What is the GDPR?
The GDPR – or General Data Protection Regulation – is the new EU data protection legislation. It was introduced two years ago but will start being enforced from May 2018.
The GDPR affects all companies and organisations, big or small, who handle the personal data of EU citizens. It doesn’t matter whether you’re in the EU or not. And no, Brexit won’t make any difference: it still affects the UK!
Key concepts of the GDPR include:
- Privacy by design – you should always consider data protection at an early stage so it’s ‘built in’ to new processes.
- Active consent – people must be able to understand how you plan to use their data and actively agree to this.
- Safeguarding sensitive data – you must put extra protection in place for sensitive data like health, sexual orientation, political or religious beliefs.
- Subject access requests – people have the right to know what data you hold about them. If they ask, you must be able to provide this, in an electronic format, within a month of the request.
- Right to be forgotten – if someone asks to be removed from your systems, you must be able to comply. (Note that this doesn’t apply in all situations, e.g. an employee can’t expect you to remove their data, since it’s still needed).
- Notification of breaches – if there is a data breach, you must report it to the Information Commissioner’s Office (ICO), or equivalent organisation for your country, within 72 hours, and notify any affected individuals ‘without undue delay’.
Here’s a great infographic summary of the GDPR and its obligations, produced by the European Commission.
Why should I care about GDPR?
As a colleague recently said, “There are 20 million reasons…”
He was referring to the fact that the maximum fine for non-compliance with GDPR is a whopping 20 million euros, or 4% of annual worldwide turnover, whichever is greater.
…the fact is that this law is not about fines. It’s about putting the consumer and citizen first.
It’s good for your customers, and good for your business, if you have solid data protection policies and protections in place – and that should be your first concern.
How does GDPR affect my website?
Even if your website is only a small part of your business, it’s likely that you use it to handle other people’s data.
The GDPR applies to all areas of your business (including how you handle employee data) but I’ll focus on those areas where your website is likely to be involved, i.e. the data of your website visitors and online customers.
What do I need to do to make my website compliant?
It depends enormously on your organisation and your website, but here are some starting points.
I’m a web developer, not a lawyer or a data-protection specialist.
These are suggestions for things to think about, not an all-inclusive checklist. Please do not rely on this information for ensuring that your website is GDPR compliant.
1. Check what you’re asking for – and how.
- When people submit information via your website, is it clear what that data will be used for?
- Make sure you explain why you need the data and how you plan to use it.
- Are you getting active consent for using the data in all the ways you intend to use it?
- Make sure no checkboxes are “opt in” by default. Users must always choose to opt in. (Double opt-in is a good idea, but not essential).
- Don’t assume consent. For example, don’t automatically add people to your marketing email list just because they commented on your Facebook page. (However, you can send marketing to people if there’s a ‘legitimate interest’, e.g. if they’ve bought something from you, you can tell them about related products – as long as you give them the chance to opt out).
- Are you asking for more information than you need? For example:
- Do you really need to ask for ‘date of birth’? If the information is significant, would an age range suffice instead of a date?
- Do you need a phone number as well as an email address? If not, make one (or both) optional.
2. Check your online data handling and storage.
- Make a list of all the places where personal data is submitted or stored. For example:
- contact form, newsletter, sales, membership, customer or client database/spreadsheet…
- List the third parties who handle or store your customers’ data. For example:
- third-party mailing systems like MailChimp, AWeber or ConvertKit;
- payment processors like Stripe, PayPal, SagePay;
- your hosting company (if you store user data in a database on their servers);
- analytics or A/B testing companies which set cookies via your website, e.g. Google Analytics, Unbounce or Convert;
- cloud storage of documents or databases;
- anyone else?
- Looking at those two lists, think about the safety of the data at each stage, e.g.
- Do you use HTTPS for your website to secure submitted information?
- Do you know how the third parties you use keep data secure? Are they GDPR compliant?
(Links to named companies in this blog post generally link to their published GDPR policies or similar).
- Are files containing personal data encrypted or ‘pseudonymised’? (This isn’t essential but may be a useful added protection)
- Think about who can access personal data and how.
- Are there different user permissions to make sure that people only see the data that they need to use?
- Do you have processes to review who has access?
- Are people accessing the data forced to use strong passwords?
- Think about how you’d respond to requests about an individual’s data.
- If someone asked for all the data you hold on them, could you provide that?
- Can you delete all instances of someone’s data if requested to do so?
- If not, what’s stopping you? If there’s a genuine business reason, you can probably keep it – but make sure you (a) check your grounds for keeping it and (b) keep a record of this.
- why and how you collect their data;
- how it’s stored and used (and by whom);
- what you do to keep data safe, including how third parties protect it;
- how long you keep it for, e.g. is it deleted after a specific period or only if requested?
- how people can request deletion of their data.
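The checklist above raises three things a website’s data store has to be able to do: keep personal details pseudonymised, answer a subject access request with everything held about one person in an electronic format, and delete that person on request while retaining any records there is a genuine business reason to keep. The following is an added example (not code from the original post) showing one way to structure that. It assumes a secret key held separately from the data, uses in-memory dictionaries as a stand-in for a real database, and the customer record is constructed sample data.

```python
"""Pseudonymised storage with subject-access and erasure helpers (added example)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Secret used to derive pseudonyms. Assumption: in production this is held in a
# secrets manager, separately from the database. Whoever holds both the key and
# the pseudonymised table can re-link records, so the two must not travel together.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable pseudonym from an email address.

    A keyed HMAC rather than a bare SHA-256: without the key, a list of known
    addresses cannot simply be hashed and matched against the table. The
    address is normalised so 'Alice@Example.com' and 'alice@example.com' map
    to the same person.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class CustomerStore:
    """Personal details and business records kept in separate tables.

    Stand-in for a database (in-memory dicts): the identity vault holds the
    direct identifiers; the order table holds only a pseudonym, so order
    dicts themselves must not carry names, addresses or other identifiers.
    """

    def __init__(self) -> None:
        self.identities: dict[str, dict] = {}    # pseudonym -> personal details
        self.orders: dict[str, list[dict]] = {}  # pseudonym -> orders

    def record_order(self, email: str, name: str, order: dict) -> str:
        pid = pseudonymise(email)
        self.identities.setdefault(pid, {"email": email.strip().lower(), "name": name})
        self.orders.setdefault(pid, []).append(order)
        return pid

    def subject_access(self, email: str) -> Optional[dict]:
        """Everything held about one person, or None if unknown."""
        pid = pseudonymise(email)
        if pid not in self.identities:
            return None
        return {"identity": dict(self.identities[pid]),
                "orders": list(self.orders.get(pid, []))}

    def subject_access_json(self, email: str) -> Optional[str]:
        """The same export in a portable electronic format."""
        data = self.subject_access(email)
        return None if data is None else json.dumps(data, indent=2, sort_keys=True)

    def erase(self, email: str, retain_orders: bool = True) -> bool:
        """Right to be forgotten: remove the identity record.

        Orders that must be kept (e.g. for accounting) are re-keyed under a
        random token. Once the identity row is gone they cannot be linked back
        to the person, even if the same email is submitted again later (a fresh
        HMAC would otherwise recreate the old pseudonym). Returns False when no
        record exists for the address.
        """
        pid = pseudonymise(email)
        if pid not in self.identities:
            return False
        del self.identities[pid]
        kept = self.orders.pop(pid, [])
        if retain_orders and kept:
            self.orders[secrets.token_hex(16)] = kept
        return True

    def retained_order_count(self) -> int:
        return sum(len(v) for v in self.orders.values())


if __name__ == "__main__":
    store = CustomerStore()
    # Constructed sample record, not real customer data.
    store.record_order("Alice@Example.com", "Alice", {"id": 1, "total": 9.99})
    print(store.subject_access_json("alice@example.com"))
    store.erase("alice@example.com")
    print(store.subject_access("alice@example.com"))  # None
    print(store.retained_order_count())  # 1
```

The design choice worth noting is that erasure does not merely delete the identity row: because the pseudonym is derived from the email, a later submission of the same address would otherwise re-attach the old orders to the person, so retained records are moved under a random key that nothing can regenerate.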
Even if you can’t achieve full GDPR compliance by May, it’s important to show that you are moving in the right direction. Document any difficulties you’re having and show that you’re trying to mitigate any risks. The ICO are likely to be more forgiving if you show that you’ve thought about it and are taking steps.
Where can I find out more about GDPR?
If you’re in the UK, and want a full and detailed overview of the legislation, your first port of call should be the ICO guide to the GDPR.
Here are some useful guides to writing a GDPR-compliant privacy notice, creating a data retention policy, auditing and making your website GDPR compliant and some resources about GDPR for online marketing.
Alongside these, Suzanne has been offering huge amounts of advice, as well as daily videos on GDPR-related topics relevant to small/medium-sized businesses, in her GDPR Facebook Group.
- 6th April 2018 – Added an extract from, and a link to, the UK Information Commissioner’s note to SMEs.
- 24th April 2018 – Minor edits for clarity. Changed link for ‘make your website GDPR compliant’ to a more helpful article. Added links to Suzanne Dibble’s GDPR group and resources.