Ensure Your Website Is GDPR Compliant
There are 14 points in total first 5 points must be followed by every website. The other 9 points are followed according to the nature and requirements of the website.
- Cookie & Privacy Popup Notice
- SSL Certificate
- Inquiry & Contact Form
- Newsletter Signups
- Payment Gateways
- Pseudonymisation or Anonymisation
- User Account Creation
- Live Chats
- Connected Email
- Social Media Account Connection
- Google Analytics (Tracking Systems)
- CRM connection
A page on your website that states what cookies are used on the site, the purpose of the cookies, both yours and from third parties, and what data you capture with them, and what you do with it. All the information must be shown to the user of the website.
This leads us on to the infamous ‘cookie pop up’, ‘cookie top/bottom bar.’
Cookie & Privacy Popup Notice
The policy pages state which cookies are employed (both yours and third-party ones) and that you have to accept the terms to be able to fully utilize the site. It is possible that since some cookies are purely functional and not data gathering tools, that the website won’t work correctly for you. You will have to request the website owner to disclose what information you hold about the user and make it deleted permanently.
Secure Sockets Layer certificate – this is the encryption code process that sits on the hosting space of your website. Its improvements make the browser bar display a security notice and sometimes go green and show a padlock symbol. The purpose is to securely encrypt the information that is entered into any forms or fields on a website. They can be purchased and installed for £99 per year. Several different SSL certificates are available, all encrypting the data to the same level (256 bit – 2048) but some have further protection and insurance. There are free ones being offered with regard to a project called ‘Let’s Encrypt’ but it’s doubtful this offer will last long and doesn’t come with any assurances.
Enquiry & Contact Form
So if your website has an inquiry form for people to send you messages, it is advisable to ensure the following are adhered to:
The website has an SSL
The details are not stored in the website’s SQL database unless stored encrypted
Whenever any data is sent to you by email, your email service provider must follow GDPR rules, and the email has to be stored and sent according to GDPR Compliant secure ways. Many email service providers are there over the internet like Google mail and Outlook 365 are updating their terms of service according to GDPR Compliant. It is worth checking their policies to be certain your email provider complies. Emails are the most common places where private data gets abused and misused or lost.
So Do you print out the email with the inquiry details on it? If your company undertakes this, it can be another data risk. Ensure you have got a shredding process in place to safeguard emails with users’ private details and prevent them from just going into the bin!
No pre-ticked boxes to automatically sign the enquirer up to and including the newsletter.
The inquiry is explicit in that instance. You can’t add the user’s details to your marketing database unless they have fully agreed to it by using a separate tick box.
Have you got the facility for users to subscribe to your website to receive a newsletter from you? Whether you send that out individually from your desktop email app or from a system like Mailchimp, Mizmoz, e-Shot, Communicator, etc, you must make sure the tick box that handles this subscription is set to the user has to OPT-IN and not opt-out.
If you offer a monthly marketing newsletter, there must be a separate tick box to enable them to select. It cannot be a ‘required’ field. You will also have to provide another separate tick box if you give the user’s details to another party. Make sure that the emails you send out all have an unsubscribe link too.
Pseudonymisation or Anonymisation
This one is the most difficult to resolve.
Most websites that have user accounts and store information about their users (like your Amazon account storing your name, address, birth date, etc) store the data in an SQL database. This is usually a web-based database that the website calls to, queries, and delivers your details when you sign in. More often than not, unless it’s online banking, these details will never be stored encrypted and so if the SQL file was accessed, the content could be clearly read.
It is very difficult to both store and retrieve data in an encrypted way and is why most sites don’t. However, together with GDPR Compliant, ‘pseudonymization’ means that websites will have to start moving towards the users being identified by a username only and that all of those other data is encrypted so that there’s no possible connection between the user and the stored details. You will have to confer with your website developer and host about planning this change as it will require time, planning, and require a budget.
User Account Creation
If your site is an E-commerce one or allows a user to create an account for access to services behind a login area, you will have to ensure you have both the SSL installed (as referred to in point 6) and also work towards the data being stored using pseudonyms. Recent headline examples (Uber, TalkTalk, Experian) have shown that even major internet giants aren’t doing this, so better approach to your web developer for tips on how to move towards this process.
All email services in the market and the storage of email from all with whom you are connected, data must be stored according to DPA (Data Protection Act) & GDPR guidelines and instructions. Briefly, be sure you store and save your email data securely, must use good anti-virus applications, and archive and delete unnecessary emails completely. Ensure you have a Data Retention policy – a statement that your organization follows when it comes to how you store data and for how long prior to it being deleted. Typical business data retention policies are 2 years – anything older than that is usually out of date anyway. The list of regulated industries that are excepted to the rule here is – financial services, medical, Governmental, HMRC, etc – these businesses may need you to keep data records longer, particularly with regard to accounting and finance. You will need to check with your regulated body if you fall into this bracket.
Social Media Account Connection
Social media sites that are used for your organization also fall under GDPR Compliant. Whilst you don’t need to seek permission from each person who ‘likes’ your page or ‘follows’ you, ensure that any information gathered directly from people with whom you interact on these sites is handled relative to the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an inquiry, ensure the chat history is completely deleted when it’s done. Get the person to email you to enable you to hold the formal connection outside of a social media channel.
Google Analytics (Tracking Systems)
You must enable the anonymization option in Google Analytics to properly conform to GDPR Compliant. Google Analytics records users’ IP addresses in visitor reports and this is deemed as ‘identifiable information ‘. You don’t really need it so turn it off. What’s not fully clear right now is how this will affect geographic reports. We’ll update you on this in the coming months.
The (ICO) has begun a committed advice line to help small organisations prepare themselves for the new (GDPR) laws. The service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law.
You can learn more here: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/