In case you are not aware, the Data Protection Act is being replaced by the General Data Protection Regulation (GDPR) on 25th May 2018.
This page gives you a brief indication of the changes you need to make to your relationship with Sitekit, and of the changes you may need to make to your website to bring it into compliance.
Your relationship with Sitekit
Sitekit operate as a data processor for you, with you as the data controller. Under the revised legislation this relationship needs to be formalised in a Data Processing Agreement (DPA). Sitekit have produced a template for use as a DPA, which is available here. If you would prefer to use your own, you can draft your own and submit it to Sitekit for review and signature (where suitable). The key point is that our relationship must be formalised in a Data Processing Agreement.
Your relationship with your site's visitors
As a data controller you may need to make some changes to your website(s). You may also need to be able to provide evidence that you are doing the following:
- Carry out a Privacy Impact Assessment (PIA) for your site if you are working with data classified as confidential and sensitive, e.g. health information or any information that could be used to discriminate. The PIA must identify privacy risks arising from the site and the actions to mitigate them.
- If you are processing data about individuals, you must publish a Privacy Statement that gives the user your contact details, a summary of the information collected, and how it will be used.
- If you use Consent as a legal basis for processing, consent must be freely given, must be obtained by positive action (not implied by omission) and presented in a manner clearly distinguishable from other matters in an intelligible and easily accessible form. Consent must be as easy to withdraw as it is to give.
- The granting and revocation of consent must be recorded.
- You must also provide mechanisms that allow individuals to object to processing, to change their details, to obtain a copy of their details, to withdraw consent for automated processing (profiling), to make a complaint, to request deletion of their data, or to request the sources of the data that you hold. This can be as simple as giving people contact details through which to request changes. It does not necessarily need to be automated unless you anticipate a high volume of requests.
In the coming month the CMS will be upgraded to provide tools to assist you with some of these items. These tools are outlined here.