
GDPR, also known as the General Data Protection Regulation, is about to change how companies access consumers’ data.

It covers not only how companies collect data, but also what they must tell people about it: why is it needed? For how long? And so on. The aim is to give people more control over their own data.

The regulation applies from 25 May 2018 and will certainly change a lot about data collection. Here we focus on its effect on your website.


To be prepared for this major European Union regulation, you need to ensure your company is compliant with the following points. They cover what people must be able to do and access, and their rights regarding their data, so make sure you respect each of them:

Consent

Consent for data collection matters more than ever. Your company must use consent language that is clear and easy for customers to understand, and must give customers the right to withdraw that consent.

Data Breach

When a data breach occurs, your customers need to be notified within 72 hours.

Access

Customers must be able to find out everything about the data collection process: for what purpose and for how long. They must also be able to access their data electronically.

Choice to be “Forgotten”

Customers can choose to have their data erased and no longer processed. They decide whether their data stays on your website or not, and this includes the third parties that work with your company.

Portability

Beyond simply receiving their data, customers must be able to take it with them easily and hand it to another company if they wish.

Privacy from the beginning

Data privacy must be considered from the very beginning of any system or process, at the design stage. Privacy is becoming more and more important with GDPR, so take it into account from the outset.

DPO – Data Protection Officers

A DPO is required in each company: someone who understands the whole of the data processing operations and also monitors those processes regularly.

Finally, your organisation must be registered with the ICO – the Information Commissioner’s Office – as a data controller.

Now that you have the basics of GDPR and the guidelines for compliance, you must be wondering what will happen to your website.

Here are 14 things that will change with this regulation.

Cookie policy

You must ensure your website contains a page listing what kinds of cookies you and your third parties use, what data they capture and what you are going to do with that data. It is not only a list: you can also state – and it is highly recommended – how to block cookies.

Privacy policy

This page must give the website owner’s full statement of the data captured: when, what the data are used for, the third-party details and processes, the Data Protection Officer’s details, the data collection process, and also how to request that the data be permanently deleted – the Right to be Forgotten. Privacy is one of the most precious points under this regulation, and being truthful about how you use data will help customers trust your company. Giving all these details is proof that you have nothing to hide from your customers.

Cookie & Privacy notice

This pop-up notice is not strictly required, but you still need to present your cookie policy and your privacy policy when someone arrives on the website, so a pop-up is the logical choice. This window must also inform users and give them the right to accept the use of their data as set out in your policies. You also need to give them the choice to decline cookies and use the website without them, and explain which functionalities will be lost without cookies.

Secure Sockets Layer Certificate – SSL

An SSL certificate is an encryption process that takes place on the hosting space. You have probably already seen it: it marks the browser address bar with a secure notice, sometimes turning it green and showing a padlock symbol. The main goal is to securely encrypt all the details entered on the website, and you can purchase this certificate for £99 per year.

Be aware that different SSL certificates exist, all encrypting data to the same level, but some of them come with further insurance and protections, which justifies the price.

You can also find free SSL certificates as part of the “Let’s Encrypt” project – provided by GeoTrust and VeriSign, for example – but these offers will not last for long and do not come with any insurance. Therefore, be protective of this data and choose the most reliable option, even if it is not the cheapest way to do it.

The challenge: anonymisation or pseudonymisation

Most websites that have user accounts or store user data keep it in an SQL – Structured Query Language – database: a database behind the website that the site queries to deliver a user’s details when they sign in.

Unless it is online banking, these details are usually not stored encrypted, so if the SQL file were accessed, its contents could be read in clear text.

Under GDPR’s “pseudonymisation”, websites will need to move towards users being identified by username only, with the rest of their data encrypted so that there is no possible connection between the user and the stored details. Speak to your website developer about how they are planning this change, because it takes time and requires budget.

Newsletter sign-in

Make sure the tick box that handles the newsletter subscription lets users opt in rather than opt out. You also need to seek consent from users for each way you plan to email them: how their details will be used and how to unsubscribe. Separate opt-in tick boxes must be provided for each place you gather data. Also provide another separate tick box if you give the user’s details to another party. Each email must carry an unsubscribe link in case that is what the user wants to do.
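The consent rules from the Consent, Cookie & Privacy notice and Newsletter sections above, as an added example that is not code from the original post: each purpose is a separate choice that starts unticked, every change is stamped with the policy version and time so it can be evidenced later, consent can be withdrawn at any moment, and only strictly necessary cookies are set until analytics cookies are accepted. The purpose names, the policy-version scheme and the cookie names are assumptions made for this example.

```javascript
// Added example, not code from the original post: a small consent record.
// Purposes are separate, unticked-by-default choices (opt-in, never opt-out).
const PURPOSES = ['analytics_cookies', 'newsletter', 'third_party_sharing'];

function newConsentRecord(policyVersion, now = new Date()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;   // nothing is pre-ticked
  return { policyVersion, createdAt: now.toISOString(), purposes, history: [] };
}

function setConsent(record, purpose, given, now = new Date()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  record.purposes[purpose] = given === true;
  // Append-only history: the evidence for "when, and to what, did I agree?"
  record.history.push({ purpose, action: given ? 'given' : 'withdrawn', at: now.toISOString() });
  return record;
}

const giveConsent = (record, purpose, now) => setConsent(record, purpose, true, now);
const withdrawConsent = (record, purpose, now) => setConsent(record, purpose, false, now);

// May this processing go ahead right now?  Consent collected under an earlier
// version of the policy text does not carry over once the policy changes.
function isAllowed(record, purpose, currentPolicyVersion) {
  if (record.policyVersion !== currentPolicyVersion) return false;
  return record.purposes[purpose] === true;
}

// Which cookies the site may set for this visitor.  Strictly necessary cookies
// (session, CSRF token) need no consent; analytics cookies do.  Names are
// illustrative.
const ESSENTIAL_COOKIES = ['session', 'csrf_token'];
const ANALYTICS_COOKIES = ['_ga', '_gid'];

function cookiesAllowed(record, currentPolicyVersion) {
  return isAllowed(record, 'analytics_cookies', currentPolicyVersion)
    ? [...ESSENTIAL_COOKIES, ...ANALYTICS_COOKIES]
    : [...ESSENTIAL_COOKIES];
}
```

The same record is what a newsletter sender or CRM export should consult before each use of the data, not a flag copied once at sign-up.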

Creation of the user account

If you run an e-commerce website, or any site where an account is needed to access your services, you need to ensure you have both SSL installed and pseudonyms in use for the data being stored – really try to work towards this point.

Payment online

Payment gateways are used especially on e-commerce websites. If yours uses one of the popular payment processors, make sure the process is followed correctly and that its policies are checked and referenced in your own privacy policy. UK- or Europe-based companies need to be GDPR compliant for this to work. US-based ones need to be compliant with the Privacy Shield.

Contact forms & enquiries

If your website contains a contact form for people to send you messages, you should comply with the following points.

You need to ensure your website has an SSL certificate and that the data are not stored in an SQL database unless encrypted. If people send this information by email, make sure your email service is GDPR compliant and that the email is sent following GDPR rules. Check the provider’s policies too, because email is one of the most common places where data gets abused, lost or misused. If you print emails with enquiry details on them, ensure you have a shredding process in place rather than simply putting them in the bin. Finally, remove any pre-ticked boxes that automatically sign the enquirer up for the newsletter.

Be careful: you cannot use this data for your marketing database unless the user has given consent.

Live chats

A live chat on your website is another third-party service that must be referenced in your cookie and privacy policies. For this service too, you need to review what the provider is doing in terms of GDPR and Privacy Shield.

Emails and connection

Connected emails must be stored following the DPA – Data Protection Act – and GDPR guidelines. Make sure you store your email data securely, use a good antivirus application, and archive or completely delete unnecessary emails. You can also publish a data retention policy stating what your organisation does in terms of how it stores data and how long it keeps data before deletion.

There are exceptions for regulated industries such as financial services and medical records, which can keep data a little longer, especially in the accounting and finance domains. To make sure you follow the right rules, check with your regulatory body to find out which bracket you fall into.

Social Media Connection

Of course, and thankfully, you do not need to ask permission from everyone who likes your posts or follows you online. You do, however, need to look after the information gathered directly from people you interact with. Delete your chat history when you are done, and move the person to email to have a formal connection outside the social media platform.

Also make sure your privacy policy refers to third-party data controllers (the organisations), especially as more and more users log in to sites with SSO – Single Sign-On. If you use the details of a customer or connection from your social media page to promote your business, make sure you have their consent to do so.

User Tracking Systems & Google Analytics

As said before, always refer in your cookie policy and privacy policy to each third party’s own policy, and ensure their compliance. Now that we know Google Analytics will be compliant with both GDPR and Privacy Shield, you need to ensure that your tracking system – if it is not Google Analytics – is compliant with this regulation.

You must also enable the anonymisation option in Google Analytics to conform with GDPR. Google Analytics, for example, records the user’s IP address in visitor reports as “identifiable information”. You don’t need to turn Google Analytics off entirely, though.

Customer Relationship Management – CRM Connection

If your website captures user data and writes it into a CRM, you need to make sure the whole process is secure and, obviously, refer to the third-party service in your privacy policy. If your website sends enquiries into the CRM automatically, the date, time, reason the data is captured and consent details must also be captured.

With GDPR, users have the legal right to ask, explicitly, where you captured their details, so that they have everything they need to understand what will happen to their data, as well as the details for deleting it permanently. Don’t forget they have the right to be “Forgotten”.

For small businesses, the ICO has a dedicated advice line offering GDPR help and advice on this new measure.

That’s it! This is what will happen soon to your website under the GDPR guidelines. Make sure you have clearly understood the points above in order to be compliant.
