Is your website GDPR ready?

5 Website Considerations for GDPR

The 25^th of May is fast approaching, are you ready for the changes?

Most of you will be aware that General Data Protection Regulation, GDPR is an update of the 1998 Data Protection Act addressing how businesses store and handle personal data. From sole traders to blue chip companies the rules apply. GDPR requires full transparency with your customers informing them of exactly what they are signing up to, what and how their data is being used, stored and secured. Failure to meet with the new rules could result with penalties of up to 4% of your annual turnover.

As web designers and developers, we’ve been making sure we are ready for the changes and want to share the main considerations for your website.

Safe, Securely Stored & Updated,

If you have a website collecting consumer data or selling products online there are a few key things you need to consider;

1. Data Audit
2. Is your website secure?
3. Is your software up to date?
4. Have you updated your privacy policy?
5. Are your consent and sign up forms GDPR compliant?
6. How is your data stored?

Data Audit

Security applies to every aspect of your website including your data processors. If for example your MailChimp and Hubspot accounts are linked with your CMS, they are processing data. The first step should be to audit your data processors. For each one establish the following;

• How did you collect it?
• Is the third party data processor GDPR compliant?
• What is being stored
• How it’s being stored
• Why it’s being stored

For example, storing names and email addressed collected from sign up forms, clearly document, how the information was obtained, why it was obtained, how you plan to use it and how you plan to keep it secure. Once you’ve established the above you need to make sure this is transparent clearly stating the reasons for collecting the data, how you plan to use it, how you secure it and how it can be removed from your system. This can be done via your privacy policy and consent forms.

Keeping Data Secure

You are responsible for the data you collect. Having a secure website is essential to meeting the obligations of GDPR. This can be achieved with a few simple steps and regular procedures. This includes,

• Having an SSL certificate
• Having Anti-Virus software & Firewalls
• Secure passwords & emails

Most businesses will have the above in place as standard, however it’s important to review and maintain the security of your website on a regular basis. In addition, anyone who is an admin of CMS should make sure that the email they use to access the website is different to those given on the contact pages, avoiding phishing. If you are storing information on backup drives, the cloud or for example on a USB you will also need procedures in place for this. For example, USB’s remain in the office, locked in a drawer and kept safe by the designated data controller.

 More detailed information on how to secure your IT systems is available in the ICO guide. https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf

Privacy Policy

Make sure you’ve updated the privacy policy on your website outlining following key information,

• Who you are,
• What you are going to do with the information you collect
• Who (if anyone) will it be shared with
• Who your data controller is
• Contact information for the data controller
• Informing users of the rights they have under GDPR (with regards to accessing their own data)
• Whether users are required to provide personal data, and what happens if they don’t (put simply, if they don’t provide an email address it may mean they are unable to login to their account)
• Whether you transfer data internationally
• What your legal basis is for processing data

More information is available on the ICO website https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/what-should-you-include-in-your-privacy-notice/

Matters of Consent

Under the new rules, transparency is key. Make sure you are clearly outlining each individual activity, why you require the data and how you plan to use it. For businesses like us this means segmenting the activities e.g. if we want to communicate with our customers and contacts via e-news we need to tell them what we intend to communicate and why. We need to ask, if they wish to receive the information and ask them to opt in, agree, give their consent for us to use the information for this purpose only. In other words, we need to give them all the relevant information they need to make a choice; If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.

The box below contains standard wording the ICO tested with members of the public and, which constitutes good practice when seeking consent for direct marketing.

Here at [organisation name] we take your privacy seriously and will only use your personal information to administer 
your account and to provide the products and services you have requested from us.

However, from time to time we would like to contact you 
with details of other [specify products]/ [offers]/[services]/[competitions] we provide. 
If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:

Post ☐    Email ☐    Telephone ☐    

Text message ☐    Automated call ☐

We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that 
they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. 
If you consent to us passing on your details for that purpose please tick to confirm:

I agree ☐

Taking Responsibility

You are responsible for the data you collect, store and manage. This means having reporting systems in place in case of data breaches. Should you encounter a breach, you must report it to the relevant authority within 72 hours of discovery, informing the individuals involved if necessary e.g. the breach is likely to adversely affect the rights and freedom of the individual.

What’s Next

If you need any help getting ready for GDPR we can point you in the right direction. Working with our network of experts and professionals we can put you in touch with the right people and would be happy to talk through creative methods of marketing and data capture.

Call us on 01507 607783 or email hello@firstmedia.co.uk          

*in this blog piece we are talking specifically about websites however any activity where you are collecting, storing and processing data you will need to ensure you are GDPR compliant for further and more detailed information please visit ico.org.uk

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/