How to make your website GDPR compliant?
Updated 8th May 2018
So you’ve read all about GDPR, you’ve done a company-wide data audit and now you need to make sure that your website is compliant. In this post I’ll go through the main areas of a standard Ecommerce website and suggest ways that it could be GDPR compliant based on what the ICO says about GDPR.
The main thing to consider with regard to your website is what the GDPR calls the ‘Legal grounds for processing’. These are:
a) Consent: The individual has given clear consent for you to process their Personal Data for a specific purpose.
b) Contract: The processing of Personal Data is necessary for a contract you have with an individual, or because they have asked you to take specific steps before entering into a contract.
c) Legal obligation: The processing of Personal Data is necessary for you to comply with the law.
d) Vital interests: The processing of Personal Data is necessary to protect someone’s life.
e) Public task: The processing of Personal Data is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
f) Legitimate interest: The processing of Personal Data is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual’s Personal Data which overrides those legitimate interests.
The grounds most likely to apply to you are Consent, Contract and Legitimate interest, and these are the only ones I’ll be referring to in this post.
Let's start with something simple:
A basic example might be:
Getting people to sign up to your mailing list requires explicit consent. This means that you are no longer allowed to have pre-ticked boxes or implied consent; they have to actively opt-in.
Depending on your wording and how you are promoting your lead magnet, it might be a better solution to add an opt-in tick box as well as the information above, just to be on the safe side. You can then be assured that you are 100% GDPR compliant.
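As an added example (not code from the original post), here is how a signup handler can make the opt-in an action rather than a default: the box is rendered without a `checked` attribute, the server accepts only the exact value the unticked box sends when the visitor ticks it, and each subscription is stored with the wording and time of the consent. The field names, the consent wording and the version label are assumptions.

```javascript
// Added example, not from the original post. Assumes a plain form POST that
// your server has already parsed into an object like { email, newsletter_optin }.

// The exact wording shown beside the box, stored with each consent record so
// you can later show what the subscriber agreed to (hypothetical label/text).
const CONSENT_TEXT_VERSION = 'newsletter-optin-v1';
const CONSENT_TEXT = 'Yes, send me the monthly newsletter. I can unsubscribe at any time.';

// Renders the opt-in box. Deliberately no `checked` attribute: the box starts
// unticked so that consent is something the visitor does, not a default.
function renderOptIn() {
  return (
    '<label>' +
    '<input type="checkbox" name="newsletter_optin" value="yes"> ' +
    CONSENT_TEXT +
    '</label>'
  );
}

// Validates a submitted form and builds a consent record. Only the exact
// value "yes" from the checkbox counts; a missing field, "on", or any other
// pre-filled value is treated as "no consent given".
function processSignup(form, now = new Date()) {
  const email = typeof form.email === 'string' ? form.email.trim() : '';
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: 'invalid email' };
  }
  if (form.newsletter_optin !== 'yes') {
    // The visitor may still get what they actually asked for (e.g. an account),
    // but they must not be added to the mailing list.
    return { ok: true, subscribed: false, email };
  }
  return {
    ok: true,
    subscribed: true,
    email,
    consent: {
      consentedAt: now.toISOString(),
      textVersion: CONSENT_TEXT_VERSION,
      text: CONSENT_TEXT,
    },
  };
}
```

Keeping the wording version with each record matters when you later change the text beside the box: you can always show which version a given subscriber agreed to, and re-ask only the people whose consent no longer matches.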
An example signup form text is:
If you think you will need to ask your subscribers to your newsletter to re-opt-in, view it as a good time to do a spot of list housekeeping and re-engage with your subscribers.
An example blog comment form text might be:
An example checkout text might be:
You can see what cookies a web page sets by using your browser's 'Inspect Element' (right-click or Ctrl-click the page) and choosing 'Storage'. You will need to do this for each page type.
Some cookies fall under the rules of GDPR because they collect Personal Data, for example an IP address. These cookies should require an opt-in from the user before they are activated on your site. You will need to do a cookie audit of your site to find out which cookies you use, what data each one collects and how consent for each one should be implemented on your site.
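As an added example (not code from the original post), this is one way to act on the result of a cookie audit: each cookie is classified by purpose, only the necessary ones are allowed before any choice is made, and the others are permitted only once the visitor's recorded choice covers their category. The cookie names, the `cookie_consent` cookie and its JSON format are constructed placeholders; replace them with your own audit results.

```javascript
// Added example, not from the original post. The audit table and the
// cookie_consent format are constructed for illustration.

// Result of a (constructed) cookie audit: which cookie serves which purpose.
const COOKIE_AUDIT = {
  session_id:        { category: 'necessary', collects: 'session token' },
  cart:              { category: 'necessary', collects: 'basket contents' },
  cookie_consent:    { category: 'necessary', collects: 'the consent choice itself' },
  analytics_visitor: { category: 'analytics', collects: 'visitor id, IP address' },
  ad_tracker:        { category: 'marketing', collects: 'cross-site id' },
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the visitor's stored choice. No consent cookie, or an unparseable one,
// means nothing optional has been agreed to.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader).cookie_consent;
  const none = { analytics: false, marketing: false };
  if (!raw) return none;
  try {
    const parsed = JSON.parse(raw);
    return { analytics: parsed.analytics === true, marketing: parsed.marketing === true };
  } catch (e) {
    return none;
  }
}

// May this cookie be set for a visitor with the given consent?
function mayUseCookie(name, consent) {
  const entry = COOKIE_AUDIT[name];
  if (!entry) return false;                      // not in the audit: block it
  if (entry.category === 'necessary') return true;
  return consent[entry.category] === true;
}

// The cookies a page may set for this request; use this to decide which
// third-party scripts to include when rendering the page.
function permittedCookies(cookieHeader) {
  const consent = readConsent(cookieHeader);
  return Object.keys(COOKIE_AUDIT).filter((name) => mayUseCookie(name, consent));
}
```

The important design choice is the default: an unknown cookie, a missing consent cookie or a corrupted one all resolve to "not permitted", so a new tracker that someone adds to a template without updating the audit does not silently start running for everyone.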
An example cookie banner text is:
The following questions should be considered when writing your GDPR compliant privacy notice, but
* Who are we?
* What type of data do we collect?
* Who is collecting the data?
* How is the data collected?
* Why is the data being collected?
* How will the data be used?
* Who will the data be shared with?
* How can I opt-out of data collection?
Informing people about your updated Policy:
As your website collects, stores and processes personal data, you need to make sure that this data is secure. Any data that is stored online needs to be password protected and stored on a secure server. Make sure you have a list of all personnel in your business who have access to this data, and inform them of GDPR and their responsibilities.
Any Personal Data submitted through your website needs to travel over HTTPS so that it is encrypted in transit. To do this your website will need an SSL (Secure Sockets Layer) certificate installed on your web server. SSL encrypts the connection between the web server and the web browser. Once it is in place, all connections are encrypted, which means that data sent via a submitted form cannot be read by anyone eavesdropping on the connection and is only visible to the site owner. This helps to protect online users against hackers and means that you are well on the way to having your business GDPR compliant.
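As an added example (not code from the original post), here is a small framework-agnostic decision function for enforcing HTTPS on a site that already has its certificate installed: plain-HTTP requests are redirected to the same path over HTTPS, and encrypted responses get a Strict-Transport-Security header so the browser keeps using HTTPS. The request shape, the `trustProxy` option and the one-year HSTS lifetime are assumptions.

```javascript
// Added example, not from the original post. Takes a small description of the
// request and returns a decision, so it can be wrapped in any server's
// middleware. The request shape and the policy values are assumptions.

const HSTS_MAX_AGE_SECONDS = 31536000; // one year; assumed policy choice

// req = { protocol: 'http' | 'https', host, url, forwardedProto? }
// trustProxy: set true only when a load balancer you control terminates TLS
// and sets X-Forwarded-Proto; otherwise a client could send that header itself
// and skip the redirect.
function httpsPolicy(req, { trustProxy = false } = {}) {
  const proto = trustProxy && req.forwardedProto
    ? req.forwardedProto.split(',')[0].trim().toLowerCase()
    : req.protocol;

  if (proto !== 'https') {
    // Permanent redirect to the same path over HTTPS. The host comes from the
    // request, minus any port the plain-HTTP listener reported.
    const host = req.host.replace(/:\d+$/, '');
    return { action: 'redirect', status: 301, location: `https://${host}${req.url}` };
  }

  return {
    action: 'serve',
    headers: {
      // Tell browsers to use HTTPS for this host (and subdomains) from now on.
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE_SECONDS}; includeSubDomains`,
    },
  };
}
```

The redirect is a safety net, not the primary protection: a form that is posted to a plain-HTTP URL has already sent its contents in the clear before the redirect happens, so every form action and link on the site should point at the HTTPS address directly.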
If you can access the data collected via your laptop, you need to think about how secure your laptop is. What would happen if your laptop was stolen? How easy would it be to gain entry to your laptop and then access all the data?
If you keep records of people that include personal data offline, in the form of paper files, these files need to be securely stored under lock and key, as GDPR applies to all personal data, not just online data.
There are strict rules on transfers to third parties outside of the EEA (European Economic Area). So you will need to check which countries your third parties are in, and whether each country has an adequacy finding (a decision that a country outside the EU offers an adequate level of data protection). For a third party in the United States, check whether it is certified under the GDPR-approved Privacy Shield.
A data breach occurs where there is a loss, alteration, unauthorised disclosure of or access to personal data AND there is a risk to the rights and freedoms of individuals. If there is a data breach, you must notify the ICO within 72 hours of the breach.
This guide is not legal advice and by using it you agree to this disclaimer. The materials provided are for informational purposes only and do not constitute advertising, a solicitation or legal advice. You should not rely upon this information for any purpose without seeking legal advice. The information contained is provided only as general information and may or may not be useful to you in your current situation or reflect the most current legal developments; accordingly, information is not promised or guaranteed to be correct or complete.
If you have a comment or want to ask any questions about GDPR, please leave a message below.
Until next time…