5 Website Considerations for GDPR
The 25th of May is fast approaching, are you ready for the changes?
Most of you will be aware that General Data Protection Regulation, GDPR is an update of the 1998 Data Protection Act addressing how businesses store and handle personal data. From sole traders to blue chip companies the rules apply. GDPR requires full transparency with your customers informing them of exactly what they are signing up to, what and how their data is being used, stored and secured. Failure to meet with the new rules could result with penalties of up to 4% of your annual turnover.
As web designers and developers, we’ve been making sure we are ready for the changes and want to share the main considerations for your website.
Safe, Securely Stored & Updated,
If you have a website collecting consumer data or selling products online there are a few key things you need to consider;
- Data Audit
- Is your website secure?
- Is your software up to date?
- Are your consent and sign up forms GDPR compliant?
- How is your data stored?
Security applies to every aspect of your website including your data processors. If for example your MailChimp and Hubspot accounts are linked with your CMS, they are processing data. The first step should be to audit your data processors. For each one establish the following;
- How did you collect it?
- Is the third party data processor GDPR compliant?
- What is being stored
- How it’s being stored
- Why it’s being stored
Keeping Data Secure
You are responsible for the data you collect. Having a secure website is essential to meeting the obligations of GDPR. This can be achieved with a few simple steps and regular procedures. This includes,
- Having an SSL certificate
- Having Anti-Virus software & Firewalls
- Secure passwords & emails
Most businesses will have the above in place as standard, however it’s important to review and maintain the security of your website on a regular basis. In addition, anyone who is an admin of CMS should make sure that the email they use to access the website is different to those given on the contact pages, avoiding phishing. If you are storing information on backup drives, the cloud or for example on a USB you will also need procedures in place for this. For example, USB’s remain in the office, locked in a drawer and kept safe by the designated data controller.
More detailed information on how to secure your IT systems is available in the ICO guide. https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
- Who you are,
- What you are going to do with the information you collect
- Who (if anyone) will it be shared with
- Who your data controller is
- Contact information for the data controller
- Informing users of the rights they have under GDPR (with regards to accessing their own data)
- Whether users are required to provide personal data, and what happens if they don’t (put simply, if they don’t provide an email address it may mean they are unable to login to their account)
- Whether you transfer data internationally
- What your legal basis is for processing data
More information is available on the ICO website https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/what-should-you-include-in-your-privacy-notice/
Matters of Consent
Under the new rules, transparency is key. Make sure you are clearly outlining each individual activity, why you require the data and how you plan to use it. For businesses like us this means segmenting the activities e.g. if we want to communicate with our customers and contacts via e-news we need to tell them what we intend to communicate and why. We need to ask, if they wish to receive the information and ask them to opt in, agree, give their consent for us to use the information for this purpose only. In other words, we need to give them all the relevant information they need to make a choice; If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.
The box below contains standard wording the ICO tested with members of the public and, which constitutes good practice when seeking consent for direct marketing.
Here at [organisation name] we take your privacy seriously and will only use your personal information to administer
your account and to provide the products and services you have requested from us.
However, from time to time we would like to contact you
with details of other [specify products]/ [offers]/[services]/[competitions] we provide.
If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:
Post ☐ Email ☐ Telephone ☐
Text message ☐ Automated call ☐
We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that
they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide.
If you consent to us passing on your details for that purpose please tick to confirm:
I agree ☐
You are responsible for the data you collect, store and manage. This means having reporting systems in place in case of data breaches. Should you encounter a breach, you must report it to the relevant authority within 72 hours of discovery, informing the individuals involved if necessary e.g. the breach is likely to adversely affect the rights and freedom of the individual.
If you need any help getting ready for GDPR we can point you in the right direction. Working with our network of experts and professionals we can put you in touch with the right people and would be happy to talk through creative methods of marketing and data capture.
Call us on 01507 607783 or email firstname.lastname@example.org
*in this blog piece we are talking specifically about websites however any activity where you are collecting, storing and processing data you will need to ensure you are GDPR compliant for further and more detailed information please visit ico.org.uk