The new GDPR guidelines have been in play for a few months now and it is a good time to review you have everything covered. Perhaps there are a few elements that you put off initially and need to revisit, or some things that fell through the gaps completely?
To help, we have put together a few things to check that may have accidentally been missed the first time around.
1. Data hiding in your CMS
Many of you will have a contact form or 2 on your website, perhaps for visitors to subscribe to a newsletter, make a sales enquiry or apply for a job? When these forms are completed, the data is collected and saved in the backend of your website, which can be easy to forget about. As per the GDPR guidelines, this data must be deleted within a reasonable amount of time and not kept for longer than it is needed.
To find out how to remove saved data from your Content Management System (CMS), speak to your IT department or your web support provider and they should be able to help put a plan in place to ensure that you remove this data regularly, to comply with new GDPR guidelines.
2. Track your copies
We all know backup copies are a good idea. But when considering retention policies, paper and online copies need to be tracked and not forgotten about. They will also need to be deleted or destroyed once they are finished with.
For example, if you create a spreadsheet of data, if this is printed, backed up to a Google Drive account or moved onto an external memory source, all these versions will need to be removed or destroyed when you have finished with it. Under the new guidelines, customers can ask for all their personal information to be removed, being able to track all the data sources and their copies is essential to fulfil this request.
3. Hold the phone
Do you know what data your telephone system stores? It’s not uncommon for your phone to store inbound and outbound numbers for a certain period of time.
So you don’t unnecessarily keep unprotected data you should consider the following:
- Make sure you include your phone system in your data retention policy, as even a number without a name is considered personal information.
- Including your phone system in your process for managing the data, it’s deletion, or providing it as part of a subject access request.
4. Subject access requests
Within the new regulations, customers or potential customers you store information for, can request you provide them with all the data that you have on them, get confirmation on how their information is being processed and for access to other supplementary information, e.g. your privacy notice.
This data must be provided in a format that is easily accessible and transparent for them. So you have to ensure you in place an easy process for the customer to make this request, and a way of delivering this information efficiently and in an accessible format. One option is to streamline this process using a general export function within your software – we can help with this.
5. Delete requests
The new guidelines state that a person can request that you delete all data in relation to them. This is known as ‘the right to be forgotten’. The individual can do this verbally or in writing and you have a month to respond to this wish. The request to erase data can be made to any part of the company, so it is important that you have a process in place to ensure mistakes aren’t made.
However, if you must delete a person who has placed an order, then all information about them must be removed to make them anonymous, but enough information must be kept for reporting purposes. If this is something you need help with, get in touch.
6. Do you have a taste for your cookies policy?
Cookies are something we stumble across every day on websites that we have to ‘accept’ to continue. This message created by the web server allows the visitor to be tracked as they navigate the website. They can be used to identify a person via their device, making this a personal data source. As per the GDPR guidelines, you need to ensure that:
- You get clear consent from the visitor, for example via an obvious “ accept and continue” tick box.
- Visitors can easily withdraw their consent and opt-out of entirely if they change their mind.
If you don’t have a cookies policy set up, it is essential to do so as soon as possible. If you need help, get in touch as this is something we can help you with.
7. Google Analytics
Your organisation is the Controller, so you decide how and why data you collect is processed. However, Google becomes the processor, the entity that handles, stores and analyses information, when you start sending them your web page visitors data.
Cookies will start recording visitors IP addresses and track behaviour as soon as the web page loads, this will then be sent to Google to analyse. But, it is important not to send them any data that can identify someone. One option to avoid this is to enable IP Anonymisation, a tool that hides any identifying information.
Within Google Analytics, the default retention of data, including IP addresses, is set to ‘forever’. It is a good idea to review your policy and change the retention period to only what is necessary, the minimum being 14 months.
Get in touch!
If you have any questions or need help in complying with any of the policies above, please get in contact. Anything from streamlining Subject Access Requests to managing data, we are here to help.