – I have a US website; do I need to make this GDPR compliant?
Yes! If you collect and store data from European citizens, then you need to have a GDPR compliant website. One easy solution is to build European websites, directing your European traffic toward these and thus avoiding the need to make your US website GDPR compliant.
Step 1: Designate who is responsible and appoint a Data Protection Officer
Appoint someone in the company to take responsibility for your GDPR compliance. It should be someone senior, with a broad view of your corporate and online activities, e.g. your CTO. This person will spearhead the GDPR compliance process. You may also need to appoint a ‘Data Protection Officer’. This can be the same person, or someone external to the company. The DPO is responsible for making sure you are up to date with GDPR and especially for handling any data breach.
Step 2: Map your data usage
IP addresses, personal details, preferences, survey information, client and supplier registration details, etc. - websites generate a lot of data.
What kind of data do you collect and store? Why do you collect it? How is it stored? Have people agreed to you storing their information? Do you have a lawful basis for the information you store and is it stored safely?
These are tricky questions as personal data has a habit of seeping into many aspects of business, so don’t just think sales and marketing, but also check out finance, customer servicing and after sales, as well as suppliers, partners and employees.
Step 3: Determine your company’s role. Are you a Controller or a Processor? Or possibly both? Your GDPR obligations depend on this.
- Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. As a controller you have extensive commitments toward your data subjects under GDPR.
- Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. As a processor you have less extensive commitments toward your data subjects than controllers do.
Step 4: Inform your Processor(s) or Controller(s)
Get in touch with the organizations with which you share data. These could include distributors, in-market partners, IT companies, storage providers etc. You should work to establish a written understanding of each organization’s obligations with regard to the data you hold.
Step 5: Update your websites
All websites that Europeans interact with need to be GDPR compliant. You will need to update your Privacy and Cookies Policies to reflect GDPR, including the 'right to be forgotten', the 'right to amend data', and create an active consent policy for data gathered from the website and online marketing activities. A good idea is to add geolocation abilities to help identify and direct European data subjects.
You must also increase your website’s security levels and set up internal data encryption processes. In the event of a data breach, GDPR mandates that you inform authorities and those impacted within 72 hours. Make sure you have the external and internal capacities to handle this.
Step 6: Educate
Provide regular GDPR education sessions for employees. GDPR is an on-going process and concerns virtually all aspects of a company’s business. GDPR therefore needs to be widely understood and regularly refreshed across an organization.
Step 7: Shout about it!
Be proud of implementing GDPR across your organization – it means you care about your clients, your employees and your business partners. It reinforces the trust that makes good companies stand out.
Fast track your GDPR compliance with IBT Online
Not DIY-inclined? Let IBT Online help you get GDPR compliant by signing up for our GDPR Compliant European Website Package today.
What’s in the package?
We will work with you to build and manage your GDPR Compliant European Website, providing you with expert help, focused on your business needs. Sign up and you'll get:
- A European website built on a secure content management system, hosted on recognized secure servers with fully encrypted data.
- All forms and areas of data collection with explicit opt-in / opt-out clauses as well as other GDPR required data permission clauses (amend data, right to be forgotten...)
- GDPR-compliant privacy and cookie policies.
- Geolocation to identify and help re-direct any European data subjects.
- A dedicated online GDPR expert to help you implement the GDPR data processes and answer your GDPR related questions.
- Template documents you can adapt for GDPR compliance opt-in clauses, including privacy policies and controller - processor agreements.
We hope this blog as well as other resources on our website (check out www.ibt.onl/resources) are helpful. If you are looking for further help tackling GDPR compliance or website localization or online marketing, then please let us know!