Who did you use to get your website GDPR compliance right?
In my last article, I looked at why it is important that your website is GDPR compliant. If this is something you have looked into yourself and received adequate training for, that is excellent news. On the other hand, GDPR might not be something you want to spend the time or energy on, so you may choose to delegate it to someone else. If you do, who might you use?
Perhaps you relied on your web developer to ensure your website is GDPR compliant, but I’m afraid that might not have been a good move. In my experience, web development companies usually do not have someone with GDPR expertise on board. This isn’t their fault. They are technicians who understand how to make a website work well and look good, and GDPR isn’t something they have thought about in any detail. They may know that a website has to have a Privacy Notice and a cookie banner, and be digitally secure, but it is quicker and easier for them to use an ‘off the shelf’ product to put together something that looks good but doesn’t actually do all that it is supposed to do. Knowing this, if you used your web developer and didn’t check what they produced, are you confident that what you have is actually GDPR compliant?
Perhaps you relied on your Compliance Officer to ensure that your website is GDPR compliant. If you did, what GDPR training did they receive? Was it an online training module or face-to-face training? Are you satisfied that it was sufficient and accurate in the information it provided? Did it go into specific details, or was it only a general overview course? Did it give them real-life scenarios to work from, so they had something they could bring back to your business, or was it just a load of jargon and theory? I have found that many general training companies only give an overview of GDPR, and sometimes not a very good one. You need to find training that is easy to understand without lots of jargon, and that gives you plenty of practical ideas to take back to your company.
Maybe you have a designated Data Protection Officer within your company. It’s great that you do, but what training have they received? Have they received a two-day introduction course or have you paid for them to become a certified GDPR Practitioner? This additional level of training will give you, and your DPO, the confidence that they have all the knowledge they need to comply with GDPR, including your website’s compliance.
And finally, you may rely on someone in your network or an external company to ensure you are GDPR compliant. For many, this is an attractive option as it reduces your risk, but have you researched them to check their qualifications? They should have received adequate, verifiable training that is suitable for their role, preferably to GDPR Practitioner level. And do you have the same person designated to your company, or could your enquiry be dealt with by anyone from a team? It must be better to have a single point of contact with a back-up, so that you can be confident that they truly understand your business and can advise appropriately.
Having read this, are you confident that you or someone you have delegated to is fully competent to check that your website is GDPR compliant?
Sarah Hodgkin-Bates is a qualified GDPR Practitioner and director of Morgan Armstrong Limited www.morgan-armstrong.com If you have any comments or questions about this article or GDPR in general, please email her at firstname.lastname@example.org
Published: 26 August 2021