Ensure Your Website Is GDPR Compliant
There are 14 points in total. The first 5 must be followed by every website; the other 9 apply depending on the nature and requirements of the website.
- Cookie Policy
- Cookie & Privacy Popup Notice
- Privacy Policy
- SSL Certificate
- Inquiry & Contact Form
- Newsletter Signups
- Payment Gateways
- Pseudonymisation or Anonymisation
- User Account Creation
- Live Chats
- Connected Email
- Social Media Account Connection
- Google Analytics (Tracking Systems)
- CRM connection
-
Cookie Policy
A page on your website that states which cookies are used on the site (both your own and third-party ones), the purpose of each, what data you capture with them, and what you do with that data. All of this information must be shown to the user of the website.
This leads us on to the infamous ‘cookie pop-up’ or ‘cookie top/bottom bar’.
-
Cookie & Privacy Popup Notice
You need to tell visitors which cookies are used and what the privacy policy is as soon as they arrive at the website.
The most logical and well-established solution is a pop-up. It should explain that cookies are used on the site and that the user has to accept the use of the data as explained in the privacy and cookie policy.
The policy pages state which cookies are used (both yours and third-party ones) and that the user has to accept the terms to be able to fully utilize the site. Because some cookies are purely functional rather than data-gathering tools, the website may not work correctly without them. The user must also be able to ask the website owner to disclose what information is held about them and to have it permanently deleted.
Use of the website mustn’t be restricted to people who accept cookies. The user should be given the choice to use the site without cookies and to decline them for their session. The cookie notice has to explain that if they decline cookies, the website may lose some functionality.
-
Privacy Policy
A privacy policy is a more thorough document: the website owner’s full statement of what data is captured, when it is captured, what the data is used for, the third parties’ details, and the method. This includes the DPO’s (Data Protection Officer’s) details as well as the method of requesting the user’s details and requesting that they be permanently deleted.
-
SSL Certificate
A Secure Sockets Layer certificate is the encryption mechanism installed on the hosting space of your website. With it in place, the browser bar displays a security notice and sometimes goes green and shows a padlock symbol. Its purpose is to securely encrypt the information that is entered into any forms or fields on the website. Certificates can be purchased and installed for £99 per year. Several different SSL certificates are available, all encrypting the data to the same level (256 bit – 2048), but some come with further protection and insurance. Free certificates are offered by a project called ‘Let’s Encrypt’, but it’s doubtful this offer will last long and it doesn’t come with any assurances.
-
Enquiry & Contact Form
If your website has an enquiry form for people to send you messages, it is advisable to ensure the following are adhered to:
- The website has an SSL certificate.
- The details are not stored in the website’s SQL database unless they are stored encrypted.
- Whenever any data is sent to you by email, your email service provider must follow GDPR rules, and the email has to be stored and sent in GDPR-compliant, secure ways. Many email service providers, such as Google Mail and Outlook 365, are updating their terms of service to comply with GDPR. It is worth checking their policies to be certain your email provider complies. Email is the most common place where private data gets abused, misused or lost.
- Do you print out the email with the enquiry details on it? If your company does this, it is another data risk. Ensure you have a shredding process in place to safeguard emails with users’ private details and prevent them from just going into the bin!
- There are no pre-ticked boxes that automatically sign the enquirer up to the newsletter. The enquiry covers that instance only: you can’t add the user’s details to your marketing database unless they have fully agreed to it by using a separate tick box.
-
Newsletter Signups
Do you have a facility for users to subscribe on your website to receive a newsletter from you? Whether you send it out individually from your desktop email app or from a system like Mailchimp, Mizmoz, e-Shot, Communicator, etc., you must make sure the tick box that handles this subscription is set so that the user has to OPT IN rather than opt out.
You need to seek consent for each way you plan to email them, indicating how their details will be used and how to unsubscribe. You cannot roll automatic sign-up and agreement to the newsletter service into your website’s standard terms of use/business. There have to be separate opt-in tick boxes for each place you gather data on the site. E.g. if a user signs up for a service to buy on your website, they will have to tick a box to accept the terms of that service.
If you offer a monthly marketing newsletter, there must be a separate tick box to enable them to select it. It cannot be a ‘required’ field. You will also have to provide another separate tick box if you give the user’s details to another party. Make sure that the emails you send out all have an unsubscribe link too.
-
Payment Gateways
If you have an e-commerce website and you use payment gateways such as PayPal, Sagepay, Worldpay, or Stripe, you will need to ensure that (as well as following the processes in the points above) the payment gateways’ privacy policies are checked and referenced in your privacy policy. If they are UK (or European) based, they will have to be GDPR compliant; if US-based, Privacy Shield compliant. The storage of actual payment details online falls under and is regulated by PCI compliance.
-
Pseudonymisation or Anonymisation
This one is the most difficult to resolve.
Most websites that have user accounts and store information about their users (like your Amazon account storing your name, address, birth date, etc.) store the data in an SQL database. This is usually a web-based database that the website queries to deliver your details when you sign in. More often than not, unless it’s online banking, these details are not stored encrypted, so if the SQL file were accessed, the content could be clearly read.
It is very difficult to both store and retrieve data in an encrypted way, which is why most sites don’t. However, under GDPR, ‘pseudonymisation’ means that websites will have to start moving towards users being identified by a username only, with all of their other data encrypted so that there’s no possible connection between the user and the stored details. You will have to confer with your website developer and host about planning this change, as it will require time, planning, and a budget.
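One way to store account details in the form described above, as an added example rather than code from the original article: each row is keyed by a keyed-hash pseudonym of the username, and every other field is encrypted with AES-256-GCM using Node's built-in `crypto` module. The key handling, field names and sample record are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo keys (assumption: real keys live in a secrets manager or
// KMS, never in the same database or backup as the rows they protect).
const PSEUDONYM_KEY = crypto.randomBytes(32); // HMAC key for pseudonyms
const DATA_KEY = crypto.randomBytes(32);      // AES-256-GCM key for fields

// Stable pseudonym for a username: the same name always maps to the same id,
// but the id cannot be recomputed or reversed without PSEUDONYM_KEY.
function pseudonymFor(username) {
  return crypto.createHmac('sha256', PSEUDONYM_KEY)
    .update(username.trim().toLowerCase(), 'utf8')
    .digest('hex');
}

// Encrypt one field. The pseudonym is bound in as associated data, so a
// ciphertext copied onto another user's row fails authentication.
function encryptField(plaintext, pseudonym) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', DATA_KEY, iv);
  cipher.setAAD(Buffer.from(pseudonym, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Reverse of encryptField; throws if the value or its row id was tampered with.
function decryptField(stored, pseudonym) {
  const raw = Buffer.from(stored, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', DATA_KEY, raw.subarray(0, 12));
  d.setAAD(Buffer.from(pseudonym, 'utf8'));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Build the row that is written to the SQL table: no username and no
// plaintext personal data, only the pseudonym and encrypted fields.
function toStoredRow(username, profile) {
  const id = pseudonymFor(username);
  const row = { id };
  for (const [field, value] of Object.entries(profile)) {
    row[field] = encryptField(String(value), id);
  }
  return row;
}

// Constructed sample record.
const sample = toStoredRow('alice', { name: 'Alice Example', dob: '1990-01-01' });
console.log(sample.id, decryptField(sample.name, sample.id));
```

At login the site recomputes `pseudonymFor(username)` to find the row, so a copy of the database alone exposes neither the usernames nor the stored details.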
-
User Account Creation
If your site is an e-commerce one or allows a user to create an account for access to services behind a login area, you will have to ensure you have both the SSL installed (as referred to in point 6) and also work towards the data being stored using pseudonyms. Recent headline examples (Uber, TalkTalk, Experian) have shown that even major internet giants aren’t doing this, so it is best to ask your web developer for tips on how to move towards this process.
-
Live Chats
Those who have a live chat service on their website have to ensure that they refer to this third-party service in their cookie policy and privacy policy, and that they review its GDPR/Privacy Shield policy. It may seem the data isn’t being stored anywhere, but often the transcript of the chat is emailed to both parties once the chat is completed. The above principles of storage and use apply here, too.
-
Connected Email
Whichever email service you use, the email you store from everyone you are connected with must be stored according to DPA (Data Protection Act) & GDPR guidelines and instructions. Briefly: store and save your email data securely, use good anti-virus applications, and archive and completely delete unnecessary emails. Ensure you have a Data Retention policy – a statement that your organization follows when it comes to how you store data and for how long prior to it being deleted.
Typical business data retention policies are 2 years – anything older than that is usually out of date anyway. Regulated industries are the exception to the rule here: financial services, medical, governmental, HMRC, etc. These businesses may need you to keep data records longer, particularly with regard to accounting and finance. You will need to check with your regulatory body if you fall into this bracket.
-
Social Media Account Connection
Social media sites that are used for your organization also fall under GDPR. Whilst you don’t need to seek permission from each person who ‘likes’ your page or ‘follows’ you, ensure that any information gathered directly from people with whom you interact on these sites is handled in line with the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an enquiry, ensure the chat history is completely deleted when it’s done. Get the person to email you to enable you to hold the formal connection outside of a social media channel.
You also need to ensure that your privacy policy refers to these third-party data controllers, especially as people use SSO (Single Sign-on) for logging into sites and also use their social media account logins for convenience. You also need to make sure that, if you use the details of your customers or connections on your social media page to promote your business, you have their consent to do so.
-
Google Analytics (Tracking Systems)
If you run Google Analytics on your site (or any other tracking service) you will have to make sure that it’s referred to in the cookie policy and the privacy policy, and that you check the third party’s own privacy policy to ensure they comply. Although we know that Google Analytics will be both GDPR compliant and Privacy Shield compliant, other, lesser-known tracking services may not be.
You must enable the anonymization option in Google Analytics to properly conform to GDPR. Google Analytics records users’ IP addresses in visitor reports and this is deemed ‘identifiable information’. You don’t really need it, so turn it off. What’s not fully clear right now is how this will affect geographic reports. We’ll update you on this in the coming months.
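The cookie notice and the analytics setting described above can be tied together in the page's own script. This is an added example, not code from the original article: it loads Google Analytics only after the visitor accepts, with the gtag.js `anonymize_ip` option enabled, and leaves the rest of the page untouched when they decline. The cookie name `cookie_consent`, the 180-day lifetime and the property id are placeholders chosen for illustration.

```javascript
const GA_ID = 'UA-XXXXXXX-X'; // placeholder property id, not a real one

// Read the stored choice from a cookie string: 'accepted', 'declined',
// or null when the visitor has not been asked yet.
function readConsent(cookieString) {
  const m = /(?:^|;\s*)cookie_consent=(accepted|declined)(?:;|$)/.exec(cookieString || '');
  return m ? m[1] : null;
}

// Called by the banner's Accept / Decline buttons. The choice cookie itself
// is functional: it only remembers the answer (for 180 days here).
function storeChoice(doc, choice) {
  if (choice !== 'accepted' && choice !== 'declined') throw new Error('bad choice');
  doc.cookie = `cookie_consent=${choice}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Inject Google Analytics with IP anonymisation switched on.
function loadAnalytics(doc, win) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = `https://www.googletagmanager.com/gtag/js?id=${GA_ID}`;
  doc.head.appendChild(s);
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_ID, { anonymize_ip: true });
}

// Run on every page load. Nothing here blocks the page: a visitor who
// declines, or has not answered yet, simply never gets the tracking script.
function applyConsent(doc, win) {
  const consent = readConsent(doc.cookie);
  if (consent === 'accepted') loadAnalytics(doc, win);
  return { showBanner: consent === null, analyticsLoaded: consent === 'accepted' };
}

// In a browser, apply the stored choice immediately.
if (typeof document !== 'undefined') applyConsent(document, window);
```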
-
CRM connection
This relates to points 6, 7, 8, 9 & 10. If your website captures the user’s data and then writes it into a CRM, such as Salesforce or Pardot, you need to ensure that the data collection process is secure, as previously described, and that you refer to the third-party service in your privacy policy. Additionally, if your website automatically sends the enquiry into the CRM, make sure the date, time, reason for capture, and consent details are also captured. Users have the legal right to ask you where you captured their details, when, whether it was explicit how the data would be used, and how the details can be permanently deleted (also known as a ‘request to be forgotten’).
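The opt-in rules from the Newsletter Signups section and the capture details listed above can be enforced where the form is processed on the server. This is an added example, not code from the original article: it turns one form submission into the enquiry plus one consent record per purpose, each carrying the date and time, where it was captured and the wording shown. The field names (`consent_newsletter`, `consent_third_party`), purposes and record layout are assumptions.

```javascript
// Purposes that each get their own, unticked, non-required box on the form.
const PURPOSES = {
  newsletter: 'Send me the monthly marketing newsletter',
  third_party: 'Share my details with named partner organisations',
};

// A ticked HTML checkbox submits "on" (or its value attribute); an unticked
// one is absent from the body. Strings such as "false" or "0" are truthy in
// JavaScript, so only the exact expected values count as consent.
function isTicked(value) {
  return value === 'on' || value === 'true' || value === true;
}

// Turn one submission into the enquiry plus a consent record per purpose,
// ready to be written to the CRM alongside the contact.
function recordConsent(form, source, now = new Date()) {
  if (!form.email || !/^[^@\s]+@[^@\s]+$/.test(form.email)) {
    throw new Error('email is required to answer the enquiry');
  }
  const consents = Object.entries(PURPOSES).map(([purpose, wording]) => ({
    purpose,                        // reason for capture
    granted: isTicked(form[`consent_${purpose}`]),
    wording,                        // exact text the user was shown
    source,                         // which page or form captured it
    capturedAt: now.toISOString(),  // date and time of capture
  }));
  return {
    enquiry: { email: form.email, message: form.message || '' },
    consents,
    // The marketing list is built only from an explicit newsletter opt-in;
    // sending an enquiry never implies it.
    marketingAllowed: consents.some((c) => c.purpose === 'newsletter' && c.granted),
  };
}

// Constructed sample submission: an enquiry with no boxes ticked.
console.log(recordConsent({ email: 'visitor@example.com', message: 'Hello' }, '/contact'));
```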
The ICO has set up a dedicated advice line to help small organisations prepare themselves for the new GDPR laws. The service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law.