Five ways to prepare your website for GDPR compliance
Mike Blackburn, managing director of I-COM
GDPR is on the horizon and is one of the top priorities for recruiters in 2018, although there remains a concerning lack of clarity about exactly what it means for the sector. While some business owners are waiting for further guidance before acting, there are steps you can take now to make sure your website is ready for this game-changing legislation before enforcement begins on 25 May 2018. Here are five key things to check to determine whether your website platform can support your GDPR processes.
1) Control access
The first step towards GDPR compliance is to control who can reach the personal data your website holds. Your content management system is probably open to many people and contains data submitted through enquiries, CV uploads and contact forms. Any files containing personal or sensitive information must be protected, and access to them limited to the people who genuinely need it for their job. Check that your admin system lets you set role-based permissions over the data it stores and records who accessed what, establish a process for deleting data once it is no longer needed, and make sure files uploaded by users (e.g. CVs) are stored outside the public web root rather than at a URL that anyone can guess or open.
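As an added example, not code from the original article or from I-COM, the following Python sketch shows the three controls from point 1 working together: uploads stored under a random token outside the web root, a role check before a file path is handed out, and a retention purge. The in-memory store, the role names, the storage directory and the 180-day retention period are all assumptions for illustration.

```python
"""Added example for point 1: gate access to uploaded CVs and purge stale ones.

This is illustrative code, not code from the original article. Assumptions
(hypothetical): an in-memory store stands in for the CMS database, users carry
a set of role names, uploads live outside the web root under a random token
rather than their original filename, and the retention period is 180 days.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Upload:
    token: str
    candidate_email: str
    stored_path: str
    uploaded_at: datetime


class AccessDenied(PermissionError):
    """Raised when a user without a permitted role asks for a candidate file."""


# Only these roles may read candidate files; ordinary site editors are excluded.
READ_ROLES = {"recruiter", "dpo"}
RETENTION = timedelta(days=180)  # assumed; set this from your retention policy


class CVStore:
    def __init__(self, storage_dir: str = "/srv/private/uploads") -> None:
        # Directory is outside the web root, so nothing here has a public URL.
        self.storage_dir = storage_dir
        self._files: dict[str, Upload] = {}
        self.audit: list[tuple[str, str, str]] = []  # (user, token, outcome)

    def store(self, candidate_email: str, original_name: str, now: datetime) -> str:
        # The user-supplied filename is attacker-controlled and guessable, so it
        # is never used on disk; a random token is the only handle to the file.
        token = secrets.token_urlsafe(32)
        self._files[token] = Upload(token, candidate_email,
                                    f"{self.storage_dir}/{token}.bin", now)
        return token

    def open_for(self, user: str, user_roles: set[str], token: str) -> str:
        """Return the on-disk path only if the caller holds a permitted role."""
        upload = self._files.get(token)
        if upload is None:
            raise KeyError("no such upload")
        if not user_roles & READ_ROLES:
            self.audit.append((user, token, "denied"))
            raise AccessDenied(f"{user} may not read candidate files")
        self.audit.append((user, token, "read"))
        return upload.stored_path

    def purge_expired(self, now: datetime) -> int:
        """Delete uploads older than RETENTION; returns how many were removed."""
        expired = [t for t, u in self._files.items() if now - u.uploaded_at > RETENTION]
        for token in expired:
            del self._files[token]  # real code would also os.remove() the file
        return len(expired)


def run_demo() -> dict:
    """Exercise the store with constructed data and return the outcomes."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = CVStore()
    # Constructed hostile original filename; it is ignored entirely.
    token = store.store("jane@example.com", "../../etc/passwd", now)
    results = {"recruiter_path": store.open_for("alice", {"recruiter"}, token)}
    try:
        store.open_for("bob", {"editor"}, token)
        results["editor_blocked"] = False
    except AccessDenied:
        results["editor_blocked"] = True
    results["purged_at_30_days"] = store.purge_expired(now + timedelta(days=30))
    results["purged_at_200_days"] = store.purge_expired(now + timedelta(days=200))
    results["audit_outcomes"] = [outcome for _, _, outcome in store.audit]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the token is that the file has no guessable name and no public URL at all; the only way to reach it is through `open_for`, which is where the permission check and the audit entry live. The purge returns nothing at 30 days and removes the record at 200 days, which is the "delete what you no longer need" step made mechanical.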
2) Encrypt data
Any data submitted through your website must be encrypted in transit so that it cannot be read or altered while it travels between the visitor's browser and your server. That means serving the whole site over HTTPS, for which you need an SSL/TLS certificate installed on your web server; if you do not have one, ask your web developer to set it up and to redirect all plain HTTP requests to HTTPS. To check, look at the address bar while visiting your site: the address should begin with https:// and the browser should show a padlock. If either is missing, or the browser warns that parts of the page are insecure, get in touch with your web developer. Note that the certificate protects data in transit only; data stored on the server, or passed on to third parties, needs separate protection.
3) Confirm consent
Where you rely on consent as your lawful basis for using a visitor's personal data, that consent must be freely given, specific, informed and unambiguous. A blanket approval is not enough: you need a clear opt-in for each separate use of the data, and a record showing who consented to what, when, and what they were told at the time. For example, if a candidate gives their email address to receive job alerts, they must tick a separate, unticked box before you may send them marketing that does not relate to those alerts. You will need to amend your website forms to collect consent in this way and to store the consent records alongside the data they cover.
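The following Python example is added here to show what per-purpose consent looks like in practice; it is not code from the original article. It assumes a hypothetical sign-up form with one unticked checkbox per purpose ('job_alerts' and 'marketing') and keeps the consent history in an in-memory list standing in for a database table.

```python
"""Added example for point 3: an append-only ledger of per-purpose consent.

Illustrative code, not from the original article. Assumes a hypothetical
sign-up form with one unticked checkbox per purpose ('job_alerts' and
'marketing') and an in-memory list standing in for a database table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Each purpose is consented to (or not) independently.
PURPOSES = {"job_alerts", "marketing"}


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # e.g. the candidate's e-mail address
    purpose: str
    given: bool           # True = consent given, False = withdrawn
    at: datetime
    notice_version: str   # which privacy notice the person saw
    source: str           # where the action happened (form name, unsubscribe link)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_form(self, subject: str, ticked: set[str], at: datetime,
                    notice_version: str, source: str) -> None:
        """Record only the boxes the person actively ticked.

        Boxes left unticked produce no event at all: pre-ticked boxes and
        silence are not valid consent under GDPR (Recital 32).
        """
        unknown = ticked - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        for purpose in ticked:
            self._events.append(ConsentEvent(subject, purpose, True, at, notice_version, source))

    def withdraw(self, subject: str, purpose: str, at: datetime, source: str) -> None:
        self._events.append(ConsentEvent(subject, purpose, False, at, "", source))

    def has_consent(self, subject: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides."""
        latest = None
        for event in self._events:
            if event.subject == subject and event.purpose == purpose:
                if latest is None or event.at >= latest.at:
                    latest = event
        return latest is not None and latest.given

    def evidence(self, subject: str, purpose: str) -> list[ConsentEvent]:
        """Full history, which is what you show a regulator or the data subject."""
        return [e for e in self._events if e.subject == subject and e.purpose == purpose]


def may_send(ledger: ConsentLedger, subject: str, message_kind: str) -> bool:
    """A job alert needs 'job_alerts' consent; a marketing mail needs 'marketing'.

    Consent for one purpose never carries over to the other.
    """
    if message_kind not in PURPOSES:
        raise ValueError(f"unknown message kind: {message_kind}")
    return ledger.has_consent(subject, message_kind)


def run_demo() -> dict:
    """Walk one constructed candidate through opt-in, extra opt-in and withdrawal."""
    ledger = ConsentLedger()
    jane = "jane@example.com"
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

    # Constructed form submission: only the job-alerts box was ticked.
    ledger.record_form(jane, {"job_alerts"}, t0, "notice-2018-05", "job-alert signup form")
    results = {
        "alerts_after_signup": may_send(ledger, jane, "job_alerts"),
        "marketing_after_signup": may_send(ledger, jane, "marketing"),
    }
    # Later she ticks the separate marketing box on her profile page.
    ledger.record_form(jane, {"marketing"}, t0 + timedelta(days=3), "notice-2018-05", "profile page")
    results["marketing_after_optin"] = may_send(ledger, jane, "marketing")
    # Then withdraws marketing consent via an unsubscribe link; alerts are unaffected.
    ledger.withdraw(jane, "marketing", t0 + timedelta(days=10), "unsubscribe link")
    results["marketing_after_withdraw"] = may_send(ledger, jane, "marketing")
    results["alerts_after_withdraw"] = may_send(ledger, jane, "job_alerts")
    results["marketing_evidence_count"] = len(ledger.evidence(jane, "marketing"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the compliance point. The ledger is append-only, so withdrawing consent adds an event rather than deleting the original one, and the full history (what was agreed, when, under which notice) remains available as evidence. And `may_send` looks up exactly one purpose, so job-alert consent can never be stretched to cover marketing.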
4) Prepare your privacy notices
Privacy notices are nothing new, and most businesses already publish one on their website, often buried alongside the terms and conditions of use. Under GDPR a privacy notice must explain in clear and plain language what personal data you collect, why you collect it, on what lawful basis, how long you keep it and who you share it with; lengthy chunks of legal jargon will not do. The same goes for cookie notices, which must state in plain terms what your website captures and for what purpose. Recruiters should ask their web developer to complete a cookie audit (which cookies are set, by whom, and why) for inclusion in the privacy statement, and review every notice currently on the site to confirm it is still fit for purpose.
5) Assess your agencies
If you outsource some of your operations to other companies (such as a marketing agency or a hosting provider), you remain the data controller and are responsible for what they do with the data you pass to them. GDPR requires a written contract with each such processor setting out what they may do with the data and how they must protect it, so it is not enough to say the matter is out of your hands. Ask every agency you work with to explain how they secure your data, and be especially clear about where it is stored and processed, since transfers outside the EU bring additional obligations.
For further reading around GDPR and the important role of a data protection officer, download I-COM’s free whitepaper by following this link: www.i-com.net/blog/gdpr-appointing-data-protection-officer
Picture courtesy of Pixabay