GDPR and your website

What is the GDPR?

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It has been designed to unify data privacy laws across Europe and to give individuals greater protection and rights.

Basically, if you are a business that offers goods or services to citizens of the EU, you need to look after their personal data, and you may receive a fine if you suffer a breach.

Types of data that fall under the General Data Protection Regulation:

  • Name
  • Photo
  • Email address
  • Social media posts
  • IP address
  • Bank details
  • Personal medical records

The regulation specifies that both data processors and data controllers will be impacted by the GDPR. This means that information stored in a “cloud” or in a separate physical location is still subject to penalties. Heavy fines will be levied against any business that does not meet the guidelines set forth by the GDPR.

A significant part of GDPR is about transparency and informing individuals about what and how their personal data is being used, by whom and for how long.

Provable consent must be given by an individual before their data can be processed, and the data must only be used for the purposes for which that consent was given. For example, if someone contacts you through your website with an enquiry, that does not give you permission to add them to your email marketing list. The individual must be able to withdraw consent at any time.

How does this affect my website?

If you are not storing any customer data on your website and don’t use a contact form then you probably don’t need to do much at all. That said, it would be a good idea to add a privacy policy to your website if you don’t already have one.

If you have any of the following though, you will need to make some changes:

  • Contact form
  • Registration form
  • Members area
  • Online shop
  • Forum
  • Mailing list sign up

In most cases you will just need to review wording and ensure you have an up to date privacy policy.

Key things to do to ensure you are meeting guidelines:

  • Ensure you have an easy to understand privacy policy outlining your data practices.
  • Add an opt-in to all website forms with a clear link to your privacy policy
  • Make it easy for users to contact you to request removal of data
  • Avoid storing unnecessary data in your website database (e.g. contact enquiries)
  • Ensure double opt-in on mailing list sign ups
  • Ask subscribers to opt-in to your mailing list again (if your list is more than just current customers/clients)
  • Review your own data practices (data audit/data map)
  • Ensure your website plugins and software are kept up to date
  • Ensure you have adequate website security
  • Install an SSL certificate if you haven’t got one
  • Always use strong passwords for any logins and change regularly if you can

What about my mailing list?

We’ve already seen a large influx of ‘opt-in’ emails land in our inbox over the last week or two. If you have a mailing list then you will need to do an audit and contact all those people who did not give you permission to add them to the mailing list. The requirement here is that you must provide an opt-in to continue receiving emails; a link to unsubscribe alone is not sufficient. On the flip side, if your mailing list contains only subscribers who signed up of their own accord and current customers/clients, then they don’t need to opt in again. Our suggestion is to send them an email with a link to your updated privacy policy and an option to unsubscribe should they wish. Also, see this as a good opportunity to connect with your customers and keep them up to date on what you are doing.
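The points above (provable, purpose-bound consent that can be withdrawn at any time; double opt-in on mailing list sign-ups; re-permissioning an existing list) can be implemented as one small consent ledger. The following is an added example written for this article and is not code from the original page or from any particular mailing list product. Class and method names (ConsentLedger, request, confirm, withdraw, may_process, evidence), the 48-hour confirmation window and the sample addresses are all assumptions of this example; a real site would persist the records in its database rather than in memory.

```python
# Added example (not from the original article): a minimal consent ledger that
# records double opt-in mailing list consent, keeps it bound to one purpose,
# and lets the individual withdraw it at any time. Names are this example's own.
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

CONFIRM_TOKEN_TTL = timedelta(hours=48)  # assumed validity window for the confirmation link


def _hash_token(token: str) -> str:
    # Only a hash of the confirmation token is stored, so a leaked database
    # cannot be used to confirm a subscription on someone's behalf.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    email: str
    purpose: str               # consent is bound to one purpose, e.g. "newsletter"
    source: str                # which form collected it, e.g. "footer_signup"
    requested_at: datetime     # first opt-in: the form was submitted
    token_hash: str            # hash of the single-use confirmation token
    confirmed_at: Optional[datetime] = None   # second opt-in: the emailed link was clicked
    withdrawn_at: Optional[datetime] = None   # set when the individual withdraws consent

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    """In-memory ledger keyed by (email, purpose); the clock is injectable for tests."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _key(email: str, purpose: str) -> Tuple[str, str]:
        return email.strip().lower(), purpose

    def request(self, email: str, purpose: str, source: str) -> str:
        """Step 1 of double opt-in: record the request and return the token that
        goes into the confirmation email. A new request always restarts the flow,
        which is what a re-permissioning campaign for an old list needs."""
        token = secrets.token_urlsafe(32)
        key = self._key(email, purpose)
        self._records[key] = ConsentRecord(
            email=key[0], purpose=purpose, source=source,
            requested_at=self._now(), token_hash=_hash_token(token),
        )
        return token

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        """Step 2: the individual clicks the emailed link. Unknown, expired,
        already-confirmed or mismatched tokens are rejected."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or rec.confirmed_at is not None:
            return False
        if self._now() - rec.requested_at > CONFIRM_TOKEN_TTL:
            return False
        if not secrets.compare_digest(rec.token_hash, _hash_token(token)):
            return False
        rec.confirmed_at = self._now()
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """Consent can be withdrawn at any time; the record is kept as evidence."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = self._now()
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """Gate every send on this. Consent for one purpose never carries over to
        another: a contact enquiry is not a newsletter opt-in."""
        rec = self._records.get(self._key(email, purpose))
        return rec is not None and rec.active

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you would produce to show provable consent for this address."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None:
            return None
        fmt = lambda t: t.isoformat() if t else None
        return {"email": rec.email, "purpose": rec.purpose, "source": rec.source,
                "requested_at": fmt(rec.requested_at),
                "confirmed_at": fmt(rec.confirmed_at),
                "withdrawn_at": fmt(rec.withdrawn_at)}


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.request("jane@example.com", "contact_enquiry", "contact_form")   # constructed sample
    print("newsletter after enquiry only:", ledger.may_process("jane@example.com", "newsletter"))
    token = ledger.request("jane@example.com", "newsletter", "footer_signup")
    ledger.confirm("Jane@Example.com", "newsletter", token)                  # link clicked
    print("newsletter after double opt-in:", ledger.may_process("jane@example.com", "newsletter"))
    ledger.withdraw("jane@example.com", "newsletter")
    print("newsletter after withdrawal:", ledger.may_process("jane@example.com", "newsletter"))
    print(ledger.evidence("jane@example.com", "newsletter"))
```

The two timestamps plus the form source are the "provable" part: they show when and where the person asked to be added and when they confirmed it. The same record doubles as the unsubscribe trail, and because every send goes through may_process, withdrawing consent takes effect immediately rather than at the next list export.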

If you need help making the changes to your website, please contact us today.

Please note that the information in this article is only a guide and you are advised to contact a lawyer or the ICO directly if you require further advice about GDPR.