Making your Website GDPR Compliant[ 14 min read ]

General Data Protection Regulation or GDPR is on everybody’s lips at the moment and the countdown is ticking down towards the May 2018 deadline. But what exactly does it mean for you small business website and how can you make sure you’re GDPR compliant?

GDPR is the biggest shakeup of data protection for years. The UK currently uses the Data Protection Act 1998, which governs how we use and store people’s data. But after years of work, the EU’s GDPR will supersede all current UK legislation and has been designed to be more relevant to the way we collect, store and use data in today’s digital world.
Essentially, they wanted to give people more control over their data and have tougher penalties for those who don’t comply either deliberately or negligently.

GDPR applies to everyone and anyone using data. If you think this isn’t you because you don’t actively collect emails for newsletters and the like, you’re wrong. If you have EU clients/customers and hold any of their personal identifying information, then it applies.
Note – Brexit is unlikely to affect GDPR.

Personal data now includes online identifiers like IP address as well names, addresses, DoBs etc.

The official definition is:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR comes into force on the 25th May 2018 so ideally, your website should be compliant prior to this date.

Chances are, nothing will happen straight away – the ICO have categorically stated ‘it’s not a silver bullet’ – but to be frank, it’s not prudent for any small business to simply take the risk when the penalty for non-compliance is €20 million or 4% of global turnover.

“I want to be clear that this law is not about fines; it’s about putting the consumer and citizen first, and rebalancing data relationships and trust between individuals and organisations.”
Elizabeth Denham, Information Commissioner (ICO)

It’s important that people are aware of what they are consenting to, and it’s just as important people are aware of how to remove that consent should they change their mind.
If you are signing them up to a newsletter, you need to be clear. If you’re planning to pass the data to third parties (i.e. marketing) then you need to get their explicit permission. And, if you’re not doing either of those but only using the data to communicate with them during a transaction, then make that clear as well.
It’s no longer acceptable to hide those checked boxes in the small print; it has to be obvious and in clear and understandable terms – and most importantly, the box has to be unchecked to start with.
Areas you’ll need to look at on your website:

With regard to the latter, consent must be freely given ‘without coercion, undue incentives, or a penalty for refusal’ – so that means that discounts and giveaways may not be compliant. Check out this blog, by Jessie Wilson, if you’d like more information on this side of compliance. Or, read the ICO’s guide to Direct Marketing found here.

Question yourself who has access to all the data held on your website. Chances are it will be you, your staff if applicable and perhaps your web developer?
Now ask yourself do all those people require access to that data.
If you think that actually, there are people who don’t need access all the time then revoke that access when not in use. It can always be restored at a later date if the need arises.
For those who do need access, make sure they are aware of their responsibilities in keeping this data safe and how they are allowed to use it as you may need to prove to the data owner it is being kept safe at some point.

The second question to ask yourself is do you need to keep the data on your website and what data are you keeping on it. For example, if someone has bought a product from your shop, you probably do need to keep their name and address but likely, you wouldn’t need data like their date of birth or ethnicity. (By the way, the latter is classed as sensitive data and has special rules for storing and processing).
Don’t collect data because you think it might come in useful later, if you don’t need it during every day processing then you don’t need to collect it at all.
And, the last step would be to decide how long do you need to keep any of the information on the website, and can it be deleted after a period of time?

As well as ensuring your website is encrypted, it is also important to keep the data safe – this includes offline version of the data or exported information.
All data should be securely deleted once it has been finished being processed – for example shredding pieces of paper, specialist (and licensed) computer data shredders for the disposal of old computers, etc etc. It’s down to your company to ensure all the data is safe.
Passwords should be strong (i.e. not ‘password’) and must be kept in a safe place to ensure no one can hack into either your systems, emails or website to steal data.

Computers and networks should have adequate anti-virus and firewalls – it’s also useful to have a ‘lock screen’ policy when away from desks, especially if the office is open to the public or is a shared workspace.
Physical property where the computers are kept, should have adequate protection like window locks etc. And, special attention should be given to the protection of portable devices if data is held, or can be accessed, from them.

Do you share any of the data you hold with third-parties (for example Mailchimp*, CRMs/accounting software that link to your website etc)?
If you do, then make sure they are also storing data correctly and only holding relevant information.
Do they need access to that information?
Does it need to be on multiple platforms, at all?
For example you may have an accounting system with a stand alone CRM – does the address need to be on both?
Ensure third-parties are clear on their responsibilities when looking after the data. For example they should not be sharing it with other people or selling it on.

It’s wise to do regular audits of each platform, deleting data where appropriate.
Often websites evolve over time and we forget about past systems where data transferred to third-parties.
*For things like newsletter lists on third party apps, if you plan to keep the data collected previously, you will need to ask everybody to re-consent to that.

Individuals have the right to request what data you hold on them and you have to provide it without charging (previously administration charges were ok). They also have the right to ask for corrections to be made if there is any incorrect data.
Should an individual withdraw consent then you have to stop processing the data immediately.

There’s an argument that says Privacy Policies should be written by lawyers because they’re technically a legal document, and if you can afford to go down this route then it probably is a good idea. However, keep in mind these 3 rules of GDPR:

1. They should be concise, transparent, intelligible and easily accessible;
2. written in clear and plain language, particularly if addressed to a child; and
3. be free of charge to the public

As language is often more confusing when written by the legal profession, look to tone down any legal and technical jargon so it is as clear and concise as possible.

There are places that will provide examples of a privacy policy, and some companies will write it for you but do ensure it covers the following:

Also, consider a privacy policy section within contracts if you are a service provider.

For WordPress users, there are already a number of handy plugins to help with GDPR, some implementing easy to use shortcodes, so take a look in the plugin library to see if any suit your needs! 

Updating privacy policies is probably the hardest part to the changes introduced with GDPR although putting all the other parts into practice, long term, will be very time consuming; the Federation of Small Businesses (FSB) reckon that ‘On average small firms will spend seven hours per month meeting their data protection obligations’. That’s a lot for a micro business!

In addition, small businesses need to register as a data controller with the Information Commissioner’s Office (ICO) via their website – it’s a very low cost at around £55 per year for micro businesses but a very important step.

If you do have a data breach or data is put at risk – for example a hacked website – then advise the ICO within 72 hours and tell them what you’re doing to rectify the situation.
If it’s a high-risk situation like credit card information being stolen/hacked then it’s important to inform the individual who owns the card, immediately.
And, although the ICO intend to take a softly softly approach to non-compliance (in the early days) it’s far better to introduce the changes to your policies, practices and website as soon as possible so seek advice and assistance if you’re struggling with any of the aspects.

We’re still working on our privacy policy but here it is if you want to check it on.