By now you will be well aware that as of the 25th May 2018 the General Data Protection Regulation (GDPR) will be coming into force across the EU.
This regulation has caused quite a stir for a number of reasons. Not only does it introduce tougher fines for businesses with data breaches and non-compliance, a staggering 20 million euros or 4 percent of your global turnover, whichever is higher. But GDPR also carries with it more protection for individuals that feel their data has been misused, allowing individuals to request for their information to be deleted or to be given detailed insight into how their data is stored and for what purpose.
Furthermore, unlike the outdated 1998 Data Protection Act, GDPR aims to address the issues that have arisen with the internet and cloud computing. Strengthening measures to stop the swapping of people’s personal data and introducing much stricter rules.
The regulation itself is the elephant in the room for many businesses right now. As GDPR is a regulation and not a directive, it will automatically apply to all businesses no matter how big or small. So there’s really no way of ignoring its importance.
While there are many guides available online to detail how to begin preparing the clean-up of your data for GDPR, one area that may feel grey is your website.
As websites are now business critical, and the touch point of lead generation and marketing, it’s essential that you ensure you’re following some basic steps to avoid falling into the murky waters of data breaches and bad practice. Follow these steps to ensure your website is GDPR ready.
Know Your Third Parties
If you use external systems such as MailChimp, Google or SalesForce, it’s imperative that you gain information from them as to how secure your data is and the procedures they have in place to prevent any security breaches.
Under GDPR cloud-based platforms and SaS systems are seen as third party data processors, as they are controlling your data on your behalf.
Even though many of these systems are based in the US, as they hold EU citizens data, they will still have to abide by the rules of GDPR and meet compliance.
List all the third party systems that you use, and audit each of them. Do this by simply asking the following questions;
- What are you using this data for?
- Where is the data stored?
- Do you still need the data?
Once you have conducted a clear audit in-house, you can then move onto gaining information from the third parties themselves.
For each platform and system, check their privacy policy to ensure they are GDPR compliant. If there is any doubt or confusion in your mind, then contact your provider and gain a clear understanding of where they currently stand with GDPR. Unfortunately, if they are not yet compliant you will need to find another provider.
Get Clear With Your Privacy Policy
The key element to GDPR is transparency. Your business should be clear about how it uses peoples data and where it is stored. Therefore, being honest with your website users and communicating clearly about why you’re collecting and using their data is essential.
A privacy policy is one of the most effective ways to do this on your website, as it allows you to clearly define your compliance with GDPR. However, it’s important that you keep this document as understandable as possible and avoid using jargon or misleading terms.
Consent Is Required
For any data that you collect through your website consent will be required. This includes areas such as your contact forms and any other data capture forms that you have on your website.
Even if someone makes a purchase through your website, they must still give consent that their email address can be used for marketing purposes. There is no way of getting around how clear you must be, and how much people must confirm that they are happy for you to use their email for such actions. No matter the purpose, the user must give consent.
For recruitment agencies, this is a particular thorn in the side, as even if a candidate applies for a role on the website, the recruitment agency cannot approach them about other opportunities unless they have given consent to be contacted.
Ensure all your forms are updated and give clear and precise instructions to users. A simple tick box is no longer sufficient. For more guidance, this GDPR Whitepaper gives detailed instruction on how to create your forms.
Audit Data Access
If your website is hosted on a content management system such as WordPress you will need to know exactly who has access to this system and the data that it stores.
While many small organisations may only have one user, larger corporations may have multiple users who have access and regularly manage the back-office.
In order to be GDPR compliant, you need to know who has access, as well as information on what data is stored in this area.
The first step in your CMS audit is to list all those who have permission and ask yourself if they all really need to be active. If they do not, it’s important that you revoke access and implement measures to control future requests.
Under GDPR, businesses must also ensure that any old data is removed. So thoroughly cleansing the back-end of your CMS system is vital to ensure you don’t have any data that your business no longer requires.
Secure Your Website
While website security is something that all businesses should be regarded as a high priority, when GDPR comes into effect it will be paramount in being compliant, so it’s now more important than ever to lock down your website from possible breaches.
The first step in providing a secure website to your users is by implementing an SSL certificate. This is fitted to your website to encrypt the data. An easy way to check if your website currently has this is if you can see the little padlock symbol in your address bar.
If you do not have an SSL certificate, speak to your developer to add one as soon as possible (we are about to make the switch).
There are also many other best practices that you should be following in order to maintain a secure website. This includes employing good password practices, keeping your CMS updated and ensuring you have trusted antivirus software.
Overall GDPR, will mean that you need to make some significant alterations to your website to allow for complete transparency about data use. While this may affect your marketing in the initial stages, for example, having fewer people actively ‘opt-in’ to be included in your email newsletters, in the long term it will secure your business and mean that you have more qualified leads who are interested in your product or service.
It may seem like a lot of work to do, but once it’s in place you can be at ease that your business can continue to run smoothly, and be in the safest possible position.