GDPR Legislation - Is Your Website Compliant?
The GDPR is a piece of EU legislation that has applied since 25 May 2018. It aims to create identical data privacy laws across all EU countries. Its purpose is to give people more control over how organisations use their personal information, or data. It still applies even though the UK will leave the EU: the UK has retained it in domestic law as the "UK GDPR".
The GDPR says:
Where you rely on consent, customers need to actively opt in; pre-ticked boxes and silence do not count.
You will need to use language that is easy to understand, and tell people that they can withdraw their consent at any time.
You must also report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected.
Individuals will be able to request information about how your business is using their data, what data you collect, and why.
Individuals will also be entitled to the "Right To Be Forgotten" (the right to erasure).
In the UK, the GDPR, together with the Data Protection Act 2018, replaces the Data Protection Act 1998. The GDPR was created to bring data protection rules up to date with how much data we produce, and how companies are using it.
What Is Personal Data?
The GDPR applies to all personal data. That means any information that could identify a living person, directly or indirectly.
This could include their name, location, phone number, email address or an online identifier such as an IP address. Some personal information is classed as "special category" data by the GDPR and needs more protection. That includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation.
What Is The Right To Be Forgotten?
People can also ask for their personal data to be deleted, for example when it is no longer needed for the purpose it was collected for, or when they withdraw the consent the processing was based on. This is known as the right to be forgotten.
This right also applies online. Someone could ask a company that has made their personal data available online to delete it, for example.
A company that has made the data public is obligated to take reasonable steps to inform other organisations processing it that the individual has requested erasure. The data, links to it and copies of it, including copies held in backups, must be deleted.
How Will GDPR Affect My Business?
Companies with 250 or more employees must keep a record of all of the data they are processing, including why, how customers opted in, who can see the data, and a description of their security measures. Smaller companies must still document processing that is not occasional, that involves special category data, or that is likely to result in a risk to individuals; in practice that covers most customer data. The Information Commissioner's Office (ICO) is responsible for enforcing the GDPR in the UK.
Where Do I Start?
You should carry out a Data Audit to help you identify all of the data you hold and everyone who processes it, and whether each processor is first or third party. We used a spreadsheet to collate the information for our business. For each set of data being processed you need to define:
What the data is being used for, and the lawful basis for using it
Where the data is being stored, and who can access it
How long you keep it before it is deleted
Whether you need the data at all: if it is not essential to your business operations, delete it.
Third Party Data Processors
For each of the third party data processors you should check their privacy policies and their data processing terms and make sure that:
EU-based data processors are GDPR compliant and offer a written processing agreement.
Processors outside the EU have a valid mechanism for receiving EU personal data. At the time of writing US-based processors could rely on Privacy Shield, but the EU Court of Justice invalidated Privacy Shield in July 2020 (the "Schrems II" judgment), so transfers to the US now need another basis such as Standard Contractual Clauses.
Add this information to your spreadsheet.
What If They’re Not Compliant?
If the third party is not yet compliant with GDPR, or has no valid mechanism for transfers outside the EU:
Contact them and find out if and when they plan on becoming compliant.
In the unlikely situation where a third party data processor is not compliant and has no plans to become compliant, you should seek to replace them with a compliant provider.
In this situation you should also ask the current provider for a copy of the data that they hold for you and then insist that they securely delete your data from all of their digital systems including backups.
Remove The Weakest Links
During the data audit any weak aspects of your website should come to light. An example could be the non-compliant third party data processor described above. Other examples could be email accounts that do not use TLS, website traffic served over plain HTTP, or contact form submissions that have been saved to your website's database and never cleared out. Whatever the weak links are, you should aim to strengthen or remove them. Again, keep notes on the spreadsheet.
Designate a Data Protection Officer (DPO)
A DPO is an individual or individuals designated by the Data Controller (your business) to be responsible for monitoring internal compliance with the GDPR within your organisation. This could be a specifically trained employee within the organisation or a position that is out-sourced, depending on the size of your business. A formal DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data. Unless that describes you, a suitably informed in-house member of staff with clear responsibility for data protection should be perfectly sufficient for this role.
It is vital to communicate to your users how and why you're collecting and using their data.
Be clear and concise and give them a way to request a copy of it or have it deleted if they wish.
You will need to make it transparent what you will do with the information once you've received it, and how long you will retain this information both on your website and in your office systems.
You will also need to detail any applications that you are using to track user interaction.
Update Your Terms & Conditions
You will also need to update the Terms and Conditions and the privacy policy on your website to reflect the GDPR.
Review Company Email Accounts
Are email accounts secured with strong authentication, and is mail encrypted in transit (TLS) and at rest? How long are emails containing personal data stored before they are deleted?
Email Marketing Sign Up Forms
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to "no" or be blank. You will need to check all your forms to ensure this is the case. How much information do you really need to request? Is the data encrypted? Have you asked permission to use and store this information? Have you explained how you will use the data and given them the option to agree to each specific process? Where will you store it and for how long? How does the user remove themselves?
The consent you are asking for should be set out separately from acceptance of your terms and conditions, and separately for each other way of using the data.
Users should be able to provide separate consent for different types of processing. Therefore, your website needs to ask for specific permission for each purpose you will use the data for, for each method of contact (email, SMS and post), and for what can be shared with third parties.
Easy to Withdraw Permission or Opt-Out
It must be just as easy to remove consent as it was to grant it. Individuals always need to know they have the right to withdraw their consent. In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication. It should also be easy to change the frequency of communication, or stop all communications entirely.
Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations. They need to be named.
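The form rules above (blank by default, one permission per purpose and per channel, named third parties, withdrawal as easy as the grant) also mean you need a record showing what each person agreed to and when. The following is an added example written for this article, not code from the article's author; it assumes a hypothetical sign-up form that posts one checkbox per purpose and channel named "consent:<purpose>:<channel>", and the purposes, channels and recipient company name are placeholders.

```python
"""Recording granular consent from a sign-up form.

Added example, not from the article. Hypothetical assumptions: the form
posts one checkbox per purpose and channel, named
"consent:<purpose>:<channel>", and browsers omit unticked checkboxes, so an
absent field means no consent.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

PURPOSES = ("newsletter", "offers")
CHANNELS = ("email", "sms", "post")

# Third parties that data is shared with must be named, not described as a
# category. The company name here is a placeholder.
NAMED_RECIPIENTS = {"offers": ("ExampleMail Ltd",)}


@dataclass
class ConsentEvent:
    purpose: str
    channel: str
    granted: bool
    at: datetime
    source: str  # which form/version collected it, so the wording can be shown later


@dataclass
class ConsentRecord:
    subject: str
    events: list = field(default_factory=list)

    def grant(self, purpose, channel, source, at=None):
        self._add(purpose, channel, True, source, at)

    def withdraw(self, purpose, channel, source, at=None):
        # Withdrawal is recorded the same way as a grant: one call, no extra steps.
        self._add(purpose, channel, False, source, at)

    def withdraw_all(self, source, at=None):
        # "Stop all communications" from a single unsubscribe link.
        for p in PURPOSES:
            for c in CHANNELS:
                if self.permitted(p, c):
                    self.withdraw(p, c, source, at)

    def permitted(self, purpose, channel):
        # Latest event for the pair wins; no event at all means no consent.
        for ev in reversed(self.events):
            if ev.purpose == purpose and ev.channel == channel:
                return ev.granted
        return False

    def recipients(self, purpose):
        # Named third parties may only receive data while consent for the purpose stands.
        if any(self.permitted(purpose, c) for c in CHANNELS):
            return NAMED_RECIPIENTS.get(purpose, ())
        return ()

    def _add(self, purpose, channel, granted, source, at):
        if purpose not in PURPOSES or channel not in CHANNELS:
            raise ValueError(f"unknown purpose/channel: {purpose}/{channel}")
        self.events.append(ConsentEvent(purpose, channel, granted,
                                        at or datetime.now(timezone.utc), source))


def record_from_form(subject, form, source, at=None):
    """Build a record from submitted form fields. Only an explicit "on" is a
    grant; a missing field is "no". The server cannot tell a pre-ticked box
    from a deliberate tick, so the boxes must be unticked in the markup."""
    rec = ConsentRecord(subject)
    for purpose in PURPOSES:
        for channel in CHANNELS:
            if form.get(f"consent:{purpose}:{channel}") == "on":
                rec.grant(purpose, channel, source, at)
    return rec


if __name__ == "__main__":
    # Constructed submission: the visitor ticked only newsletter-by-email.
    submitted = {"email": "ann@example.com", "consent:newsletter:email": "on"}
    rec = record_from_form("ann@example.com", submitted, "signup-form v3")
    print(rec.permitted("newsletter", "email"), rec.permitted("offers", "email"))
    rec.withdraw("newsletter", "email", "unsubscribe-link")
    print(rec.permitted("newsletter", "email"), len(rec.events))
```

The record is append-only so you can show the history of a person's choices, including which form version they saw, rather than only their current state.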
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details on to the payment gateway. If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary, and you should write the period down so it can be applied consistently.
Is the data stored securely, and how long will you store it for? Who has access to the data stored? The first step to compliance is to understand exactly who these people are and compile a list. You should then examine the list and ask whether all those people genuinely require access to this data. If the answer is no, their permission should be revoked and measures must be implemented to control future access. This applies to both internal and external parties. Agencies should be able to explain clearly what measures they have taken to keep the data you provide them with secure.
Data Deletion Process
There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.
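The retention period from the payment example above and the deletion process described here, together with the earlier point that an erasure request must reach copies and backups, can be enforced by a scheduled job rather than by hand. The following is an added example written for this article, not code from the article's author. The data categories, retention periods (other than the article's 60 days for checkout details), store names and the "invoice" legal-hold category are hypothetical; the legal-hold exemption itself reflects GDPR Article 17(3)(b), which lets records be kept where another legal obligation requires them.

```python
"""Retention purge and right-to-erasure handling across every data store.

Added example, not from the article. Records are plain dicts with "id",
"category", "subject" (the person's email address) and "created" (UTC).
Periods and categories are illustrative assumptions, except the 60 days
the article gives for checkout details.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Retention per category, in days. None = no fixed period (kept while consent stands).
RETENTION_DAYS = {
    "checkout_details": 60,        # the article's example period
    "contact_form": 90,            # assumption
    "newsletter_subscriber": None, # assumption: lives until consent is withdrawn
    "invoice": 6 * 365,            # assumption: accounting retention
}

# Categories that survive an erasure request because another legal obligation
# requires them (GDPR Art. 17(3)(b)). Which categories qualify is an assumption.
LEGAL_HOLD = {"invoice"}


def is_expired(record, now):
    days = RETENTION_DAYS[record["category"]]
    if days is None:
        return False
    return now - record["created"] >= timedelta(days=days)


def purge_expired(stores, now):
    """Delete expired records from every store (primary DB, backups, exports).
    Returns the ids deleted per store; the personal data itself is not logged."""
    deleted = {}
    for name, records in stores.items():
        deleted[name] = [r["id"] for r in records if is_expired(r, now)]
        records[:] = [r for r in records if not is_expired(r, now)]
    return deleted


def subject_token(subject):
    # The audit trail must not itself retain the identifier that was erased.
    return hashlib.sha256(subject.strip().lower().encode()).hexdigest()[:16]


def erase_subject(stores, subject, now):
    """Handle a right-to-erasure request: remove the person's records from
    every store, keeping only legal-hold categories, and return an audit entry."""
    removed, retained = {}, {}
    for name, records in stores.items():
        keep, dropped = [], []
        for r in records:
            if r["subject"].lower() != subject.strip().lower():
                keep.append(r)
            elif r["category"] in LEGAL_HOLD:
                keep.append(r)
                retained.setdefault(name, []).append(r["id"])
            else:
                dropped.append(r["id"])
        records[:] = keep
        removed[name] = dropped
    return {"subject": subject_token(subject), "at": now.isoformat(),
            "removed": removed, "retained_under_legal_hold": retained}


def sample_stores(now):
    """Constructed sample data: a primary store and a nightly backup copy."""
    def rec(id_, category, subject, age_days):
        return {"id": id_, "category": category, "subject": subject,
                "created": now - timedelta(days=age_days)}
    primary = [
        rec(1, "checkout_details", "ann@example.com", 61),
        rec(2, "checkout_details", "bob@example.com", 10),
        rec(3, "contact_form", "ann@example.com", 30),
        rec(4, "invoice", "ann@example.com", 200),
        rec(5, "newsletter_subscriber", "carl@example.com", 400),
    ]
    return {"primary": primary, "nightly_backup": [dict(r) for r in primary]}


if __name__ == "__main__":
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    stores = sample_stores(now)
    print(purge_expired(stores, now))
    print(erase_subject(stores, "Ann@example.com", now))
```

Two points are easy to miss in a hand-rolled deletion script and are deliberately covered here: the job runs over every copy you hold, not just the live database, and the audit log records a hash of the identifier so that proving you deleted someone's data does not mean keeping their email address forever.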
The GDPR requires you to protect personal data with appropriate technical measures and names encryption as one of them, so any form that submits personal data to your website should be served over HTTPS. In practice that means installing a TLS certificate (often still called an SSL certificate) for your site, redirecting all plain HTTP requests to HTTPS, and checking that the form itself and any scripts it loads are not served over HTTP.
Website Cookies & Third Party Tracking Software
Carry out an audit of cookies and ensure that all notices comply with GDPR best practice; in the UK, non-essential cookies also require consent under PECR. Be especially aware of third-party tracking software (Leadfeeder, Lead Forensics or CANNDI) that identifies visitors from their IP address. Whether and how such tracking can be reconciled with the GDPR is a grey area, so you need to review your contract with such software providers carefully and be able to explain the lawful basis you are relying on.
The Whole Business
The changes being introduced with GDPR will permeate your entire business not just your website or digital marketing activities. You should consider the following:
You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
Do you need to either gain or refresh consent for the data you hold?
Do you have a defined policy for how long you retain personal data, so you don't retain it unnecessarily?
Is your data being held securely?
Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
Need Some Help?
There are still people who have NOT implemented GDPR policy into their websites.