How to make your website GDPR compliant

GDPR and your website: 6 things you need to do now

The General Data Protection Regulation (GDPR) is fast approaching and comes into force on 25 May 2018.

It supersedes the Data Protection Act 1998 and introduces tougher fines for non-compliance and breaches. GDPR also gives people more say over what companies can do with their data.

After 25 May, any data you gather on your website must be processed lawfully, transparently and for a specific purpose. This could include obvious data such as names, addresses and contact numbers but also less obvious data that you may not be aware of such as cookies and IP addresses. 

There are a number of steps that you can take to achieve GDPR compliance with your website data processing. 

1. Undertake a data flow audit

Start the process by identifying the data sources on your website (contact forms, newsletter sign-ups, etc.) and map the flow of data once someone completes a form. Are all the contact fields necessary? Data minimisation is a key principle relating to the processing of personal data. Limit the data to what is necessary by only gathering what you need.

A key part of GDPR is being aware of who has access to personal data that you log and store on your website’s content management system. Review who can access the data you gather and restrict access to only those that genuinely need it. 

2. Understand consent guidelines

If you plan to send email marketing to anyone who submits your web forms, GDPR requires that you get their explicit consent to do so. This means active opt-in from the user through unchecked boxes on web forms. 

Consent must be granular so you need to feature separate check boxes for different types of processing. For example, if you plan to use the data for post, email or telephone communication, or pass user details onto a third party, then you must feature a separate, unchecked box detailing each data processing purpose. 

GDPR also states that consent must be easily withdrawn if an individual no longer wants to provide their data. 

3. Keep a record of consent

GDPR requires you to keep a record of consent given by users. You need evidence of who consented, when they consented, the version of the form at the time of consent and whether they have withdrawn consent. 
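As an added illustration (not code from Web Foundry or the original article) of the consent record described above, combined with the granular, unchecked-box consent from step 2: an append-only log where each purpose is recorded separately, withdrawals are kept as evidence rather than overwriting the grant, and the form version is stored alongside who and when. The purpose names and the `ConsentLog` API are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed granular purposes; each needs its own unchecked box on the form.
PURPOSES = {"email", "post", "telephone", "third_party"}

@dataclass(frozen=True)
class ConsentEvent:
    subject: str                  # who consented (e.g. the submitted email address)
    purpose: str                  # which processing purpose the box covered
    granted: bool                 # True = opted in, False = withdrawn
    form_version: Optional[str]   # wording version shown at the time (None on withdrawal)
    timestamp: datetime           # when the event occurred (UTC)

class ConsentLog:
    """Append-only record; current state is derived from the full history."""
    def __init__(self):
        self._events = []

    def record_form_submission(self, subject, checked_purposes, form_version, now=None):
        # Only purposes the user actively ticked produce a consent record;
        # an untouched box yields no record at all (no pre-ticked defaults).
        if now is None:
            now = datetime.now(timezone.utc)
        unknown = set(checked_purposes) - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        for purpose in checked_purposes:
            self._events.append(ConsentEvent(subject, purpose, True, form_version, now))

    def withdraw(self, subject, purpose, now=None):
        # Withdrawal is a new event, so the original grant stays as evidence.
        if now is None:
            now = datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject, purpose, False, None, now))

    def has_consent(self, subject, purpose):
        # The latest event for this subject/purpose decides; no event means no consent.
        latest = None
        for e in self._events:
            if e.subject == subject and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

    def evidence(self, subject):
        # Everything needed to demonstrate consent: who, what, when, which form, withdrawn or not.
        return [e for e in self._events if e.subject == subject]
```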

4. Identify your lawful basis for data processing

To legally process data under the GDPR, you must have a lawful basis to do so. The Information Commissioner’s Office outlines the six lawful bases for processing data on their website. Once you’ve identified your lawful basis, you must ensure this is clearly stated in your privacy notice.

5. Update your privacy policy

You must publish what data you collect, why it is processed and who you share it with in your website privacy notice. You must also inform users how they can view the information you have stored on them and how they can ask for their data to be removed from your system, amongst other things. Check the ICO website for a full list of what you need to include in your privacy notice.

You should also outline the use of cookies in your privacy policy and explain to users how they can opt out of cookie tracking in their browser’s privacy settings.

6. Encrypt your data with an SSL certificate

Any data submitted to your site must be encrypted to comply with GDPR, and you can achieve this by installing an SSL certificate on your site. To check whether you have an SSL certificate, look for the padlock icon in the address bar of your website. If the symbol is missing, then you need to install an SSL certificate, which will enable the HTTPS protocol for secure data transfer. This is a quick and simple task and will give your customers confidence that any information they submit on your site is secure.

Web Foundry can provide you with help and advice on how to make your website GDPR compliant. Whilst we can advise on some of the steps you can take to make your website GDPR compliant, you should seek legal counsel on how to be fully compliant with your data processing in general.

Contact us now for more information and advice on GDPR best practices. 

Author

Joan Lavery on Tuesday, 01 May 2018
