Every company's website is different, but the ways in which a website collects personal data are broadly similar. Depending on your data requirements, your web developer will probably use spam-protected email forms, database-driven sign-up forms and various cookies for tracking purposes, including Google Analytics. Becoming GDPR (General Data Protection Regulation) compliant might seem like a major undertaking for most website owners; however, after running a website survey and identifying the key issues, the majority of websites can be brought into line with a few straightforward fixes.
GDPR: On 25 May 2018 the General Data Protection Regulation, commonly referred to as GDPR, takes effect across the EU, including the UK, and replaces the 1995 Data Protection Directive (Directive 95/46/EC) on which the UK's current Data Protection Act is based. In our opinion, as far as personal data submitted over the web and collected by websites is concerned, this new law is well overdue. GDPR places much tougher restrictions on how a website asks for and uses personal customer data, and enforces clarity, transparency and user control.
The regulation arrives against a backdrop of breaches at organisations including LinkedIn, eBay, Equifax, Uber and Yahoo; the list goes on. Most people will remember the Uber cover-up: in 2016 hackers stole the data of over 50 million Uber customers, and it is alleged that the company paid them $100,000 to keep quiet. Data breaches affecting companies and individuals are rising year on year, and GDPR will now punish website owners that collect personal data via their website without consent, use that data for purposes the user never agreed to, or rely on pre-ticked opt-in boxes, which do not count as valid consent under the new regulation.
GDPR Website Compliance
So that you understand what you need to achieve before the 25 May deadline, Studio-1 has put together some general pointers that will help you reach GDPR website compliance without pulling your hair out. Remember that GDPR website compliance is a vital step in aligning your company with the new regulation. Below we look at some of the key issues you may identify when trying to make your website compliant with the law. Depending on how your website is structured, you may need to implement all or some of the following.
E-MARKETING & WEB FORMS
A common tactic among web marketeers is to add you automatically (without consent) to a mailing 'database' because you have made a web enquiry, left a comment, made a purchase or had your details passed on by another source. This is not the same as signing up and giving your consent. Websites working towards GDPR compliance need to ask for consent explicitly, and at the time of asking they must explain in detail what the data will be used for.
There is an ongoing debate as to whether companies should ask their existing database subscribers to opt in again, especially where they suspect that some subscribers were added without consent. Companies may lose thousands of subscribers overnight if users do not respond, so this is a real cost, but for us it is a no-brainer. Regardless of the relationship you have with your database contacts, unless you can already demonstrate that each of them gave valid consent, you must ask them to opt in with the correct consent. It makes your database more manageable, your analytics more accurate, and it brings your mailing database into line with GDPR.
COOKIES & TRACKING
GDPR Recital 30: “Natural persons may be associated with online identifiers […] such as Internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
What does this mean in practice? A cookie identifier (and the IP address that travels with it) is personal data under GDPR whenever it can be used, on its own or combined with other information the server holds, to single out or identify an individual. Only where a cookie can be tied to a person in this way is it personal data, but most analytics and advertising cookies are designed to do exactly that.
Cookies are small text files that a website asks your browser to store as you browse the web. They are stored locally and can easily be viewed and deleted. The text itself is harmless; the concern is what it is used for. Tracking cookies, particularly third-party ones shared across many sites, can build up a picture of your daily, weekly and monthly web activity and be used to identify you without your consent. Setting such cookies without consent is a clear breach of GDPR, and as tracking technologies grow more sophisticated every year, your privacy as a web user is increasingly at risk.
Fix! To meet the requirements you can either build your own consent setup along GDPR lines (nothing non-essential loads until the visitor opts in, nothing is pre-ticked, and the choice can be withdrawn as easily as it was given), or sign up to a consent-management service such as Cookiebot, a cookie and online-tracking consent solution built around GDPR.
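For those who choose to build their own consent setup, here is an added example (not Studio-1's code, and not Cookiebot's) of the core of a consent gate: read the visitor's stored choices, default everything to "off" when there is no record, and inject only the tracking scripts whose category has been consented to. The cookie name, the categories, the six-month lifetime and the script registry (including the Google Analytics URL and its placeholder property ID) are assumptions for illustration.

```javascript
// Added example (not Studio-1's or Cookiebot's code): minimal consent gate for
// non-essential cookies and tracking scripts. Cookie name, categories,
// lifetime and the script registry are assumptions for illustration.
const CONSENT_COOKIE = 'site_consent';
const CONSENT_MAX_AGE = 180 * 24 * 3600;        // re-ask after six months (assumption)
const CATEGORIES = ['analytics', 'marketing'];  // strictly necessary cookies need no consent

// Third-party scripts keyed by the consent category each one needs.
const SCRIPT_REGISTRY = [
  { src: 'https://www.googletagmanager.com/gtag/js?id=UA-XXXXX-Y', category: 'analytics' },
  { src: 'https://ads.example.invalid/pixel.js', category: 'marketing' },
];

// Parse "a=1; b=2" (the document.cookie / Cookie header form) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the stored choices, or null when no valid record exists. No record
// means no consent: the default is everything off, never pre-ticked.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    const choices = {};
    for (const c of CATEGORIES) choices[c] = parsed[c] === true;
    return choices;
  } catch (e) {
    return null; // malformed record: treat as never asked
  }
}

// Serialise the visitor's choices as a document.cookie / Set-Cookie value.
// Only a literal true counts; Secure and SameSite=Lax keep the record itself
// off plain HTTP and out of cross-site requests.
function serializeConsent(choices) {
  const clean = {};
  for (const c of CATEGORIES) clean[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(clean));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Which script URLs may be loaded under the current consent record.
function scriptsAllowed(consent) {
  if (!consent) return [];
  return SCRIPT_REGISTRY.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Browser glue, executed only when a DOM is present: call on page load and
// again when the visitor saves the banner. Withdrawing consent is just saving
// all-false; the tags for that category are then not injected on the next load.
function applyConsent(consent) {
  if (typeof document === 'undefined') return;
  for (const src of scriptsAllowed(consent)) {
    if (document.querySelector(`script[src="${src}"]`)) continue; // already on the page
    const tag = document.createElement('script');
    tag.src = src;
    tag.async = true;
    document.head.appendChild(tag);
  }
}
```

On the page you would call `applyConsent(readConsent(document.cookie))` at load time and, when the banner is saved, set `document.cookie = serializeConsent(choices)` before calling `applyConsent` again. One caveat worth testing for: a script that has already run cannot be "un-run" by withdrawing consent, and the cookies it set (the `_ga` family, for instance) remain until you delete them, so a withdrawal handler should expire those cookies explicitly rather than just stop injecting the tag.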
PRIVACY NOTICE
Being transparent by providing a privacy notice is an important part of fair processing: you cannot be fair if you are not honest about what you are going to do with the personal data you collect. The information you are legally required to provide has also changed under GDPR, so your notice needs to explain the lawful basis for collecting the data, how and where it is stored, how long you intend to keep it, and the user's rights, including the right to opt out and the right to complain to the supervisory authority (the ICO in the UK).
SSL & HTTPS
Are you concerned about data safety and security? Website owners are strongly encouraged to serve their website over HTTPS, so that anything a visitor submits is encrypted in transit and cannot be read or altered on the way. To be honest, this has been recommended for many years; GDPR's requirement for appropriate security measures, which explicitly mentions encryption, now makes it very hard to justify collecting personal data over plain HTTP.
Fix! Obtain an SSL/TLS certificate for your domain (many hosts and certificate authorities, including Let's Encrypt, issue them free of charge) and install it on your web server. The site then answers on https instead of http, the browser shows the padlock, and the connection between the visitor's browser and the server is encrypted. This matters because the information you send over the internet passes through many computers on the way to the destination server, and any of them can read or alter your sensitive information if the connection is not encrypted. Be clear about what the certificate does not do: it protects data in transit, not the back-end of the website, so weak admin passwords, unpatched plugins and an exposed database still have to be dealt with separately. Also make sure that plain-http requests are redirected to https, that the certificate is renewed before it expires, and that pages do not pull in scripts or images over http, which breaks the padlock.
HELP AND SUPPORT
Studio-1 can carry out a web survey on your website to identify your particular GDPR compliance issues; every website is different. For more information please contact Studio-1.