When building a website, many business owners get excited about the styling and persona that they want to create for their company. But sometimes, data protection and security end up taking a back seat.
Let’s fill you in on a secret: no matter how engaging your sales pitch or how flashy your graphic design, no customer is going to buy from a website if they don’t feel that their personal details are secure.
The internet is full of dangers, scams, hackers, and unscrupulous companies who sell their customers’ details to the highest bidder, so it is natural that customers have become more wary of the businesses they buy from.
However, customer safeguards are also adapting to become more secure to match the expansion of the web. Effective as of May 25, 2018, the General Data Protection Regulation applies to any business that sells goods or services and/or keeps a record of the data of its customers.
These regulations apply to all businesses and freelance workers who work with citizens within the EU or in the UK, and the penalties for breaching them can be severe!
If you own a business, and your business targets customers in the EU or UK, you will most likely be subject to GDPR.
What Is The GDPR?
The General Data Protection Regulation, or GDPR, controls how the data of EU or UK customers is processed. According to the GDPR, data must be collected and processed according to seven principles:
- Lawfulness, fairness, and transparency – The way that data is handled must be in accordance with EU and UK law, it must be fair, and all information must be made transparent to the consumer. This means that it should be clearly and factually stated, and accessible for all consumers.
- Purpose limitation – Data must only be used for the purpose stated to the consumer at the time of collection.
- Data minimisation – Companies should only collect the amount of data necessary for the purpose stated.
- Accuracy – Personal data should be kept up to date and accurate.
- Storage limitation – Personally identifying data must not be kept for longer than necessary, and this period of time must be explicitly disclosed to the consumer.
- Integrity and confidentiality – Data must be collected and kept in a manner that is secure and confidential.
- Accountability – The data controller bears the responsibility for demonstrating GDPR compliance with the principles outlined above.
The Essentials That Organisations Must Have:
A Data Breach Process: Processes must be clearly defined and put in place for use in the event of a data breach. A data breach must be reported within 72 hours, depending on the extent of the breach.
An Appointed Data Protection Officer: A Data Protection Officer is responsible for monitoring compliance with GDPR internally. If you regularly collect and process customer data on a wide scale, you must appoint a Data Protection Officer.
A ‘Right To Be Forgotten’ Process (Right To Erasure): Your website must contain a Privacy Policy. This must include a process for the user to request details of the data stored about them, and a process for them to request that their data be removed from the system.
A Secure Default Privacy Setting: If your website stores user details and data, it should be set as a default to the highest privacy settings. The user should have the option to lower these settings if they so wish.
Data Encryption And Pseudonymisation
All businesses should be working towards storing customer data in a way that is encrypted and/or pseudonymised.
This reduces the likelihood of personally identifiable information (PII) being exposed during a breach. An SSL/TLS certificate encrypts the data that users submit through form fields while it is in transit to your server; it does nothing for that data once it is stored, and stored data is unlikely to be encrypted unless you arrange it separately.
Be aware that certain websites, particularly CMS systems such as WordPress, do not encrypt stored data by default, so you may need to customise your site to prevent personally identifiable information from being leaked in the event of a hack.
Making Your Website GDPR Compliant: A Checklist
Here, we’ve compiled the basics required for a GDPR compliant website:
- Make A Privacy Policy
  To be GDPR compliant, your Privacy Policy must contain:
  - Company information (who you are, and what you do)
  - How you collect and store information, including the types of information gathered
  - Short descriptions of the applicable laws and links out to sources that give more information
  - Links to third-party providers such as Google or Facebook
  - Links to applications, plugins, and software that store customer data
  - Links to user request forms so that users can delete or change their data
  - Details of the personal information collected and why this information needs to be gathered
  - Information about data stored by contact forms and why it needs to be collected
  - If using email newsletters, a link to the email service provider’s privacy policy, along with details of the information about the customer that is collected through email marketing
  - For websites containing checkout pages, details about the type of data stored via the checkout page
  - Details of the website server, including privacy and protection methods
  - Details of third-party data processors (e.g. Mailchimp)
  - Data breach action plan
  - Data protection officer/data controller details
- Forms
  Users should have the option to request to delete or change their data. Your business should therefore have a User Request Form that the visitors of your website can use to request changes to their data.
  This should include:
  - A contact form with a tick box to indicate consent
  - The option to download their own data and links to third-party services
  - User request to change and/or delete data
Your website must also include a checkbox to indicate that the user consents to the terms and conditions listed under the Privacy Policy, and a link in the Privacy Policy to the mailing service provider.
- Cookies
A cookie notification should appear to all users of your website, offering the user the chance to read and agree to your Privacy Policy. You should also make available a list of the cookies set by your website.
- Plugins, Applications, And CMS
All third-party plugins, applications, and CMS systems (such as WordPress) must be GDPR compliant and regularly updated.
- Backups
You may not keep more than three customer data backups. These backups must be secure, and only you can access them.
- Checkouts
Your checkouts must contain a link to the Privacy Policy and a user consent form to be GDPR compliant.
- Opt-ins
All automatic opt-ins on your website and in newsletters must be disabled.
- User Request Response
If a user requests that their data be disclosed or deleted, you must respond to their request within two days and action it in under 30 days.
- Data Access Requests Processes
  If a user requests a copy of his or her data, you must:
  - Have a process in place for a user to request access to their data
  - Have a process in place which gives the user access to their data in a portable, transferable format
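To make the Data Encryption And Pseudonymisation section and the access, erasure and data access request items above concrete, here is an added example (not code from the original article, and not any CMS’s API) of a small in-memory customer store. It keeps working records under a keyed pseudonym (HMAC-SHA256) with the re-identification mapping held separately, exports everything held about one person as portable JSON, and handles erasure and retention sweeps. The demo key, the field names and the constructed customer data are assumptions for illustration; encryption of data at rest is not shown here.

```python
"""Added example: pseudonymised customer store with subject access, erasure
and retention handling. All names, keys and data below are constructed for
illustration and are not part of the original article."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class CustomerStore:
    """Working data is pseudonymised; direct identifiers live in a separate store."""
    hmac_key: bytes                                  # secret; keep it outside the main database
    records: dict = field(default_factory=dict)      # token -> non-identifying working data
    identities: dict = field(default_factory=dict)   # token -> direct identifiers (separate store)

    def pseudonym(self, email: str) -> str:
        """Deterministic keyed hash of a normalised e-mail address.

        HMAC rather than a plain SHA-256: without the key, someone who obtains
        only the records table cannot recover addresses by hashing guesses,
        which is what makes the token a pseudonym rather than a thin disguise.
        """
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self.hmac_key, normalised, hashlib.sha256).hexdigest()

    def add_customer(self, email: str, name: str, purpose: str, collected_on: str) -> str:
        """Store a customer; `purpose` records why the data was collected (purpose limitation)."""
        token = self.pseudonym(email)
        self.identities[token] = {"email": email, "name": name}
        self.records[token] = {"purpose": purpose, "collected_on": collected_on, "orders": []}
        return token

    def record_order(self, email: str, order: dict) -> None:
        token = self.pseudonym(email)
        if token not in self.records:
            raise KeyError("unknown customer")
        self.records[token]["orders"].append(order)

    def working_view(self) -> dict:
        """What reporting or analytics code sees: tokens only, no direct identifiers."""
        return {token: dict(rec) for token, rec in self.records.items()}

    def export_subject_data(self, email: str):
        """Subject access / portability: everything held about one person, as JSON."""
        token = self.pseudonym(email)
        if token not in self.identities:
            return None
        bundle = {"identity": self.identities[token], "record": self.records[token]}
        return json.dumps(bundle, indent=2, sort_keys=True)

    def erase(self, email: str, keep_anonymised_record: bool = False) -> bool:
        """Right to erasure. Dropping the identity mapping alone leaves an
        un-linkable record, which is one way to honour an erasure request while
        keeping aggregate order history; by default both are removed."""
        token = self.pseudonym(email)
        found = token in self.identities
        self.identities.pop(token, None)
        if not keep_anonymised_record:
            self.records.pop(token, None)
        return found

    def retention_sweep(self, today: str, keep_for_days: int) -> int:
        """Storage limitation: remove everything older than the disclosed period."""
        limit = timedelta(days=keep_for_days)
        expired = [t for t, rec in self.records.items()
                   if date.fromisoformat(rec["collected_on"]) + limit < date.fromisoformat(today)]
        for token in expired:
            self.identities.pop(token, None)
            self.records.pop(token, None)
        return len(expired)


if __name__ == "__main__":
    # Constructed demo data; the key is a placeholder, not a real secret.
    store = CustomerStore(hmac_key=b"constructed-demo-key-not-for-production")
    store.add_customer("Ada@Example.com", "Ada Lovelace", "order fulfilment", "2024-01-10")
    store.record_order("ada@example.com", {"id": "A-1", "total": 12.5})
    print("working view (no PII):", json.dumps(store.working_view(), indent=2))
    print("subject access export:", store.export_subject_data("ada@example.com"))
    print("erased:", store.erase("ada@example.com"))
```

Two design points worth noting: the pseudonym is derived from a normalised address so that a subject access request for `ADA@example.com` finds the same record as the original sign-up, and the HMAC key is the piece of "additional information" that must be stored apart from the records, since anyone holding both can re-identify every token.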
Have you worked your way through our checklist? Congratulations! Your website should now be GDPR compliant, although be sure to check with a professional if you have any doubts.