GDPR, what the hell is it? Data Protection and your website, how safe is yours?
GDPR is in the news, but what is it all about? At Insite Web we take the matter of data security very seriously. When we work with new clients we often find that their existing websites don’t fully comply with current legislation.
We’re also hearing increasingly worried customers concerned about upcoming changes to data protection via the EU GDPR, and wanting to know how these changes will impact upon them. These worries are not eased by articles that often overstate the amount of work that businesses need to carry out to be compliant. In all honesty most of these seem to be written to frighten organisations into signing up to expensive training or buying costly services.
Having said that, the data protection landscape is a constantly changing one and it can be difficult for companies, especially SMEs with limited resources, to keep up.
We’ve put together this quick guide to the latest position in the UK with some tips to make sure you don’t find yourself on the wrong side of the law.
What’s personal data?
Personal data is any information that can be used to identify an individual, regardless of whether that data applies to purely personal information or relates to personal information about an individual in a business or company context.
The main change under GDPR is that the definition of what is considered personal information has been widened, to cover a range of data that reflects current and emerging technology. This means in certain circumstances digital data like an IP address, when combined with other pieces of data, may make information you’re storing personal.
We understand it can be very difficult for individuals and organisations to review their data, and determine whether it is personal. With the help of the ICO personal data guidelines, we’ve pulled together the flowchart below so you can review all your data against the relevant criteria.
The big change that you’re probably aware of is the General Data Protection Regulation (GDPR). This is the new European framework that outlines how businesses must collect and process personal data. Current regulations date from the mid-90s and when they were drawn up it was generally only larger companies who were collecting and storing customer details.
However, now many SMEs collect personal data, store it and move it. With Brexit on the horizon there’s a temptation to think that GDPR won’t apply, or at least not for long. However, businesses need to be compliant from 25th May 2018 – as we are obviously still in the EU. In addition the government has made it clear that GDPR will be integrated into UK law post-Brexit.
Does it apply to me?
The GDPR data protection framework applies to any organisation that collects personal data. Even if you are a sole trader, if you collect personal information about your customers, you will need to audit how you do that.
In relation to websites this means taking a look at every stage of the data collection process to ensure that customers are clear about what you are using their data for and how they can request that you remove their data from your databases.
What can you do?
First of all don’t panic. You are in exactly the same position as hundreds, if not thousands of SMEs around the UK, and indeed Europe.
The first thing to do is to carry out an information audit. You need to do this across your business with a view to detailing what information you hold, where it came from, and how it is used and shared. Importantly this needs to be documented.
Insite Web can carry out this process for you. In terms of your online activity, take a look below for some of the steps you can take.
1. Make sure your website is secure
Regardless of the GDPR changes your website should be secure and this means having an SSL certificate. Besides security there’s also another reason for having an SSL certificate. If your website has the prefix http:// and has any kind of text input – including search boxes – your website visitors will see the following message:
As you can imagine this doesn’t really shout ‘trustworthy’ and prospective customers are likely to leave your site. An https:// site will also be ranked more favourably by Google in their search engine results. All Insite Web website builds come with an SSL certificate as standard.
2. No pre-ticked boxes
GDPR is concerned with giving customers the opportunity to give explicit consent for the use of their personal details. This means no more pre-ticked boxes. Forms on your website should allow people to opt-in to any marketing or other use of their data. They shouldn’t have to ‘untick’ a box to indicate that they don’t want their personal details to be stored by your organisation.
However GDPR also requires companies to have a trackable process for demonstrating how consent was acquired. A ‘2-step’ email process, whereby people respond to an email sent directly to them in order to be included on any list, is a quick and efficient way to achieve this.
3. Opt-in for every channel
This so-called granular opt-in is particularly relevant where you are collecting data for marketing purposes. Essentially it means consenting to each possible contact method separately. Your forms should list each channel (email, telephone and so on) and let customers pick the ones through which they consent to be contacted.
4. Separate consent for communications
Referred to in the GDPR as unbundled consent, this is concerned with separating out the different things that customers are signing up to.
Historically many websites have ‘bundled’ consent to use data within their broader terms and conditions, for example with statements such as ‘by accepting these terms and conditions you consent to Example Ltd using your data for marketing purposes’. In future these should be clearly separated out so that customers are clear about how their data is going to be used.
5. Be clear how to withdraw consent
GDPR gives the specific right to withdraw consent. You must tell people that they have the right to withdraw their consent at any time.
There should be a transparent process for people to follow in order to have their data removed from any databases that you control. You could for example have a dedicated email address for people to contact to remove their data, e.g. [email protected], or you could have a form on your site for people to complete for removal of their data. Whatever your process, you should make sure that data is removed completely.
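The following Python sketch is an added example, not Insite Web’s code or part of this guide, that ties points 2 to 5 together in one server-side consent ledger: every channel defaults to unticked, each channel is consented to on its own (granular) and apart from the terms and conditions (unbundled), proof of consent comes from a two-step email confirmation that is timestamped and single-use, and consent can be withdrawn or the record erased completely. The channel names, the server secret, the in-memory store and the sample form submission are all assumptions constructed for illustration.

```python
"""Added example (not Insite Web's code): a minimal consent ledger with double opt-in.
Channel names, SECRET_KEY, the in-memory store and the sample data are constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHANNELS = ("email", "telephone", "post")   # constructed: one opt-in per contact method
SECRET_KEY = b"hypothetical-server-secret"  # constructed: keys the stored token digests


def consent_checkbox_html(channel: str) -> str:
    """Render the opt-in box for one channel. Deliberately no 'checked' attribute:
    the visitor must tick it, never untick it."""
    return (f'<label><input type="checkbox" name="consent_{channel}" value="on"> '
            f'Contact me by {channel}</label>')


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    channels: dict = field(default_factory=lambda: {c: False for c in CHANNELS})
    confirmed: bool = False             # only True after the confirmation link is used
    confirmed_at: str | None = None
    history: list = field(default_factory=list)  # audit trail of (time, event, detail)

    def log(self, event: str, detail: str = "") -> None:
        self.history.append((_now(), event, detail))


class ConsentLedger:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}
        self._pending: dict[str, tuple[str, dict]] = {}  # token digest -> (email, channels)

    @staticmethod
    def _digest(token: str) -> str:
        # Keep a keyed hash rather than the token itself, so a copy of the pending
        # table cannot be used to confirm on someone else's behalf.
        return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()

    def submit_form(self, form: dict) -> str:
        """Step 1: a signup form arrives. Only boxes the visitor actually ticked ('on')
        count; a missing field is no consent. Returns the token that would be emailed."""
        email = form["email"].strip().lower()
        requested = {c: form.get(f"consent_{c}") == "on" for c in CHANNELS}
        rec = self.records.setdefault(email, ConsentRecord(email))
        rec.log("form_submitted", ",".join(c for c, v in requested.items() if v))
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, requested)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the emailed link is clicked. Consent is recorded only now, giving a
        timestamped, single-use proof of how it was obtained."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        email, requested = entry
        rec = self.records[email]
        for c, ticked in requested.items():
            if ticked:                      # never switch a channel off from a signup form
                rec.channels[c] = True
        rec.confirmed, rec.confirmed_at = True, _now()
        rec.log("consent_confirmed", ",".join(c for c, v in requested.items() if v))
        return True

    def may_contact(self, email: str, channel: str) -> bool:
        rec = self.records.get(email)
        return bool(rec and rec.confirmed and rec.channels.get(channel, False))

    def withdraw(self, email: str, channels=None) -> bool:
        """Withdraw consent for some or all channels; the record stays so the
        withdrawal itself is evidenced."""
        rec = self.records.get(email)
        if rec is None:
            return False
        chosen = tuple(channels) if channels else CHANNELS
        for c in chosen:
            rec.channels[c] = False
        rec.log("consent_withdrawn", ",".join(chosen))
        return True

    def erase(self, email: str) -> bool:
        """Removal request: delete everything held about the address, including any
        signup still waiting for its confirmation click."""
        self._pending = {k: v for k, v in self._pending.items() if v[0] != email}
        return self.records.pop(email, None) is not None


if __name__ == "__main__":
    ledger = ConsentLedger()
    # constructed submission: the visitor ticked only the email box
    token = ledger.submit_form({"email": "Alice@Example.com", "consent_email": "on"})
    print("before confirmation:", ledger.may_contact("alice@example.com", "email"))
    ledger.confirm(token)
    print("after confirmation:", ledger.may_contact("alice@example.com", "email"))
    print(ledger.records["alice@example.com"].history)
```

The point to notice is that nothing in `records` says “yes” until `confirm()` has consumed the emailed token, and that the `history` list is what you would show a regulator when asked how consent was acquired; a real deployment would put it in a database rather than memory.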
6. Update your privacy notice and terms and conditions
These changes will require you to amend any privacy notices or terms and conditions to reflect the terminology of the General Data Protection Regulation. The ICO has produced a helpful and informative guide to help with this.
Our example GDPR privacy and cookies policy, covering how personal details are used and a simple opt-out process, is shown below:
7. Keep online payments secure
Believe it or not, we still see company websites taking online payments without an SSL certificate. While it’s not a legal requirement to have one, you are obliged to ensure that any information you process is handled securely. As an SSL certificate encrypts data in transit, it provides a quick and easy way of demonstrating that you have taken steps to keep data secure.
If you are using a payment gateway, personal data may be collected on your website before details are passed on. In this case you will need to ensure that you have processes to remove this information. The GDPR states that this should be removed within a ‘reasonable period’ but doesn’t specify what this period is. In reality you will need to show due diligence and have a process that protects your business (e.g. from fraud) but also respects personal data under GDPR.
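Points 1 and 7 both come down to the same thing: no page with a text input or a payment form should ever be reachable over plain http://. As an added example, not Insite Web’s code or a description of how they build sites, the Python WSGI middleware below redirects every plain-HTTP request to its https:// equivalent and adds an HSTS header to secure responses. The canonical host name, the stand-in contact page and the sample request environments are constructed assumptions.

```python
"""Added example (not Insite Web's code): WSGI middleware that refuses plain HTTP.
CANONICAL_HOST, contact_page and the PLAIN/SECURE request environments are constructed."""
CANONICAL_HOST = "www.example.com"   # constructed: only ever redirect to a host we own
HSTS = "max-age=31536000; includeSubDomains"


def is_https(environ: dict, trust_proxy: bool) -> bool:
    """True when the request arrived encrypted. Behind a TLS-terminating proxy the
    scheme arrives in X-Forwarded-Proto, which is only believed when asked to."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        return proto == "https"
    return False


def https_url(environ: dict) -> str:
    """Same path and query on https://, but always on the canonical host, so a
    visitor-supplied Host header cannot turn the redirect into an open redirect."""
    path = environ.get("PATH_INFO") or "/"
    qs = environ.get("QUERY_STRING", "")
    return f"https://{CANONICAL_HOST}{path}" + (f"?{qs}" if qs else "")


class ForceHTTPS:
    def __init__(self, app, trust_proxy: bool = False):
        self.app = app
        self.trust_proxy = trust_proxy

    def __call__(self, environ, start_response):
        if not is_https(environ, self.trust_proxy):
            # 301 for GET/HEAD; 307 otherwise, so a POSTed form is re-sent as a POST
            # rather than silently downgraded to a GET that drops the body.
            method = environ.get("REQUEST_METHOD", "GET")
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "307 Temporary Redirect"
            start_response(status, [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Tell the browser to use https:// for this host from now on.
            return start_response(status, list(headers) + [("Strict-Transport-Security", HSTS)], exc_info)

        return self.app(environ, secure_start_response)


def call(app, environ: dict):
    """Tiny in-process WSGI client: returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def contact_page(environ, start_response):
    """Constructed stand-in for the site: a page with a form on it."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><input name='email'></form>"]


app = ForceHTTPS(contact_page)

# constructed requests: the same page asked for over http:// and over https://
PLAIN = {"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET", "HTTP_HOST": "evil.example",
         "PATH_INFO": "/contact", "QUERY_STRING": "ref=news"}
SECURE = dict(PLAIN, **{"wsgi.url_scheme": "https", "HTTP_HOST": CANONICAL_HOST})

if __name__ == "__main__":
    print(call(app, PLAIN)[:2])
    print(call(app, SECURE)[:2])
```

Wrap your real application in `ForceHTTPS` at the point where the WSGI app object is created, and only pass `trust_proxy=True` when a load balancer you control terminates TLS in front of the server; otherwise anyone could set the header themselves and bypass the redirect.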
8. Ensure third parties are compliant
Under GDPR it is your responsibility that any third parties that you work with to collect, store or move personal data are also compliant. Examples of third parties include online payment partners or companies that process your email marketing.
You will need to show that you have confirmed that they comply with GDPR. Also included within these third parties are companies providing onsite analytics, most notably Google Analytics. For the most part these companies have already indicated that they will be fully compliant.
What we do know is that the last cookie law took a while to shake out into its final form, with little appetite to penalise websites that failed to comply in the early days. It does appear that there will at some stage be a requirement to rewrite cookie notices to bring them in line with the new ‘active consent’ focus of the regulation.
If all that seems too much for you why not contact the Insite Web team for a free data security consultation.