Three Initial Steps Towards GDPR Compliance

If you’re still struggling to get GDPR compliant, you’re not alone.

In fact, Gartner predicted that more than 50% of companies affected by GDPR wouldn’t be in full compliance at the start of this year.

This isn’t surprising since GDPR consists of 99 articles of regulation and most organisations simply aren’t aware of all the steps required to comply.

Never fear – we’re here to give you the lowdown.


What is the GDPR?

Put simply, the GDPR is a broad-reaching regulation designed to protect the personal data of people in the EU. It aims to ensure that people know where their data is held and have control over it, and that the data itself is protected.

Most companies are still asking, “Does the GDPR apply to us?” The answer is most likely to be yes – here are three simple questions that will help you to find out if this affects you and your business:

  • Do you have customers, employees or contractors who are EU citizens or are based in EU countries? (and yes, the UK counts)
  • Do you do business in Europe, even if your business is located elsewhere?
  • Do you have a website that’s available for Europeans to use and captures personal data?

Spending your resources on trying to exclude your company from GDPR isn’t the best use of your time. A better question to ask yourself is: “How do we get compliant?”

A large majority of the GDPR requirements are actually best practices and worth investing the time in.

With the plethora of information out there, it can be hard to know where to start. Here are three key actions that your organisation should take in order to make a start along the road towards GDPR compliance:

1. Update your Privacy Policy

One of the very first steps towards compliance is understanding what GDPR means for your Privacy Policy. Among other things, the key information to include is:

  • Exactly what personal data (often called personally identifiable information, PII) you collect, and what you use it for
  • A clear indication of where that personal data is held on your systems, and for how long you keep it
  • With whom the personal data is shared. For example, if any third parties or processors are involved, these should be named

2. Put a process in place for individual requests

It is vital that your organisation introduces a process by which individual customers, job applicants, suppliers and anyone else whose data you hold can easily have it removed from your systems (the right to erasure, or ‘right to be forgotten’), and can find out what you hold about them.

It needs to be as easy for people to be ‘forgotten’ as it is for their data to be captured. This should be discussed at board level and the resulting procedure applied across the whole organisation.

3. Install and Maintain a TLS (SSL) Certificate

This may seem like a ‘given’ to some people, but many websites still don’t serve their pages over HTTPS. Though the GDPR doesn’t contain a specific section on the use of TLS/SSL certificates, Article 32 requires appropriate technical measures to secure personal data and names encryption as one of them, and for a website the baseline way to meet that is a certificate-backed HTTPS connection.

SSL, and its successor TLS, have been the de facto encryption and authentication standard for confidential web communications since the mid-1990s. Serving a site over plain HTTP leaves every form submission readable and modifiable by anyone on the network path, which increases your risk of a data breach.

For example, if you have an eCommerce website that takes user payment information, having a certificate is a necessity. But even if your site is a static HTML page that doesn’t sell anything and has no contact or signup forms, you still need one to avoid the ‘Not secure’ warning that browsers now show next to any page served over plain HTTP. ‘Maintain’ matters as much as ‘install’: certificates expire, so renewal needs to be automated or at least monitored, and plain HTTP requests should be redirected to HTTPS so the certificate is actually used.
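The maintenance half of that advice is easy to check from a shell. The script below is an added example, not code from the original post: it fetches the certificate a site serves (with SNI set, so shared hosts return the right one) and reports how many days it has left, with a helper suitable for a cron alert before renewal is missed. It assumes the `openssl` command-line tool and GNU `date` are installed; the `example.test` hostname and the self-signed certificate it generates are constructed purely so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the original post: check the TLS certificate
# behind an HTTPS site and how long it has left before it expires.
set -eu

# Print the number of whole days until the certificate in PEM file $1 expires
# (negative once it has already expired). Uses GNU date to parse the notAfter field.
cert_days_remaining() {
  not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  expiry=$(date -u -d "$not_after" +%s)
  now=$(date -u +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Exit 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# Run it from cron and alert on exit status 0 to catch a missed renewal.
cert_expiring_within() {
  [ "$(cert_days_remaining "$1")" -le "$2" ]
}

# Download the leaf certificate that host $1 serves on port 443 into PEM file $2.
# -servername sends SNI so a shared host returns the certificate for that name.
fetch_site_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Constructed self-signed certificate valid for $2 days, written to $1, so the
# checks above can be exercised offline (a real site would use fetch_site_cert).
# The example.test name is an assumption for the demo, not a real site.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Offline demonstration. Against a live site you would run instead:
#   fetch_site_cert www.example.com /tmp/site.pem && cert_days_remaining /tmp/site.pem
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/demo.pem" 30
echo "demo certificate expires in $(cert_days_remaining "$demo_dir/demo.pem") days"
rm -rf "$demo_dir"
```

For a site you operate, the same check should be paired with a plain-HTTP request to confirm it is redirected to HTTPS; a valid certificate that nobody is sent to does not protect anything.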

For more information on TLS/SSL certificates, see our blog post from earlier this month.


JBi GDPR Advice & Security Consultancy

All of our clients’ websites are built with GDPR compliance in mind.

If you need help figuring out how to navigate the new regulations, or if you have a digital project that you’d like to discuss with us, please get in touch with our team at [email protected]