Administratively and logistically, coping with the change is going to be daunting for many smaller and medium-sized businesses. It will take time and money to audit current data and change the way future data is captured, stored and used.
Before we go further, we just want to say that the new regulations are a good thing. Representing the biggest shakeup in data protection in over twenty years, they are well overdue.
With the advance of digital media, if you use a phone or a laptop, or browse and shop online (that’s most of us, right?), your personal details are tracked and recorded 24/7.
Everyone values their privacy and GDPR is being put in place to make sure that all those companies whose websites we visit look after the things they know about us in the correct way.
And if you happen to be one of those websites or businesses then you now have to take your duties and obligations seriously. Why? Read on.
The threat of huge fines (up to 4% of global revenues or 20 million euros, whichever is higher) hangs over those who fail to comply.
And while the enforcement is not expected to be immediate or draconian, there is still a sense of mild panic among small businesses about what they should be doing to ensure that their website, database and business practices are all fully compliant.
The UK’s independent authority on data protection, the ICO, offers both a comprehensive 12-step guide and online self-assessment toolkits. They can be found here.
However, not all of the new regulations are applicable to everyone, so it’s worth taking some time to familiarise yourself with the implications of the new expectations before panicking.
How we can help
We’ve scratched our heads and put together some research to give you an informed overview of best practices for your website with regard to GDPR.
Disclaimer: GDPR is not just about your website; there are obligations you must fulfil as a business too. We cannot advise on the legality of GDPR and your business but we are able to help and advise you fulfil some of your obligations on your website. The following list is based on our own research and knowledge of how our sites are built. Please do contact us if you have any questions.
GDPR and your website
The tasks you should undertake on your website to conform with GDPR:
1. Cookie notice
All websites using cookies must display a cookie notice that the user can accept or opt out of. If your site is using WordPress, you may need a GDPR-compliant notice, and consent must be agreed before continuing. The simplest way to handle this for most website owners is to provide a simple explanation of how users can clear and block cookies in their browser.
We can add a cookie acceptance to the bottom of every page, which also explains how users can clear and block cookies on their browser.
3. GDPR compliant consent
We can help you update your subscriber list so you can put this policy in place.
4. Opt-in on subscribe
We can make sure that your contact us form has the relevant GDPR fields and only adds users to your subscriber list if accepted.
5. Sensitive data
If you collect sensitive data (e.g. religion, health, etc.) then you should ask your users for explicit consent. You will need to do this in addition to your GDPR-compliant consent acceptance.
We can help you set up the email and form to send this consent request through to your users.
6. Your email marketing system checks
You will need to ensure that your email marketing system (e.g. Mailchimp) has a system for users to opt out of (unsubscribe from) your subscriber list.
We can help you ensure that this is working correctly and set up in accordance with GDPR.
7. Access to a user’s data and the right to deletion
You will need to have a process in place if a user requests a copy of their information, or they request to be deleted.
We can help you make sure you know how to access this information in your email marketing system and within any applications on your website.
8. Security & back-ups
You will need to ensure that your data on a server is protected and backed up regularly, and you should have an internal process for when a data breach occurs.
If you are not on our secure, automatically backed-up hosting then you may wish to transfer to us for peace of mind.
9. SSL certificate
Your site must have an SSL certificate (the address bar shows https:// and a padlock) if you are collecting any data.
All sites hosted by Individualise have an SSL certificate as standard. If you don’t have one, we can help you set one up.
10. Pseudonymisation or anonymisation
All websites that collect data should be aiming towards storing personal details anonymously or via a pseudonym.
We would be happy to discuss this with you if it is appropriate to your data.
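As an added illustration of the pseudonymisation point above (example code, not part of the original post or of any Individualise site), the snippet below replaces a subscriber's email address with a keyed HMAC-SHA256 token. The key is an assumption: in practice it would be generated once and kept separately from the records, which is what makes the token a pseudonym rather than a plain hash that anyone could re-identify by hashing guessed addresses.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Pseudonymisation key (assumed for this example). In a real deployment it is
# generated once and stored apart from the pseudonymised records, so that a
# leaked database on its own cannot be linked back to real people.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalise_email(email: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' agree."""
    return email.strip().lower()


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 over the normalised address.

    The same address always yields the same token under one key, so records
    can still be linked and deleted on request, but the token cannot be
    turned back into an address without the key.
    """
    return hmac.new(key, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256, included only to show why it is NOT adequate pseudonymisation."""
    return hashlib.sha256(normalise_email(email).encode()).hexdigest()


def reidentify(token: str, guesses: Iterable[str], hasher: Callable[[str], str]) -> Optional[str]:
    """Self-check: does any guessed address reproduce this stored token?"""
    for guess in guesses:
        if hmac.compare_digest(hasher(guess), token):
            return normalise_email(guess)
    return None


# Constructed sample data (not real subscribers).
SUBSCRIBERS = ["Alice@Example.com", "bob@example.org"]
GUESSES = ["alice@example.com", "carol@example.net", "bob@example.org"]


def demo() -> dict:
    """Contrast the two schemes on the constructed sample."""
    stored = pseudonymise("bob@example.org")
    return {
        "stable": pseudonymise("Alice@Example.com") == pseudonymise(" alice@example.com "),
        "plain_hash_guessed": reidentify(unkeyed_hash("bob@example.org"), GUESSES, unkeyed_hash),
        "keyed_without_key": reidentify(stored, GUESSES, lambda e: pseudonymise(e, b"wrong-key")),
        "keyed_with_key": reidentify(stored, GUESSES, pseudonymise),
    }
```

Because the plain hash of an address is guessable from a list of candidate addresses, only the keyed form gives the separation between stored data and identity that pseudonymisation is meant to provide.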
11. Form submission
If your site has an online form and the submission is emailed to you, you must ensure that your email provider is compliant with GDPR. In any case, all the email services you use, and the email you store from everyone you correspond with, must be handled in accordance with GDPR guidelines.
Check that your email provider has a suitable policy in place and that you have accepted it.
12. Google Analytics (and other user tracking systems)
We can help you update Google Analytics to switch on anonymisation.
Please contact us to discuss how we can help with any of these issues.