Disclaimer: This article is not provided as authoritative legal guidance. Gem Internet does not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.
Here are some helpful guidelines for businesses to follow to help make their website more compliant with the General Data Protection Regulation (GDPR), which applies from 25th May 2018. This is not a complete guide to data protection best practice, but guidance on how a website can be made more compliant.
The General Data Protection Regulation (GDPR).
GDPR is in place to make sure that businesses that collect, store or otherwise process personal data do so in a secure and proper way. It is about looking after the information you, as a business, hold about other people, and how it is used.
The questions you need to review:
It should start with a data risk assessment that is not limited to the data revolving around a website but covers the whole business's practices. You should address the following questions about your website:
- What data is being captured and held?
- When and where is it captured?
- How long will the data be stored?
- How is it being used?
- Do you have a lawful basis for holding and using the data (for example, the user's explicit consent)?
- Do you display who to contact to find out what data is held about a user and how it is being used? (The Right of Access)
- Do you display the process for a user to ask to have all the data you hold about them permanently removed from your systems? (The Right to be Forgotten, also known as the Right to Erasure)
Where you rely on consent, you must be able to demonstrate that it was given, that it was a clear, affirmative action by the user, and what it was given for.
The user must be able to withdraw consent at any time, and withdrawing it must be as easy as giving it.
Organisations need to make sure they:
- Have a data breach process (a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it)
- Appoint a Data Protection Officer (DPO) where one is required (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data)
- Have a 'Right to be Forgotten' process (also known as the Right to Erasure)
- Have privacy-friendly default settings (data protection by design and by default)
- Encrypt personal data and pseudonymise it where possible; GDPR names both as appropriate security measures
Compliant connected systems: Google, Mailchimp, Salesforce, Facebook etc
You need to make sure that your processes and privacy policy clearly state which third-party data processors you use and where a data subject's data is passed to. You should also have a written contract with each processor setting out what they may do with the data, and note any transfer of data outside the EU/EEA.
The website GDPR compliance guideline checklist:
As an organisation you need to make sure you are registered with the ICO (Information Commissioner's Office) as a data controller and pay the data protection fee where it applies (you may also be a data processor, too). Go to https://ico.org.uk/for-organisations/ for more information.
The website checklist:
1. Cookie policy page
A page on your website that states what cookies are used on the site, both your own and those set by third parties, what data you capture with them and what you do with it.
2. Cookie & privacy popup notice
A notice that only tells users they can clear and block cookies in their browser settings is not consent. Cookies that are strictly necessary for the service the user asked for (for example, a session or shopping basket cookie) need no consent, but analytics, advertising and other non-essential cookies should not be set until the user has taken a clear, affirmative action to accept them, and should stay off if the user declines.
4. SSL certificate
The purpose is to serve the whole site over HTTPS (TLS) so that everything sent through forms or fields, and every page, is encrypted in transit and the user's browser can verify it is talking to your server. Redirect plain HTTP to HTTPS and send an HTTP Strict-Transport-Security header so browsers do not fall back to HTTP.
5. Pseudonymisation or anonymisation
Under GDPR, 'pseudonymisation' means processing personal data so that it can no longer be attributed to a specific person without additional information (such as a key or lookup table) that is kept separately and protected. Identifying users in your own systems by a username or an opaque ID rather than by name or email address is a step in that direction, but the separate information that links the ID back to the person must itself be secured. Anonymised data, which cannot be linked back to a person at all, falls outside the regulation.
6. Newsletter signups
You need to make sure the tick box that handles the subscription is unticked by default, so the user has to opt in rather than opt out, and keep a record of when and how consent was given. Every email you send out must have an unsubscribe link, too.
7. User account creation
If your website is an online shop or allows a user to set up an account for access to services behind a login area, you will need to make sure the site is served over HTTPS, that passwords are stored only as salted, slow hashes (for example bcrypt or Argon2) and never in plain text, and that you start work towards storing account data under pseudonyms rather than direct identifiers.
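As an added illustration of the pseudonymisation referred to in items 5 and 7 (this is example code written for this page, not Gem Internet's code and not something the regulation prescribes), the snippet below keys a user's records in the website database by an HMAC-SHA256 pseudonym of their email address. The HMAC key is assumed to be held separately from the database (in a secrets manager or environment variable; here it is generated in-process so the example runs offline), and the email addresses are constructed sample data. With the key, the site can match a returning user or carry out an erasure request; without it, the pseudonym alone cannot be attributed to a person.

```python
import hashlib
import hmac
import secrets

# The "additional information" GDPR says must be kept separately. Assumption:
# in production this comes from a secrets manager, never from the same
# database that holds the pseudonymised records. Generated here to run offline.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed hash (HMAC-SHA256, hex) of a direct identifier.

    The same identifier always yields the same pseudonym under one key, so the
    site can recognise a returning user, but an attacker who obtains only the
    database cannot brute-force email addresses without the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def build_profile_table(signups, key: bytes = PSEUDONYM_KEY) -> dict:
    """Constructed stand-in for the website's own profile table.

    `signups` is a list of (email, marketing_opt_in) pairs, e.g. from a form
    whose consent box was unticked by default. Only the pseudonym and the data
    the site actually needs are stored; no email address is kept here.
    """
    table = {}
    for email, marketing_opt_in in signups:
        table[pseudonymise(email, key)] = {"marketing_opt_in": bool(marketing_opt_in)}
    return table


def find_profile(table: dict, email: str, key: bytes = PSEUDONYM_KEY):
    """Re-identification path: needs both the table and the separately held key."""
    return table.get(pseudonymise(email, key))


def erase_profile(table: dict, email: str, key: bytes = PSEUDONYM_KEY) -> bool:
    """Right to Erasure: remove the record for an identifier. Returns True if found."""
    return table.pop(pseudonymise(email, key), None) is not None


def table_contains_direct_identifier(table: dict) -> bool:
    """Sanity check a practitioner can run: no '@' anywhere in keys or values."""
    return "@" in repr(table)


if __name__ == "__main__":
    # Constructed sample input, not real users.
    sample = [("Alice@Example.com", False), ("bob@example.org", True)]
    profiles = build_profile_table(sample)
    print(find_profile(profiles, "alice@example.com"))      # matched despite case/whitespace
    print(find_profile(profiles, "alice@example.com", key=b"\x00" * 32))  # None: wrong key
    print(erase_profile(profiles, "bob@example.org"))         # True
    print(table_contains_direct_identifier(profiles))        # False
```

Note that a keyed hash is deterministic, which is what makes lookups possible; if the key is ever destroyed the table becomes effectively anonymous, so key backup and rotation need the same care as the database itself. Data you must still be able to read back in clear (a postal address for a delivery, say) needs encryption rather than hashing, with the key likewise held apart from the data.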
8. Payment gateways
9. Enquiry & contact form
If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:
- The website is served over HTTPS
- The details are not stored in the website's SQL database unless they are stored encrypted
- If they are sent to you by email, your email service provider is GDPR-compliant (acting as your data processor under a written contract) and the email is sent and stored securely
- No pre-ticked boxes that automatically sign the enquirer up to a newsletter or mailing list
Consent given by sending an enquiry covers only that enquiry. You cannot then add the user's details to your marketing database unless they have explicitly agreed to it using a separate, unticked tick box.
10. Live chat
11. Email
Whilst not strictly website-related, all email services, and the storage of email from everyone you correspond with, must be handled in accordance with DPA (Data Protection Act) and GDPR guidelines.
12. Social media account connection
Using social media accounts for your organisation also falls under GDPR, since the personal data you collect through them is data you are responsible for.
13. Google Analytics (and any other user tracking systems)
14. A CRM connection