FAQs: GDPR and Your Website
Date Added: 10/05/2018 @ 11:58am
If you run a website and you haven't heard of the new GDPR (General Data Protection Regulation) legislation that comes into force on 25th May 2018 - then where have you been? I'm not a legal expert, so this advice should not be treated as legally binding, and is given as simply my understanding of the new law.
What is it?
Do you remember a few years ago when people fought for the right to be forgotten by search engines and social media platforms? Well, this is in effect the EU's implementation of it. However, it affects every business from the online giants to those running a small company online in their spare time. If you handle any kind of personal data, then that means you!
If you're thinking, I'll take my chances - don't! The fine for non-compliance in the event of a data breach is as high as £7m or a percentage of your company's turnover - whichever is higher! I don't know about you, but I can't afford to take a risk like that.
What do they mean by Personal Data?
You may think that personal data only refers to your bank details, date of birth or address - but you'd be incorrect. Under this new law it covers everything from your name and email address to your location data - including an IP address. It even covers CCTV footage!
So what does this mean in practice?
In practice this means you need to think about what data you hold, how you store it and why. You also need to ask yourself: where did this information come from, and for what reason did we request it?
For example, say you have a mailing list you've been using for years to send out updates to your customers. From 25th May you need to be able to prove that each contact on that list agreed to be contacted for the purpose of marketing. If they ended up on that list because they purchased something last year but didn't explicitly say that they wanted to receive your updates, then that is no longer sufficient. Hence the huge number of emails you've probably received lately.
You might be thinking: "Well, we have a check box on our website, isn't that enough?" That depends. Was the box pre-checked, or did they have to check it themselves? How was it worded? Was it clear that they'd receive your updates forever and a day, and could they complete their order if they didn't agree? Also, did you coerce them to sign up with a freebie or a prize draw? That wouldn't count either.
Do I need to wipe my entire mailing list?
I want to say no, but it depends on your answers to the questions above and what you do next. If you can prove all your data was collected giving your members the opportunity to opt in originally, then you're fine. Carry on.
If not, you may need to send one of those "stay in contact" emails or letters in order to get your customers to opt in. Some companies are doing an "opt out" email, but this is generally the exception to the rule. On the bright side, when this is all complete you'll know that everyone on your mailing list has chosen to be on there and is therefore far more likely to be a happy customer.
Members' Areas and Contact Forms
Unfortunately it's not just something that affects mailing lists. It also affects members' areas and contact forms.
I'm sure we've all been on a website and subscribed to something - like setting up a new broadband or car insurance deal - but when it comes to closing the account, it is almost impossible to find information for doing so.
Under the new law, you need to provide all members with a chance to "close their account" and it needs to be as simple as opening an account was in the first place. So no more hiding it away in a sub-sub-sub section.
That doesn't mean that a customer can close an account for which they have a 12 month contract, of course, or if you have a legitimate reason to stay in contact. However, if you don't have a legitimate reason for storing their details, don't. You might want to set an automatic closure of accounts over a certain age that aren't being used, for example.
When customers sign up or get in contact, we would recommend adding at least two boxes:
1. An option to "opt in" to receiving updates - which should not be automatically checked.
2. A check box where the customer agrees that they have read and understand your privacy policy.
Privacy Policies
Speaking of which, you should probably update your privacy policy. The new law replaces the Data Protection Act and places new responsibilities on you and anyone else that works on your website.
We have been working on a template for our clients regarding this privacy policy. However, we cannot speak on your behalf so we can only advise. If you would like a copy of this contract, please get in contact ASAP.
Data Processors and Contracts
We are sending out contracts to all customers that store any kind of personal data on their websites, or for whom we store a database backup. Personal information, as we mentioned above, even includes email addresses. So you should check whether your website stores this information.
These contracts mark us as a "Data Processor" in that we have access to personal information, but are doing so purely under the instructions of the third party. However, this does not exempt us from responsibility. This agreement needs to be in the form of a contract signed by both parties.
Secure Hosting
While it is not legally required, it would be a good idea to take any security measures that you can. Secure hosting, which includes setting up a security (SSL/TLS) certificate, means that all data sent between a visitor's browser and the website is encrypted in transit - making it much harder to intercept. Note that this protects data while it travels, not data once it is stored on the server, so it complements rather than replaces the record-keeping and access controls discussed above.
Where relevant we are recommending any customers that store personal data upgrade their website hosting to include this. We are able to provide this service for £150 a year, compared with our £92 advanced website hosting.
More Information...
There are other requirements that you will need to consider including keeping a record of what information is stored, where and why. Like we said at the start, we're not legal experts, so please take everything here as just friendly advice.
Your best course of action is to check the ICO website where a list of requirements can be found, along with some slightly useful information. Unfortunately, a lot of the information is rather vague at present, despite the impending deadline.
Members of the Federation of Small Businesses (FSB) may be able to access free resources which may clarify this further - see the FSB article here.
Churches may find this website: www.gdprforchurches.org.uk useful.
Finally, then
The advice I was given is that it's better to do something and get it wrong than to have done nothing. The ICO are likely to help you correct your mistakes provided you've tried to be compliant, but if you haven't you may well get clobbered.