What is GDPR and how will it affect my website?
The new General Data Protection Regulation (GDPR) is coming into action in May 2018 and online stores and websites will need to be prepared to adopt it before then.
When it takes effect, it’ll be the most comprehensive data privacy law in the world, and it’ll impact how companies – even small ones – collect and handle personal data about their customers. With fines of up to €20 million, or 4% of annual revenue, SMEs simply can’t afford to make mistakes.
What information does GDPR cover?
Under GDPR, if you collect or store any information that can be linked to an individual, that counts as personal data. So this applies to all of your databases, marketing, sales, HR and accounting systems. Any way in which personal data is stored or processed will fall under the new regulation.
Who does it cover?
The Data Subject: The customer, user, employee – anyone providing identifying personal data.
The Data Controller: The businesses offering services or goods that will state how and why personal data is used and is responsible for the safe storage and use of the data.
The Data Processor: This can be considered as all third-party suppliers such as Creo, Payment Providers, ERP systems, MailChimp, Delivery Providers and any internal teams employed to do similar work, such as an internal accounts team.
What do you need to do on your website?
Consent is a key part of GDPR legislation and it is important for any website that collects personal data – for whatever reason – to obtain specific permission to use it in the course of their business. Visitors to your website must understand exactly how you are planning on using their data and must agree to each specific purpose. That means if you have someone’s email address because they have placed an order with you, you are only allowed to market to them if they have agreed to this.
What you need to do:
- Active Opt-In – Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank.
- Unbundled Opt-In – The consent you are asking for should be set out separately: acceptance of your terms and conditions must not be bundled with consent for other ways of using the data.
- Granular Opt-In – Users should be able to provide separate consent for different types of marketing activity, and consent must be granted for each of them separately.
- Easy to Withdraw Permission or Opt-Out – It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.
- Named Parties – Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations. They need to be named.
- Have GDPR T&Cs – Update the terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information, both on your website and in your office systems.
See the ICO’s guidance on writing a privacy notice: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/what-should-you-include-in-your-privacy-notice/
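To make the opt-in rules above concrete, here is an added example (not code from Creo or from this post) of how a website could record consent from a form submission. It shows active opt-in (an absent or unticked box is “no”), unbundled opt-in (accepting the T&Cs is a separate field and never counts as marketing consent), granular opt-in (one decision per purpose), withdrawal that is a single call, and a named party for each purpose. The class name ConsentStore, the MARKETING_PURPOSES list and the sample customer are all constructed for illustration.

```javascript
// Added example, not the original post's code. An in-memory consent store
// modelling the GDPR opt-in rules for a website form.
// MARKETING_PURPOSES, ConsentStore and the sample data are assumptions.

// Each marketing purpose names the party that will actually use the data.
// Constructed sample values; a real site lists its own purposes and suppliers.
const MARKETING_PURPOSES = {
  newsletter: "ExampleShop Ltd (sent via MailChimp)",
  "partner-offers": "Example Partner Co",
};

class ConsentStore {
  constructor() {
    // subjectId -> consent events, oldest first; kept as an audit trail
    this.events = new Map();
  }

  // Handle a checkout or sign-up form. Accepting the T&Cs is its own field
  // and is never treated as marketing consent (unbundled opt-in). A purpose
  // counts as granted only if its checkbox arrived as "on": the form renders
  // every box unticked, so an absent field means "no" (active opt-in).
  recordSubmission(subjectId, formFields, noticeVersion, now = new Date()) {
    if (formFields.accept_terms !== "on") {
      throw new Error("terms must be accepted to continue");
    }
    for (const purpose of Object.keys(MARKETING_PURPOSES)) {
      if (formFields[`consent_${purpose}`] === "on") {
        this.append(subjectId, {
          purpose,
          granted: true,
          party: MARKETING_PURPOSES[purpose],
          noticeVersion, // which privacy notice the user agreed to
          at: now.toISOString(),
        });
      }
    }
  }

  // Withdrawing must be as easy as granting: one call, recorded with a time.
  withdraw(subjectId, purpose, now = new Date()) {
    this.append(subjectId, {
      purpose,
      granted: false,
      party: MARKETING_PURPOSES[purpose],
      at: now.toISOString(),
    });
  }

  // The most recent event for a purpose decides; no event means no consent.
  hasConsent(subjectId, purpose) {
    const history = this.events.get(subjectId) || [];
    const latest = history.filter((e) => e.purpose === purpose).pop();
    return latest ? latest.granted : false;
  }

  // Gate the outbound action on consent, not on merely holding the address.
  canSendMarketing(subjectId, purpose) {
    if (!(purpose in MARKETING_PURPOSES)) {
      throw new Error(`unknown marketing purpose: ${purpose}`);
    }
    return this.hasConsent(subjectId, purpose);
  }

  // Audit trail: what was agreed, with whom, when and under which notice.
  auditTrail(subjectId) {
    return (this.events.get(subjectId) || []).map((e) => ({ ...e }));
  }

  append(subjectId, event) {
    if (!this.events.has(subjectId)) this.events.set(subjectId, []);
    this.events.get(subjectId).push(event);
  }
}

// Constructed walk-through: a customer places an order, accepts the terms and
// ticks only the newsletter box, then later withdraws that consent.
function demo() {
  const store = new ConsentStore();
  store.recordSubmission(
    "cust-42",
    { accept_terms: "on", consent_newsletter: "on" },
    "privacy-notice-2018-05"
  );
  const newsletterBefore = store.canSendMarketing("cust-42", "newsletter"); // true
  const partnerOffers = store.canSendMarketing("cust-42", "partner-offers"); // false, never ticked
  store.withdraw("cust-42", "newsletter");
  const newsletterAfter = store.canSendMarketing("cust-42", "newsletter"); // false
  return {
    newsletterBefore,
    partnerOffers,
    newsletterAfter,
    trailLength: store.auditTrail("cust-42").length, // 2: grant, then withdrawal
  };
}
```

Keeping the full event history rather than a single yes/no flag is what lets you answer a later question such as “when did this person agree, and to which version of the privacy notice?”, which is the record the ICO guidance linked above expects you to be able to produce.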
Secure the Data you hold
The GDPR requires personal data to be processed in a manner that ensures its security. Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
If you have an e-commerce website or ask for any personal information via a form then your website is storing your client’s personal data.
There are a number of ways to improve the security of this data on your website:
- Purchase an SSL certificate – If you have not done so already, ask Creo to purchase and install an SSL certificate for your website. This encrypts information in transit between the user’s browser and the web server. According to Google, this also has the added benefit of marginally improving your search rankings.
- Upgrade your CMS – Consider asking us to upgrade to the latest major release of your CMS. CMS and plugin providers often release minor and major updates to their software. Minor releases will often be applied automatically and include bug fixes and minor enhancements. Upgrading to a major release may “break” your website, so a little more care and attention needs to be paid to this process. The upgrade would be performed in a sandbox environment by a developer, who would make any code changes before updating your live website.
- Encrypt sensitive data – If your website has a CRM or e-commerce system then you will need to think about encrypting data “at rest”, i.e. the data that is held in your database.
- Secure access to the data:
  - Passwords – Check that all the people who have access to your website CMS have used secure passwords. Remove accounts that no longer require access.
  - Secure your IT system – Consider undertaking Cyber Essentials certification; this will help you review the security of your local IT system.
The right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject (perhaps your customers, prospective clients etc.) to have the data controller (you or your designated data enforcement officer) erase his/her personal data, cease further use or distribution of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.
What you should do:
- Ability to delete private data – Ensure you have the ability to delete an individual’s data that you hold in your CMS / CRM.
Any personal data breaches which would significantly harm individuals must be reported within 72 hours to the “relevant supervisory authority”. In the UK that’s the ICO. If the breach is serious enough, you’ll also need to tell the individuals affected.
What about cookies?
Cookies are covered under the ePrivacy regulation, separate from GDPR. Its implementation date was supposed to coincide with GDPR, but it will likely be delayed as it’s still in draft. The ePrivacy regulation distinguishes between first-party cookies, served by your domain, and third-party cookies e.g. from Google Analytics and some social sharing plugins. It may be that browser settings will be used as a form of user consent for third-party cookies, but this is something we’ll have to keep an eye on.
Your next step as a Data Controller
You should appoint a Data Protection Officer who will compile the following information about your business:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Is that all I need to do?
Well, we’re not your lawyers, so we can’t offer legal advice. That’s why the best thing you can do to prepare yourself (and your customers’ data) for GDPR is to speak with your solicitor about any concerns you have.