GDPR for Website Owners
Please note that this is in no way a legal document and you should consult your own professionals regarding your GDPR compliance.
The General Data Protection Regulation (GDPR) is new legislation in the area of data protection which is going to come into force on May 25th 2018. Developed by the EU, it’s designed to strengthen individuals’ rights regarding the collection, use and storage of their personal data.
Who does the law apply to?
The law applies to all businesses or organisations in the EU. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply.
What Counts as Personal Data?
Any data that can be used to identify a living person directly or indirectly is classed as personal data.
For example (but not limited to):
- Name
- Address
- Email address
- Telephone number
- Location data
- IP address
What Counts as Sensitive Personal Data?
Sensitive personal data is a special class of personal data. This data has to be even more carefully handled. It includes factors such as:
- Race
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
Key GDPR Points in a Nutshell
These are the key points:
Consent must be explicitly given
To date, simply having a privacy policy and a link to it on every page was enough. It was implicit that if someone was on your site they were agreeing to your policy.
Now, if you are collecting NON-personally identifiable information (for example tracking data for Google Analytics) then you are fine with implicit consent. However, if you are going to collect personally identifiable information (name, email, phone, etc), then you must have explicit consent.
Explicit consent means that a checkbox for “I accept the terms” must be UNticked by default and the visitor to your website must voluntarily click that box. You must also make it clear when people voluntarily submit data what that will be used for. This means that within your form there should be a link to the privacy policy and some text stating that by submitting the form you are agreeing to the policy.
Notification of data breaches
You must notify data subjects of a data breach within 72 hours of you becoming aware of it. Data processors must notify data controllers of a breach “without undue delay”.
Some examples of data breaches:
- You hired someone in India to do some work on your website. Your website logged your contact forms, and therefore this person in a non-GDPR compliant country had access.
- You gave your mailing list to a new marketing company to do marketing on your behalf. Your privacy policy had not previously stated that the collected data would be used for this, so since this is a change in how personal data is handled, you must notify data subjects.
- Your website was hacked.
Right to access their data
A data subject (EU citizen) is allowed to request, at no charge, that you provide a copy of the personal data that you have stored about them. You must also provide them with what data is processed, where that data is processed, by whom, and for what purpose.
The basic steps for data access are:
- verify they are who they say they are (otherwise you would be committing a data breach)
- make sure you have their data, if you don’t, just tell them you don’t have data on them
- don’t create extra data while processing their request
- record the request in an audit log
- do it within 20 days
Right to be forgotten
Basically, people have the right to leave your website without you storing personally identifiable information about them. Provided, of course, that doesn’t violate any other laws.
Upon request, a data subject can require you to delete the data you have collected about them. For example, if you have an ecommerce website and someone created an account with you and then decided to close the account, they have the right to ask you (and any other plugin that may have access to the data, such as Woocommerce) to delete all data.
This is, however, limited by other laws. For example, if you had paid Woocommerce for services, then Woocommerce is required by tax laws to maintain certain records for a period of time. So in this case, Woocommerce would need to delete the data NOT related to tax purposes. Phew, complicated eh!
Privacy by Design
Basically, only ask for data you actually need. If you don’t need the data then just don’t ask for it.
How Does GDPR Affect my Website?
Most websites will collect data in some form or other. This can range from the more obvious such as a contact form to the behind the scenes data such as Google Analytics for tracking your website visitors.
There are certain changes that may need to be made to your website. These include (but may not be limited to):
Contact forms
Contact forms need to include a check box (it must be unchecked by default). When ticked, you will have been given permission to process the subject’s data.
Privacy Policy
If your site doesn’t already have a Privacy Policy, you will need one. If you do already have a Privacy Policy you will probably need to update it to comply. This will include stating what kind of personal data you collect, what you intend to do with the data, where it will be stored, who has access to it and their rights regarding the data.
Sign Up Forms
If you offer a sign up form on your website for Newsletters etc then you will need a checkbox as per the contact forms. Many Newsletter sign ups have this already but they are usually ticked by default. You will need to ensure that they are UNticked by default.
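An added example (not code from the original post or from any form plugin) of what the contact form and sign-up form sections, together with the explicit-consent point above, mean in practice: the rendered form has the consent box unticked with a link to the privacy policy beside it, and the server refuses a submission unless the box was actually ticked, keeps only the fields the form needs (privacy by design), and records when consent was given and against which policy version. Field names, the policy URL and the version string are assumptions for this example.

```javascript
// Added example, not from the original post. Names and values are assumed.

// Privacy by design: only the fields the form actually needs are stored.
const ALLOWED_FIELDS = ["name", "email", "message"];
const PRIVACY_POLICY_URL = "/privacy-policy"; // assumed
const PRIVACY_POLICY_VERSION = "2018-05"; // assumed placeholder

// Markup for the consent box: no `checked` attribute, so it is unticked by
// default, and the text states what submitting the form agrees to.
function consentCheckboxHtml() {
  return (
    '<label><input type="checkbox" name="consent" value="yes" required> ' +
    "I accept the terms. By submitting this form you agree to the " +
    '<a href="' + PRIVACY_POLICY_URL + '">privacy policy</a>.</label>'
  );
}

// A browser omits an unticked checkbox from the submitted body entirely and
// sends its value attribute when ticked, so only an explicit value counts.
function consentGiven(body) {
  const v = body.consent;
  return v === "yes" || v === "on" || v === true || v === "true";
}

// Server-side handling of a submitted contact / newsletter form body.
function handleSubmission(body, now = new Date()) {
  if (!consentGiven(body)) {
    return { ok: false, error: "Explicit consent is required to process this form." };
  }
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    const value = body[field];
    if (typeof value === "string" && value.trim() !== "") record[field] = value.trim();
  }
  if (!record.email) {
    return { ok: false, error: "An email address is required." };
  }
  // Evidence of consent: when it was given, which policy version, for what purpose.
  record.consent = {
    givenAt: now.toISOString(),
    policyVersion: PRIVACY_POLICY_VERSION,
    purpose: "replying to this enquiry",
  };
  return { ok: true, record };
}

module.exports = { consentCheckboxHtml, consentGiven, handleSubmission };
```

The `required` attribute stops the browser submitting with the box unticked, but the server-side check is the one that matters: anything posted without the consent value is rejected, and any extra fields a visitor or plugin happens to send are dropped rather than stored.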
SSL Certificate
Most websites these days already have SSL certificates. This is the padlock symbol that you can see at the top left of the browser bar that shows that your website is secure. All sites created by Websites by Diane include an SSL certificate as standard, but if you don’t have one then you need to contact your designer/developer asap. As an aside, from mid April, websites that don’t have an SSL cert will be shown as “unsafe” by Chrome.
Back End Data
Depending on your website type you may have data stored at the back end. By having an SSL Cert installed you are already complying with the secure aspect of GDPR. However, make sure that you regularly log into the back end of your website and delete any data that you no longer need. This may be names and telephone numbers from contact forms, or even more detailed information if you run an ecommerce website. If you still need access to this data then you can usually download it (to a safe and secure environment) before deleting it from the back end of your website.
What Happens if I don’t Comply?
If you don’t comply you may be liable for a fine. The maximum fine for a consent breach will become €20 million, or 4% of global turnover if this is greater than €500 million per year. But this headline-grabbing figure isn’t the end of it. Non-consent breaches are subject to a €10 million fine (2% of global turnover).
Isn’t this the cookie thing all over again?
While some people are likening it to the “this site uses cookies” EU directive that came into force in 2011, this is likely to be much more monitored and enforced. The recent Cambridge Analytica debacle has brought data protection to the forefront, and as more and more people’s data is being abused, the more pertinent it will become.
Brexit is coming so it doesn’t apply to the UK
Yes it does. Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law. Plus of course regardless of what happens post Brexit, if you deal with the EU then the Regulation will apply anyway.
Summary
In summary, there can be no doubt that the new GDPR will be a pain for many small businesses. Some may be wondering if they can get away with doing nothing. My opinion (not legal) is that for most small businesses the changes are small, shouldn’t cost much and are worth doing. Your customers’ data should be secure, and by implementing the changes you show that you care about your customers’ data.