Make Your Website GDPR Compliant
WHAT IS THE GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation that strengthens data protection for EU citizens and residents, and it applies to organisations that handle their personal data both within the EU and in the wider world.
Any organisation that decides how and why personal data is collected and processed (a Data Controller under the GDPR) must comply, and so must anyone processing that data on its behalf (a Data Processor). This covers far more than organisations that run websites or apps: it includes any organisation that keeps an internal database, a CRM or even just email.
1) What data is being captured and held?
2) When and where is it captured?
3) How long will the data be stored?
4) How is it being used?
5) Do you have explicit consent from the user to hold and use the data?
6) Do you display who to contact to find out what data you hold about a user and how it is being used?
7) Do you display the process for a user to ask to have all the data you hold about them permanently removed from your system? (The right to erasure, AKA the Right to be Forgotten.)
1) You must have a specific, stated purpose for every piece of data you hold, and use it only for that purpose. For example, you cannot add someone to an email marketing list for a service other than the one they enquired about through a web form. If they specifically asked about AdWords services and you start sending them information on website building, that is not what they consented to, unless the enquiry form had a checkbox allowing you to send offers about other services and they ticked it.
2) The user must be able to withdraw their consent to you holding and using their information at any stage, and withdrawing consent must be as easy as giving it.
1) Breach of Data. Know how you would detect a breach and who you would tell: the GDPR requires a reportable breach to be notified to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals where the risk to them is high.
2) Appoint a Data Protection Officer. The GDPR only makes a formal DPO mandatory in certain cases (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data), but every organisation should name someone who is available to answer GDPR-related questions about your site and the data it holds.
3) Have a process by which users can request that their data be removed from the site, and a way to actually carry that out across every system that holds a copy.
Take a data audit
List every place where you know you capture users’ data, then mark each one with a 1 or a 3 to track which are first-party (your own organisation) and which are third-party data processors.
For each data processor consider the following:
- What are you using the data for?
- Where is the data being stored?
- Do you still need to hold the data?
For the purposes of this article, a data processor is anything you use to send, receive or store information from or about users of your website.
2. Cookie & Privacy Popup Notice
4. SSL Certificate
5. Newsletter Signups
6. User Account Creation
If your website takes eCommerce transactions or lets users register for services behind a login area, you will need to ensure both that an SSL/TLS certificate is installed (as referred to in point 4) and that you are working towards storing personal data pseudonymously: the records your application works with day to day carry a token rather than a name or email address, and the mapping back to the real person is kept separately under tighter access control. Account passwords in particular must never be stored in plain text or in a reversible form; use a dedicated slow, salted password hash (bcrypt, scrypt or Argon2). Recent headline breaches (Uber, TalkTalk, Experian) have shown that even large, well-resourced companies aren’t doing this, so talk to your web developer about how you can move towards it.
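As an added example (not code from the original article or from any of the companies named above), the following Python sketches a minimal pseudonymised account store. It assumes an in-memory operational table and identity table, a single HMAC key held outside the data store, and a constructed sample customer. It keeps orders and login credentials apart from the identifying fields, hashes the password with a slow salted KDF, and shows how erasing the identity row leaves an order history that can no longer be tied to a person.

```python
"""Pseudonymised storage of customer accounts.

Added example for this article, not the article's or any vendor's code.
The record layout, the two in-memory "stores" and the key handling are
assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
import secrets

# Key for the pseudonymising HMAC. In production it lives in a secrets
# manager or HSM, never alongside the data; here it is generated in memory.
PSEUDONYM_KEY = secrets.token_bytes(32)
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for SHA-256


def pseudonym(identifier, key=PSEUDONYM_KEY):
    """Deterministic keyed token for an identifier such as an email address.

    The same email always yields the same token, so orders can still be joined
    to an account, but without the key nobody can reverse the token or confirm
    a guessed email against it (which a plain, unkeyed SHA-256 would allow).
    """
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow, salted password hash. PBKDF2-HMAC-SHA256 is used because it is in
    the standard library; bcrypt, scrypt or Argon2 are preferable where available."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Check a password against a hash produced by hash_password()."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def split_record(customer):
    """Split a raw sign-up into an operational row and an identity row.

    operational: what the shop and login system work with every day.
    identity:    the only place the token maps back to a real person.
    """
    token = pseudonym(customer["email"])
    operational = {
        "customer_token": token,
        "password_hash": hash_password(customer["password"]),
        "orders": list(customer["orders"]),
    }
    identity = {
        "customer_token": token,
        "email": customer["email"],
        "name": customer["name"],
    }
    return operational, identity


def erase_customer(email, operational_store, identity_store):
    """Right to erasure: drop the identity row so the remaining order history is
    no longer attributable to a person. Returns the number of identity rows removed.
    Order rows stay in operational_store for accounting, keyed only by the token."""
    token = pseudonym(email)
    before = len(identity_store)
    identity_store[:] = [row for row in identity_store if row["customer_token"] != token]
    return before - len(identity_store)


# Constructed sample sign-up (not real data).
SAMPLE_CUSTOMER = {
    "email": "Alice.Example@example.com",
    "name": "Alice Example",
    "password": "correct horse battery staple",
    "orders": [{"id": 1001, "total": 42.50}],
}

if __name__ == "__main__":
    operational_db, identity_db = [], []
    op_row, id_row = split_record(SAMPLE_CUSTOMER)
    operational_db.append(op_row)
    identity_db.append(id_row)
    print("operational row:", op_row)  # no email, no name, no plaintext password
    print("login ok:", verify_password("correct horse battery staple", op_row["password_hash"]))
    print("erased:", erase_customer("alice.example@example.com", operational_db, identity_db))
    print("orders kept:", len(operational_db), "identity rows left:", len(identity_db))
```

The pseudonym is a keyed HMAC rather than a plain hash because an email address has very little entropy: anyone holding an unkeyed hash could confirm a guessed address in milliseconds. The flip side is that the key re-identifies every record, so it needs the same protection as the identity table itself.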
7. Payment gateways
8. Enquiry & Contact form
If your website has an enquiry form through which people submit messages to you, ensure the following:
The site is served over HTTPS (an SSL/TLS certificate is installed), so submissions are not sent in clear text.
Submissions are not stored in the website’s SQL database unless they are encrypted at rest, and they are purged once they have been dealt with.
If submissions are emailed to you, your email provider must itself comply with the GDPR, and the message must be transmitted and stored securely (TLS between mail servers, encrypted and access-controlled storage). Most providers, including Google’s Gmail/G Suite and Microsoft’s Office 365, have updated their terms of service and offer data processing agreements in line with the GDPR; check your provider’s policies to confirm. Email is one of the most common places where personal data is lost, leaked or misused.
9. Live Chats
10. Connected Email
Whilst not strictly website-related, all email services, and the stored email of everyone you correspond with, must be handled in accordance with the DPA (Data Protection Act) and the GDPR. In short: store your email securely, run good anti-malware protection, and archive or completely delete email you no longer need. Have a Data Retention policy, a statement your organisation follows that sets out how data is stored and for how long before it is deleted. Many businesses settle on around two years for general correspondence; anything older is usually out of date anyway. The exception is regulated industries (Financial Services, Medical, Governmental, HMRC and so on), where you may be required to keep records for longer, particularly accounting and finance records. Check with your regulator if you fall into this bracket.
11. Social Media Account Connection
Using social media sites for your organisation also falls under GDPR. Whilst you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, you do need to ensure that any information gathered directly from people with whom you interact on these sites is handled in accordance with the GDPR privacy guidelines.
12. Google Analytics (and other user tracking systems)
You must enable IP anonymisation in Google Analytics to conform to the GDPR. Google Analytics receives every visitor’s IP address and uses it for geolocation, and an IP address counts as personal data under the GDPR. You don’t really need the full address, so turn anonymisation on: in the gtag.js snippet pass anonymize_ip: true in the config call; in the older analytics.js snippet call ga('set', 'anonymizeIp', true) before sending the pageview. With it enabled, Google zeroes the last octet of IPv4 addresses (the last 80 bits of IPv6 addresses) before the data is stored, so geographic reports still work but city-level location becomes slightly less precise.
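The same truncation rule applies to “other user tracking systems”, including your own web server access logs. The following added example (not Google’s code and not from the original article) reproduces the rule Google documents for Analytics and applies it to access-log lines before they are stored; the Apache/NGINX-style log lines are constructed samples using documentation addresses, not real traffic.

```python
"""IP anonymisation for analytics and server logs.

Added example for this article, not Google's code. It applies the rule Google
documents for Analytics IP anonymisation (zero the last octet of an IPv4
address, the last 80 bits of an IPv6 address) to a web server access log so
that full client addresses are never written to disk. The sample log lines are
constructed, combined-format examples, not real visitors.
"""
import ipaddress
import re

# The first field of a combined-format access log line is the client address.
LOG_LINE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")


def anonymise_ip(ip_text):
    """Truncate an address to the prefix Google Analytics keeps: /24 for IPv4, /48 for IPv6.

    Returns the input unchanged if it is not a valid IP address (for example '-' or a
    hostname), so one malformed line never aborts processing of the whole log.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network("{}/{}".format(addr, prefix), strict=False)
    return str(network.network_address)


def anonymise_log_line(line):
    """Rewrite the client IP in one access-log line; all other fields are untouched."""
    match = LOG_LINE.match(line)
    if not match:
        return line
    return anonymise_ip(match.group("ip")) + match.group("rest")


def anonymise_log(lines):
    """Anonymise a whole log (a list of lines) before it is written to storage."""
    return [anonymise_log_line(line) for line in lines]


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/May/2018:13:55:36 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:13:55:40 +0000] "POST /enquiry HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '- - - [10/May/2018:13:55:41 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.9"',
]

if __name__ == "__main__":
    for anonymised in anonymise_log(SAMPLE_LOG):
        print(anonymised)
```

Run this as the log shipper or log-rotation step so the anonymised copy is the only one that persists; anonymising a log that has already been retained for months does not undo the earlier processing of the full addresses.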
13. CRM Connection
We suggest that you carry out a review for your own business and your website.