GDPR for your business website
NOTE: I am not a lawyer, nor am I an expert on GDPR law. This is just my advice regarding the law and how I feel it may affect your business website. This isn’t to be taken as legal advice.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new law which comes into force on 25th May 2018. The new law gives consumers new rights which include the right to find out what data is being held on them and to delete that information.
What you need to do for GDPR
Looking after client data
You are responsible for knowing where all the data you hold on your clients is kept. This means anything you have about a person: their name, phone number, address, email address and so on.
If a client requests to see that information, you need to be able to give them everything you have. The new law says you need to give this information to them within 1 month and it must be free of charge.
If you are ever investigated under GDPR, your client data needs to be organised well enough that you can show the regulator everything you hold on all your clients.
Make sure all your client data is secure. If you store it digitally, make sure it is protected against unauthorised access. Use anti-virus software. If you have paper copies of data, make sure they are locked away.
Clean up data
It’s really important not to keep hold of any data you don’t need. You must not keep hold of data if you don’t know what you will use it for. Delete it fully or shred paper copies.
A client can ask for their data to be deleted at any time. You need to be able to make sure that every bit of data on that client can be deleted. Write down what you would need to do if you ever have to do this.
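As an added example (not from the original article, and not SpiralNet Design's code), here is a small register of the places client data is kept, with a subject access export that sweeps every store and an erasure that does the same. The stores, the client records and the one-month deadline calculation are constructed for the example; the retention rule on the invoices store is an assumption standing in for whatever separate legal obligation to keep accounting records applies to your business.

```python
"""Added example (not from the original article): a register of where
client data lives, with subject-access export and erasure that sweep
every store. All stores and records below are constructed sample data."""
import calendar
from datetime import date
from typing import Any, Dict, List

# Constructed sample stores: each is one place client data is kept. In a
# real business these would be a CRM, a mailing-list tool, an accounts
# package, an e-mail inbox, a filing cabinet, and so on.
CRM: Dict[str, Dict[str, Any]] = {
    "c-001": {"name": "Ada Example", "email": "ada@example.com", "phone": "01234 000000"},
    "c-002": {"name": "Bob Sample", "email": "bob@example.com", "phone": "01234 111111"},
}
MAILING_LIST: List[str] = ["ada@example.com", "carol@example.com"]
INVOICES: List[Dict[str, Any]] = [
    {"no": 101, "email": "ada@example.com", "amount": 250.0},
    {"no": 102, "email": "bob@example.com", "amount": 99.0},
]

# The register: one entry per store, each knowing why it holds data, how to
# find a person's records and how to erase them. Keeping this list complete
# is the "know where all your data is kept" step.
DATA_REGISTER: List[Dict[str, Any]] = [
    {
        "store": "CRM",
        "purpose": "managing client projects",
        "find": lambda e: [r for r in CRM.values() if r["email"] == e],
        "erase": lambda e: [CRM.pop(k) for k, r in list(CRM.items()) if r["email"] == e],
    },
    {
        "store": "mailing list",
        "purpose": "sending the newsletter",
        "find": lambda e: [e] if e in MAILING_LIST else [],
        "erase": lambda e: MAILING_LIST.remove(e),
    },
    {
        "store": "invoices",
        "purpose": "accounts",
        "find": lambda e: [i for i in INVOICES if i["email"] == e],
        "erase": lambda e: None,
        # Assumed: accounting records fall under a separate legal duty to
        # retain them, so an erasure request does not delete them.
        "retain_reason": "accounting records kept under an assumed legal retention period",
    },
]


def one_month_later(d: date) -> date:
    """Same day next month, clamped to that month's last day (the reply
    deadline is one calendar month from receiving the request)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def subject_access_report(email: str, received: date) -> Dict[str, Any]:
    """Everything held on one person across every registered store, with
    the purpose each store holds it for and the date a reply is due."""
    report: Dict[str, Any] = {"subject": email, "deadline": one_month_later(received), "held": {}}
    for store in DATA_REGISTER:
        found = store["find"](email)
        if found:
            report["held"][store["store"]] = {"purpose": store["purpose"], "records": found}
    return report


def erase_subject(email: str) -> Dict[str, str]:
    """Delete the person from every store the register allows, and report
    per store whether the data was erased or kept (and why)."""
    outcome: Dict[str, str] = {}
    for store in DATA_REGISTER:
        if not store["find"](email):
            continue
        if store.get("retain_reason"):
            outcome[store["store"]] = "kept: " + store["retain_reason"]
        else:
            store["erase"](email)
            outcome[store["store"]] = "erased"
    return outcome


if __name__ == "__main__":
    print(subject_access_report("ada@example.com", date(2018, 5, 25)))
    print(erase_subject("ada@example.com"))
```

The point of the register is that both the access request and the erasure run over the same list, so a store that was added to one but forgotten in the other cannot happen; when you start keeping client data somewhere new, the only change is one more register entry.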
Who is responsible for GDPR on my website?
It is not clear whether it is the web designer's or the client's job to make sure the website is GDPR compliant. SpiralNet Design will take the necessary steps to make sure that your website is GDPR ready by adding policies and ensuring any forms are compliant.
It is important that you understand these additions to your website and it’s your responsibility to take a look through these policies and notify us if you wish for anything to be changed.
The policies need to explain what information you are collecting from visitors (for example from online forms), why you are collecting it and what it will be used for.
While SpiralNet Design will take the appropriate measures to make your website GDPR friendly, any information that comes to you from your website is your responsibility. This could be information from contact forms, chats, or comments. Once data from online forms on your website arrives in your inbox, it is your responsibility to make sure it stays secure.
What to do to make your website GDPR ready
Add a Cookie Notification
When you visit a website for the first time, a cookie is saved in your browser. Your browser then sends it back to the website on later requests. Some cookies carry personal data and are used by a website owner to know how long you spend on each page, what you clicked on and where you are located.
If you take payments on your site, the privacy policies of the payment gateways you use should be outlined in the notice too, or at least linked to.
Secure your site with SSL
It is recommended that your website is secured using SSL. You can tell if a site is secure by the green padlock in the address bar. SSL encrypts the connection between the visitor's browser and your website, so even if you don't take payments on your website it protects anything submitted through online forms.
Some browsers warn the visitor if the site is not secure, and the added bonus is that Google favours SSL sites.
Signing up for communication in the correct way
If you are collecting contact details from your website in order to send newsletters or other information, the user has to actively tick a box to agree to that. It cannot be pre-ticked. The user has to consent to receive your newsletters. Also, add a link to a page that gives more information on how their data is going to be used.
Users should always be able to opt out at any time. It should be easy for them to do, for example an unsubscribe link at the end of every email. If you send text messages, letters or call them, they need to be able to opt out just as easily.
Away from your website, if you collect information in person for a mailing list, the person must sign something or tick a box that says they are happy for you to use their data to send them information.
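As an added example (not from the original article, and not SpiralNet Design's code), here is how the server side of a newsletter signup can enforce the points above: a subscriber is only recorded when the consent box was actually ticked, the record keeps when and under which privacy notice they agreed, and every email carries a one-click unsubscribe. The form field names, the privacy notice version and the unsubscribe URL are assumptions made for the example.

```python
"""Added example (not from the original article): server-side handling of a
newsletter signup so that consent is recorded only on an affirmative tick,
with a record of when and what was agreed to, and an opt-out that is as
easy as the signup. Field names, notice version and URL are assumed."""
import secrets
from datetime import datetime, timezone
from typing import Dict, Optional

PRIVACY_NOTICE_VERSION = "2018-05"   # assumed: change it whenever the wording changes

SUBSCRIBERS: Dict[str, Dict[str, str]] = {}   # email -> consent record
UNSUBSCRIBE_TOKENS: Dict[str, str] = {}       # token -> email


def process_signup(form: Dict[str, str], source: str) -> Optional[Dict[str, str]]:
    """Store and return a consent record, or return None if consent was not given.

    A browser only submits a checkbox field when it is ticked, so a missing
    'newsletter_consent' field means no consent and nothing is recorded. The
    server cannot tell a pre-ticked box from a deliberate tick, which is why
    the form itself must start unticked."""
    email = form.get("email", "").strip().lower()
    if not email or "@" not in email:
        return None
    if form.get("newsletter_consent") != "on":
        return None                     # no affirmative action: do not add them
    token = secrets.token_urlsafe(16)   # unguessable opt-out token for this person
    record = {
        "email": email,
        "consented_at": datetime.now(timezone.utc).isoformat(),
        "source": source,               # which form or event the consent came from
        "notice_version": PRIVACY_NOTICE_VERSION,
        "unsubscribe_token": token,
    }
    SUBSCRIBERS[email] = record
    UNSUBSCRIBE_TOKENS[token] = email
    return record


def unsubscribe_link(email: str, base_url: str = "https://example.com/unsubscribe") -> Optional[str]:
    """The link to put at the foot of every email sent to this subscriber."""
    rec = SUBSCRIBERS.get(email.strip().lower())
    if rec is None:
        return None
    return f"{base_url}?t={rec['unsubscribe_token']}"


def unsubscribe(token: str) -> bool:
    """One-click opt-out: remove the subscriber the token belongs to."""
    email = UNSUBSCRIBE_TOKENS.pop(token, None)
    if email is None:
        return False
    SUBSCRIBERS.pop(email, None)
    return True


def may_email(email: str) -> bool:
    """Check before every send: only people with a live consent record."""
    return email.strip().lower() in SUBSCRIBERS


if __name__ == "__main__":
    # Constructed form submissions: one without the box ticked, one with it.
    print(process_signup({"email": "dan@example.com"}, "website contact form"))
    print(process_signup({"email": "dan@example.com", "newsletter_consent": "on"}, "website contact form"))
    print(unsubscribe_link("dan@example.com"))
```

The consent record is what lets you answer "show me what you hold on me and why": it names the source of the consent and the version of the notice the person saw, and removing it on unsubscribe means the send-time check fails closed.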
Should I lose sleep over GDPR?
As a small business, it is hard to make out what is required of you with the new law. But if you are shown to be doing something about it and aware of the law then it would be unfair to receive the hefty fine of €20m.
An extract from a BBC News article today:
With the advice from lawyers contradictory, and the guide on the information commissioner’s website pretty complex, you can understand why many small organisations are unsure what to do.
But there is comfort in what the information commissioner herself has said. Elizabeth Denham has stressed that any action against those who fall foul of the new regulations will be fair and proportionate – and that she is not planning to go after those who show a willingness to comply.