GDPR, the General Data Protection Regulation, is about to change how companies handle consumers' personal data.
It concerns not only how companies collect this data but also what they must tell people about it: why is it needed? For how long? And so on. The aim is to give people more control over their own data.
This regulation applies from 25 May 2018 and will change a great deal about data collection. Here we focus on what it means for your website.
To be prepared for this regulation, which applies across the European Union, you need to ensure your company is compliant on the following points. They describe what people must be able to do and access, and the rights they have over their data, so make sure you respect what follows:
Consent for data collection matters more than ever. Your company must use consent language that is clear and easy for customers to understand, and must give customers the right to withdraw that consent.
When a data breach occurs, the supervisory authority (the ICO in the UK) must be notified within 72 hours of your becoming aware of it, and the affected customers must be told without undue delay when the breach is likely to put them at high risk.
Customers must be able to find out everything about how their data is collected, for what purpose and for how long, and must be able to access that data electronically.
Choice to be “Forgotten”
Customers can choose to have their data erased and no longer processed. They decide whether their data stays on your website or not, and this extends to the third parties your company shares it with.
Beyond simply receiving their data, customers must be able to transport it easily and hand it to another company if they wish to do so.
Privacy from the beginning
Data privacy must be considered from the start of any system or process, at the design stage. Privacy by design becomes an explicit requirement under GDPR, so take it into account from the outset.
DPO – Data Protection Officers
A DPO is not required in every company: GDPR mandates one for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of people or large-scale processing of special categories of data. Where one is appointed, the DPO must understand the organisation's whole data processing operation and regularly monitor it.
Finally, in the UK your organisation must be registered with the ICO (Information Commissioner's Office) as a data controller. Now that you have the basics of GDPR and the guidelines for compliance, you are probably wondering what will happen to your website.
Here are the things that will change with this regulation.
Cookie & Privacy notice
Your website must contain a page recording which cookies you and your third parties set, what data they capture and what you do with that data. Do not stop at a list: state how visitors can block cookies as well; this is highly recommended.
This page must also carry the website owner's full statement of the data captured: when, what it is used for, the details of third parties and how they process it, the Data Protection Officer's contact details (where one is appointed), the data collection process, and how to request that the data be permanently deleted (the Right to be Forgotten). Privacy is central to this regulation, and being truthful about how you use data helps customers trust your company. Giving all these details shows you have nothing to hide from your customers.
Secure Sockets Layer Certificate – SSL
An SSL (more precisely, TLS) certificate is installed on your hosting space and binds your domain name to a public key. You have probably already seen its effect: the browser marks the connection as secure, sometimes in green, with a padlock symbol. Its purpose is to let the browser encrypt everything entered on the website while it travels to your server, so it cannot be read or altered on the way. Commercial certificates are sold for around £99 per year.
Be aware that different certificates exist. They all give the same strength of encryption (that is decided by the server's TLS configuration, not by the certificate), but some involve stricter identity validation and come with warranties and insurance, which is what justifies the price.
Free certificates are also available from the Let's Encrypt project, which is run by the Internet Security Research Group rather than by commercial authorities such as GeoTrust or VeriSign. They are valid for 90 days and are designed to be renewed automatically, and they carry no warranty, but the encryption they provide is no weaker. Whichever you choose, what actually protects the data is correct deployment: serve the whole site over HTTPS, redirect plain HTTP to HTTPS, and renew the certificate before it expires.
The choice between anonymisation and pseudonymisation
Most websites with user accounts, or that store user data, keep it in an SQL (Structured Query Language) database: a server-side database the website queries to deliver the user's details when they sign in.
Unless the site is something like online banking, those details are usually stored unencrypted, so if the database file were accessed its contents could be read in the clear.
Under GDPR, websites will need to move towards pseudonymisation: users are identified in the database by a username or pseudonym only, and the remaining details are encrypted or held separately, so that the stored records cannot be linked back to a person without an extra key or table. Note that pseudonymised data is still personal data under GDPR, because the link can be restored; only truly anonymised data falls outside the regulation. Speak to your website developer about how to plan this change, as it takes time and budget.
Make sure the tick box that handles the newsletter subscription is an opt-in, not an opt-out (never pre-ticked). You also need to seek consent for each way you plan to email people, telling them how their address will be used and how to unsubscribe. Provide a separate opt-in tick box at each place you gather the data, and a further separate tick box if you pass the user's details to another party. Every mail must carry an unsubscribe link in case that is what the user wants to do.
Creation of the user account
If you run an e-commerce website, or any site where an account is needed to access your services, make sure you have both TLS installed and pseudonyms in place for the data being stored. Really work towards this point.
Contact forms & enquiries
If your website contains a contact form for people to send you messages, you should comply with the following points.
Make sure your website has a TLS certificate and that submitted data is not stored in an SQL database unless encrypted or pseudonymised. If the information is sent to you by email, make sure your email service is GDPR compliant and that the message is sent following GDPR rules; check the provider's policies too, because email is one of the most common places where data is abused, lost or misused. If you print emails containing enquiry details, have a shredding process in place rather than simply putting them in the bin. Finally, remove any pre-ticked box that automatically signs the enquirer up for the newsletter.
Be careful: you cannot use these details for your marketing database unless the user has given consent.
Emails and connection
Stored emails must be handled following the DPA (Data Protection Act) and GDPR guidelines. Store your email data securely, keep your antivirus software up to date, and archive or completely delete email you no longer need. Publish a data retention policy stating how your organisation stores data and for how long it is kept before deletion.
There are exceptions for regulated industries such as financial services and medical records, which may keep data a little longer, particularly in accounting and finance. To make sure you follow the right rules, check with your regulatory body to find out which bracket you fall into.
Social Media Connection
Fortunately, you do not need to ask permission from every person who likes your posts or follows you online. You do, however, need to take care of the information gathered directly from people you interact with: delete the chat history once a conversation is done, and move the person to email if you need a formal connection outside the social media platform.
User Tracking Systems & Google Analytics
You must also enable the IP anonymisation option in Google Analytics (the anonymizeIp setting, or anonymize_ip in gtag.js) to conform with GDPR: by default Google Analytics processes the visitor's full IP address, which counts as identifiable information. Make sure this option is switched on.
Customer Relationship Management – CRM Connection
With GDPR, users have the legal right to ask where and how you captured their details, so your CRM needs to record the source of each contact explicitly, along with everything they need to understand what will happen to their data and how to have it permanently deleted. Don't forget they have the right to be "Forgotten", and an erasure request must reach the CRM as well as the website.
For small businesses, the ICO runs a dedicated advice line for GDPR help and advice on this new measure.
That's it! This is what will happen to your website under the GDPR guidelines. Make sure you have clearly understood the points above in order to be compliant.