Knowing what you must have in place when it comes to collecting user information on your website
In this article I provide guidance for businesses to help them make their website more compliant with the General Data Protection Regulation (GDPR) that came into force on 25 May 2018. This is not a complete guide for all data protection best practices but a guide to how to ensure your website can be compliant.
GDPR is a good thing…
Administratively and logistically, it is going to be hard for a lot of small and medium-sized businesses to cope with the change as it will take a lot of time and money to change the way data is captured, stored and used. Morally and fundamentally it is the right thing to do, and here’s why:
You value your privacy and all the private things about your life: your name, address, date of birth, place you were born and what websites you visit – even your favourite places to holiday. Would want the organisations that know these things about you to look after that data? Especially sensitive information that relates to where you live and your family. GDPR is in place to make sure that those people look after the things they know about you in a proper way but in the same respect, you as a small business must do the same.
Example: Let’s say a plumber scribbled down the name and contact details of someone who called him after seeing his website on a post-it note and left it in his van. That plumber will be sending them a quote for a new project. Nice. However, that night the builder’s van was broken in to and now, the name of someone along with their contact details are out there. A trickster’s Christmas and birthday all in one. The data is loose and now cannot be controlled or forgotten. A data breach in every sense of the word.
Whilst it’s an extreme example, it’s no different to how data is stored on a website or sits on a note on a desk in an office and then goes in your wastebin at the end of the day. Tricksters rummage through bins. Fundamentally, it’s all about taking better care of the information you, as an business, hold about other people and how it’s used.
Individuals that access your website or maybe those that you send monthly newsletters to must have given consent to the processing of his or her personal data. New GDPR laws mean you must be clear in what people are signing up to and keep evidence of how they consented during sign up. No longer can you use pre-ticked boxes for sign up purposes – neither can you be vague in telling them what they are signing up too. The new legislation means you must outline what they will receive upon accepting, whether its newsletters, offers,etc. Above all you cannot use their data without their consent.
Does this apply to my existing data?
Sadly, the new GDPR legislation includes the use of existing data. If you have no record of when and how these users consented then you cannot use that user data anymore. It is recommended, in preparation prior to GDPR to email your existing database and send out a re-permission list. The result may be a smaller mailing list but your new database will primarily be of loyal customers.
What are the risks?
Penalties until the new GDPR legislation mean that, if you are not compliant with the new legislation, you could receive up to a €20 million fine or a fine of up to 4% of your annual worldwide turnover.
What if there is a data breach?
Organisations that find themselves with a serious data breach (where personal data is compromised) must notify the Information Commissioner’s Office (ICO) within 72 hours.
Do I have to change my data protection policy?
What you can do before the implementation of GDPR
I have listed a few key points that you can do prior to GDPR being implemented. This is in no way the full list and I recommend that if you have any further questions in regards to GDPR that you seek legal advice.
- Send re-permissioning emails out to your database.
- Ensure your wording for obtaining consent is clear, freely given, informed and unambiguous.
- Go back to your terms and conditions, privacy and/or cookie policies and make sure you detail how you collect data at the top of the policies, including the names of any third parties used.
- Have a method in place to start safely organising how users gave their consent and keep electronic and physical copies.
I am able to help website owners review their website’s GDPR liability and offer a ‘WordPress GDPR Upgrade’ service. These changes are technical and involve web development.
If you are concerned about GDPR and need more information you can visit the ICO website here.