
GDPR: It’s Happening

Administratively and logistically, coping with the change is going to be daunting for many smaller and medium-sized businesses. It will take time and money to audit current data and change the way future data is captured, stored and used.

Overview

Before we go further, we just want to say that the new regulations are a good thing. Representing the biggest shakeup in data protection in over twenty years, they are well overdue.

With the advancement of digital media, if you use a phone or a laptop, or browse and shop online (that’s most of us, right?) your personal details are tracked and recorded 24/7.

Everyone values their privacy and GDPR is being put in place to make sure that all those companies whose websites we visit look after the things they know about us in the correct way.

And if you happen to be one of those websites or businesses then you now have to take your duties and obligations seriously. Why? Read on.

Fines

The threat of huge fines (up to 4% of global revenues or 20 million euros, whichever is higher) hangs over those who fail to comply.

And while the enforcement is not expected to be immediate or draconian, there is still a sense of mild panic among small businesses about what they should be doing to ensure that their website, database and business practices are all fully compliant.

The UK’s independent authority on data protection, the ICO, offers both a comprehensive 12-step guide and online self-assessment toolkits. They can be found here.

However, not all of the new regulations are applicable to everyone, so it’s worth taking some time to familiarise yourself with the implications of the new expectations before panicking.

How we can help

We’ve scratched our heads and put together some research to give you an informed overview for the best practices for your website with regards to GDPR.

Disclaimer: GDPR is not just about your website; there are obligations you must fulfil as a business too. We cannot advise on the legality of GDPR and your business but we are able to help and advise you fulfil some of your obligations on your website. The following list is based on our own research and knowledge of how our sites are built. Please do contact us if you have any questions.

GDPR and your website

The tasks you should undertake on your website to conform with GDPR:

1. Cookies

All websites using cookies must display a cookie notice that the user can accept or opt out of. If your site is using WordPress, you may need a GDPR-compliant notice where consent must be agreed before continuing. The simplest way to handle this for most website owners is to provide a simple explanation of how users can clear and block cookies in their browser.

We can add a cookie acceptance to the bottom of every page, which also explains how users can clear and block cookies on their browser.

2. Privacy policy

If you are collecting any data (including just an email address for a newsletter) then you should have a privacy policy. This should be available on every page (usually linked to from your footer) and from any instances where users sign-up with their details.

If you have an eCommerce website and use one of the payment gateways such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that the payment gateway privacy policies are checked and referenced in your own privacy policy. If they are UK (or European)-based, they will need to be GDPR compliant; if US-based, Privacy Shield compliant. The storage of actual payment details on a website falls under and is regulated by Payment Card Industry (PCI) Compliance.

We can provide you with a new page ready for your privacy policy and add links to it from the footer and other locations.

3. GDPR compliant consent

You must send your new privacy policy to your subscribers to ensure they accept it, and it must specify how you will use their data. It may be appropriate to ask them to accept this policy if they wish to remain on your subscriber list.

We can help you update your subscriber list so you can put this policy in place.

4. Opt-in on subscribe

You should have an opt-in tick box and a link to your privacy policy within your subscribe, contact us and any other forms on your website. You must not automatically add someone to your subscriber list if they email you, you should not add them manually without consent, and you should not add them automatically if they use your contact us form.

We can make sure that your contact us form has the relevant GDPR fields and only adds users to your subscriber list if accepted.
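As an added example (not code from the original post), this is how a server-side form handler can enforce points 3 and 4: only a ticked opt-in box adds an address to the list, and the consent is recorded with a timestamp and the policy version it refers to. The field names, policy version string and in-memory store are assumptions.

```javascript
// Added example: consent-gated subscribe handling with an evidentiary
// consent record. Field names and the store are assumed, not the post's own.

const PRIVACY_POLICY_VERSION = '2018-05'; // assumed: bump when the policy text changes

// Only the literal values a ticked checkbox submits count as consent. An
// absent field (box left unticked) or anything else is treated as "no".
function hasExplicitOptIn(fields) {
  const value = String(fields.newsletter_opt_in).toLowerCase();
  return ['on', 'yes', 'true', '1'].includes(value);
}

function isPlausibleEmail(value) {
  return typeof value === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// Handle one form submission. `subscribers` is a Map standing in for the
// mailing-list store. Returns the consent record created, or null when the
// message was received but the person must NOT be subscribed.
function handleFormSubmission(fields, subscribers, now = new Date()) {
  if (!isPlausibleEmail(fields.email)) {
    throw new Error('a valid email address is required');
  }
  const email = fields.email.trim().toLowerCase();

  // A contact-us message or a bare email never implies consent (point 4).
  if (!hasExplicitOptIn(fields)) return null;

  const record = {
    email,
    consentedAt: now.toISOString(),        // when consent was given
    policyVersion: PRIVACY_POLICY_VERSION, // which policy text was accepted (point 3)
    source: fields.form_id || 'unknown',   // which form on the site collected it
  };
  subscribers.set(email, record);
  return record;
}
```

Keeping `policyVersion` on every record is what lets you later tell which subscribers must be re-asked when the privacy policy changes.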

5. Sensitive data

If you collect sensitive data (e.g. religion, health) then you should ask your users for explicit consent. You will need to do this in addition to your GDPR compliant consent acceptance.

We can help you set up the email and form to send this compliance through to your users.

6. Your email marketing system checks

You will need to ensure that your email marketing system (e.g. Mailchimp) has a way for users to opt out of (unsubscribe from) your subscriber list.

We can help you ensure that this is working correctly and set up in accordance with GDPR.

7. Access to a user’s data and the right to deletion

You will need to have a process in place if a user requests a copy of their information, or they request to be deleted.

We can help you make sure you know how to access this information in your email marketing system and within any applications on your website.

8. Security & back-ups

You will need to ensure that your data on a server is protected and backed up regularly, and you should have an internal process to follow if a data breach occurs.

If you are not on our secure, automatically backed-up hosting then you may wish to transfer to us for peace of mind.

9. SSL certificate

Your site must have an SSL certificate (the address bar shows https:// and a padlock) if you are collecting any data.

All sites hosted by Individualise have an SSL as standard. If you don’t have one we can help you set one up.

10. Pseudonymisation or anonymisation

All websites that collect data should be aiming towards storing personal details anonymously or via a pseudonym.

We would be happy to discuss this with you if it is appropriate to your data.

11. Form submission

If your site has an online form and the submission is emailed to you, you must ensure that your email provider is compliant with GDPR. All email services, and the storage of email from everyone you correspond with, must be in accordance with GDPR guidelines anyway.

Check that your email provider has a suitable policy in place and that you have accepted it.

12. Google Analytics (and other user tracking systems)

If you run Google Analytics on your site (or any other tracking service) you will need to make sure that it is referred to in the cookie policy and the privacy policy, and that you check the third party’s own privacy policy to ensure they comply. Whilst we know that Google Analytics will be both GDPR and Privacy Shield compliant, other, lesser-known tracking services may not be. You must enable the anonymisation option in Google Analytics to properly conform to GDPR. Google Analytics records users’ IP addresses in visitor reports and this is deemed ‘identifiable information’.

We can help you update Google Analytics to switch on anonymisation.
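As an added example (not code from the original post or from Google), this shows what the Google Analytics anonymisation option does to an address, zeroing the last octet of an IPv4 address or the last 80 bits of an IPv6 address, so you can apply the same truncation to IPs in your own server logs. It assumes the gtag.js tracking snippet; the property id is a placeholder.

```javascript
// Added example: IP truncation matching the documented Google Analytics
// "anonymize IP" behaviour, usable on your own logs, plus the gtag.js config
// that switches the option on. The property id below is a placeholder.

function anonymiseIpv4(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error(`not an IPv4 address: ${ip}`);
  parts[3] = '0';            // zero the last octet (8 bits)
  return parts.join('.');
}

// Expand "::" shorthand into eight 16-bit groups, zero-padded and lower-case.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  return groups.map(g => g.toLowerCase().padStart(4, '0'));
}

function anonymiseIpv6(ip) {
  const groups = expandIpv6(ip);
  // Keep the first 48 bits (three groups); the remaining 80 bits become zero.
  const kept = groups.slice(0, 3).map(g => g.replace(/^0+(?=.)/, ''));
  return kept.join(':') + '::';
}

// Dispatch on address family; throws on anything that is not an IP address.
function anonymiseIp(ip) {
  return ip.includes(':') ? anonymiseIpv6(ip) : anonymiseIpv4(ip);
}

// The gtag.js call that asks Google Analytics to do the same truncation
// before the address is stored:  gtag('config', 'UA-XXXXXXXX-X', { anonymize_ip: true });
// (With the older analytics.js snippet it is  ga('set', 'anonymizeIp', true);)
function analyticsConfigArgs(propertyId) {
  return ['config', propertyId, { anonymize_ip: true }];
}
```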

Please contact us to discuss how we can help with any of these issues.
