The new GDPR - General Data Protection Regulation - comes into effect on 25th May next year and replaces the current Data Protection laws across the UK and Europe. It's important that all businesses are aware of the changes, and what they potentially mean for your business, as the consequences of not complying with the new regulations could be severe, with, in the worst case, fines of up to 20 million Euros for larger companies.
The GDPR aims to give individuals more control over the personal data held about them by businesses and organisations and ensures that those businesses/organisations are storing and using that data in a responsible and accountable manner.
Here at Adaptive, we are currently preparing information and guidance for each of our customers with regard to ensuring their Drupal websites are compliant with the GDPR and that any changes/additions required to their websites are in place by the deadline of 25th May 2018.
For some websites, this may simply be a case of ensuring that a clear data protection policy is visible on the website and is signposted from any key areas of the website where data is collected from users, such as contact forms, newsletter signups and other online forms.
For websites that collect and use visitor data in a more complex way, further provision may be needed on the website to ensure you remain compliant. Other key changes within the GDPR include the need to ensure any marketing opt-ins on forms specifically require the user to tick to agree to communications - no more ticking to opt out, or having opt-in boxes which are pre-ticked.
Adaptive will be reviewing each of our customers' Drupal websites in the coming weeks and we will be in contact with each of our customers directly during October with more information as to how your Drupal website relates to the new GDPR and what recommendations we are making to ensure your website remains compliant beyond May next year.
Will my website be affected?
The details of the new GDPR effectively mean that almost every website will need to ensure it is compliant in one form or another. The definition of "personal data" in the GDPR includes any "online identifier" logged/stored by a website. For this, read "IP address". Drupal sites will typically capture and store a visitor's IP address for certain logging processes. Similarly, server logs will also record a visitor's IP address, as will third-party tools on a website such as Google Analytics. This means that, even if your website doesn't openly collect user data via user-submitted forms, the GDPR is still likely to apply if you are capturing visitor IP addresses, even though those IPs don't directly identify an individual.
GDPR is an EU regulation which applies to any organisation that collects data from EU residents. This therefore means that it will still be applicable to UK businesses post-Brexit as websites will still be accessible by EU residents, even if the UK population is no longer amongst them.
As part of the GDPR, Adaptive also has a certain degree of responsibility towards each website that we host or support, so we will be strongly encouraging each of our customers to ensure that they are fully aware of the new regulations and implement our recommendations on their website to avoid potential issues.
So what happens next?
Adaptive customers should look out for more GDPR information coming from the Adaptive team in the next few weeks. In the meantime, you can read more about the new regulations and what they potentially mean for your website in this excellent article from The Web Guild.