GDPR (General Data Protection Regulation) is new legislation coming into effect from 25th May 2018 which gives you as an individual more rights and protection over your personal data.
Companies will have to be transparent about what data they hold about you and why, will no longer be able to send you unwanted marketing material, and will not be able to share your data with third parties without your knowledge. In our opinion this is a hugely positive step forward for the rights of the individual in the context of the current multi-billion dollar data industry and in the wake of the Facebook/Cambridge Analytica scandal.
GDPR affects all businesses operating within the EU in terms of how they collect, use, share and store personally identifiable data such as names, addresses, phone numbers and emails. There is a misconception that GDPR only affects B2C businesses. GDPR also affects B2B businesses because client and employee names, emails and job roles can all be used to personally identify individuals.
Businesses will need to have new policies, processes, documentation and contracts in place by 25th May 2018. As part of this, your website will need to be GDPR compliant. However, it’s important to note that your website is largely a reflection of your internal policies and processes; you can’t update your website without first looking at your business. So before we jump into how to get your website GDPR compliant, let’s start with reviewing some of the key aspects your business will need to consider in light of GDPR.
Going forward, you must be up front and honest about how you will use personal data e.g. letting individuals know why you’re collecting it and what you will do with it. You must ensure that all data you collect is lawfully processed e.g. if you’re an accounting firm, you can’t collect data about your clients’ political beliefs as it’s simply not relevant. You must also specifically name any third parties with whom you’re sharing personal data, and have new contracts in place with them as data processors.
You must always give individuals the option to opt-in rather than opt-out of direct marketing – that means no more pre-ticked boxes saying ‘I want to receive promotions and updates’; and you should check that any individuals currently on your mailing lists have consented to receiving updates from you.
You must have adequate measures to securely store and protect personal data and can only store it for a valid time frame – this means you can’t keep data on your ex-clients years after they’ve ceased being your client. Upon request, you must also be able to give an individual a breakdown of all the data you hold about them and delete it permanently if they so wish.
There are a number of things your website needs in place before 25th May 2018 to ensure GDPR compliance. Below is a checklist of the most common things most websites need to do. Please note, this is not an exhaustive list and does not constitute legal advice. Every website and business is different and you are ultimately responsible for ensuring the data you collect, use, share and store meets with GDPR requirements.
3. Cookie notice
You will likely have seen a number of website cookie notices over the past few years. Sometimes these are prominent, other times more subtle. From 25th May 2018, implied consent or messages such as ‘by using this site, you accept cookies’ are no longer sufficient. Consent now has to be a clear affirmative action: the visitor must actively agree before any non-essential cookies (analytics, advertising, social media embeds) are set, and must be able to decline, or withdraw consent later, as easily as they accepted. Cookies that are strictly necessary for the site to work, such as a session or shopping basket cookie, do not need consent, and you should keep a record of what was agreed and when.
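To show what "no consent until the visitor actively agrees" looks like in code, here is an added example (not code from the original article or from the agency): a small consent gate that only runs the loaders for the cookie categories the visitor ticked, treats a missing or malformed consent record as no consent, records the choice with a timestamp, and lets the visitor withdraw. The storage key, the two category names and the loader callbacks are assumptions for illustration; in a real page `storage` would be `window.localStorage` and each loader would inject the relevant third-party tag.

```javascript
// Consent gating for non-essential cookies: nothing is set until the visitor
// has actively agreed, and "no record" is treated as "no consent".
// Added example; the key name, categories and loader callbacks are
// assumptions for illustration, not part of any real site.

const CONSENT_KEY = 'cookie_consent_v1';          // assumed storage key
const CATEGORIES = ['analytics', 'marketing'];    // assumed non-essential categories

// Read a stored consent record. Returns null for anything missing or
// malformed, so a broken or tampered value can never unlock cookies.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    const valid = rec && typeof rec.ts === 'number' &&
      CATEGORIES.every((c) => typeof rec[c] === 'boolean');
    return valid ? rec : null;
  } catch (e) {
    return null;
  }
}

// Store the visitor's explicit choices with a timestamp so you can show
// what was agreed and when. Every category defaults to false: an unticked
// box is a "no", never a "yes".
function recordConsent(storage, choices, now = Date.now) {
  const rec = { ts: now() };
  for (const c of CATEGORIES) rec[c] = choices[c] === true;
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Withdrawal must be as easy as giving consent: one call clears it.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Run only the loaders for categories the visitor agreed to. `loaders`
// maps a category name to a function that injects the third-party script.
// Returns the list of categories actually loaded.
function applyConsent(storage, loaders) {
  const consent = readConsent(storage);
  const loaded = [];
  if (!consent) return loaded;          // no decision yet: load nothing
  for (const c of CATEGORIES) {
    if (consent[c] && typeof loaders[c] === 'function') {
      loaders[c]();
      loaded.push(c);
    }
  }
  return loaded;
}

// Minimal in-memory stand-in for window.localStorage so the example runs
// outside a browser (constructed for the demo).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through a visitor's journey: before any choice, after opting in
// to analytics only, then after withdrawing consent.
function demo() {
  const storage = memoryStorage();
  const loaders = {
    analytics: () => { /* inject analytics tag here */ },
    marketing: () => { /* inject advertising pixel here */ },
  };
  const before = applyConsent(storage, loaders);               // []
  recordConsent(storage, { analytics: true }, () => 1527206400000);
  const after = applyConsent(storage, loaders);                // ['analytics']
  withdrawConsent(storage);
  const withdrawn = applyConsent(storage, loaders);            // []
  return { before, after, withdrawn };
}
```

The important design choice is that `applyConsent` is the only place third-party scripts get loaded, and it is called on every page view after the consent record is read; the notice itself should never set a cookie or fire a tag before `recordConsent` has run. A `marketing: true` choice left unticked is stored as `false`, which is the behaviour a pre-ticked box would have broken.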
4. Contact forms
You must ensure you’re only using the data you collect for the purposes you state and that any direct marketing (such as subscribing to your newsletter) has a separate, unticked opt-in box rather than being bundled into the ‘send’ button. Contact forms should run from a supported, up to date contact form plugin and be submitted over HTTPS, which requires a TLS certificate, commonly called an SSL certificate (see below). If you keep logs on the website of your contact form submissions, you need internal processes in place to protect access and ensure they’re not kept for longer than needed.
5. E-commerce and payments
Payments should be taken through a supported payment processor that handles card details on its own hosted page or through its own embedded fields, so that card numbers never reach your server, and the whole site must be served over HTTPS with a valid certificate (see below). Your website is highly likely to store logs of all purchases, including names, addresses and order history, so you also need internal processes in place to protect access and ensure they’re not kept for longer than needed.
6. Direct marketing
If you communicate via different channels such as email, phone, SMS, post, etc., users should be able to choose which channels they want to be contacted by. You should also check that any systems you use for marketing communications (such as Mailchimp – tick!) are GDPR compliant, and that the people already on your lists have given their consent.
8. Sensitive/ special category data
If your website collects any data about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation, this is special category data and subject to greater protection. As well as having lawful grounds for collecting it, you must also satisfy a separate condition under Article 9. Data about children is not a special category, but it is given extra protection in its own right: for example, if you rely on consent to offer an online service directly to a child, Article 8 requires a parent or guardian to give that consent below the relevant age (16 by default, which the UK has set at 13), and your privacy information must be written so that a child can understand it.
It’s already best practice for every website to be served over HTTPS, which requires a TLS certificate (still commonly called an SSL certificate). The padlock in the browser address bar shows that the connection between the visitor’s browser and your web server is encrypted and that the certificate matches your domain; it does not mean the site itself is free of security flaws. The encryption covers everything the visitor sends and receives, including contact form submissions, log-ins and checkout details, so it cannot be read or altered in transit. Note that it only protects that leg of the journey: if your contact form emails submissions to you, that email travels separately and is not covered by your site’s certificate, so treat the mailbox and any stored copies as part of the personal data you must protect. Make sure every page is served over HTTPS, not just the checkout, and that plain http:// requests are redirected to https://. GDPR places a responsibility on all businesses to protect personal data, so if your website doesn’t already have a certificate, make sure you have one in place before 25th May 2018.
Need some help?
If you need some help and would like to talk to us about making your website GDPR compliant, please call us on 01233 333824.