GDPR (General Data Protection Regulation) is new legislation coming into effect from 25th May 2018 which gives you as an individual more rights and protection over your personal data.
Companies will have to be transparent about what data they hold about you and why, will no longer be able to spam you with unwanted marketing material, nor share your data with third parties without your knowledge. In our opinion this is a hugely positive step forward for the rights of the individual in the context of the current multi-billion dollar data industry and wake of the Facebook/ Cambridge Analytica scandal.
GDPR affects all businesses operating within the EU in terms of how they collect, use, share and store personally identifiable data such as names, addresses, phone numbers and emails. There is a misconception that GDPR only affects B2C businesses. GDPR also affects B2B businesses because client and employee names, emails and job roles can all be used to personally identify individuals.
How Will Businesses Need To Change?
Businesses will need to have new policies, processes, documentation and contracts in place by 25th May 2018. As part of this, your website will need to be GDPR compliant. However, it’s important to note that your website is largely a reflection of your internal policies and processes; you can’t update your website without first looking at your business. So before we jump into how to get your website GDPR compliant, let’s start with reviewing some of the key aspects your business will need to consider in light of GDPR.
Going forward, you must be up front and honest about how you will use personal data e.g. letting individuals know why you’re collecting it and what you will do with it. You must ensure that all data you collect is lawfully processed e.g. if you’re an accounting firm, you can’t collect data about your clients’ political beliefs as it’s simply not relevant. You must also specifically name any third parties with whom you’re sharing personal data, and have new contracts in place with them as data processors.
You must always give individuals the option to opt-in rather than opt-out of direct marketing – that means no more pre-ticked boxes saying ‘I want to receive promotions and updates’; and you should check that any individuals currently on your mailing lists have consented to receiving updates from you.
You must have adequate measures to securely store and protect personal data and can only store it for a valid time frame – this means you can’t keep data on your ex-clients years after they’ve ceased being your client. Upon request, you must also be able to give an individual a breakdown of all the data you hold about them and delete it permanently if they so wish.To see how ready your company is for GDPR, complete the governing body ISO’s checklist for getting ready for GDPR.
How To Be Sure Your Website Is GDPR Compliant
2. Cookie & Privacy Popup Notice
The policy pages state what cookies are used (both yours and third-party ones) and that you have to agree to the terms in order to fully use the site. It is very possible that, as some cookies are purely functional and not data gathering tools, that the site won’t work properly for you. You will, of course, have the right to request to the website owner to disclose what information you hold about the user and it be permanently deleted.
4. SSL certificate
Secure Sockets Layer certificate – it’s the encryption code process that sits on the hosting space of your website. It the thing that makes the browser bar display a secure notice and sometimes go green and show a padlock symbol. The purpose is to securely encrypt all the details that are entered into any forms or fields on a website. A variety of SSL certificates are available.
5. Pseudonymization or Anonymization
– This one’s harder to resolve.
Most websites that have user accounts and store information about its users (like your Amazon account storing your name, address, date of birth etc) store that data in an SQL database. This is a web-based database that the website calls to, queries and delivers your details when you sign in. In most instances, unless it’s online banking, these details will not be stored encrypted and so if the SQL file was accessed the content could be clearly read.
It’s very hard to both store and retrieve data in an encrypted way and is why most sites don’t. However, as part of GDPR, ‘pseudonymization’ means that websites will need to start moving towards the users being identified by a username only and that the rest of the data is encrypted so that there is no possible connection between the user and the stored details. You will need to speak to your website developer and host about planning this change as it will take time, planning and require a budget.
6. Newsletter Signups And Other Forms
If you have the facility for users to sign up on your website to receive a newsletter from you, you need to make sure the user has opted in to receive that subscription and you can ONLY send them what they signed up to receive.
You need to seek consent for each method you plan to email them, indicating how it is to be used and how you can unsubscribe. You cannot automatically assign users to receive information they did not consent to. There must be separate opt-in boxes for each type of subscription/email content you wish to send.
E.g If a user signs up to a service they buy on your website, they will have to check a box to accept the terms of that service. If you offer a monthly marketing newsletter there will need to be a separate check box for them to select. It cannot be a ‘required’ field. You’ll also need to provide another separate check box if you also give the user’s details to another party.
Easy To Withdraw Consent
GDPR states that it must be just as easy to withdraw as it was to sign up. Make sure you keep your contact preferences page easy to find. In addition, you may consider segmenting topics of interest and providing an opt-out checkbox for each one. Including easily identifiable opt-out links in all marketing emails can also help to remain GDPR compliant.
7. User Account Creation
If your website is an eCommerce one or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have both the SSL installed and also work towards the data being stored using pseudonyms. Recent headline examples (Uber, TalkTalk, Experian) have shown that even major internet giants aren’t doing this so better to talk to your web developer about how you can move towards this process.
8. Payment Gateways
9. Enquiry & Contact Form
If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:
- The website has an SSL
- The details are not stored in the website’s SQL database unless stored encrypted
- If they are sent to you by email, your email service provider adheres to GDPR rules and that the email is stored and sent according to GDPR secure methods. Many email service providers, like Googlemail and Outlook 365 are updating their terms of service in accordance with GDPR – it’s worth checking their policies to make sure your email provider complies. Email is one of the most common places private data gets abused and lost or misused.
- Do you print out the email with the enquiry details on? If you do, this is also a data risk. Ensure you have a shredding process in place to make sure that emails with user’s private details aren’t just put in the bin!
- No pre-checked boxes to automatically sign the enquirer up to a newsletter.
The enquiry is explicit to that instance. You cannot then add the user’s details to your marketing database unless they have explicitly agreed to it using a separate check box.
10. Live Chats
11. Connected Email
While not strictly website-related, all email services and the storage of email from all with whom you are connected, must be stored in accordance with DPA (Data Protection Act) & GDPR guidelines. In short, make sure you store your email data securely, use good anti-virus applications and archive and delete unnecessary email completely. And have a Data Retention policy – a statement by which your organization follows in terms of how you store data and for how long before it is deleted.
12. Social Media Account Connection
Using social media sites for your organization also falls under GDPR. While you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, you do need to ensure that any information gathered directly from people with whom you interact on these sites is handled in accordance with the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an enquiry, make sure the chat history is completely deleted when it’s done. Get the person to email you so that you can hold the formal connection outside of a social media channel.
13. Google Analytics And Other User Tracking Systems
You must enable the anonymization option in Google Analytics to properly conform to GDPR. Google Analytics records user’s IP addresses in visitor reports and this is deemed as ‘identifiable information’. You don’t really need it so turn it off. What’s not fully clear right now is how this will affect geographic reports. We’ll update on this in the coming months.
14. CRM Connection
The Information Commissioner’s Office (ICO) has actually launched a dedicated advice line to help small organizations prepare for the new data protection laws (GDPR). The service is aimed at people running small businesses or charities and recognizes the particular problems they face getting ready for the new law.
Organizations Need To Make Sure They:
Have a Data Breach Process
The GDPR requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonimised data) within 72 hours. Further information on the reporting of a data breach can be found on the Information Commissioner’s Office website.
Appoint a Data Protection Officer (DPO)
All public authorities and any organization that processes personal data (the data controller) on a significant scale must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance of the GDPR regulations within the organization. Even if you don’t feel that your organization falls into this category we think that it is a good idea to appoint a DPO for your organization. This person can keep data protection high on the organization’s agenda and ensure that GPDR compliance is achieved and then maintained.
Have a ‘Right to be Forgotten’ Process
Have Good Default Privacy Settings
If your website captures any sort of user data or details, such as an eCommerce website or one that allows the user to have an account with some sort of profile that identifies them, make sure the website is set to the highest level of privacy for the user by default and that there are settings the user can choose to downgrade their settings if they wish – a bit like your privacy settings in your social media apps. DPOs should be checking that only data that is absolutely essential be captured.
Improve Data Encryption and Work Towards Storing User Profiles As Pseudonyms
Basically, if you’re storing personally identifiable data on your website (user accounts that have their names, email, shipping/billing addresses etc) you need to be working towards getting that data stored so that it is stored encrypted. Peudonymization is also something that should be considered. This basically means that account profiles have usernames or login methods that are not visibly connected to the actual individual – usually this is done by having two databases for the website – one for the pseudonym and that database connects to the actual account details so that the whole profile does exist in one place. This reduces the exposure of PII (personally identifiable information) becoming exposed in the event of a data breach or hack.
The first step is having an SSL (secure sockets layer) certificate on your website that encrypts all the data entered into a website through form fields (like when you set up an account, buy something online or sign up to a newsletter etc. However, the data is most likely not stored encrypted. Most CMS systems, like WordPress, Drupal and Joomla don’t do this and you’ll need to have some customization done to your site to make the data get stored encrypted so that in the event of a breach, the data is useless and cannot show identifiable information to individuals.