GDPR and your website: 7 steps to compliance
The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
It supersedes the Data Protection Act 1998 and introduces tougher fines for non-compliance and breaches. GDPR also gives people more say over what companies can do with their data.
Any data you gather on your website must now be processed lawfully, transparently and for a specific purpose. This includes obvious personal data such as names, addresses and contact numbers, but also less obvious data that you may not be aware you are collecting, such as cookies and IP addresses.
There are a number of steps that you can take to achieve GDPR compliance with your website data processing.
Start the process by identifying the data sources on your website (contact forms, newsletter sign-ups etc.) and map the flow of data once someone completes a form. Are all the contact fields necessary? Data minimisation is a key principle relating to the processing of personal data: limit the data to what is necessary by only gathering what you need.
A key part of GDPR is being aware of who has access to personal data that you log and store on your website’s content management system. Review who can access the data you gather and restrict access to only those that genuinely need it.
If you plan to send email marketing or newsletters to anyone who submits your web forms, GDPR requires that you get their explicit consent to do so. This means active opt-in from the user through unchecked boxes on web forms.
Consent must be granular, so you need to feature separate check boxes for different types of processing. For example, if you plan to use the data for post, email or telephone communication, or pass user details onto a third party, then you must feature a separate, unchecked box detailing each data processing purpose.
Opt-in should also be unbundled, meaning consent requests must be separate from acceptance of other terms and conditions.
GDPR also states that consent must be easily withdrawn if an individual no longer wants to provide their data. Include text on your form that details how users can unsubscribe at any time, and ensure there is an obvious unsubscribe link on any subsequent email communication you send.
GDPR requires you to keep a record of consent given by users. You need evidence of who consented, when they consented, the version of the form at the time of consent and whether they have withdrawn consent.
To legally process data under the GDPR, you must have a lawful basis to do so. The Information Commissioner’s Office outlines the six lawful bases for processing data on their website. Once you’ve identified your lawful basis, you must ensure this is clearly stated in your privacy notice.
You must publish what data you collect, why it is processed and who you share it with on your website privacy notice. You must also inform users how they can view information you have stored on them and how they can ask for their data to be removed from your system, amongst other things. Check the ICO website for a full list of what you need to include in your privacy notice.
Any data submitted to your site must be encrypted in transit to comply with GDPR, and you can achieve this by installing an SSL certificate on your site (modern certificates actually use TLS, the successor to SSL, but the term is still in common use). To check whether you have one, look for the padlock icon in the address bar when you visit your website. If the padlock is missing, you need to install a certificate, which enables the https protocol for secure data transfer. This is a quick and simple task and will give your customers confidence that any information they submit on your site is protected on its way to your server.
Web Foundry can provide you with help and advice on how to make your website GDPR compliant. Whilst we can advise on some of the steps you can take to make your website GDPR compliant, you should seek legal counsel on how to be fully compliant with your data processing in general.
ORIGINALLY WRITTEN MAY 2018; UPDATED APRIL 2019
Contact us now for more information and advice on GDPR website best practices.