GDPR for Website Owners & Small Businesses

GDPR for Website Owners

Please note that this is in no way a legal document and you should consult your own professionals regarding your GDPR compliance.

The General Data Protection Regulation (GDPR) is new legislation in the area of data protection which is going to come into force on May 25th 2018. Developed by the EU, it’s designed to strengthen individuals’ rights regarding the collection, use and storage of their personal data.

Who does the law apply to?

The law applies to all businesses or organisations in the EU. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply.

What Counts as Personal Data?

Any data that can be used to identify a living person directly or indirectly is classed as personal data.

For example (but not limited to):

  • Name
  • Address
  • Email address
  • Telephone number
  • Location data
  • IP address

What Counts as Sensitive Personal Data?

Sensitive personal data is a special class of personal data.  This data has to be even more carefully handled. It includes factors such as:

  • Race
  • Health status
  • Sexual orientation
  • Religious beliefs
  • Political beliefs

Key GDPR Points in a Nutshell

There are the key points

Consent must be explicitly given

To date, simply having a privacy policy and a link to it on every page was enough. It was implicit that if someone was on your site they were agreeing to your policy.

Now, if you are collecting NON-personally identifiable information (for example tracking data for Google Analytics) then you are fine with implicit consent. However, if you are going to collect personally identifiable information (name, email, phone, etc), then you must have explicit consent.

Explicit consent means that a checkbox for “I accept the terms” must be UNticked by default and the visitor to your website must voluntarily click that box. You must also make it clear when people voluntarily submit data what that will be used for. This means that within your form there should be a link to the privacy policy and some text stating that by submitting the form you are agreeing to the policy.

Notification of data breaches

You must notify data subjects of a data breach within 72 hours of you becoming aware of it. Data processors must notify data controllers of a breach “without undue delay”.

Some examples of data breaches:

  • You hired someone in India to do some work on your website. Your website logged your contact forms, and therefore this person in a non-GDPR compliant country had access.
  • You gave your mailing list to a new marketing company to do marketing on your behalf. Your privacy policy had not previously stated that the collected data would be used for this, so since this is a change in how personal data is handled, you must notify data subjects.
  • Your website was hacked.

Right to access their data

A data subject (EU citizen) is allowed to request, at no charge, that you provide a copy of the personal data that you have stored about them.  You must also provide them with what data is processed, where that data is processed, by whom, and for what purpose.

The basic steps for data access are:

  • verify they are who they say they are (otherwise you would be committing a data breach)
  • make sure you have their data, if you don’t, just tell them you don’t have data on them
  • don’t create extra data while processing their request
  • record the request in an audit log
  • do it within 20 days

Right to be forgotten

Basically, people have the right to leave your website without you storing personally identifiable information about them. Provided, of course, that doesn’t violate any other laws.

Upon request, a data subject can request that you delete the data you have collected about them. For example, if you have an eommerce website and someone created an account with you and then decided to close the account, they have the right to ask you (and any other plugin who may have access to the data, such as Woocommerce) to delete all data.

This is, however, limited by other laws. For example, if you had paid Woocommerce for services, then Woocommerce is required by tax laws to maintain certain records for a period of time. So in this case, Woocommerce would need to delete the data NOT related to tax purposes.  Phew, complicated eh!

Privacy by Design

Basically, only ask for data you actually need. If you don’t need the data then just don’t ask for it.

How Does GDPR Affect my Website?

Most websites will collect data in some form or other.  This can range from the more obvious such as a contact form to the behind the scenes data such as Google Analytics for tracking your website visitors.

There are certain changes that may need to be made to your website.  These include (but may not be limited to):

Contact forms

Contact forms need to include a check box (it must be Unchecked by default).  When ticked, you will have been given permission to process the subject’s data

Privacy Policy

If your site doesn’t already have a Privacy Policy, you will need one.  If you do already have a Privacy Policy you will probably need to update it to comply.  This will include stating what kind of personal data you collect, what you intend to do with the data, where it will be stored, who has access to it and their rights regarding the data.

Sign Up Forms

If you offer a sign up form on your website for Newsletters etc then you will need a checkbox as per the contact forms.  Many Newsletter sign ups have this already but they are usually ticked by default.  You will need to ensure that they are UNticked by default.

SSL Certificate

Most websites these days already have SSL certificates.  This is the padlock symbol that you can see at the top left of the browser bar that shows that your website is secure.  All sites created by Websites by Diane include an SSL certificate as standard but if you don’t have one then you need to contact your designer/developer asap.  As an aside from mid April, websites that don’t have an SSL cert will be shown as “unsafe” by Chrome.

Back End Data

Depending on your website type you may have data stored at the back end.  By having an SSL Cert installed you are already complying with the secure aspect of GDPR.  However make sure that you regularly log into the back end of your website and delete any data that you no longer need.  This may be names and telephone numbers from contact forms or even more detailed information of you run an ecommerce website.  If you still need access to this data then you can usually download this (to a safe and secure environment) before deleting from the back end of your website.

What Happens if I don’t Comply?

If you don’t comply you may be liable to for a fine. The maximum fine for a consent breach will become €20 million euros, or 4% of global turnover if this is greater than €500 million per year. But this headline-grabbing figure isn’t the end of it. Non-consent breaches are subject to a €10 million fine (2% of global turnover).

Isn’t this the cookie thing all over again?

While some people are likening it to the “this site uses cookies” EU directive that came into force in 2011, this is likely to much more monitored and enforced.  The recent Cambridge Analytica debacle has brought data protection to the forefront and as more and more people’s data is being abused, the more pertinent it will become.

Brexit is coming so it doesn’t apply to the UK

Yes it does.   Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law.  Plus of course regardless of what happens post Brexit, if you deal with the EU then the Regulation will apply anyway.

Summary

In summary there can be no doubt that the new GDPR will be a pain for many small businesses.  Some may be wondering if they can get away with doing nothing.  My opinion (not legal) is that for most small businesses that changes are small, shouldn’t cost much and are worth doing.  Your customer’s data should be secure and by implementing the changes, it shows that you care about your customer’s data.

Posted in ,

Websites By Diane Acquired by Creative Marketing (NW) Ltd

Full-service marketing firm Creative Marketing (NW) Ltd has successfully acquired Blackpool websites design agency – Websites by Diane. Websites by Diane has been supporting local Blackpool businesses and many other websites around the UK, including a couple in the US & Ghana to host and support their website. The founder Diane has been building WordPress websites…

Do You Need a Website if you have a Facebook Page?

Facebook vs Website It’s becoming increasingly common for small businesses to think that a website isn’t necessary and that having a Facebook page will suffice. I know I’m a web designer so might just be a little bit biased 😉 but here are some great reasons why a website to compliment your Facebook page is…

How Long Before You Rank in Google?

How long does it take to start ranking in Google? TL;DRIt’s highly unlikely that your website will rank for your keywords before the 6 month mark. Page One Google Rankings It goes without saying that having your website appear on page one of Google is the holy grail. Organic page one rankings are free (unless…

What is a Pay Monthly Website?

In 2022 I introduced a new service – Pay Monthly Websites. The main reason for introducing this new service is because even though I already offer affordable web design it was becoming apparent to me that for some start up businesses, even those costs were too high. So I had a few options: Lower my…

What Goes into Building a Website?

Back when I launched my low cost web design business in 2008 I used to charge £199 for a 5 page website. I was new to the market, my knowledge was relatively new and I was by far the cheapest web design company in the UK (if you’ve not read my About page I started…

What Details Do I Legally Need on my Website?

There is a legal requirement to display certain information on your website. This information depends on whether or not you are a limited company and if your website is an e-commerce website or not. Failing to display this information can result in a fine. Limited Company Information If you run a limited company you are…

Your Site is Live – Now What?

What Should I do with my New Website? Your website is live. Exciting! Now what? There are over a billion websites (I know!) on the internet so thinking that “build it and they will come” will work isn’t really a viable strategy, especially if your business is brand new. It’s crucial that you promote and…

Are Cheap One Page Websites a Good Idea?

Are low cost one page websites a good idea? I’m inspired to write this after a long spate of clients wanting 1 page websites.  One page websites can be absolutely brilliant depending on the niche in which your business operates.  Here I’d like to take a look at the pros and cons of one page…

How to Rank on Page One of Google

How to get to page 1 of Google The most frequent question I get asked is will my website get page 1 of Google? The answer to this question doesn’t have a straightforward answer. However, there are certain things that you can look at. These include What keywords you are trying to rank for The…

How to Choose a Domain Name

How to Choose a Domain Name A domain name is your www.yourcompany.com.  Choosing your domain name is probably the biggest and most important decision that you’ll make regarding your website.  Other areas of your website like the content, style, layout and hosting can always be changed at a later date without much impact.  However if…