OK, we know, you’re totally fed up with hearing about GDPR. To be honest, so are we – which is why we wanted to create a short blog aimed at SME business owners like you that will take no more than 5 minutes to read, and will tell you everything you need to know about making your website GDPR compliant.
The new regulations will apply to all businesses offering goods or services to EU citizens, regardless of whether the business is based inside or outside of the EU. After the implementation date, anyone collecting and processing personal data will be required to comply with the new regulations or risk a fine.
You’ll need to look at all the ways you collect and store personal data, and this is likely to include your website.
We don’t profess to be experts on the new legislation. There’s plenty of information online if you want more detail, and the GDPR Portal is a good place to start. You do need to have a basic understanding of the regulations though, so just before we discuss website compliance, bear with us while we quickly run through some of the key rights that GDPR will give your customers.
o The right to be informed: When you collect any personal data from a customer, they will have the right to know what information you’re going to hold on to, and you’ll need to clearly communicate this to them.
o The right of access: Your customers will have the right to demand to see all the data you hold on them at any time.
o The right to rectification: Your customers will have the right to request you amend information you hold on them, and if they do, you’ll need to ensure data is updated in all areas.
o The right to erasure: Also known as the right to be forgotten, a customer can ask you to completely delete all the data you hold on them.
o The right to restrict processing: A customer will be able to continue using your service, while insisting you restrict processing any data on them to the bare minimum.
o The right to data portability: You’ll need to make it easy for a customer to transfer their data elsewhere if they want to.
o The right to object: This includes a customer’s right to expect you to stop processing personal data for direct marketing purposes as soon as you receive an objection.
So now you have an understanding of the rights your customers will enjoy under GDPR, let’s look at the key steps you need to take to ensure your website is fully compliant:
You will have to review all areas of your website to check what personal data you are collecting and storing. This may not be quite as straightforward as it sounds – while some data will be held by you directly, some might be held by third-party processors working on your behalf, and you may have web functions that automatically send data elsewhere, or auto-store data without you even realising it.
Depending on the functionality of your website, areas you may need to look at could include:
o Live chat tools
o Contact forms
o Blog comment areas
o Account registration
o Online booking systems
Once you’ve identified all the data you’re collecting, ask yourself:
o Why are we holding this data?
o Where is it being stored?
o Do we have consent to hold it?
o Do we need to continue to hold it?
This last point is particularly pertinent; personal data is a liability, and you’ll make your life a lot easier by only holding what you absolutely need to.
If you are using third parties to store data (e.g. newsletter software, CRM, invoicing software), check they are – or are going to be – compliant by the time GDPR comes into effect.
A key objective of GDPR is to make ‘privacy by default’ a central consideration in the design of any digital system, so you need to make sure any privacy settings on your website are set to their highest levels, with options for the user to change them if they want to.
Hopefully you’ll never need to use a breach-reporting process, but should the worst ever happen, being able to show that you have one will demonstrate that you recognise your GDPR responsibilities. Depending on how serious a breach is, you have a legal obligation to notify the Information Commissioner’s Office within 72 hours.
While getting GDPR-ready shouldn’t be too onerous for most businesses, it will inevitably require investing some time and resources, so it’s worth keeping in mind that the new regulations are not simply an exercise in bureaucracy; they’re designed to protect all of us.
In an increasingly digital world, we’re handing more and more of our personal data over to a myriad of organisations, trusting they’ll take all steps to safeguard it and prevent it from falling into the wrong hands. By making sure that everyone plays by the same rules, GDPR is a huge step towards making these expectations legal reality.
If you just don’t have the time or resources to undertake a personal data audit of your organisation’s website, we can do it for you. Get in touch now by sending us a message or calling us on 0118 380 0131 and let’s have a chat!
What about ‘Cookies’?
Cookie law is not part of GDPR. It’s a separate piece of privacy legislation, and we’ll be looking at it in another blog post soon.