Disclaimer: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
From 25th May 2018, the General Data Protection Regulation (GDPR) will come into force. Affecting companies and sole traders of all sizes, GDPR is a significant tightening of data protection laws, aiming to strengthen data privacy for all EU citizens.
Any business Worldwide that trades with, or handles data of individuals in the EU must comply with GDPR. Significant fines of up to 4% of revenue or 20 million euros could be imposed on none-compliant businesses.
Could I really be fined that much?
Theoretically yes, regardless of your business size. In practice, the UK’s Information Commissioner, Elizabeth Denham, has indicated that the intention of the regulations is to protect data, and that they prefer to work with companies to improve their practices rather than making an example of them through fines. She also adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it.
What exactly is GDPR?
The regulations are concerned with the handling of data throughout an organisation, rather than just online marketing or website compliance. In broad terms, the Regulation covers:
Ensuring businesses have permission, and a lawful basis to process individuals data.
The right of an individual to access what businesses hold about them, the right to rectify or request removal and more.
Ensuring businesses have correct procedures and documentation in place.
Ensuring businesses have appropriate technical and organisational measures in place.
Ensuring businesses report data breeches to their relevant authorities and individuals themselves, within an appropriate time span.
Where Can I Read More?
The Information Commissioner’s Office has an excellent and easy-to-read Guide to the GDPR.
How Does GDPR Affect My Website?
GDPR impacts your business as a whole, encompassing your offline and office, marketing and sales activities. Your website of course also needs to adhere to GDPR principles.
As a website owner, you are designated a ‘Data Controller’ in charge of personal data that your website may store or come into contact with.
Other organisations that you work with who may come into contact with your website application or data, such as: website agencies, IT providers, website hosts, emailing companies, are designated a ‘Data Processor’ acting on behalf of the ‘Data Controller’.
No two websites are the same, but some general principles might help website owners ensure their website adheres to GDPR principles.
If you send out a regular newsletter to your customers, you need to ensure you have obtained explicit consent to email them, through a clear affirmative action. This means clear language, and no pre-ticked consent boxes.
Consent is needed retrospectively for your existing mailing list as well as future sign-ups.
If your existing mailing list collection process uses a third-party service such as MailChimp, check whether ‘double opt-in’ is enabled. Double opt-in is where the customer signing up is sent an email asking for their confirmation (through the click of a button) to add them to the list. This act of confirming the sign-up may count as affirmative action for your existing list.
Moving forward, you should enable this feature and review your sign-up mechanism to ensure there is a checkbox, with clear language indicating how you intend to use their data.
Only Hold The Data You Need To
If you don’t hold data, you don’t need to protect it. In practical terms, review where on your website you gather and store personal information, and question whether it is needed.
Some websites utilise a ‘contact form database add-on’. This is where a contact form is submitted and triggers an email to the website owner, but the add-on also stores the contact submission in the database for future retrieval. If you haven’t used the feature recently, there’s a good chance it isn’t needed.
Update Your Policies
Ensure the security of your website is as good as it can be. This includes ensuring any passwords to your website Content Management System are changed frequently and are cryptic.
You may wish to implement an SSL certificate to ensure all website traffic is encrypted, or utilise a security plugin to help keep out hackers.
Most importantly you need to ensure your website software is kept up-to-date. Just like a computer has regular updates, your website also has regular updates that fix weaknesses. Updates can be to your Content Management System itself, plugins being used or themes in use.
Your website will usually display an icon indicating updates are available, and as a website owner, it is your responsibility to ensure these updates are made. The vast majority of our clients use WordPress for their website, and information on updating can be found using the links below:
We offer monthly maintenance plans to clients where we keep their website updated on their behalf. This includes taking backups and testing upgrades on a test version of your website before applying them to your live site.
Maintenance plans also include firewall protection, 24/7 monitoring, and disaster recovery should your site be hacked. Please see full details on our list of Hosting Plans.
We would recommend reviewing the ICO guidance and preparing a business-wide plan for tackling GDPR. A lot of the guidance is simply good practice for handling data, and isn’t as onerous as you may think.
If you need guidance with, or changes to your website, feel free to contact us and we’d be happy to book some time for you to provide customised recommendations.