General Data Protection Regulation or GDPR is on everybody’s lips at the moment and the countdown is ticking down towards the May 2018 deadline. But what exactly does it mean for you small business website and how can you make sure you’re compliant?
What is GDPR
GDPR is the biggest shakeup of data protection for years. The UK currently uses the Data Protection Act 1998, which governs how we use and store people’s data. But after years of work, the EU’s GDPR will supersede all current UK legislation and has been designed to be more relevant to the way we collect, store and use data in today’s digital world.
Essentially, they wanted to give people more control over their data and have tougher penalties for those who don’t comply either deliberately or negligently.
Who does the GDPR apply to?
GDPR applies to everyone and anyone using data. If you think this isn’t you because you don’t actively collect emails for newsletters and the like, you’re wrong. If you have EU clients/customers and hold any of their personal identifying information, then it applies.
Note – Brexit is unlikely to affect GDPR.
What is personal data?
Personal data now includes online identifiers like IP address as well names, addresses, DoBs etc.
The official definition is:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When will GDPR apply?
GDPR comes into force on the 25th May 2018 so ideally, your website should be compliant prior to this date.
What will happen if your website doesn’t comply?
Chances are, nothing will happen straight away – the ICO have categorically stated ‘it’s not a silver bullet’ – but to be frank, it’s not prudent for any small business to simply take the risk when the penalty for non-compliance is €20 million or 4% of global turnover.
“I want to be clear that this law is not about fines; it’s about putting the consumer and citizen first, and rebalancing data relationships and trust between individuals and organisations.”
Elizabeth Denham, Information Commissioner (ICO)
MAKING YOUR WEBSITE COMPLIANT
Step One: Encryption
The first step is encryption which luckily, most website have already done as it’s something Google flagged up last year resulting in many businesses getting an SSL certificate for their website. If you haven’t yet got yours read this blog on how to get one for your website.
Encryption (or HTTPS://) stops your website’s data being hijacked by unscrupulous people wanting to use it maliciously and Google now flag any website that is not protected. Data sent from the website to it’s server, or to third-parties like Mailchimp or PayPal needs to be encrypted to make sure it’s not captured by anyone else along the way.
So if you have not yet encrypted your website (check if it has the green padlock near the browser address bar), it’s wise to do this step first and you will be one step closer to GDPR compliance whilst also protecting the data and keeping Google happy at the same time. Win Win!
Step Two: Consent
It’s important that people are aware of what they are consenting to, and it’s just as important people are aware of how to remove that consent should they change their mind.
If you are signing them up to a newsletter, you need to be clear. If you’re planning to pass the data to third parties (i.e. marketing) then you need to get their explicit permission. And, if you’re not doing either of those but only using the data to communicate with them during a transaction, then make that clear as well.
It’s no longer acceptable to hide those checked boxes in the small print; it has to be obvious and in clear and understandable terms – and most importantly, the box has to be unchecked to start with.
Areas you’ll need to look at on your website:
With regard to the latter, consent must be freely given ‘without coercion, undue incentives, or a penalty for refusal’ – so that means that discounts and giveaways may not be compliant. Check out this blog, by Jessie Wilson, if you’d like more information on this side of compliance. Or, read the ICO’s guide to Direct Marketing found here.
Step Three: Data Processing
Access to Data
Question yourself who has access to all the data held on your website. Chances are it will be you, your staff if applicable and perhaps your web developer?
Now ask yourself do all those people require access to that data.
If you think that actually, there are people who don’t need access all the time then revoke that access when not in use. It can always be restored at a later date if the need arises.
For those who do need access, make sure they are aware of their responsibilities in keeping this data safe and how they are allowed to use it as you may need to prove to the data owner it is being kept safe at some point.
The second question to ask yourself is do you need to keep the data on your website and what data are you keeping on it. For example, if someone has bought a product from your shop, you probably do need to keep their name and address but likely, you wouldn’t need data like their date of birth or ethnicity. (By the way, the latter is classed as sensitive data and has special rules for storing and processing).
Don’t collect data because you think it might come in useful later, if you don’t need it during every day processing then you don’t need to collect it at all.
And, the last step would be to decide how long do you need to keep any of the information on the website, and can it be deleted after a period of time?
Keeping the data safe
As well as ensuring your website is encrypted, it is also important to keep the data safe – this includes offline version of the data or exported information.
All data should be securely deleted once it has been finished being processed – for example shredding pieces of paper, specialist (and licensed) computer data shredders for the disposal of old computers, etc etc. It’s down to your company to ensure all the data is safe.
Passwords should be strong (i.e. not ‘password’) and must be kept in a safe place to ensure no one can hack into either your systems, emails or website to steal data.
Computers and networks should have adequate anti-virus and firewalls – it’s also useful to have a ‘lock screen’ policy when away from desks, especially if the office is open to the public or is a shared workspace.
Physical property where the computers are kept, should have adequate protection like window locks etc. And, special attention should be given to the protection of portable devices if data is held, or can be accessed, from them.
Third Party Applications
Do you share any of the data you hold with third-parties (for example Mailchimp*, CRMs/accounting software that link to your website etc)?
If you do, then make sure they are also storing data correctly and only holding relevant information.
Do they need access to that information?
Does it need to be on multiple platforms, at all?
For example you may have an accounting system with a stand alone CRM – does the address need to be on both?
Ensure third-parties are clear on their responsibilities when looking after the data. For example they should not be sharing it with other people or selling it on.
It’s wise to do regular audits of each platform, deleting data where appropriate.
Often websites evolve over time and we forget about past systems where data transferred to third-parties.
*For things like newsletter lists on third party apps, if you plan to keep the data collected previously, you will need to ask everybody to re-consent to that.
Correcting and viewing held data
Individuals have the right to request what data you hold on them and you have to provide it without charging (previously administration charges were ok). They also have the right to ask for corrections to be made if there is any incorrect data.
Should an individual withdraw consent then you have to stop processing the data immediately.
Step Four: Privacy Policies
There’s an argument that says Privacy Policies should be written by lawyers because they’re technically a legal document, and if you can afford to go down this route then it probably is a good idea. However, keep in mind these 3 rules of GDPR:
- They should be concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- be free of charge to the public
As language is often more confusing when written by the legal profession, look to tone down any legal and technical jargon so it is as clear and concise as possible.
For WordPress users, there are already a number of handy plugins to help with GDPR, some implementing easy to use shortcodes, so take a look in the plugin library to see if any suit your needs!
Updating privacy policies is probably the hardest part to the changes introduced with GDPR although putting all the other parts into practice, long term, will be very time consuming; the Federation of Small Businesses (FSB) reckon that ‘On average small firms will spend seven hours per month meeting their data protection obligations’. That’s a lot for a micro business!
In addition, small businesses need to register as a data controller with the ICO via their website – it’s a very low cost at around £55 per year for micro businesses but a very important step.
If you do have a data breach or data is put at risk – for example a hacked website – then advise the ICO within 72 hours and tell them what you’re doing to rectify the situation.
If it’s a high-risk situation like credit card information being stolen/hacked then it’s important to inform the individual who owns the card, immediately.
And, although the ICO intend to take a softly softly approach to non-compliance (in the early days) it’s far better to introduce the changes to your policies, practices and website as soon as possible so seek advice and assistance if you’re struggling with any of the aspects.