Is your website ready for the GDPR?

The EU flag (12 yellow stars in a circle against a blue background) with a padlock icon at its centre. Alongside this is the text GDPR - Is your website ready?

What is the GDPR?

The GDPR – or General Data Protection Regulation – is the new EU data protection legislation. It was introduced two years ago but will start being enforced from May 2018.

The GDPR affects all companies and organisations, big or small, who handle the personal data of EU citizens. It doesn’t matter whether you’re in the EU or not. And no, Brexit won’t make any difference: it still affects the UK!

Key concepts of the GDPR include:

  • Privacy by design – you should always consider data protection at an early stage so it’s ‘built in’ to new processes.
  • Active consent – people must be able to understand how you plan to use their data and actively agree to this.
  • Safeguarding sensitive data – you must put extra protection in place for sensitive data like health, sexual orientation, political or religious beliefs.
  • Subject access requests – people have the right to know what data you hold about them. If they ask, you must be able to provide this, in an electronic format, within a month of the request.
  • Right to be forgotten – if someone asks to be removed from your systems, you must be able to comply. (Note that this doesn’t apply in all situations, e.g. an employee can’t expect you to remove their data, since it’s still needed).
  • Notification of breaches – if there is a data breach, you must report it to the Information Commissioner’s Office (ICO), or equivalent organisation for your country, within 72 hours, and notify any affected individuals ‘without undue delay’.

Here’s a great infographic summary of the GDPR and its obligations, produced by the European Commission.

Why should I care about GDPR?

As a colleague recently said, “There are 20 million reasons…”

He was referring to the fact that the maximum fine for non-compliance with GDPR is a whopping 20 million euros, or 4% of annual worldwide turnover, whichever is greater.

However, as UK Information Commissioner Elizabeth Denham said in an open letter to SMEs:

…the fact is that this law is not about fines. It’s about putting the consumer and citizen first.

It’s good for your customers, and good for your business, if you have solid data protection policies and protections in place – and that should be your first concern.

How does GDPR affect my website?

Even if your website is only a small part of your business, it’s likely that you use it to handle other people’s data.

You might receive messages sent via a contact form or accept newsletter sign-ups via a pop-up. Perhaps you actively collect user data via your website for processing sales, event registration or membership, or some other reason. Or maybe your site uses cookies for analytics or A/B testing. Under GDPR, you need to consider how you handle all this data.

Your website is also a great place to communicate your GDPR policy to your customers. It should, at the very least, have a summary of your privacy policy with information about where to get full details.

The GDPR applies to all areas of your business (including how you handle employee data) but I’ll focus on those areas where your website is likely to be involved, i.e. the data of your website visitors and online customers.

What do I need to do to make my website compliant?

It depends enormously on your organisation and your website, but here are some starting points.

HUGE DISCLAIMER

I’m a web developer, not a lawyer or a data-protection specialist.

These are suggestions for things to think about, not an all-inclusive checklist. Please do not rely on this information for ensuring that your website is GDPR compliant.

1. Check what you’re asking for – and how.

  • When people submit information via your website, is it clear what that data will be used for?
    • Make sure you explain why you need the data and how you plan to use it.
    • Do this at the point you’re asking for it, not hidden in your privacy policy or terms and conditions.
  • Are you getting active consent for using the data in all the ways you intend to use it?
    • Make sure no checkboxes are “opt in” by default. Users must always choose to opt in. (Double opt-in is a good idea, but not essential).
    • Don’t assume consent. For example, don’t automatically add people to your marketing email list just because they commented on your Facebook page. (However, you can send marketing to people if there’s a ‘legitimate interest’, e.g. if they’ve bought something from you, you can tell them about related products – as long as you give them the chance to opt out).
  • Are you asking for more information than you need? For example:
    • Do you really need to ask for ‘date of birth’? If the information is significant, would an age range suffice instead of a date?
    • Do you need a phone number as well as an email address? If not, make one (or both) optional.

2. Check your online data handling and storage.

  • Make a list of all the places where personal data is submitted or stored. For example:
    • contact form, newsletter, sales, membership, customer or client database/spreadsheet…
  • List the third parties who handle or store your customer’s data. For example:
    • third-party mailing systems like MailChimp, AWeber or ConvertKit;
    • payment processors like Stripe, PayPal, SagePay;
    • your hosting company (if you store user data in a database on their servers);
    • analytics or A/B testing companies which set cookies via your website, e.g. Google Analytics, Unbounce or Convert;
    • cloud storage of documents or databases;
    • anyone else?
  • Looking at those two lists, think about the safety of the data at each stage, e.g.
    • Do you use HTTPS for your website to secure submitted information?
    • Do you know how the third parties you use keep data secure? Are they GDPR compliant?
      (Links to named companies in this blog post generally link to their published GDPR policies or similar).
    • Are files containing personal data encrypted or ‘pseudonymised’? (This isn’t essential but may be a useful added protection.)
  • Think about who can access personal data and how.
    • Are there different user permissions to make sure that people only see the data that they need to use?
    • Do you have processes to review who has access?
    • Are people accessing the data forced to use strong passwords?
  • Think about how you’d respond to requests about an individual’s data.
    • If someone asked for all the data you hold on them, could you provide that?
    • Can you delete all instances of someone’s data if requested to do so?
    • If not, what’s stopping you? If there’s a genuine business reason, you can probably keep it – but make sure you (a) check your grounds for keeping it and (b) keep a record of this.
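One way to put the two lists from step 2 to work, as an added example that is not from the original post: a small data inventory in Python with one export hook and one erase hook per store, so a subject access request and a deletion request are answered against every store at once, and any store with a documented business ground for retention is logged rather than wiped. The three stores, their rows and the accounting reason are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed in-memory stand-ins for the places listed in step 2
# (contact form, newsletter sign-ups, sales). Hypothetical rows, not real data.
CONTACT_FORM = [{"email": "ana@example.com", "message": "Hello"}]
NEWSLETTER = [{"email": "ana@example.com", "consented": True}]
SALES = [{"email": "ana@example.com", "order": 1001, "total": 40.0}]


@dataclass
class DataStore:
    name: str
    export: Callable[[str], List[dict]]   # return every row held on this person
    erase: Callable[[str], int]           # delete those rows, return how many went
    retention_reason: Optional[str] = None  # set when a genuine business reason requires keeping it


def export_from(rows: List[dict]) -> Callable[[str], List[dict]]:
    return lambda email: [r for r in rows if r["email"] == email]


def erase_from(rows: List[dict]) -> Callable[[str], int]:
    def _erase(email: str) -> int:
        before = len(rows)
        rows[:] = [r for r in rows if r["email"] != email]  # mutate in place
        return before - len(rows)
    return _erase


# The inventory: one entry per place personal data lives (step 2, first list).
INVENTORY = [
    DataStore("contact_form", export_from(CONTACT_FORM), erase_from(CONTACT_FORM)),
    DataStore("newsletter", export_from(NEWSLETTER), erase_from(NEWSLETTER)),
    DataStore("sales", export_from(SALES), erase_from(SALES),
              retention_reason="order records kept for accounting (assumed ground)"),
]


def subject_access_request(email: str, inventory=INVENTORY) -> dict:
    """Everything held on one person, per store, ready to send as an electronic copy."""
    return {store.name: store.export(email) for store in inventory}


def erasure_request(email: str, inventory=INVENTORY) -> List[dict]:
    """Delete where possible; where data is kept, record the store and the reason."""
    log = []
    for store in inventory:
        if store.retention_reason:
            log.append({"store": store.name, "action": "retained", "reason": store.retention_reason})
        else:
            log.append({"store": store.name, "action": "erased", "rows": store.erase(email)})
    return log  # keep this as the record of what was done and why
```

The returned log is the written record the post asks for under (b): which stores were cleared and which were kept on what grounds.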

3. Update your online privacy policy.

Make sure that your privacy policy tells people:

  • why and how you collect their data;
  • how it’s stored and used (and by whom);
  • what you do to keep data safe, including how third parties protect it;
  • how long you keep it for, e.g. is it deleted after a specific period or only if requested?
  • how people can request deletion of their data.

Even if you can’t achieve full GDPR compliance by May, it’s important to show that you are moving in the right direction. Document any difficulties you’re having and show that you’re trying to mitigate any risks. The ICO are likely to be more forgiving if you show that you’ve thought about it and are taking steps.

Where can I find out more about GDPR?

Please note that some of the following links are affiliate links. If you use these and then go on to buy something, I may receive a small commission, at no cost to you. Note also that using these links may set cookies on your device – please see our Cookie Notice for details.

If you’re in the UK, and want a full and detailed overview of the legislation, your first port of call should be the ICO guide to the GDPR.

Here are some useful guides to writing a GDPR-compliant privacy notice, creating a data retention policy, auditing and making your website GDPR compliant, and some resources about GDPR for online marketing.

For WordPress users, here’s some extra information about WordPress and GDPR and WooCommerce and GDPR.

A couple of resources that I personally have found extremely helpful for getting my head round it all are data protection lawyer Suzanne Dibble’s GDPR Checklist and GDPR Compliance Pack.

Alongside these Suzanne has been offering huge amounts of advice, as well as daily videos on GDPR-related topics relevant to small/medium sized businesses, in her GDPR Facebook Group.


Edits:

  • 6th April 2018 – Added an extract from, and a link to, the UK Information Commissioner’s note to SMEs.
  • 24th April 2018 – Minor edits for clarity. Changed link for ‘make your website GDPR compliant’ to a more helpful article. Added links to Suzanne Dibble’s GDPR group and resources.
