GDPR Compliant Website

Many of our SEO Web Design clients have been asking what the GDPR means for their website, so I have written this article as a guide.

**Disclaimer. This post is not legal advice. I’m not a lawyer.  As always, I try to help my clients and small business owners and hope this guide will help you out and answer some questions.  The following information does not cover full compliance with GDPR, as it is actually massive. If in doubt, please consult a law firm.**

What is GDPR?

The General Data Protection Regulation (GDPR) is coming into effect 25th May 2018.  In the UK it will replace the Data Protection Act 1998 and is much more restrictive than the EU cookie law.  Non-compliance of these new rules could see organisations facing hefty fines of up to €20 million!

GDPR is a ruling intended to protect EU citizens data and give them greater control on how their data is used – Protection of personal data and digital privacy.

When people freely give their personal information over in return for using free services (think Facebook and Amazon for example), they are in danger of having their data harvested and abused.  The GDPR seeks to put an end to this.

For every businesses and organisation who want to offer services or products to customers who are EU citizens, you MUST look after their personal data.

Brexit DOES NOT make us UK folk immune from this. EUGDPR.org states that “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”  So the UK government will be adopting something very similar.

So, anyone who collects and processes personal data from EU citizens will be required to comply with the new regulations, at least to a certain degree.

What is personal data?

Personal details or anything that can be used to determine your identity. Parental consent will be required to process any data relating to children ages 16 and under.

Personal Data Examples:

• Name
• Photo
• Email address
• Social media posts
• Personal medical information
• IP addresses
• Bank details

Who Does the GDPR Apply to?

Those who process and control data. A data controller is any organisation, company, charity or government obtaining data like name, email etc. The processor could be a simple operation of storing an IP address on your web server logs.

GDPR requires data controllers to state what data is being processed and for what reasons. Additionally, they are required to inform data subjects about how long the data will be stored. They must also state who the subject should contact with regards to any part of the data controller’s data processing actions.

Mainly considering:

• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?

As Data controller, you must ensure personal data is:

• Processed lawfully (the subject has consented to their data being processed)
• Transparently
• For a specific purpose
• Deleted when no longer required

Is your Website GDPR Compliant?

Some ways your website may be collecting user data:

• User registrations
• Comments
• Contact form entries
• Analytics
• Logging tools
• Security tools
• Plugins

If your website is using any of these then you will need to ensure it’s GDPR compliant. (Since you’re here, we are super duper web designers that cover all these bases. Check us out ;-))

So let’s have a look at what you can do.

a) Privacy Policy

To help comply your website MUST have a transparent PRIVACY POLICY (take a look at our privacy policy for an example) informing data subjects what data is going to be stored, how it is going to be used, by who and for how long and provide the user a right to withdraw consent and deleting the data. This probably means your websites current privacy policy requires updating to fully disclose your data collection and storage practices. Link to that privacy policy from the form when requesting consent.

b) Obtain Explicit Consent

The Right to Access – Users MUST confirm that their data can be collected and be aware that any form they are filling in and submitting is collecting personal data. They must give explicit consent to their data being collected with the intent to store it. A checkbox that’s selected by default on a mailing list would count as a violation. You will need to explicitly collect consent by the user. Data controllers MUST keep a record of when and how consent was made.

Have a setup to provide users with a copy of their data and have a system in place to derive the required data out of your database.   For simplicity sake, you may wish to avoid collecting and storing data altogether.   Or only store data points that are absolutely necessary.  For example, set up contact forms to directly forward all submissions to your email address rather than storing them on the web server.

c) Keep User Data Accessible

The Right to Be Forgotten allows individuals to withdraw consent, have their personal data deleted and stop further processing of the data by an organisation. The Data Portability clause of the GDPR provides users with a right to download their personal data, for which they have previously given consent, and transfer that data to a different data controller. On request, you must provide a user with a copy of all personal data you have on them, free of cost and within one month.

A simple form for consent withdrawal and/or request to view on your privacy policy page (which is linked to by any form which collects personal data) will let the user contact you easily.

D) Breach Notification

You MUST tell the people affected by any data breach and inform the Information Commissioner’s Office of any data breach within 72 hours of becoming aware of the breach. A data breach is any situation where an outsider gains access to user data without the permission of the individual.

Perform a security audit on your website and continue to assess and monitor the security of your website.  Adequate IT security should be in place to protect personal data.