Disclaimer: This article is not provided as authoritative legal guidance. Gem Internet does not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.

Here are some helpful guidelines for businesses that want to make their website more compliant with the GDPR data protection regulations that become enforceable after 25th May 2018. This is not a complete guide to all data protection best practice, but practical guidance on how a website can be made more compliant.

The General Data Protection Regulation (GDPR)

GDPR is in place to make sure that businesses that store a user’s data do so in a secure and proper way. It’s about looking after the information you, as a business, hold about other people and how it’s used.

The questions you need to review:

Compliance work should start with a data risk assessment that covers not just the data handled by the website but the whole business’s practices. You should address the following questions about your website:

  1. What data is being captured and held?
  2. When and where is it captured?
  3. How long will the data be stored?
  4. How is it being used?
  5. Do you have explicit consent from the user to have and use the data?
  6. Do you tell users whom to contact to find out what data you hold about them and how it is being used?
  7. Do you display the process for a user to ask to have all the data you hold about them permanently removed from your system? (The Right to be Forgotten)

You must be able to prove that the user gave explicit consent to your holding the data, and consent to what it will be used for.

The user must be able to withdraw consent at any time.

Organisations need to make sure they:

  • Have a data breach process
  • Appoint a Data Protection Officer (DPO)
  • Have a ‘Right to be Forgotten’ process (also known as Right of Erasure)
  • Have good default privacy settings
  • Improve data encryption and work towards storing user profiles as pseudonyms

Compliant connected systems: Google, Mailchimp, Salesforce, Facebook etc

You need to make sure that your processes and policy clearly state which third-party data processors you use and where a subject’s data is passed to.

The website GDPR compliance guideline checklist:

As an organisation you need to make sure you are registered on the ICO (Information Commissioner’s Office) website as a data controller (you may be a data processor as well). Go to https://ico.org.uk/for-organisations/ for more information.

The website checklist:

1. Cookie policy

A page on your website that states which cookies are used on the site, both your own and those set by third parties, what data you capture with them and what you do with it.

2. Cookie & privacy popup notice

The easiest way for most website owners to handle this is to provide a simple notice explaining that users can clear and block cookies in their browser settings.

3. Privacy policy

A privacy policy is a more thorough document: the website owner’s full statement of what data is captured, when it is captured, what the data is used for, the details of any third parties involved, and the process by which a user can request a copy of the details held about them or ask for them to be permanently deleted.

4. SSL certificate

The purpose of an SSL certificate is to serve the site over HTTPS so that all the details sent through any forms or fields on the website are encrypted in transit between the browser and the server. Note that this protects data on the way to you only; what you do with it once it arrives is covered by the other points on this list.

5. Pseudonymisation or anonymisation

As part of GDPR, ‘pseudonymisation’ means that websites will need to start moving towards identifying users by a username or similar pseudonym only, with the details that identify the real person held separately.

6. Newsletter signups

You need to make sure the tick box that handles this subscription requires the user to opt in rather than opt out (it must not be pre-ticked). Every email you send out must also carry an unsubscribe link.

7. User account creation

If your website is an online shop or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have SSL installed and also start working towards the data being stored under pseudonyms.
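The pseudonymisation described under points 5 and 7 can be implemented as shown below. This is an added example, not code from the original article or from Gem Internet: a user profile is stored under a pseudonym, the only copy of the real email address sits in a separate lookup table, and a Right to be Forgotten request removes that lookup row and unlinks what remains. It goes one step beyond the article’s “username only” by deriving an internal pseudonym with a keyed HMAC, so that even the pseudonym cannot be recomputed without the key. The key handling, table layout and sample user are assumptions made for this illustration.

```python
"""
Added example (not from the original article or Gem Internet): pseudonymous
profile storage with a separate identity table, plus erasure.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Assumption: in a real deployment this key lives in a secrets store and is
# never written into the same database as the profiles.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym_for(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable pseudonym from an email address with HMAC-SHA256.

    Lower-casing first means Jane@Example.com and jane@example.com map to the
    same record.  Without the key nobody can recompute or reverse the value,
    which is what separates this from a bare SHA-256 of the address (a bare
    hash of an email can be matched against a list of candidate addresses).
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def open_store() -> sqlite3.Connection:
    """Two tables: `identity` holds the only copy of the real email address;
    `profile` holds everything the site uses day to day, keyed by pseudonym."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE identity (pseudonym TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE profile (pseudonym TEXT PRIMARY KEY, "
        "display_name TEXT, order_count INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def create_account(conn: sqlite3.Connection, email: str, display_name: str) -> str:
    """Register a user and return the pseudonym the rest of the site uses."""
    p = pseudonym_for(email)
    conn.execute("INSERT INTO identity VALUES (?, ?)", (p, email.strip().lower()))
    conn.execute("INSERT INTO profile VALUES (?, ?, 0)", (p, display_name))
    conn.commit()
    return p


def email_for(conn: sqlite3.Connection, pseudonym: str) -> Optional[str]:
    """Re-identify a pseudonym; only code that genuinely needs the address
    (sending an order confirmation, say) should call this."""
    row = conn.execute(
        "SELECT email FROM identity WHERE pseudonym = ?", (pseudonym,)
    ).fetchone()
    return row[0] if row else None


def profile_for(conn: sqlite3.Connection, pseudonym: str) -> Optional[dict]:
    row = conn.execute(
        "SELECT display_name, order_count FROM profile WHERE pseudonym = ?",
        (pseudonym,),
    ).fetchone()
    return {"display_name": row[0], "order_count": row[1]} if row else None


def erase_user(conn: sqlite3.Connection, email: str) -> bool:
    """Right to be Forgotten.  Deletes the identity link, blanks the free-text
    profile fields and moves the remaining row (just an order count, kept as
    an unlinkable statistic) under a fresh random token, so not even the key
    holder can connect it to the email address again.  Returns False when no
    such user exists."""
    p = pseudonym_for(email)
    cur = conn.execute("DELETE FROM identity WHERE pseudonym = ?", (p,))
    if cur.rowcount == 0:
        return False
    conn.execute(
        "UPDATE profile SET pseudonym = ?, display_name = NULL WHERE pseudonym = ?",
        (secrets.token_hex(16), p),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    # Constructed sample user for the demonstration.
    db = open_store()
    pseud = create_account(db, "Jane@Example.com", "Jane")
    print(pseud, email_for(db, pseud), profile_for(db, pseud))
    print(erase_user(db, "jane@example.com"), email_for(db, pseud), profile_for(db, pseud))
```

Day-to-day code (order history, login sessions, analytics) only ever touches the `profile` table and the pseudonym, so a leak of that table on its own exposes no directly identifying data, and an erasure request is a single, auditable operation on the `identity` table.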

8. Payment gateways

If you have an ecommerce website and use one of the popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that the payment gateway privacy policies are checked and referenced in your own privacy policy.

9. Enquiry & contact form

If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:

  • The website has an SSL
  • The details are not stored in the website’s SQL database unless they are stored encrypted
  • If they are sent to you by email, your email service provider adheres to GDPR rules and the email is stored and sent using methods that meet GDPR security requirements
  • No pre-ticked boxes to automatically sign the enquirer up to a newsletter or mailing lists

The consent given with an enquiry covers that enquiry only. You cannot then add the user’s details to your marketing database unless they have explicitly agreed to it using a separate tick box.
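The server-side half of points 6 and 9 (opt-in rather than opt-out, no pre-ticked boxes, a separate tick box for marketing, provable consent that can be withdrawn) can look like the following. This is an added example, not code from the original article or from Gem Internet: the enquiry is handled on its own, the marketing list is touched only when the separate box was actually ticked, every consent is logged with a timestamp and the exact wording shown, and the unsubscribe handler withdraws it. The field names, the wording and the in-memory store are assumptions made for this illustration.

```python
"""
Added example (not from the original article or Gem Internet): enquiry form
handling with a separate, unticked marketing opt-in and a consent record.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumption: the exact text shown beside the tick box.  It is stored with
# each consent so you can later show what the user agreed to.
NEWSLETTER_WORDING = (
    "Yes, email me the monthly newsletter. You can unsubscribe at any time."
)


@dataclass
class ConsentRecord:
    email: str
    purpose: str                      # e.g. "newsletter"
    wording: str                      # text the user saw when ticking the box
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


CONSENT_LOG: List[ConsentRecord] = []   # the proof of consent; never deleted
MARKETING_LIST: Set[str] = set()        # addresses you may actually email


def newsletter_checkbox_html() -> str:
    """Markup for the opt-in box.  Deliberately no `checked` attribute: the
    default state is unticked, so only a positive act by the user counts."""
    return (
        '<label><input type="checkbox" name="newsletter" value="on"> '
        f"{NEWSLETTER_WORDING}</label>"
    )


def handle_enquiry(form: Dict[str, str]) -> Dict[str, bool]:
    """Process one parsed POST body from the enquiry form.

    Browsers leave an unticked checkbox out of the submission entirely, so
    an absent field must be read as "no" and never as a default "yes".
    """
    email = form["email"].strip().lower()
    message = form["message"]        # forwarded to the inbox, not stored here
    opted_in = form.get("newsletter") == "on"

    result = {"enquiry_sent": bool(message.strip()), "newsletter": False}
    if opted_in:
        CONSENT_LOG.append(ConsentRecord(
            email=email, purpose="newsletter", wording=NEWSLETTER_WORDING,
            given_at=datetime.now(timezone.utc),
        ))
        MARKETING_LIST.add(email)
        result["newsletter"] = True
    return result


def has_active_consent(email: str, purpose: str) -> bool:
    """Check before any marketing send; the list alone is not enough."""
    email = email.strip().lower()
    return any(
        r.active for r in CONSENT_LOG if r.email == email and r.purpose == purpose
    )


def withdraw_consent(email: str, purpose: str) -> bool:
    """Handler behind the unsubscribe link.  Marks every active record for
    this purpose as withdrawn and drops the address from the list, but keeps
    the record so you can still show when consent was given and withdrawn.
    Returns False if there was nothing to withdraw."""
    email = email.strip().lower()
    now = datetime.now(timezone.utc)
    changed = False
    for r in CONSENT_LOG:
        if r.email == email and r.purpose == purpose and r.active:
            r.withdrawn_at = now
            changed = True
    if purpose == "newsletter":
        MARKETING_LIST.discard(email)
    return changed


if __name__ == "__main__":
    # Constructed submissions for the demonstration.
    print(handle_enquiry({"email": "Jane@Example.com", "message": "Quote please"}))
    print(handle_enquiry({"email": "jane@example.com", "message": "Hi",
                          "newsletter": "on"}))
    print(withdraw_consent("jane@example.com", "newsletter"),
          has_active_consent("jane@example.com", "newsletter"))
```

The point of `CONSENT_LOG` is evidence: a marketing list on its own tells you who you email, not that they agreed, when, or to what wording. Keeping the withdrawn records (rather than deleting them) is what lets you answer both questions later.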

10. Live chat

If you have a live chat service on your website, you need to make sure that you refer to this third-party service in your cookie policy and privacy policy.

11. Email

Whilst not strictly website-related, all email services, and the stored email of everyone with whom you correspond, must be handled in accordance with DPA (Data Protection Act) and GDPR guidelines.

12. Social media account connection

Using social media sites for your organisation also falls under GDPR.

You also need to make sure that your privacy policy refers to these third-party data controllers, especially as people use SSO (Single Sign-on) to log in to sites with their social media accounts for convenience. You also need to ensure that, if you use the details of your customers or connections on your social media page to promote your business, you have their consent to do so.

13. Google Analytics (and any other user tracking systems)

If you run Google Analytics on your site (or other tracking services) you will need to make sure that it is referred to in the cookie policy and the privacy policy. You must also enable the IP anonymisation option in Google Analytics to properly conform to GDPR.

14. A CRM connection

If your website captures users’ data and then writes it into a CRM, you need to make sure that the data collection process is secure and that you refer to the third-party service in your privacy policy.