GDPR for Website Owners
Please note that this is in no way a legal document and you should consult your own professionals regarding your GDPR compliance.
The General Data Protection Regulation (GDPR) is new legislation in the area of data protection which is going to come into force on May 25th 2018. Developed by the EU, it’s designed to strengthen individuals’ rights regarding the collection, use and storage of their personal data.
Who does the law apply to?
The law applies to all businesses or organisations in the EU. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply.
What Counts as Personal Data?
Any data that can be used to identify a living person directly or indirectly is classed as personal data.
For example (but not limited to):
- Email address
- Telephone number
- Location data
- IP address
What Counts as Sensitive Personal Data?
Sensitive personal data is a special class of personal data. This data has to be even more carefully handled. It includes factors such as:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
Key GDPR Points in a Nutshell
These are the key points:
Consent must be explicitly given
Consent is only one of the lawful bases GDPR allows for processing, but it is the one most small websites rely on, and it must be a clear, affirmative action: pre-ticked boxes, silence or simply continuing to browse do not count. Don't assume that behind-the-scenes tracking is exempt. Analytics cookies and the IP addresses they send to Google Analytics are personal data (IP address is in the list above), and non-essential cookies already need consent under the existing cookie rules. If you collect directly identifying information (name, email, phone, etc.) through a form, you need an unambiguous opt-in before you process it.
Notification of data breaches
You must notify your supervisory authority (in the UK, the ICO) of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to them, you must also tell the affected data subjects without undue delay. Data processors must notify the data controller of a breach “without undue delay”.
Some examples of data breaches:
- You hired someone in India to do some work on your website. Your website stored contact-form submissions in the back end, so that person had access to your customers’ personal data outside the EU, without the contract and transfer safeguards GDPR requires. Unauthorised access to personal data is a breach even if nothing was copied.
- Your website was hacked.
Right to access their data
A data subject (anyone in the EU whose data you hold, regardless of nationality) is allowed to request, at no charge, a copy of the personal data that you have stored about them. You must also tell them what data is processed, where, by whom, for what purpose, and how long you keep it.
The basic steps for data access are:
- verify they are who they say they are (handing someone’s data to an impostor would itself be a data breach)
- check whether you actually hold their data; if you don’t, just tell them so
- don’t collect more data than you need to verify and fulfil the request
- record the request and your response in an audit log
- respond without undue delay and within one month (extendable by two further months for complex requests, provided you tell them why)
Right to be forgotten
Basically, people have the right to leave your website without you continuing to store personally identifiable information about them, provided, of course, that doesn’t conflict with any other legal obligation.
Upon request, a data subject can ask you to delete the data you have collected about them. For example, if you have an ecommerce website and someone created an account with you and then decided to close the account, they have the right to ask you (and anyone who holds the data on your behalf, such as your payment or email provider) to delete all of it.
This is, however, limited by other laws. For example, if that customer placed paid orders through your WooCommerce shop, tax law requires you to keep invoicing records for a period of time. So in this case you would delete everything NOT needed for tax purposes and keep the rest only for as long as the law requires. Phew, complicated eh!
Privacy by Design
Basically, build data protection in from the start: only ask for data you actually need, don’t keep it longer than you need it, and limit who can see it. If you don’t need the data then just don’t ask for it.
How Does GDPR Affect my Website?
Most websites will collect data in some form or other. This can range from the more obvious such as a contact form to the behind the scenes data such as Google Analytics for tracking your website visitors.
There are certain changes that may need to be made to your website. These include (but may not be limited to):
Contact Forms
Contact forms need to include a consent checkbox, and it must be UNticked by default. Only when the visitor ticks it have you been given permission to process their data; a submission without the tick should not be stored.
Sign Up Forms
If you offer a sign up form on your website for newsletters etc. then you will need a checkbox as per the contact forms. Many newsletter sign ups have this already but they are usually ticked by default, which does not count as consent. You will need to ensure that they are UNticked by default.
SSL Certificates
Most websites these days already have SSL (TLS) certificates. This is the padlock symbol next to the address in the browser bar, and it shows that traffic between the visitor and your website is encrypted, so form submissions can’t be read in transit. It does not mean the site itself is free of security holes. All sites created by Websites by Diane include an SSL certificate as standard, but if you don’t have one then you need to contact your designer/developer asap. As an aside, from July 2018 Chrome marks every website without one as “Not secure”.
Back End Data
Depending on your website type you may have data stored at the back end. An SSL certificate only protects data while it travels between the visitor and your server; GDPR also expects the stored data to be protected (strong admin passwords, up-to-date software and plugins, access limited to those who need it) and kept no longer than necessary. So make sure that you regularly log into the back end of your website and delete any data that you no longer need. This may be names and telephone numbers from contact forms or even more detailed information if you run an ecommerce website. If you still need access to this data then you can usually download it (to a safe and secure environment) before deleting it from the back end of your website.
What Happens if I don’t Comply?
If you don’t comply you may be liable for a fine. There are two tiers. The higher tier, for breaches of the basic principles, the conditions for consent and data subjects’ rights, is up to €20 million or 4% of worldwide annual turnover, whichever is greater. Breaches of the other obligations, such as security and breach notification, carry fines of up to €10 million or 2% of turnover, whichever is greater. These headline figures are maximums; regulators are required to fine proportionately.
Isn’t this the cookie thing all over again?
Brexit is coming so it doesn’t apply to the UK
Yes it does. Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law. Plus of course regardless of what happens post Brexit, if you deal with the EU then the Regulation will apply anyway.
In summary there can be no doubt that the new GDPR will be a pain for many small businesses. Some may be wondering if they can get away with doing nothing. My opinion (not legal) is that for most small businesses the changes are small, shouldn’t cost much and are worth doing. Your customers’ data should be secure, and by implementing the changes you show that you care about your customers’ data.