GDPR for websites
What is GDPR
GDPR will replace the UK Data Protection Act of 1998. It aims to give people better control over how businesses use their data, covering areas such as consent, clear policies, security and more.
Businesses found to be in breach of GDPR could be fined up to 4% of their global revenue!
I am not in the EU, why should I care?
Article 3 of the GDPR says that if you collect any data on someone who is in an EU country, your company is subject to the requirements of GDPR.
Check out this Forbes article for more information
Also, if you are offering services (web development, marketing services, etc.) to anyone in the EU, they will be leaning on you to help them with their own GDPR compliance. It is therefore wise to be aware of, and as educated as possible on, this regulation.
If you have a SaaS product and it is used by companies in the EU, you will need to ensure compliance, as you could otherwise see EU companies withdraw their business in favour of a platform that offers them GDPR compliance.
GDPR is extremely high on people’s agenda as the implementation date of the 25th of May 2018 looms.
I am not a legal expert. This article is based on research we have made as a business and what we have understood through helping other companies action their GDPR strategies.
You should undertake your own research to validate this information as it is for general information purposes only and does not constitute legal advice.
GDPR For Websites
GDPR covers a wide range of data points, and you have likely heard that the biggest worry is the collection of emails from lead captures and the traceability of consent. In fact, in many industries most of the conversations have revolved around email collection and email marketing, while other essential areas are being forgotten.
Other key areas include (but are not limited to):
- IT infrastructure
- Third party SaaS tools
- Network and device security
Let's deep dive into GDPR for websites.
Let’s first start with WordPress. If you are not using WordPress stay tuned for further website advice, and of course be sure to check out what your CMS is doing in order to assist with GDPR compliance.
WordPress are taking GDPR very seriously and have set up a GDPR Compliance team. They are focused on several key areas, including:
- Functionality for site owners to create privacy policies on their sites
- Guidelines for plugins to be GDPR compliant
- New admin tools to facilitate compliance
- Documentation to educate people on privacy and the new tools they are making available.
More information can be found in their recent blog post “GDPR Compliance Tools in WordPress”
And be sure to keep an eye on the GDPR compliance tag in WordPress. As of this article, the most recent conversation includes discussions on tools to export and remove personal data, as well as the documentation for developers and much more.
Core areas to consider for a website
Key areas for consideration on any website include (but are not limited to):
- Data collection
- Data retention
- Right of access / portability
- Right to be forgotten
- Time period of data retention
- Secure processing and storage of data
- Breach reporting
Let’s break each one down a little further.
We collect data in a wide range of ways through our websites. For example, through:
- Calls to action
- And more
It is therefore imperative that we provide clear information on what is being collected, and ensure we have permission from the user to collect that data.
If we are collecting information through cookies, then clear notification needs to be provided, along with a breakdown of what is being collected and clear information on our Privacy Policies.
Example One: Lead captures and other forms
The same goes for other data collected through forms and other inputs. You need to be clear about how that data is being used and stored.
Example Two: Cookies
Cookies can collect personally identifiable information. It would seem reasonable to think that as long as the name of the person is not being collected we are good to go; however, let's look at what Recital 30 of the EU GDPR documentation says on the matter:
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
It is important you understand what each cookie is doing and storing so that you can:
- Ascertain if it contains any PII (personally identifiable information)
- Provide clear information to the user
- Remove or change the cookie if needed
Take the Google Analytics cookie, for example. At its most basic setting, there is no identifiable information linking to that site visitor. However, you should ensure that you are not passing personal information via URLs (for instance in query strings), as these will show up in GA, and personal information passed in such a way is not being given its due diligence.
Further to this, you need to take a look at your GA configuration. Are you capturing identifiable information on completion events, or using an ID from your website or email as an identifier in your reports?
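One practical way to act on the point above is to audit the page URLs your site generates before they are sent to analytics. The following is an added example, not code from the original article or from Google Analytics: it scans URLs for query parameters and path segments that look like personal data (email addresses, phone numbers, or parameter names that typically carry PII). The patterns, parameter names and sample URLs are constructed assumptions and should be tuned to the fields your own site actually uses.

```python
"""Audit page URLs for personal data before they reach analytics.

Added example, not code from the original article. The regular expressions
and the sample URLs below are constructed for illustration; tune the patterns
to the parameters your own site actually uses.
"""
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Patterns for values that look like personal data (constructed, deliberately simple).
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
    # 10+ digits, optionally separated by spaces or dashes, optional leading '+'
    "phone": re.compile(r"^\+?\d[\d\s-]{8,}\d$"),
}

# Parameter names that commonly carry personal data whatever the value looks like
SENSITIVE_PARAM_NAMES = {
    "email", "e-mail", "name", "first_name", "last_name", "phone", "tel", "address",
}


def find_pii_in_url(url):
    """Return a list of (location, name, reason) for each suspected PII item.

    location is 'query' or 'path'; name is the parameter name or path segment;
    reason says whether the parameter name or the value format triggered it.
    """
    findings = []
    parsed = urlparse(url)

    # Query string: check the parameter name first, then the decoded value
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES and value:
            findings.append(("query", name, "sensitive parameter name"))
            continue
        for label, pattern in PII_PATTERNS.items():
            if pattern.match(value):
                findings.append(("query", name, f"value looks like {label}"))
                break

    # Path segments: e.g. /unsubscribe/jane@example.com/ also ends up in page reports
    for segment in parsed.path.split("/"):
        segment = unquote(segment)
        if not segment:
            continue
        for label, pattern in PII_PATTERNS.items():
            if pattern.match(segment):
                findings.append(("path", segment, f"segment looks like {label}"))
                break

    return findings


def audit_urls(urls):
    """Map each URL carrying suspected PII to its findings; clean URLs are omitted."""
    report = {}
    for url in urls:
        findings = find_pii_in_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample page URLs of the kind a site might report to analytics
SAMPLE_URLS = [
    "https://www.example.com/thank-you/?utm_source=newsletter",
    "https://www.example.com/thank-you/?email=jane%40example.com",
    "https://www.example.com/unsubscribe/jane@example.com/",
    "https://www.example.com/callback/?tel=%2B44%2020%207946%200958",
]

if __name__ == "__main__":
    for url, findings in audit_urls(SAMPLE_URLS).items():
        print(url)
        for location, name, reason in findings:
            print(f"  {location}: {name} ({reason})")
```

Run it over a day's worth of page paths from your server logs or from the analytics export itself; any URL it flags is a place where the site is leaking personal data into a third-party tool and the form or redirect that builds that URL needs changing.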
Edward from Littledata provides an excellent article on Google Analytics compliance here.
We would recommend you engage in a full audit of your website. It is essential your business understands how your website works, how it stores data, etc. Then, with this information, take the necessary compliance action and update your policies for full transparency.
We are offering a GDPR website audit. For more information visit: https://trailblazer.fm
Once you have established how your site works, what information is gathered and how, it is essential that you provide a clear policy and reasonable opportunity for individuals to see and access that documentation for them to make an informed decision.
This policy/documentation needs to be kept up to date. If you introduce new code, plugins or services to your website, your documentation should reflect this.
Data should be stored for no longer than is necessary; it should be stored securely, and the information gathered should be relevant and serve only the purpose for which it is intended.
On a positive side note, this could of course lead to better conversions on forms as it forces you to seriously consider what information you are asking for.
Right of access / portability
People have the right to access the personal and other information you store on them. This gives them transparency and allows them to verify the lawfulness of the processing.
In standard cases you cannot charge for access to this information, however you can find more information on “Right of Access” here.
The data you provide should be portable, allowing the individual to use that data for themselves and potentially import it into their own or other third-party systems. Therefore it should be provided in a "machine readable" format, for example a CSV file.
Right to be forgotten
People are given the “right to be forgotten” under Article 17 of the GDPR. There are caveats to this so you can’t call your bank and ask them to delete your credit card balance!
In the case of a website, however, information often falls under this right.
For example (but not limited to):
- Data used for marketing
- Data that required their consent to hold
- Data you collected unlawfully
- Data that is no longer necessary
Recommended further reading here to help you understand what is or is not covered under this right.
Time period of data retention
GDPR does not set period limitations for retaining personal information. However, it does stipulate that data should not be kept beyond its required purpose(s). Data should be reviewed regularly, and any information deemed no longer relevant should be securely deleted or updated.
A good example would be form entries in Gravity Forms or whatever form processor you use. If the information has served its purpose, it may not be necessary to store that entry indefinitely.
This could be through an internal policy that you adhere to on a regular basis, or could be automated should there be clearly defined parameters on how long certain information is needed.
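The three obligations discussed above (right of access/portability, right to be forgotten, and time-limited retention) all come down to being able to find, export and delete the entries a site holds on one person. The following is an added example, not code from the original article and not WordPress or Gravity Forms code: it uses an in-memory SQLite table as a stand-in for a form plugin's entry store and shows a CSV export for an access request, an erasure routine for a deletion request, and an automated purge driven by a clearly defined retention period. The table layout, the 90-day policy and the sample rows are constructed assumptions.

```python
"""Data-subject request handling and retention for stored form entries.

Added example, not code from the original article or from WordPress/Gravity
Forms. An in-memory SQLite table stands in for a form plugin's entry store;
the table layout, retention period and sample rows are constructed assumptions.
"""
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed internal policy for contact-form entries

COLUMNS = ["id", "form", "email", "name", "message", "consent", "created_at"]


def iso(t):
    """Store timestamps in one fixed UTC format so they compare correctly as text."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def open_store():
    """Create the constructed entry store and seed it with sample form entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE form_entries ("
        " id INTEGER PRIMARY KEY, form TEXT, email TEXT, name TEXT,"
        " message TEXT, consent INTEGER, created_at TEXT)"
    )
    now = datetime.now(timezone.utc)
    rows = [  # (form, email, name, message, consent, age in days) - constructed
        ("contact", "jane@example.com", "Jane Doe", "Please call me", 1, 10),
        ("contact", "jane@example.com", "Jane Doe", "Follow-up", 1, 200),
        ("newsletter", "sam@example.org", "Sam Roe", "", 1, 400),
        ("contact", "sam@example.org", "Sam Roe", "Quote request", 1, 5),
    ]
    conn.executemany(
        "INSERT INTO form_entries (form, email, name, message, consent, created_at)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(f, e, n, m, c, iso(now - timedelta(days=age))) for f, e, n, m, c, age in rows],
    )
    conn.commit()
    return conn


def export_subject_data(conn, email):
    """Right of access / portability: everything held on one person, as CSV text."""
    cur = conn.execute(
        "SELECT id, form, email, name, message, consent, created_at"
        " FROM form_entries WHERE email = ? ORDER BY created_at",
        (email,),
    )
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)  # header row so the file is self-describing
    writer.writerows(cur.fetchall())
    return buf.getvalue()


def erase_subject_data(conn, email):
    """Right to be forgotten: delete every entry for the person; return the count removed."""
    cur = conn.execute("DELETE FROM form_entries WHERE email = ?", (email,))
    conn.commit()
    return cur.rowcount


def purge_expired_entries(conn, retention_days=RETENTION_DAYS, now=None):
    """Retention: delete entries older than the policy allows; return the count removed."""
    now = now or datetime.now(timezone.utc)
    cutoff = iso(now - timedelta(days=retention_days))
    cur = conn.execute("DELETE FROM form_entries WHERE created_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def count_entries(conn):
    """Number of entries currently held; useful for audit logging after each run."""
    return conn.execute("SELECT COUNT(*) FROM form_entries").fetchone()[0]


if __name__ == "__main__":
    conn = open_store()
    print(export_subject_data(conn, "jane@example.com"))
    print("purged by retention policy:", purge_expired_entries(conn))
    print("erased on request:", erase_subject_data(conn, "sam@example.org"))
    print("entries remaining:", count_entries(conn))
```

The purge is written to take the current time as a parameter so it can be run from a scheduled job and tested against fixed dates; the export returns plain CSV text so it can be attached to a reply or handed to another system, which is the "machine readable" format the portability section asks for.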
More information on the ICO website here.
As a business storing personal information, it is essential you do your due diligence with the data you have on your systems.
Secure processing and storage of data
Your website should adhere to industry standards for security. This includes (but is not limited to):
- SSL/TLS (secure HTTPS connections)
- Updated and maintained website code
- Updated server
- Firewall protection
- Correct file permission settings
- Password policies
- Encryption of data
- Audit logs
- Encrypted backups
In the world of WordPress there are great plugins to help facilitate much of this, as well as the backing of the WordPress team who are taking GDPR very seriously. Most reputable website hosts are also taking measures to help protect websites and be GDPR compliant. Be sure to connect with your website host for more information.
In the event of a data breach, GDPR requires that you inform the relevant supervisory authority within 72 hours of becoming aware of such a breach.
There are some detailed guidelines on the ICO website that provide more information as to when you should inform people affected by the breach as well as providing you a clear checklist for preparing for and responding to a data breach. You can find that article by clicking here.
Whether you build websites, or are looking to make your own website GDPR compliant, it is essential you carefully review your website and take necessary action.
Given the potential for a fine of 4% of global revenue following a data breach, this is not something to take lightly. Government threats aside, however, it is simply good business practice to respect and protect the information entrusted to us by our audience, clients and associates.
Showing respect for their information helps build trust in you and your brand, and shows you are a credible business that does its due diligence in order to protect those you serve.
If you are feeling overwhelmed by everything we would recommend you take things one step at a time.
You could break it down like so:
- Review your website and what data it captures
- Make a list of what data is captured and how, and whether it falls under PII (personally identifiable information)
- Make a list of any plugins or features that expose PII that need to be rectified, and connect with a developer or the plugin author.
- Data retention (many form builders and standard WordPress functionality should facilitate this)
- Ensure you have created a plan to provide data upon request (manual or automated).
- Ensure you have a clear way to remove all information on a user if requested.
- Ensure you can provide any requested data in a CSV file.
- Review your site security
This is not an exhaustive list and is likely oversimplifying things.
We do have a duty of care to our customers and those we interact with, so it is essential we educate ourselves on the key parts of GDPR and take necessary action.
In short, achieving GDPR compliance is about understanding what you have, and putting functionality or procedures in place to comply.
They need not be rocket science nor costly, just based on a sensible understanding of GDPR, with reasonable action taken.
Got questions about GDPR? Let’s discuss…
We are offering a GDPR website audit for business owners and agencies that need to understand how their website works and stores information in more detail.
To find out more visit: https://trailblazer.fm/gdpr-audit/