Ensure Your Website is GDPR Compliant

There are 14 points in total. The first 5 must be followed by every website; the other 9 apply according to the nature and requirements of the website.

  1. Cookie Policy
  2. Cookie & Privacy Popup Notice
  3. Privacy Policy
  4. SSL Certificate
  5. Enquiry & Contact Form
  6. Newsletter Signups
  7. Payment Gateways
  8. Pseudonymisation or Anonymisation
  9. User Account Creation
  10. Live Chats
  11. Connected Email
  12. Social Media Account Connection
  13. Google Analytics (Tracking Systems)
  14. CRM connection


1. Cookie Policy

A page on your website that states which cookies are used on the site, the purpose of each cookie (both yours and those from third parties), what data you capture with them and what you do with it. All of this information must be shown to the user of the website.

This leads us on to the infamous ‘cookie pop-up’ or ‘cookie top/bottom bar’.

2. Cookie & Privacy Popup Notice

You will need to convey which cookies are employed and what the privacy policy is at the point the visitor first arrives on the website.

The most logical and well-established solution is a pop-up. It should explain that cookies are used on the site and that the user has to accept the use of their data as explained in the privacy and cookie policies.

The policy pages state which cookies are employed (both yours and third-party ones) and that the user has to accept the terms to be able to fully utilise the site. Because some cookies are purely functional rather than data-gathering tools, the website may not work correctly without them. The policy pages should also state how a user can ask you, the website owner, to disclose what information you hold about them and to have it permanently deleted.

The use of the website mustn’t be restricted to people who accept the use of cookies. The user should be given the choice to use the site without cookies and to decline the use of cookies for their session. The cookie notice has to explain that if they decline cookies the website may lose some functionality.

3. Privacy Policy

A privacy policy is a more thorough document that sets out the website owner’s full statement of what data is captured, when it is captured, what the data is used for, the details of any third parties it is shared with and how it is shared. It also includes the details of the DPO (Data Protection Officer) and the method by which a user can request a copy of their details and request that they be permanently deleted.

4. SSL Certificate

Secure Sockets Layer certificate – this is the encryption process that sits on the hosting space of your website. With it installed, the browser address bar displays a secure notice, sometimes turns green and shows a padlock symbol. Its purpose is to encrypt the information entered into any forms or fields on the website. Certificates can be purchased and installed from £99 per year. Several different SSL certificates are available, all encrypting the data to the same level (256 bit – 2048), but some come with further protection and insurance. Free certificates are offered by a project called ‘Let’s Encrypt’, but it’s doubtful this offer will last long and it doesn’t come with any assurances.

5. Enquiry & Contact Form

If your website has an enquiry form for people to send you messages, it is advisable to ensure the following are adhered to:

  1. The website has an SSL certificate.
  2. The details are not stored in the website’s SQL database unless they are stored encrypted.
  3. Whenever any data is sent to you by email, your email service provider must comply with GDPR, and the email has to be stored and sent in a GDPR-compliant, secure way. Many email service providers, such as Google Mail and Outlook 365, are updating their terms of service for GDPR. It is worth checking their policies to be certain your email provider complies. Email is the most common place where private data gets abused, misused or lost.
  4. Do you print out the email with the enquiry details on it? If your company does this, it is another data risk. Ensure you have a shredding process in place to safeguard printed emails containing users’ private details and to prevent them from just going into the bin!
  5. No pre-ticked boxes that automatically sign the enquirer up to anything, including a newsletter.
  6. Consent given with the enquiry covers that enquiry only. You can’t add any of the user’s details to your marketing database unless they have explicitly agreed to it via a separate tick box.

6. Newsletter Signups

Have you got a facility for users to subscribe to your website to receive a newsletter from you? Whether you send it out individually from your desktop email app or from a system like Mailchimp, Mizmoz, e-Shot, Communigator etc., you must make sure the tick box that handles this subscription is set so that the user has to OPT-IN, not opt out.

You need to seek consent for each method by which you plan to email them, indicating how their details will be used and how to unsubscribe. You cannot bundle automatic sign-up to the newsletter into your website’s standard terms of use/business. There has to be a separate opt-in tick box for each place you gather data on the site. E.g. if a user signs up to a service to buy on your website, they will have to tick a box to accept the terms of that service.

If you offer a monthly marketing newsletter, there must be a separate tick box that lets them choose it. It cannot be a ‘required’ field. You will also have to provide another separate tick box if you pass the user’s details to another party. Make sure that every email you send out has an unsubscribe link too.

7. Payment Gateways

If you have an E-commerce website and use payment gateways such as PayPal, Sagepay, Worldpay or Stripe, you will need to ensure (as well as following the processes in the points above) that the payment gateway’s privacy policy is checked and referenced from your own privacy policy. If they are UK (or European) based they will have to be GDPR compliant; if US-based, Privacy Shield compliant. The storage of actual payment details online is regulated by PCI compliance.

8. Pseudonymisation or Anonymisation

This one is the most difficult to resolve.

Most websites that have user accounts and store information about their users (like your Amazon account storing your name, address, birth date etc.) store the data in an SQL database. This is usually a web-based database that the website calls, queries and retrieves your details from when you sign in. More often than not, unless it’s online banking, these details are never stored encrypted, so if the SQL file were accessed, its contents could be read in the clear.

It is very difficult to both store and retrieve data in an encrypted way, which is why most sites don’t. However, under GDPR, ‘pseudonymisation’ means that websites will have to start moving towards users being identified by a username only, with all other data encrypted so that there is no possible connection between the user and the stored details. You will have to confer with your website developer and host about planning this change, as it will require time, planning and a budget.

9. User Account Creation

If your site is an E-commerce one or allows a user to create an account for access to services behind a login area, you will have to ensure you have both the SSL certificate installed (as referred to in the SSL Certificate point above) and also work towards the data being stored under pseudonyms. Recent headline examples (Uber, TalkTalk, Experian) have shown that even major internet giants aren’t doing this, so speak to your web developer about how to move towards this.

10. Live Chats

If you have a live chat service on your website, ensure that you refer to this third-party service in your cookie policy and privacy policy and that you review the provider’s GDPR/Privacy Shield policy. It may seem the data isn’t being stored anywhere, but a transcript of the chat is often emailed to both parties once it’s completed. The above principles on storage and use apply here, too.

11. Connected Email

For all email services you use, and the stored email of everyone you correspond with, data must be stored according to DPA (Data Protection Act) and GDPR guidelines. Briefly: store your email data securely, use good anti-virus software, and archive or completely delete unnecessary email. Ensure you have a Data Retention policy – a statement your organisation follows on how you store data and for how long before it is deleted. Typical business data retention policies are 2 years – anything older than that is usually out of date anyway. Regulated industries are an exception to this rule: financial services, medical, governmental, HMRC etc. may require you to keep data records longer, particularly with regard to accounting and finance. You will need to check with your regulatory body if you fall into this bracket.

12. Social Media Account Connection

Social media sites that are used for your organisation also fall under GDPR. Whilst you don’t need to seek permission from each person who ‘likes’ your page or ‘follows’ you, ensure that any information gathered directly from people with whom you interact on these sites is handled in line with the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an enquiry, ensure the chat history is completely deleted when it’s done. Ask the person to email you so that the formal correspondence is held outside the social media channel.

You also need to ensure that your privacy policy refers to these third-party data controllers, especially as people use SSO (Single Sign-On) to log into sites with their social media account logins for convenience. You also need to make sure that, if you use the details of your customers or connections on your social media page to promote your business, you have their consent to do so.

13. Google Analytics (Tracking Systems)

If you run Google Analytics on your site (or any other tracking service) you will have to make sure that it’s referred to in the cookie policy and the privacy policy, and check the third party’s own privacy policy to ensure they comply. Although we know that Google Analytics will be both GDPR and Privacy Shield compliant, other, lesser-known tracking services may not be.

You must enable the anonymisation option in Google Analytics to properly conform to GDPR. Google Analytics records users’ IP addresses in visitor reports and this is deemed ‘identifiable information’. You don’t really need it, so turn it off. What’s not fully clear right now is how this will affect geographic reports. We’ll update on this in the coming months.
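The consent gate behind the cookie pop-up of point 2, combined with the Google Analytics anonymisation setting of point 13, as an added example (not the post’s own code). It is default-deny: tracking scripts are allowed only after an explicit, recent ‘accept’; no cookie, a decline, a malformed or out-of-date value all get functional cookies only, so the site keeps working for people who decline. The cookie name, its JSON format and the six-month re-ask period are constructed for this demo; `anonymize_ip` is Google’s own gtag setting.

```javascript
// Added example (not the post's own code): default-deny consent check for the
// cookie pop-up, plus the script plan it produces. Cookie name, JSON format and
// the re-ask period are constructed for this demo.
const CONSENT_COOKIE = 'site_consent';
const POLICY_VERSION = 2;                     // bump when the cookie/privacy policy changes
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // stale consent is no consent

// Parse "a=1; b=2" (document.cookie or a Cookie request header) into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx <= 0) continue;
    try { out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim()); }
    catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// 'accepted', 'declined' or 'unknown' (unknown: show the pop-up and load no trackers).
function consentState(cookieHeader, now = Date.now()) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return 'unknown';
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return 'unknown'; }
  if (!rec || rec.v !== POLICY_VERSION || typeof rec.t !== 'number') return 'unknown';
  if (now - rec.t > MAX_AGE_MS) return 'unknown';
  return rec.choice === 'accept' ? 'accepted' : 'declined';
}

// The Set-Cookie value written when the user clicks Accept or Decline. It is only
// ever written on a click, never pre-set, so there is no implied consent.
function consentCookieValue(choice, now = Date.now()) {
  const rec = encodeURIComponent(JSON.stringify({ v: POLICY_VERSION, choice, t: now }));
  return `${CONSENT_COOKIE}=${rec}; Path=/; Max-Age=${MAX_AGE_MS / 1000}; SameSite=Lax; Secure`;
}

// Which script groups the page may load. Functional scripts are always allowed;
// analytics only after acceptance, and then with Google Analytics' own
// 'anonymize_ip' option on (point 13) so full IP addresses are not recorded.
function scriptsToLoad(state) {
  const plan = { functional: true, analytics: false, gtagConfig: null };
  if (state === 'accepted') {
    plan.analytics = true;
    plan.gtagConfig = { anonymize_ip: true }; // passed to gtag('config', ID, ...)
  }
  return plan;
}
```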

14. CRM connection

This relates to points 6, 7, 8, 9 & 10. If your website captures users’ data and then writes it into a CRM, such as Salesforce or Pardot, you need to ensure that the data collection process is secure, as described above, and that you refer to the third-party service in your privacy policy. Additionally, if your website automatically sends the enquiry into the CRM, the date, time, reason for capture and consent details must also be captured. A user has the legal right to ask you where you captured their details, when, whether it was made explicit how the data would be used, and how the details can be permanently deleted (also known as a ‘request to be forgotten’).

The ICO (Information Commissioner’s Office) has launched a dedicated advice line to help small organisations prepare themselves for the new GDPR laws. The service is aimed at people running small businesses or charities and recognises the particular problems they face in getting ready for the new law.

You can learn more here: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/

Published May 20th, 2018
