
GDPR for Website Owners & Small Businesses

GDPR for Website Owners

Please note that this is in no way a legal document and you should consult your own professionals regarding your GDPR compliance.

The General Data Protection Regulation (GDPR) is EU data protection legislation that applies from 25th May 2018. It is designed to strengthen individuals’ rights over how their personal data is collected, used and stored.

Who does the law apply to?

The law applies to all businesses and organisations established in the EU that handle personal data, whatever their size. Those outside the EU who offer goods or services (paid or free) to people in the EU, or monitor their behaviour, must also comply.

What Counts as Personal Data?

Any data that can be used to identify a living person directly or indirectly is classed as personal data.

For example (but not limited to):

  • Name
  • Address
  • Email address
  • Telephone number
  • Location data
  • IP address

What Counts as Sensitive Personal Data?

Sensitive personal data (the GDPR calls it “special category data”) is a class of personal data that has to be handled even more carefully, and normally needs explicit consent or another specific condition before you may process it. It includes, among others:

  • Race
  • Health status
  • Sexual orientation
  • Religious beliefs
  • Political beliefs

Key GDPR Points in a Nutshell

These are the key points:

Consent must be explicitly given

Until now, simply having a privacy policy linked from every page was treated as enough. It was implied that anyone using your site was agreeing to your policy.

Under the GDPR that no longer holds. Note too that the regulation treats online identifiers such as IP addresses and cookie IDs as personal data, so analytics tracking (Google Analytics, for example) is not automatically exempt: you need a lawful basis for it and, for non-essential cookies, the visitor’s consent under the existing cookie rules. Consent is one of several lawful bases (others include performing a contract and legitimate interests), but for most small-business forms it is the simplest to rely on, and this article assumes you are relying on it. Where you collect directly identifying information (name, email, phone, etc.) on that basis, the consent must be freely given, specific, informed and unambiguous, and you must be able to show it was given.

Explicit consent means an “I accept the terms” checkbox that is UNticked by default and that the visitor ticks themselves; pre-ticked boxes, silence or inactivity do not count. You must also make it clear, at the point where people submit data, what it will be used for. So the form should link to the privacy policy and carry a short statement that by submitting the form the visitor agrees to the policy, and you should keep a record of when and how consent was given so you can demonstrate it later.

Notification of data breaches

You must notify your supervisory authority (in the UK, the ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to them, you must also tell the affected data subjects themselves without undue delay. Data processors must notify the data controller “without undue delay” after becoming aware of a breach.

Some examples of incidents and changes that will need action:

  • You hired someone in India to do some work on your website. Your website logged your contact-form submissions, so this person had access to personal data outside the EU. Giving access to personal data in a country without an EU adequacy decision is only allowed with appropriate safeguards in place (such as standard contractual clauses and a written processing agreement with the contractor); if it happened without them, you are in breach of the regulation and need to put it right.
  • You gave your mailing list to a new marketing company to do marketing on your behalf. Your privacy policy had not stated that the collected data would be used for this. Strictly this is a change in how personal data is used rather than a security breach, but it still means you must update your policy, put a processing agreement in place with the company and inform the data subjects (and, if you rely on consent, obtain consent for the new use).
  • Your website was hacked and the attacker could have read or copied personal data. This is the classic case: an unauthorised disclosure or loss of personal data is a breach, and the 72-hour clock starts when you become aware of it.

Right to access their data

A data subject (anyone in the EU whose data you hold, regardless of citizenship) is allowed to request, normally at no charge, a copy of the personal data you hold about them. You must also tell them what data is processed, where it is processed, by whom and for what purpose, how long you keep it and, if you didn’t get it from them directly, where it came from.

The basic steps for data access are:

  • verify they are who they say they are (handing someone’s data to an impostor would itself be a data breach)
  • check whether you actually hold their data; if you don’t, just tell them so
  • don’t create extra copies of the data while processing the request (for example, don’t leave the export sitting in a shared folder or an email outbox)
  • record the request, what you sent and when, in an audit log
  • do it within one month of receiving the request (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)

Right to be forgotten

Basically, people have the right to have the personal data you hold about them erased, provided of course that erasing it doesn’t conflict with another legal obligation.

Upon request, a data subject can ask you to delete the data you have collected about them. For example, if you run an ecommerce website and someone created an account with you and then decided to close it, they have the right to ask you to delete all their data, and you must pass that request on to anyone processing the data on your behalf (your payment provider or mailing-list service, for example, and any plugin that has stored its own copy, such as WooCommerce).

This is, however, limited by other laws. For example, if the customer placed paid orders, tax law requires you to keep certain transaction records (invoices, amounts, VAT) for a set number of years. In that case you delete everything NOT needed for the tax records (contact details, marketing preferences, IP addresses, support messages) and keep only what the law obliges you to retain, for only as long as it obliges you to. Phew, complicated eh!

Privacy by Design

Basically, only ask for data you actually need, and protect it by default. If you don’t need a piece of data, don’t collect it; if you only need it for a while, don’t keep it longer; and don’t make a form field mandatory just because the information might be nice to have.

How Does GDPR Affect my Website?

Most websites collect data in some form or other. This ranges from the obvious, such as a contact form, to behind-the-scenes data such as Google Analytics tracking of your website visitors.

There are certain changes that may need to be made to your website.  These include (but may not be limited to):

Contact forms

Contact forms need to include a consent checkbox, and it must be UNchecked by default. Only when the visitor ticks it have you been given permission to process their data, and only for the purpose stated next to the box.

Privacy Policy

If your site doesn’t already have a Privacy Policy, you will need one. If you do already have a Privacy Policy you will probably need to update it to comply. This will include stating what kind of personal data you collect, what you intend to do with it, where it will be stored, how long you keep it, who has access to it, and what rights the data subject has over it and how to exercise them.

Sign Up Forms

If you offer a sign-up form on your website for newsletters etc., you will need a checkbox as for the contact forms. Many newsletter sign-ups have one already, but it is usually ticked by default. You will need to ensure it is UNticked by default, and that newsletter consent is kept separate from any other consent (someone sending a contact-form enquiry must not be silently added to your mailing list).

SSL Certificate

Most websites these days already have an SSL certificate (strictly a TLS certificate: it is what lets the site be served over HTTPS). This is the padlock symbol you can see at the left of the browser’s address bar, and it shows that traffic between the visitor and your site is encrypted in transit, so form submissions and logins cannot be read or altered on the way. All sites created by Websites by Diane include an SSL certificate as standard, but if you don’t have one then you need to contact your designer/developer asap. As an aside, Google has announced that from July 2018 (Chrome 68) Chrome will mark every page served over plain HTTP as “Not secure”.

Back End Data

Depending on your website type you may have data stored at the back end. An SSL certificate protects data only while it travels between the visitor and your server; it does nothing for the data sitting in your database, so the certificate alone does not satisfy the GDPR’s security requirement (Article 32 asks for technical and organisational measures appropriate to the risk). In practice that means strong, unique passwords and two-factor authentication on your admin login, keeping the platform and its plugins updated, limiting who has admin access, and taking backups that are themselves stored securely. It also means regularly logging into the back end of your website and deleting any data you no longer need. This may be names and telephone numbers from contact forms, or more detailed information if you run an ecommerce website. If you still need the data, download it first (to a safe and secure environment) and then delete it from the back end of your website.
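The erasure-versus-tax-retention case described under “Right to be forgotten”, and the routine clean-out of back-end data recommended above, both come down to the same sweep: delete what you no longer have a reason to hold, and strip what you must keep down to the fields the law actually requires. The Python below is an added worked example, not code from the original post or from any plugin; the invoice fields, the six-year retention period and the sample customer records are all assumptions constructed for illustration and must be checked against your own legal obligations.

```python
"""Erasure request vs. legal retention: a worked example (not from the original post)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# ASSUMPTION: the fields a tax authority would expect to remain on an invoice record.
# Check this list against your accountant's and tax authority's requirements.
INVOICE_FIELDS = frozenset({"invoice_no", "amount", "vat", "billing_name", "billing_address"})

# ASSUMPTION: a six-year retention period, used here purely as a placeholder.
TAX_RETENTION_DAYS = 6 * 365


@dataclass(frozen=True)
class Record:
    """One row of personal data held about a subject, in any back-end store."""
    kind: str        # "account", "contact_form" or "order"
    created: date
    data: dict


def apply_erasure(records, today, retention_days=TAX_RETENTION_DAYS):
    """Decide, record by record, what an erasure request allows you to delete.

    Returns (kept, deleted, audit_log). Orders still inside the retention
    window are kept but stripped down to the invoice fields; everything else
    (accounts, form submissions, orders past retention) is deleted outright.
    """
    cutoff = today - timedelta(days=retention_days)
    kept, deleted, audit_log = [], [], []
    for rec in records:
        if rec.kind == "order" and rec.created >= cutoff:
            # Legal hold: keep only what tax law needs, drop every other field.
            minimised = {k: v for k, v in rec.data.items() if k in INVOICE_FIELDS}
            dropped = sorted(set(rec.data) - INVOICE_FIELDS)
            kept.append(replace(rec, data=minimised))
            retain_until = rec.created + timedelta(days=retention_days)
            audit_log.append(
                f"{today.isoformat()} kept order {rec.data.get('invoice_no')} "
                f"(tax retention until {retain_until.isoformat()}); removed fields {dropped}"
            )
        else:
            deleted.append(rec)
            audit_log.append(
                f"{today.isoformat()} deleted {rec.kind} record dated {rec.created.isoformat()}"
            )
    return kept, deleted, audit_log


def demo():
    """Constructed sample data for one fictional customer (not real records)."""
    today = date(2018, 6, 1)
    contact = {"email": "alice@example.com", "phone": "01253 000000", "ip": "203.0.113.7"}
    invoice = {"billing_name": "Alice Example", "billing_address": "1 High St"}
    records = [
        Record("account", date(2016, 3, 1), {"name": "Alice Example", **contact}),
        Record("contact_form", date(2018, 2, 10), {"message": "Do you ship to Ireland?", **contact}),
        # Recent paid order: must survive, minus the contact details.
        Record("order", date(2017, 11, 5),
               {"invoice_no": "INV-1001", "amount": "49.00", "vat": "9.80", **invoice, **contact}),
        # Old order, well outside the retention window: can go entirely.
        Record("order", date(2011, 1, 20),
               {"invoice_no": "INV-0007", "amount": "12.00", "vat": "2.40", **invoice, **contact}),
    ]
    return apply_erasure(records, today)


if __name__ == "__main__":
    kept, deleted, log = demo()
    print(f"kept {len(kept)} record(s), deleted {len(deleted)}")
    print("\n".join(log))
```

Run it as a script to see the audit log. On a real site the same decision would run against your database rows rather than an in-memory list, and the audit log entry (request date, what was deleted, what was kept and why) is the record you would show a regulator or the data subject if asked.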

What Happens if I don’t Comply?

If you don’t comply you may be liable for a fine. The GDPR has two tiers of fine. The higher tier, which covers breaches of the basic principles (consent included) and of data subjects’ rights, is up to €20 million or 4% of worldwide annual turnover, whichever is higher (the percentage only exceeds €20 million once turnover passes €500 million a year). But this headline-grabbing figure isn’t the end of it. Other breaches, such as failing to secure data properly or to report a breach in time, fall under the lower tier of up to €10 million or 2% of worldwide annual turnover, again whichever is higher.

Isn’t this the cookie thing all over again?

While some people are likening it to the “this site uses cookies” EU directive that came into force in 2011, this is likely to be much more closely monitored and enforced. The recent Cambridge Analytica debacle has brought data protection to the forefront, and the more people’s data is abused, the more pertinent it will become.

Brexit is coming so it doesn’t apply to the UK

Yes it does. Since the UK will still be a member of the EU on the date the GDPR takes effect, the GDPR will apply in the UK, and the government is writing its requirements into UK law so that they continue to apply after exit. Plus, of course, regardless of what happens post-Brexit, if you deal with people in the EU then the Regulation will apply anyway.

Summary

In summary there can be no doubt that the new GDPR will be a pain for many small businesses.  Some may be wondering if they can get away with doing nothing.  My opinion (not legal) is that for most small businesses the changes are small, shouldn’t cost much and are worth doing.  Your customers’ data should be secure and by implementing the changes, it shows that you care about your customers’ data.

By diane | 6th April 2018