Practical steps to take to ensure your website is GDPR compliant
The General Data Protection Regulation (‘GDPR’ or ‘Regulation’) will come into force on 25 May 2018. The purpose of the Regulation is to strengthen and protect the rights of individuals regarding the collection, storage and use of their personal data.
Whilst this article focuses on website compliancy, the Regulation will permeate your entire business and therefore the Regulation will also need to be considered in the wider context of your business.
Who does the Regulation apply to?
The Regulation applies to any business in the European Union (‘EU’) or any business outside the EU who offer goods and services or who monitor the behaviour of individuals living within the EU. The UK is subject to the Regulation despite Brexit.
What data is affected by the Regulation?
Personal Data and Sensitive Personal Data are affected. These are defined within the Regulation.
Personal Data is any data that can be used to identify a living person (e.g. name, address, email address, national insurance number or IP address).
Sensitive Personal Data is a special category of personal data that needs to be even more carefully handled. It includes a living person’s sexual orientation, race, religious or political beliefs.
Preliminary actions to take without delay
- Identify and map out the categories of personal data held, used, shared or otherwise processed by your business.
- Review the systems and data flows that are in place to determine how personal data flows through your business and how it is managed. For example where is the personal data physically and geographically held? Is it held electronically (in house or remotely) or in hard copy format?
- Is the personal data shared by the business with any other organisations or third parties and where are those parties based (within the EU or outside the EU)? Are cloud providers involved? What supplier agreements do you have in place? Ensure you understand and can document what measures those third parties have in place to protect the personal data. Under the Regulation, you must ensure that all third party suppliers you use are GDPR compliant.
- Do you have any third party tracking software deployed on your website or do you track user behaviour through Google Analytics or Google Tag Manager? If you use Google Tag Manager you will need to analyse ‘who’ has access to your Tag Manager (e.g. your web designer or digital marketing agency) and ensure they understand their legal responsibilities.
- How does your Company keep personal data secure? Does it use encryption, anonymise data and/or have access control restrictions in place?
- How long is the personal data stored/kept for?
What should you consider including on your website in order to be GDPR compliant?
Effective communication to users of your website is paramount. You need to actively seek their consent to use their data along with setting out how and why you are collecting their data. If there is one buzz word to remember with GDPR, it is arguably ‘transparency’. Be as transparent as possible with your users. Under the Regulation, individuals have the right to request erasure of their personal data from your systems. This is also known as ‘the right to be forgotten’. Put in place measures to ensure you are able to respond to these requests promptly and to effectively erase the information from your systems.
Include the following GDPR compliant documents in a prominent place on your website:
- Privacy Notice/Policy (This should include what, how and why personal data is collected and used and how personal data is securely stored). Actively consider what personal information your business really needs in order to function. Try to minimize the collection of personal information. Remember that if a user of your website contacts you with a general query, you must not automatically include their details on your marketing database. You would need to seek and obtain their express consent to add them to your database and this consent needs to be documented
- Opt-ins You must actively seek consent to including a user on a marketing list. This cannot be wrapped up in your website terms and conditions. Ensure that any forms which invite users to subscribe to marketing materials or provide contact preferences default to ‘no’ or remain blank if no response is given. Any opt-ins you give on your website should be un-bundled. For example if you are asking users for consent to contact them, you should specifically seek the user’s consent for each form of contact/processing you would like to undertake (SMS, email, post)).
- Updating other documents Your business’ terms and conditions will also need to be reviewed and updated to ensure GDPR compliancy. It is likely that you may also have a data processing policy in place and this too will need to be updated.
- Opt-outs You must make it easy for your customers to opt out of any consents which have been provided to your business. A form should be displayed on the website to give customers the option to do this.
The Nature of your Business Depending on the nature of your business, there may also be additional measures you need to take. For example, if your business is involved in e-commerce, it is likely that a payment gateway will be used for financial transactions. You will need to check whether your own website collects personal information before passing those details on to the payment gateway and if it does it will be important for you to implement measures to ensure that the personal information is removed after a reasonable period of time. The Regulation does not define ‘reasonable’ and therefore you will need to consider what time period would be considered necessary and reasonable in your business’s circumstances.
The ICO has two self-assessment checklists to help organisations determine their high level of compliance with GDPR.
New ICO Fee Regime
Under the new GDPR the requirement to notify (or register) the ICO is gone but is replaced with a requirement for all organisations that determine the purpose for which personal data is kept, “data controllers”, to pay an annual fee. There are three levels of fees which are calculated based on the size of your organisation. There are exemptions for public authorities and charitable organisations.
Tier 1: £40 for organisations with a turnover of less than £632,000 or less than 10 members of staff.
Tier 2: £60 for organisations with a turnover greater than £632,000 but up to or less than £36million or less than 250 members of staff.
Tier 3: £2,900 for all other organisations that do not meet the criteria for Tier 1 or 2.
Compliance with the Regulation is to be ignored at your peril. Penalties for serious breaches are eye wateringly large with fines up to 4% of worldwide turnover or 20 million euro (whichever is greater). You could also face litigation from disgruntled users whose personal data you hold.
Need further assistance?
Can we assist you with GDPR compliance? Call or email one of our specialists at McKenna Hughes Limited: firstname.lastname@example.org; telephone 01789 721 831.
Note: this article is intended as a guidance note only. It does not constitute legal advice and should not be relied upon.