Is your website compliant with GDPR?
The EU General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998 and simplifies data protection law by making it common throughout the EU single market. It gives individuals more control over how their data is used and stored, while protecting the privacy of EU citizens.
GDPR came into force on 24 May 2016, but businesses have until 25 May 2018 to comply. Among other things, it requires organisations to:
- Notify data breaches within 72 hours of any incident
- Provide transparent information to data owners
- Demonstrate data owner’s consent to the processing of their data
- Pseudonymise and encrypt held personal data
- Respond quickly to requests for data to be deleted
Despite the UK triggering Article 50, GDPR will automatically apply to the UK until such time as we finally leave the EU – and it seems likely the UK will keep the provisions of the legislation after Brexit.
Under GDPR, data must be gathered with an active consent for use by a controller or processor – that is by actively opting in rather than failing to opt out – and consent can be withdrawn (or unsubscribed) at any point. Requests can also be made for held personal data to be deleted under the ‘right to be forgotten’ provision.
So what is ‘personal data’?
The provisions of the Data Protection Act 1998 have been expanded to include online identifiers such as IP addresses and cookie identifiers, along with any other information which could be used to identify an individual.
Under the new legislation consent must be given explicitly before data can be processed, and the data can only be used for the purpose for which that consent was given. So, for example, a website enquiry about a specific product does not mean the enquirer can be added to your email marketing database.
Safe and secure
Your digital systems should include ‘privacy by default’, meaning user privacy should be at the heart of your digital systems. Privacy settings should be set to their highest levels, with users given the opportunity to downgrade settings if they wish to. If you are storing ‘personally identifiable’ data that could be used to identify individuals, then you should consider encrypting the data where it is held, so that it can only be read with the decryption key. Websites with an SSL certificate (HTTPS sites – look at the browser address bar on our site) send data over an encrypted connection, so if data is intercepted in transit it can’t be decrypted without the key. But the data itself will most likely be stored unencrypted, so if the database is hacked, the personal data could still be exposed.
If you accept online payments through your website where you collect personal data and pass it along to a 3rd party/payment gateway, you may also be storing these personal details. You will need to ensure that this information is deleted after a ‘reasonable and necessary’ period of time.
Many websites use 3rd party software for lead tracking, such as Lead Forensics, which tracks and stores data where no specific permissions have been granted. This is a grey area as far as GDPR is concerned, but it is worth checking with your 3rd party supplier that they are GDPR compliant, and updating your cookie statement and privacy policies to reflect that cookie tracking technology is being used, and why.
While Google Analytics is used to track visitor behaviour it is entirely anonymous and gathers no ‘personal data’ so falls outside of GDPR.
Website privacy policies and T&Cs should be updated to reference GDPR, communicate the steps you are taking, how and why you’re collecting user data and how that data will be used. As users can request copies of their data or request to have it deleted, you may want to include a way for those requests to be made.
Can Avid help get your website compliant with GDPR?
In a nutshell, yes we can! We’ll review your website and report back on what changes are needed and we can put together a schedule of works to ensure that your site is ready for GDPR ahead of the deadline. This might include:
- Updating your privacy page and cookie notification to explain what information you collect, how it will be used and how long it will be retained
- Reviewing any data capture, databases, systems and resources you have in place to ensure personal data is kept safe and manage communication preferences
- Reviewing users’ ability to update their own consent and communications preferences on your website
- Reviewing 3rd party software used and its GDPR compliance status
- Updating website sign up boxes and enquiry forms to ensure checkboxes enable active ‘opt in’ responses
- Ensuring any ‘opt in’ responses are ‘unbundled’ for complete transparency
- Enabling separate consent for different types of contact – phone, email, post, SMS, 3rd parties etc.
- Implementing the ability to ‘opt out’ or change frequencies of communication
- Securing your website with SSL
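The form-related items above (active opt-in, unbundled consent, separate consent per contact channel, and the ability to opt out) come down to how a submitted form is handled on the server. The following is an added example, not code from the original post or from Avid, showing one way to record that consent so it can later be demonstrated. It assumes hypothetical form field names consent_email, consent_phone, consent_post and consent_sms, one checkbox each, which a browser only submits when the box is ticked; the sample submission is constructed.

```javascript
// Added example (not from the original post): unbundled, per-channel consent
// records built from an enquiry form submission.
const CHANNELS = ['email', 'phone', 'post', 'sms'];

// Turn a parsed form body into consent records. A missing field, an empty value or
// anything other than an explicit 'on'/'yes' is treated as no consent: failing to
// opt out is not the same as opting in.
function consentFromForm(body, now = new Date()) {
  const records = [];
  for (const channel of CHANNELS) {
    const raw = body[`consent_${channel}`];
    const given = raw === 'on' || raw === 'yes' || raw === true;
    if (given) {
      records.push({
        channel,
        purpose: 'marketing',      // consent is tied to one purpose, not to all processing
        givenAt: now.toISOString(),
        source: 'enquiry-form',    // evidence of how and where consent was obtained
        withdrawnAt: null,
      });
    }
  }
  return records;
}

// Withdrawal (unsubscribe) is recorded rather than deleting the record, so the
// history of what was consented to, and when it ended, can still be shown.
function withdrawConsent(records, channel, now = new Date()) {
  return records.map(r =>
    r.channel === channel && r.withdrawnAt === null
      ? { ...r, withdrawnAt: now.toISOString() }
      : r);
}

// The one question any sending system should ask before contacting someone.
function mayContact(records, channel, purpose = 'marketing') {
  return records.some(r => r.channel === channel && r.purpose === purpose && r.withdrawnAt === null);
}

// Constructed sample submission: the visitor asked about a product and ticked the
// email box only; the SMS box was rendered but left unticked.
const sampleBody = { name: 'A. Customer', product: 'widget', consent_email: 'on', consent_sms: '' };
```

Because each channel has its own record with its own purpose, an enquiry about a product never implicitly grants marketing consent, consent for email never implies consent for SMS or phone, and an unsubscribe on one channel leaves the others untouched.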
Failure to meet the requirements could incur a penalty of 4% of global annual turnover or €20 million, whichever is higher, so it’s important all businesses are on board with the requirements. If you’d like help analysing your website and getting ready for GDPR compliance, send us an email or give us a call on 01420 568127.
This information isn’t legal advice and is intended for guidance only. We all have a vested interest in success under the GDPR, but if you need concrete legal counsel, you should consult a solicitor.