Just leading up to the 25th May 2018, there was much panic on and off-line about GDPR compliance. The deadline has passed now, and like most headlines, they have faded into the background. Does this mean we can be complacent about data protection? No!

GDPR is about your business, not just your website. It is reasonably straightforward for sole traders who should already have some sort of Data Protection policy in place if they deal with members of the public, processing personal information.

What does that mean? In a nutshell, you have a responsibility to keep any personally identifiable data that you are given secure.

How does this affect my website?

Many websites collect personally identifiable data, i.e. name, email, telephone when a customer fills in a contact form. GDPR states that the website owner needs to make it clear, to the user, how that data is collected, why it is collected and then how it is processed. For a straightforward contact form, the minimal requirement is for SSL (padlock in the browser) to show that all data collected is encrypted and sent over a secure connection. When a contact form is sent through to an email address, the encryption needs to be full - from the server to the user, and from the server to the website owner. The website owner is also responsible for ensuring that any hardware used to receive emails or process orders etc., is protected. This can be done through encryption, firewalls and passwords. This doesn't just apply to desktop email apps, but to mobiles and tablets as well. Backups and anything held in the cloud also needs to be encrypted and secure. Under GDPR the user has individual rights. For example, the right to ask to see the data that is held on them and the right to ask for that data to be removed. If their information is stored on a database, then you need to be able to provide them with an electronic download of their data.

It sounds super scary to a small business owner, but it isn't. GDPR is not out to get us, it is there to protect our information.

There is more to GDPR, and I work with my clients to make sure that an appropriate privacy policy is built covering the aspects needed to comply.