GDPR 101: How To Make Sure Your Website Is Ready For The General Data Protection Regulation
Published on 9th April 2018
With not long to go until GDPR comes into effect, it’s time to ensure that you’re up to speed with what will be changing, and that your website fully complies with the new regulations.
Before we dive in to how your website will be affected, let’s start with a quick refresher on the basics of GDPR.
Disclaimer: Please note that this post does not constitute legal advice, nor is it an exhaustive list of what you need to do to ensure full GDPR compliance. If you have any concerns about legislation that affects your business, we would advise that you consult a solicitor or a certified GDPR practitioner.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new set of rules concerning the privacy and security of personal data for EU citizens.
These rules aim to improve the control people have over their data – this means new rights for anyone wanting to access the information businesses hold about them, an increased level of accountability for businesses managing data, and greater fines for any businesses that don’t comply.
GDPR will replace the EU’s existing data protection act – the outdated Data Protection Directive from 1995.
When does GDPR come into place?
25th May 2018.
Who does GDPR apply to?
Think GDPR won’t affect your business? Think again. The changes apply to all EU citizens, as well as all businesses and organisations operating within the EU.
This means that if you hold any personal data (such as names, addresses, email addresses, or bank details) belonging to an EU citizen, you can be held accountable under these new rules for how you handle this information.
Even if you operate a strictly B2B company, it is likely you will hold personal data in the form of work email addresses containing an individual’s full name, e.g. joe.bloggs@businessname.com.
And no, Brexit doesn’t change anything – the UK government will be implementing new data protection legislation that incorporates the vast majority of GDPR. This will be enforced by the Information Commissioner’s Office (ICO).
How will GDPR affect my business?
At its core, GDPR is all about safeguarding personal data, which is why it gives individuals the right to access, correct, delete, and restrict the use of any information that could be used to identify them.
As a business, it is your responsibility to protect the personal data of customers, employees, patients, and anyone else who you hold information about. You must also gain someone’s explicit consent before you can use their data in specific ways, especially for marketing purposes.
The scope of these changes will obviously vary from business to business and will impact each organisation differently, but you can find plenty of information about GDPR and what it means for the various aspects of your business here.
As we mentioned above, there will be hefty fines for any business that fails to follow the new rules, but don’t panic! There’s been a lot of scaremongering concerning these fines, which can amount to either 4% of annual turnover or £17 million, but the ICO is keen to point out that they’re very much in favour of using the carrot over the stick.
What this means is that fines will always be a last resort and are more likely to be handed out to those that actively flout the law, rather than those who have tried to implement the necessary practices.
If you’ve not yet looked into how to make your business GDPR compliant, this 12 step document from the ICO outlines exactly what you need to do to make sure you’re covered.
Where do websites come in to all of this?
When you think about the personal data your business or organisation has access to, it’s easy to overlook your website. The truth is though, your website is gathering this information all the time.
It doesn’t matter what the purpose of your site is. Whether you’re operating a small promotional website or selling online through a large ecommerce store, you may not realise it, but you are continuously processing data from anyone who visits your website, and this means you’re responsible for what happens to it.
Below, we look at the specific changes you need to be making to your website to protect your visitors’ privacy and security and ensure you're ready for GDPR.
1. Carry out a website data audit
Asking yourself the following questions will help you put the right processes in place for GDPR:
What data am I collecting?
First things first, you need to identify what information you’re collecting through your website.
The most likely ways you’ll be collecting data are through contact forms, online payments, blog comments, or newsletter subscriptions.
It's important to remember though that personal data doesn’t have to be as explicit as a name and address – it can also be someone’s IP address, or even the cookies stored on their device. (Don’t worry - we’ll cover cookies in more detail later on.)
You also need to consider whether you collect personal data on your website through any third-party services. Typically, these will either accept information from your site – e.g. a payment gateway such as PayPal, or an email marketing platform such as MailChimp – or they’ll embed content into your site – e.g. YouTube.
Ultimately, it is your responsibility to make sure that any third-party providers you are using on your website are GDPR compliant, as it is your customers’ data that’s at stake.
Make sure you include these service providers in your audit, and then assess whether each one has the appropriate measures in place to comply with the new regulations. Many providers, such as MailChimp and Google, have already outlined exactly how they plan to implement GDPR compliant procedures across their services.
Once you’ve gone through your website and established exactly what data you’re collecting, you’ll be ready to start thinking about how and why you do so.
Where am I storing data?
It is likely that a lot of the personal information you’re collecting will be held in your website's database, but you may also be storing it in an external content management system (CMS) or customer relationship management system (CRM).
If this is the case, you'll need to check that these systems are also fully compliant.
Why do I need this data?
A good rule of thumb with GDPR is to only collect the data you absolutely need - if you're not going to use the information, then don't ask for it.
Decide what information is essential to your business, and what’s not. Then go through your website and alter any forms to remove unnecessary fields and delete any data you have saved that you no longer require.
Similarly, you’ll need to delete data that you don’t have permission to use for the purpose you intend.
How long should I store data?
The ICO states that you should retain personal data "no longer than is necessary for the purpose you obtained it for".
Set a reasonable time period for holding on to customer details and then remove any data from your website that's exceeded this limit.
Simply put - if you can’t think of a justifiable reason to keep data, then don’t keep it.
Who can access this data?
Lastly, you should review who has permission to see the personal information stored on your website - this could be anyone from staff members to external sources such as the marketing company you’ve hired to boost your website ranking.
Ask yourself whether these people still require access to this data. If not, you’ll need to take the necessary steps to revoke their access.
By limiting the amount of information your website collects and who has access to it, you’ll be able to limit the potential for any non-compliance issues.
2. Update your privacy policy
Once you've carried out a data audit on your website and have established how you'll be using personal data, you need to update your website's privacy policy to reflect this.
Your privacy policy needs to be fully transparent and easy to understand and must inform visitors of exactly what data you collect, what you use it for, how you store and protect it, how long you hold it for, and who you share it with.
You'll also need to make it clear through your privacy policy what the process is for any visitors wanting to access the information you hold on them, and for anyone who wants to have their data removed entirely from your systems. People are entitled to do so through the new 'right to be forgotten'.
3. Revise your website forms
Gaining valid consent to use personal data is a huge part of GDPR. Essentially, what this means is that you can no longer assume what your website visitors want you to use their data for, and this is especially true where forms are concerned.
Moving forwards, every time someone fills out a form on your website – be it a newsletter subscription form, an enquiry form, a job application form, a registration form, etc. – they must provide you with explicit consent before you can use their information.
Gone are the days when every email address that was entered into your website could be added to your mailing list. Instead, visitors must actively opt in to any kind of marketing communication, as "silence, pre-ticked boxes or inactivity" are no longer seen as valid forms of consent.
To make your website GDPR compliant, you'll need to update your forms to give visitors the chance to make their preferences known.
This means a separate tick box for every form of marketing communication - e.g. email, post, SMS, telephone - as well as separate tick boxes for any third parties you'd like to share their information with.
The ICO's example of GDPR compliant tick boxes
What’s more, the new rules on consent won’t just apply to personal data that you collect after May 25th. Once GDPR comes into effect, everyone that you currently market to must have granted you permission to contact them, and you must have a clear record of their consent.
If you’re unsure, you’ll need to audit your existing database to ensure that everyone has provided GDPR-compliant consent, and if they haven’t, you may want to consider either asking them to opt in again or removing their data from your marketing list.
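An added example (not from the original post or the it’seeze platform) of how the form-consent rules in this section translate into code: each marketing channel and each third party is a separate opt-in that defaults to "no", silence or a missing box is never treated as consent, every decision is stored as a dated record, and an existing mailing list is audited against those records. Field names, the channel list, the partner names and the policy version are assumptions for illustration.

```javascript
// Assumed form field names: consent_<channel> and share_<party>, one unticked box each.
const MARKETING_CHANNELS = ["email", "post", "sms", "telephone"];
const THIRD_PARTIES = ["partner_a", "partner_b"]; // hypothetical partners named on the form

// Only an explicit tick counts. An absent or blank field (silence, inactivity,
// or a box that was never shown) is recorded as "no".
function tickedTrue(value) {
  return value === "on" || value === "true" || value === true;
}

// Build the consent record to keep alongside the contact. `meta.now` is
// injected so the record is reproducible in tests.
function buildConsentRecord(fields, meta) {
  const channels = {};
  const thirdParties = {};
  for (const c of MARKETING_CHANNELS) channels[c] = tickedTrue(fields[`consent_${c}`]);
  for (const p of THIRD_PARTIES) thirdParties[p] = tickedTrue(fields[`share_${p}`]);
  return {
    subject: fields.email,
    givenAt: meta.now(),                 // when consent was given
    policyVersion: meta.policyVersion,   // which privacy policy wording they saw
    method: "web form, separate unticked box per purpose",
    consent: { channels, thirdParties },
  };
}

// Checks to run before every send or share: absence of a record is a refusal.
function mayContact(record, channel) {
  return Boolean(record) && record.consent.channels[channel] === true;
}

function mayShareWith(record, party) {
  return Boolean(record) && record.consent.thirdParties[party] === true;
}

// Audit an existing mailing list: who can still be emailed, and who must be
// asked to opt in again (or be removed) because no valid record exists.
function auditMailingList(addresses, records) {
  const byEmail = new Map(records.map(r => [r.subject, r]));
  const canEmail = [];
  const needsReconsent = [];
  for (const a of addresses) {
    (mayContact(byEmail.get(a), "email") ? canEmail : needsReconsent).push(a);
  }
  return { canEmail, needsReconsent };
}
```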
4. Review your cookies notice
Almost all websites use cookies. These are small data files stored in a person’s web browser when they visit a website, and they are used to improve the user experience and to collect statistical data about a person’s on-site behaviour.
If your website integrates with any kind of third party tool such as Google Analytics, Google AdWords, social media plugins, or embedded YouTube videos, these will all be generating cookies that are collecting personal data from your website visitors.
The different cookies that are used on your website should be outlined in your privacy policy, but you’ll also need to give users the ability to accept the use of cookies as they browse your website.
Again, this all comes down to consent – just because someone is using your website, you can’t assume that they agree to the use of cookies.
Instead, you’ll need to update your cookies notice so that users can either accept or decline cookie use through a clear, affirmative action.
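An added example (not from the original post or the it’seeze platform) of a consent-gated cookie notice: no decision means no non-essential cookies or third-party scripts, and a decline is remembered just like an accept so the notice is not shown again on every page. The cookie name, the category names, the script URLs and the policy version are assumptions for illustration.

```javascript
const CONSENT_COOKIE = "cookie_consent";            // assumed cookie name
const CATEGORIES = ["analytics", "advertising", "embeds"];

// Parse a Cookie header or document.cookie string into the stored decision.
// Returns null when the visitor has not yet made an explicit choice.
function parseConsent(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const data = JSON.parse(decodeURIComponent(rest.join("=")));
      if (data && typeof data.decided === "string") return data;
    } catch (e) { /* malformed cookie: treat as no decision */ }
  }
  return null;
}

// Serialise a decision (accept or decline, per category) as a Set-Cookie value.
// Storing the decision is itself strictly necessary, so it needs no prior consent.
function serialiseConsent(choices, decidedAt) {
  const data = { decided: decidedAt, policyVersion: "2018-05" }; // assumed version
  for (const c of CATEGORIES) data[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(data));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${180 * 24 * 3600}; SameSite=Lax; Secure`;
}

// Only an affirmative choice enables a category; no decision means "no".
function allowed(consent, category) {
  return consent !== null && consent[category] === true;
}

// Which scripts may run for this visitor. scripts: [{ src, category }], where
// category "necessary" covers things the site cannot work without.
function scriptsToLoad(consent, scripts) {
  return scripts
    .filter(s => s.category === "necessary" || allowed(consent, s.category))
    .map(s => s.src);
}

// Browser glue (a no-op under Node): inject only the permitted scripts.
function applyConsent(scripts) {
  if (typeof document === "undefined") return;
  for (const src of scriptsToLoad(parseConsent(document.cookie), scripts)) {
    const el = document.createElement("script");
    el.src = src;
    document.head.appendChild(el);
  }
}
```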
5. Make sure your website is encrypted
An SSL certificate is an essential security measure to have in place for GDPR, especially if you have an ecommerce website.
This is because SSL encryption adds an extra layer of protection to your website by sending data – such as information submitted through a form, or payment details – over an encrypted connection. This makes the personal data unreadable to anyone intercepting it in transit, and thus much harder for potential hackers to access.
You’ll know if your website is protected by an SSL certificate if your web address begins with https://, or if a green padlock icon appears next to your web address in the address bar of your browser.
Having an SSL certificate can also increase your chances of ranking well in Google search results and will provide your customers with peace of mind when they visit your website.
How will GDPR affect it’seeze websites?
We take privacy and security seriously at it’seeze, which is why we’ve already started to put the appropriate measures in place to help our clients achieve GDPR compliance.
As well as this, the fully editable nature of our websites means that you have all the functionality you need to update your site to ensure it meets the new regulations.
For example, it’s easy to make your website forms compliant using either the confirmation component or the choice component - these allow you to create checkboxes which confirm your visitor’s consent.
Any data stored on your it’seeze website is also quick to find and delete. Both list records and blog comments are easily accessible through the ‘Panels’ menu, making it simple for you to keep on top of data management. We will also be updating the customer account section on all standard Commerce websites before the May 25th deadline, giving customers the ability to delete their data from your website.
Your website comes with a privacy policy page as standard, which you are able to update yourself in edit mode. We will be making some changes to this page to bring it in line with GDPR – this will include a section that details all the cookies in use on your website. It is your responsibility to add details to the privacy policy about how you use the data collected through your website, how long you keep the data, and who you share it with.
The cookies notice displayed on your it’seeze website is also in the process of being updated ahead of 25th May. The new version will give your visitors the option to opt in or out of cookie use, helping you to comply with the GDPR’s new rules on consent.
Lastly, as an it’seeze customer you’ll also benefit from free SSL encryption. We are currently rolling out SSL certificates to all clients who have a domain registered with us, ensuring that your site is even more secure in time for GDPR.
So, is GDPR bad for business?
In short, no.
Yes, a lot of things are about to change – and of course, these changes will impact your entire business, not just your website. This is where the ICO’s checklist comes in handy – make sure you take the time to work through each point and seek professional advice to ensure you are compliant.
However, although it may be a lot of work to implement, GDPR is also an opportunity. Remember - by complying with the new laws, you’re ultimately creating a better experience for your customers.
After all, greater transparency and improved security measures can only be beneficial, and when your customers are confident in your commitment to their privacy, you’ll enjoy a better business reputation, increased customer loyalty, and a clear competitive advantage.
Not only this, but by potentially reducing the number of people you are able to market to, GDPR could actually help to make your marketing efforts more effective.
By only targeting those individuals who have actively consented to be contacted by you, your time and resources will be better spent as you focus in on the people who are genuinely interested in your products and services.
GDPR also has the potential to streamline your business operations. With the correct processes in place, you may find that you are able to use data more efficiently and more accurately.
What’s more, these processes will help you minimise the risk of cybercrime and other security issues, and if anything does happen, you’ll be prepared to deal with the problem head on.
GDPR Jargon Buster
Consent – Permission granted by an individual through a clear, affirmative action that allows a business or organisation to process their personal data.
Cookies – Small files that are downloaded to an individual’s computer when they visit a website. As these can sometimes be used to identify an individual, they are counted as personal data.
Data Breach – A security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Data Controller – The business or organisation that collects and uses personal data. They are responsible for the safe storage and use of the data.
Data Processor – The business or organisation that processes personal data on behalf of the controller, such as a payment gateway or an email marketing service.
Data Subject – The individual who the personal data relates to.
Encryption – The process of converting information into code to prevent unauthorised access.
ICO – The Information Commissioner’s Office, the UK’s independent authority responsible for enforcing GDPR and ensuring that businesses and organisations comply.
Personal Data – Any information that can be used to directly or indirectly identify an individual, such as their name, address, date of birth, gender, IP address, email address, etc.
Privacy Policy – A statement or legal document that discloses the ways a business or organisation collects, uses, and manages personal data.
Processing – Anything that is done to personal data, including collection, storage, and analysis.
Right To Be Forgotten – The data subject’s right to request that any personal data held on them is deleted. Also referred to as data erasure.
Right To Be Informed – The data subject’s right to receive clear information about how their personal data is, will, or could be used.