Web Design Agencies & GDPR: Designing For Privacy
It’s funny how four little letters can wreak such havoc across the web. You’ll no doubt have heard about the EU’s sweeping General Data Protection Regulation (GDPR)...

In May 2018, to protect EU citizens from the unauthorised use of their personal data. But as a web design agency, you might not yet realise GDPR’s impact on your work.
Let’s start with some small-print. Strictly speaking, if your web design agency is working on a site that will merely be accessed by EU citizens, it’s not bound by the GDPR. But if that site sells goods, provides any free or paid-for service, or tracks a visitor’s online behaviour – and, realistically, that means most of them – then it becomes subject to the legislation.
You’ll find full details of GDPR here. But for now, here’s a quick eight-point checklist to help your client stay legal – and avoid the eye-watering fines that are already being handed out to rule-breakers.
- As a web design agency, it’s your job to ensure the website’s privacy policy is prominently displayed, easily accessed, up-to-date and clear on points including cookie usage and how the operators will process visitors’ personal data.
- If a visitor requests to see their personal data, the website operator must promptly supply it. Online visitors also have the right to rectify errors or missing information, and to ask for non-relevant personal data to be removed.
- Visitors might allow you to store their data – but not process it – so be clear on the distinction. They can also legally refuse the use of their personal data for research or marketing purposes.
- Make sure you include a feature in the website that actively requests consent for the collection and use of data: it’s not enough to simply assume a visitor is happy unless they opt out. Be aware, too, that many plugins collect data, so be sure they’re not sending it somewhere they shouldn’t.
- Tightening up a client’s security should be a priority for any good web design agency. This might include, for example, using encrypted databases and limiting access to those with a right to see the data.
- Be familiar with the file formats used for supplying personal data, like CSV, as you’ll need to move fast if a client requests to see it. And that brings us on to…
- If a data breach does occur, you have 72 hours to report it to the individual affected and the Information Commissioner’s Office (ICO). Make written, legally watertight plans for your processing procedure – including how you will detect and deal with a data breach – and be ready to show these to officials if requested.
- Finally, remember that if your client is wary of taking on the responsibilities of GDPR themselves, your web design agency could act as their data protection officer.
For more crucial insights into GDPR and preparing for 25th May 2018, read another from SOZO’s Blog:
- GDPR 2018: Consent and SOZO’s advice
- GDPR 2018: Data Breaches and Data Security
- GDPR 2018: The 8 Rights for Individuals
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/).