GDPR or the General Data Protection Regulation (GDPR) aims to harmonies data flows between all member states, and bolster the rights that EU citizens have over their data held and processed by organizations. Before its implementation, misuse of a person's data was punishable by relatively nominal fee of £500,000. Now, mammoth fines are possible, with companies found guilty of misusing data liable for fines of up to 20 million.
You can already tell the importance of keeping to GDPR guidelines and it's especially important for your website. In this blog we'll be going through 9 useful steps that will make sure your website will be GDPR compliant.
1. Establish where your data comes from and how to handle it
Just to state personal data is defined as any information which can be used directly or indirectly to identify a person. It could be a name, photo, email, bank address, computer IP address, social media posts and more.
Your starting point is to know where the data comes from and what to do with it. Data can be collected through Google Analytics and GPS location trackers as well as email sign us. Next, find where the information is stored and who has access to it.
Next you need to define the procedures for the following
- What to do is someone wants their data to be erased
- Proving some has given you consent
- What to do if you suffer a data breach
You need to be thinking about the type of data you'll be collecting. If you're asking about someones favorite food and you're not a food business that takes you into the territory of unnecessary information. It is important to know that the data you collect must have a 'lawful basis', which can be one or more of the following.
- Legitimate interests
- Public tasks
- Vital interests
- Legal obligation
- Contract
- Consent
Make it a certainty that you're able to handle requests for a person's data to be removed or changed.
2. Making email marketing emails GDPR compliant
Most businesses will venture into using email marketing as a business strategy. The most important consideration here, as with any area of GDPR, is consent.
You must be able to prove that a user or customer has given you consent to send them email marketing emails. This includes everyone on your email database.
In addition to ensuing everyone's consent you must make it easy for them to opt out. This could include such things as a unsubscribe link at the bottom of emails.
3. Perfect your opt-in forms
Opt-in forms will be your registration forms, cookie pop-ups/banners and privacy policy. It's a necessity that opt-in forms are not pre-ticked - users must actively tick the box themselves. Label the checkbox in a way that isn't confusing.
In the case that someone accidentally subscribes you could go for a double opt-in option. This could be a tick box to sign up to your email marketing list and a follow up email to confirm.
Make sure that you control the automation of your email campaigns to as if someone who has opted out receives one, you could land a penalty.
4. Write a privacy policy
I'm sure most people have seen privacy policies outlines on various websites. A privacy policy outlines how you collect and release information about a user. It should clarify what is confidential or shared with other firms, researchers or sellers.
You need to state what personal information you collect, how you collect it, use it and whether you share or sell it. Keep in mind the more data you request and store, the more difficult it'll be to write a privacy policy.
Following on, explain to users that their data is stored securely. Outline user rights, including making amendments to their data, deleting data nad to having their data removed on request.
When updating the privacy policy ensure to notify users. It keeps users up to date and helps you remain transparent.
5. Write a cookie policy and create a pop-up/banner
A cookie is a file which is saved to your device and store the website's name, giving you a unique ID to show that you've been there before. It can store how long you've been on a website, which links you're clicking on and more. When you revisit a site, they'll remember you and give you a more personalized experience.
To help with creating a cookie policy tell users what kind of cookies you're using, how you're using them and how they can control the way that cookies are managed.
You must also ensure you have an opt-in checkbox here too, again allowing users to easily opt out if they require.
Your pop-up/banner notification confirms consent and must be easy to understand with a link to your full cookie policy.
6. Protect yourself from data breaches
In some cases we've seen huge businesses be the hands of a data breach, which might make you think if they can't stop it why can't I? Well there's the phrase never say never however, there is some good steps you can take to ensure you've done the most you can.
You can protect data by encrypting it, restricting sharing and data retention policies, minimizing the amount of data you hold and maximizing user privacy as standard. To further protect from hackers, you can't store it across multiple devices and programmes and check that only authorized members of staff can access it.
Privacy Impact Assessments (PIAs) also need to be carried out if there are changes to the company like a business acquisition, a new IT system or a new surveillance system.
Contact ICO within 72 hours of becoming aware of the breach and notify all customers that may have been affected as soon as possible.
7. Train your staff
Staff must have training and awareness of GDPR. This could be done by bringing someone in to lead training or by giving employees an online training course with a quiz.
8. Set up a GDPR compliance folder
This is where you can prove how you obtained permission to gather someone’s personal data, what you use it for and how you keep it safe. It’s the place to store opt-in forms, privacy policies, pop-ups and other ways users have actively engaged to give you consent.
In your folder, you should include:
- The name and address of data controller
- The name of your data protection officer (if you need one)
- A record showing how your business processes personal data and what you do to protect it
- Personal data impact assessment template
- Privacy notices
- Data retention policy
- Procedure for subject access requests
- Responses to data breaches
- A data breach log
- A notification template for the Information Commissioner’s Office (ICO) in case you need to report a breach
- Records of staff training
- Third party processors and copies of their contracts
The whole folder should be stored on the company’s file system and be ready to send to ICO at short notice.
9. Create regular reviews for the data you hold
Look at whether you might be holding on to more information than you need and if so, get rid of it.
