What General Data Protection Regulation Means For You

GDPR (General Data Protection Regulation) is legislation that went into effect in May of 2018 which gives you as an individual more rights and protection over your personal data.

Companies will have to be transparent about what data they hold about you and why, and will no longer be able to spam you with unwanted marketing material or share your data with third parties without your knowledge. In our opinion, this is a hugely positive step forward for the rights of the individual in the context of the current multi-billion dollar data industry and the wake of the Facebook/ Cambridge Analytica scandal.

GDPR affects all businesses operating within the EU in terms of how they collect, use, share and store personally identifiable data such as names, addresses, phone numbers and emails. There is a misconception that GDPR only affects B2C businesses. GDPR also affects B2B businesses because client and employee names, emails and job roles can all be used to personally identify individuals.

How Will Businesses Need To Change?

Businesses require new procedures, contracts, rules, and other paperwork that was in place by May 25, 2018.  As part of this, your website will need to be GDPR compliant. However, it’s important to note that your website is largely a reflection of your internal policies and processes; you can’t update your website without first looking at your business. So before we jump into how to get your website GDPR compliant, let’s start with reviewing some of the key aspects your business will need to consider in light of GDPR.

Going forward, you must be upfront and honest about how you will use personal data e.g. letting individuals know why you’re collecting it and what you will do with it. You must ensure that all data you collect is lawfully processed e.g. if you’re an accounting firm, you can’t collect data about your clients’ political beliefs as it’s simply not relevant. You must also specifically name any third parties with whom you’re sharing personal data, and have new contracts in place with them as data processors.

Additionally, you must always give individuals the option to opt-in rather than opt-out of direct marketing – that means no more pre-ticked boxes saying ‘I want to receive promotions and updates, and you should check that any individuals currently on your mailing lists have consented to receive updates from you.

You must have adequate measures to securely store and protect personal data and can only store it for a valid time frame – this means you can’t keep data on your ex-clients years after they’ve ceased being your client. Upon request, you must also be able to give an individual a breakdown of all the data you hold about them and delete it permanently if they so wish. To see how ready your company is for GDPR, complete the governing body ISO’s checklist for getting ready for GDPR.

How To Be Sure Your Website Is General Data Protection Regulation Compliant

A page on your website that states what cookies are used on the site, both yours and from third parties and what data you capture with them and what you do with it. An example of a typical compliant cookie policy can be seen here on our website: Privacy Policy

You don’t need to have one but you do need to state what cookies are used and what the privacy policy is at the first point of arriving at the website – so a pop-up is the most logical and well-established solution. It needs to state that cookies are used on the site and that the user needs to agree to the use of the data as set out in the privacy and cookie policy.

The policy pages state what cookies are used (both yours and third-party ones) and that you have to agree to the terms in order to fully use the site. It is very possible that, as some cookies are purely functional and not data gathering tools, the site won’t work properly for you. You will, of course, have the right to request the website owner to disclose what information you hold about the user and it is permanently deleted.

The use of the website must not be limited to those who accept the use of the cookies. The user must be given the option to use the site without the use of cookies and decline the use of cookies for their session. It must be explained to them the cookie notice that if they decline the cookies the site may lose some functionality.

3. Privacy Policy

A privacy policy is a more thorough document that states the website owner’s full statement of what data is captured, when it was captured, what the data is used for, the third party’s details and the process, including the DPOs (Data Protection Officer) details as well as the process of requesting the user’s details and request that they be permanently deleted.

4. SSL certificate

Secure Sockets Layer certificate – it’s the encryption code process that sits on the hosting space of your website. It is the thing that makes the browser bar display a secure notice and sometimes go green and show a padlock symbol. The purpose is to securely encrypt all the details that are entered into any forms or fields on a website. A variety of SSL certificates are available.

5. Pseudonymization or Anonymization

– This one’s harder to resolve.

General Data Protection Regulation

Most websites that have user accounts and store information about their users (like your Amazon account storing your name, address, date of birth etc) store that data in an SQL database. This is a web-based database that the website calls to, queries and delivers your details when you sign in. In most instances, unless it’s online banking, these details will not be stored encrypted and so if the SQL file was accessed the content could be clearly read.

It’s very hard to both store and retrieve data in an encrypted way and that is why most sites don’t. However, as part of GDPR, ‘pseudonymization’ means that websites will need to start moving towards the users being identified by a username only and that the rest of the data is encrypted so that there is no possible connection between the user and the stored details. You will need to speak to your website developer and host about planning this change as it will take time, and planning and require a budget.

6. Newsletter Signups And Other Forms

If you have the facility for users to sign up on your website to receive a newsletter from you, you need to make sure the user has opted in to receive that subscription and you can ONLY send them what they signed up to receive.

You need to seek consent for each method you plan to email them, indicating how it is to be used and how you can unsubscribe. You cannot automatically assign users to receive the information they did not consent to. There must be separate opt-in boxes for each type of subscription/email content you wish to send.

E.g If a user signs up for a service they buy on your website, they will have to check a box to accept the terms of that service. If you offer a monthly marketing newsletter there will need to be a separate check box for them to select. It cannot be a ‘required’ field. You’ll also need to provide another separate check box if you also give the user’s details to another party. 

Read our article: Choosing HubSpot CRM As Your CRM Solution

General Data Protection Regulation states that it must be just as easy to withdraw as it was to sign up. Make sure you keep your contact preferences page easy to find. In addition, you may consider segmenting topics of interest and providing an opt-out checkbox for each one. Including easily identifiable opt-out links in all marketing emails can also help to remain GDPR compliant.

7. User Account Creation

If your website is an eCommerce one or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have both the SSL installed and also work towards the data being stored using pseudonyms. Recent headline examples (Uber, TalkTalk, Experian) have shown that even major internet giants aren’t doing this so better to talk to your web developer about how you can move towards this process.

8. Payment GatewaysGeneral Data Protection Regulation

If you have an eCommerce website and use one of the popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that (as well as ensuring the processes are followed in line with the above points) the payment gateway privacy policies are checked and referenced in your own privacy policy. If they are UK (or European) based, they will need to be GDPR compliant, if US-based, Privacy Shield compliant. The storage of actual payment details on a website falls under and is regulated by PCI compliance.

9. Enquiry & Contact Form

If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:

  • The website has an SSL
  • The details are not stored in the website’s SQL database unless stored encrypted
  • If they are sent to you by email, your email service provider adheres to GDPR rules and that the email is stored and sent according to GDPR secure methods. Many email service providers, like Google email and Outlook 365 are updating their terms of service in accordance with GDPR – it’s worth checking their policies to make sure your email provider complies. Email is one of the most common places private data gets abused and lost or misused.
  • Do you print out the email with the enquiry details? If you do, this is also a data risk. Ensure you have a shredding process in place to make sure that emails with users’ private details aren’t just put in the bin!
  • No pre-checked boxes to automatically sign the enquirer up to a newsletter.

The enquiry is explicit to that instance. You cannot then add the user’s details to your marketing database unless they have explicitly agreed to it using a separate check box.

10. Live Chats

If you have a live chat service on your website, you need to make sure that you refer to this third-party service in your cookie policy and privacy policy and that you review their GDPR/Privacy Shield policy. You may think the data isn’t being stored anywhere, but it is – very often the transcript of the chat is emailed to both parties once completed. The above principles of storage and use apply here, too.

11. Connected Email

While not strictly website-related, all email services and the storage of email from all with whom you are connected must be stored in accordance with DPA (Data Protection Act) & GDPR guidelines. In short, make sure you store your email data securely, use good anti-virus applications and archive and delete unnecessary emails completely. And have a Data Retention policy – a statement by your organization follows in terms of how you store data and for how long before it is deleted.

12. Social Media Account Connection

Using social media sites for your organization also falls under GDPR. While you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, you do need to ensure that any information gathered directly from people with whom you interact on these sites is handled in accordance with the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an enquiry, make sure the chat history is completely deleted when it’s done. Get the person to email you so that you can hold the formal connection outside of a social media channel.

You also need to make sure that your privacy policy refers to these third-party data controllers, especially as people use SSO (Single Sign-on) for logging into sites and also using their social media account logins for convenience. You also need to ensure that, if you use the details of your customers or connections on your social media page to promote your business you have their consent to do so.

General Data Protection Regulation

13. Google Analytics And Other User Tracking Systems

If you run Google Analytics on your site (or any other tracking service) you will need to make sure that it is referred to in the cookie policy and the privacy policy and that you ensure you check the third party’s own privacy policy to ensure they comply. While we know that Google Analytics will be both GDPR and Privacy Shield compliant, other, lesser-known tracking services may not be.

You must enable the anonymization option in Google Analytics to properly conform to GDPR. Google Analytics records users’ IP addresses in visitor reports and this is deemed as ‘identifiable information. You don’t really need it so turn it off. What’s not fully clear right now is how this will affect geographic reports. We’ll update you on this in the coming months.

14. CRM Connection

Related to points 6, 7, 8, 9 & 10. If your website captures a user’s data and then writes it into a CRM, such as Salesforce or Pardot, you need to make sure that the data collection process is secure, as previously referred, and that you refer to the third-party service in your privacy policy. Additionally, if your website automatically sends the enquiry directly into the CRM, the date, time, reason for capture and consent details are also captured. As a user, they have the legal right to ask you where you captured their details, when, was it explicit how the data will be used and how the details can be permanently deleted (also known as ‘request to be forgotten).

The Information Commissioner’s Office (ICO) has actually launched a dedicated advice line to help small organizations prepare for the new data protection laws (GDPR). The service is aimed at people running small businesses or charities and recognizes the particular problems they face getting ready for the new law.

Organizations Need To Make Sure They:

Have a Data Breach Process

The General Data Protection Regulation requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonimised data) within 72 hours. Further information on the reporting of a data breach can be found on the Information Commissioner’s Office website.

Appoint a Data Protection Officer (DPO)General Data Protection Regulation

All public authorities and any organization that processes personal data (the data controller) on a significant scale must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance of the GDPR regulations within the organization. Even if you don’t feel that your organization falls into this category we think that it is a good idea to appoint a DPO for your organization. This person can keep data protection high on the organization’s agenda and ensure that GPDR compliance is achieved and then maintained.

Have a ‘Right to be Forgotten’ Process

An organization must have a Privacy Policy statement on their website. This statement, amongst other things, must include what data is captured about the user, what it is used for, how long it is stored, whether it will be shared with anyone (and detailing who), and the process for a user to request to be provided with full exposure of what data is held about the user and the process for them to request it is completely removed from the organization’s system – aka ‘the Right to be Forgotten.

Have Good Default Privacy Settings

If your website captures any sort of user data or details, such as an eCommerce website or one that allows the user to have an account with some sort of profile that identifies them, make sure the website is set to the highest level of privacy for the user by default and that there are settings the user can choose to downgrade their settings if they wish – a bit like your privacy settings in your social media apps. DPOs should be checking that only data that is absolutely essential be captured.

Improve Data Encryption and Work Towards Storing User Profiles As Pseudonyms

Basically, if you’re storing personally identifiable data on your website (user accounts that have their names, email, shipping/billing addresses etc) you need to be working towards getting that data stored so that it is stored encrypted. Peudonymization is also something that should be considered. This basically means that account profiles have usernames or login methods that are not visibly connected to the actual individual – usually, this is done by having two databases for the website – one for the pseudonym and that database connects to the actual account details so that the whole profile does exist in one place. This reduces the exposure of PII (personally identifiable information) becoming exposed in the event of a data breach or hack.

The first step is having an SSL (secure sockets layer) certificate on your website that encrypts all the data entered into a website through form fields (like when you set up an account, buy something online or sign up to a newsletter etc. However, the data is most likely not stored encrypted. Most CMS systems, like WordPress, Drupal and Joomla don’t do this and you’ll need to have some customization done to your site to make the data get stored encrypted so that in the event of a breach, the data is useless and cannot show identifiable information to individuals.

Inbound marketing will help you grow your business by attracting website visitors, converting them into leads and closing leads into customers