On 25th May 2018, the Data Protection Act in the UK will be superseded by the EU’s General Data Protection Regulation (known as GDPR). The changes impose much stricter rules around the handling and storage of personal data and tougher punishments for those who do not comply. Whereas previous fines were capped at £500,000, the new legislation allows fines of up to 4 per cent of worldwide annual turnover or 20 million euros, whichever is higher.
For online lead-generation websites, this will be a significant change to how they process and handle data. Many comparison websites rely on collecting personal details and reselling them for commercial gain. The likes of Quotezone, Simply Business and GoCompare will have to take drastic measures to refine their user journey, their storage of data and the language used on site.
What information do users need to know?
GDPR requires websites to state what data is being processed and for what purposes. For instance, those looking for a car insurance quote or a business loan will be accustomed to filling in their details, but there is now a requirement for far greater transparency over what those details are used for. Websites will be taking advice from compliance over whether it is sufficient to include this information in the privacy policy alone, or whether it must be stated clearly within the online form itself or on the ‘thank you’ page.
A strong privacy policy
Each website should produce a clear and compliant privacy policy in time for the new regulation. This should inform data subjects how long their data will be stored for, who it will be shared with, and who they should contact if they have any questions regarding their data. To be compliant, websites must also give users a simple way to request a copy of the data held about them (a subject access request), which must normally be answered within one month.
Mailing lists and deletion
Some important changes to data protection now mean that someone who applies for a financial product cannot automatically be added to your mailing list. Consent obtained under the old rules only carries over if it already meets the GDPR standard (freely given, specific, informed and unambiguous); where it does not, existing subscribers must opt in again to continue receiving your email newsletters, meaning that some websites will likely lose enormous chunks of their databases.
In addition, someone who requests that their data be removed (the right to erasure) must have their details and all associated information deleted without a trace. For a lead website this includes copies held by processors and any partners the data has been passed on to, who must be informed of the request.
Encryption is recommended
The GDPR brings to the fore the role of pseudonymisation. This is the concept of replacing the fields that identify an individual (name, email address, phone number) with a reference number or token, and keeping the table that links tokens back to real identities in a separate, more tightly controlled store. In the event of a data breach of the main database, the attackers then obtain quote data without the names attached, which limits the damage they can do. Two caveats: the token-to-identity mapping must genuinely be stored separately from the records it protects, otherwise the exercise is pointless; and pseudonymised data is still personal data under GDPR, since the remaining fields (postcode, date of birth, vehicle registration) can often identify someone on their own.
Whilst this might require some serious back-end reconstruction for many leading websites, a short-term measure is to serve the site over HTTPS by installing a TLS certificate (often still referred to as an SSL certificate). Note what this does and does not achieve: it encrypts data in transit between the visitor’s browser and your server, so form submissions cannot be read or altered on the way, but it does nothing for data already stored on your systems and is not a substitute for pseudonymisation or encryption at rest. The cost is usually a one-off fee of around £100 and rarely more than £500 for extended validation, as demonstrated by Quick Loans Express; basic domain-validated certificates are also available free of charge from Let’s Encrypt.
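The pseudonymisation pattern described above, as an added example that is not code from the original article or from any of the websites it names. It assumes a lead record is a plain dictionary and models the separate identity store as an in-memory class; in a real deployment that store would be a separate database with stricter access controls than the main quotes table. Tokens are derived with a keyed hash (HMAC) rather than a plain hash, so an attacker holding only the quotes table cannot regenerate tokens from a list of guessed e-mail addresses.

```python
"""Pseudonymising lead records: direct identifiers are replaced by a keyed
token, and the token-to-identity mapping is held in a separate vault."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields that directly identify a person and must not sit in the quotes table.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


@dataclass
class IdentityVault:
    """Separate store holding the HMAC key and the token -> identity mapping.
    (Assumption of this example: modelled in memory; in production this is a
    distinct database/service with tighter access than the main leads table.)"""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    identities: dict = field(default_factory=dict)

    def token_for(self, email: str) -> str:
        # Keyed hash: the same person always maps to the same token, so quotes
        # can still be linked, but without the key the token cannot be
        # recomputed from a guessed address.
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self.key, normalised, hashlib.sha256).hexdigest()[:24]

    def register(self, name: str, email: str, phone: str) -> str:
        token = self.token_for(email)
        self.identities[token] = {"name": name, "email": email, "phone": phone}
        return token

    def reidentify(self, token: str):
        """Only code with access to the vault can put a name back on a quote."""
        return self.identities.get(token)

    def erase(self, token: str) -> bool:
        """Right to erasure: remove the mapping so the quote data is orphaned.
        Returns True if an identity was actually removed."""
        return self.identities.pop(token, None) is not None


def pseudonymise_lead(lead: dict, vault: IdentityVault) -> dict:
    """Return a copy of the lead that is safe to keep in the main quotes table:
    direct identifiers are stripped and replaced by a subject token."""
    token = vault.register(lead["name"], lead["email"], lead["phone"])
    safe = {k: v for k, v in lead.items() if k not in DIRECT_IDENTIFIERS}
    safe["subject_id"] = token
    return safe


def breach_exposes_identity(stored: dict) -> bool:
    """Simulates what an attacker learns from the quotes table alone."""
    return any(k in stored for k in DIRECT_IDENTIFIERS)


# Constructed sample lead, not real data.
SAMPLE_LEAD = {
    "name": "Jane Example",
    "email": "Jane.Example@example.org",
    "phone": "07700 900123",
    "postcode": "SW1A 1AA",
    "vehicle": "2014 Ford Fiesta",
    "quote_gbp": 412.50,
}


def demo() -> tuple:
    vault = IdentityVault()
    stored = pseudonymise_lead(SAMPLE_LEAD, vault)
    exposed_before_erasure = breach_exposes_identity(stored)
    identity = vault.reidentify(stored["subject_id"])
    erased = vault.erase(stored["subject_id"])
    after_erasure = vault.reidentify(stored["subject_id"])
    return stored, exposed_before_erasure, identity, erased, after_erasure


if __name__ == "__main__":
    stored, exposed, identity, erased, after = demo()
    print("stored record:", stored)
    print("breach of quotes table exposes identity:", exposed)
    print("re-identified via vault:", identity)
    print("erased:", erased, "re-identify after erasure:", after)
```

The remaining fields in `stored` (postcode, vehicle) are exactly the kind of indirect identifiers that keep the record within the definition of personal data, so the quotes table still needs access controls and retention limits of its own; pseudonymisation reduces breach impact, it does not remove the data from scope.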
Having a data breach process
Not only must you have someone in your organisation responsible for data protection (a designated Data Protection Officer, where GDPR requires one), there must also be a formal process in place for when a data breach occurs. By law, a breach that is likely to put individuals at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, and where the risk to individuals is high, the affected people must be told without undue delay. Your process must therefore cover how you detect and assess a breach, how you report it to the regulator, and how you make clear to both the regulator and the affected individuals what you are doing to contain and resolve it.
Becoming GDPR compliant will be costly for online businesses, especially in terms of changing their websites, compliance work, training and adjusting internal processes. However, set against the cost of a potential fine, it is an expense worth incurring, and it certainly offers more security to individuals and their data.