GDPR Website Compliance

GDPR WEBSITE COMPLIANCE

"Identifying key issues and rolling out an easy fix"

Every company has a different website, and it's unique in many ways for a particular reason. However, the way in which a website can collect data and personal data is generally very similar. Depending on your data requirements, your web developer will probably utilise spam protected email forms, database driven sign-up forms and various cookies for tracking purposes including Google Analytics. Becoming GDPR (General Data Protection Regulation) compliant for most website owners might seem like a major issue, however after running a website survey and identifying the key issues, the majority of websites can get away with an easy fix.

GDPR: On 25th May 2018, the UK’s data protection act will change to the General Data Protection Regulation, commonly referred to as GDPR. When the GDPR takes effect, it will replace the 1995 EU Data Protection Directive (also known as Directive 95 /46/ EC). In our opinion, and in respect to personal data being submitted over the web and collected by websites, this new law is well overdue. GDPR places much tougher restrictions on how a website uses and asks for personal customer data, and enforces clarity, transparency and user control.

The development of this regulation has emerged following the hacking of organisations including Linked-in, eBay, Equifax, Uber, Yahoo etc, the list goes on! Most people will remember the Uber cover-up in 2016, hackers stole the data of over 50 million Uber customers, and it is alleged that the company paid them $100,000 to cover it up! Data breaches against companies and individuals is rising year-on-year and the GDPR will now punish website owners that collect data via their website without user consent, use data without their consent, or via opt-in default scripts, which are now banned under the new regulation.


GDPR Website Compliance

So that you understand what you need to achieve before May 25th deadline, Studio-1 has put together some general pointers that will help you reach GDPR website compliance without pulling your hair out. Please remember that GDPR website compliance is a vital step in aligning your company to the new regulation. In accordance with GDPR, we look at some of the key issues that you may identify when trying to make your website compliant with the law. Depending on how your website is structured, you may need to implement all or some of the following.


E-MARKETING & WEB FORMS

Do you have a newsletter sign-up area or an e-mail contact form? One vital change to web data protection now mean that you 'cannot' add subscribers to your mailing list without them opting in. Consent requests now need the user to provide a clear positive action. For example, if they are filling out a web form to sign up to your newsletter, they need to be made aware of your privacy policy and how their data will be stored, used, and how they can unsubscribe if required.

A strategy by web marketeers is to automatically subscribe you (without consent) to a 'database' if you have made a web enquiry, comment, purchase or have been given your details by another source. This is not the same process as signing up and giving your consent! Websites working towards GDPR compliance need to ask for your consent, and they must inform you in detail at the time of consent, what the data will be used for.

Fix! This can be achieved on your website by creating a web form with the required fields of data that you need, accompanied by a brief (at a glance) statement of 'Terms', including a read-more link to a detailed Privacy Policy GDPR notice.

There is an ongoing debate as to whether companies should ask their current database subscribers to opt-in, especially if they feel that some of their database subscribers were added without consent. Companies will lose thousands of subscribers overnight if users are unresponsive, so this might be an issue, but for us, this is a no-brainer. Regardless of the relationship that you have with your database contacts, you must ask them to opt-in with the correct consent, it makes your database content more manageable, your analytics more accurate, and it will make your website database GDPR compliant.


COOKIES

Do you use cookies on your website, or maybe you're unsure? Cookies are mentioned once in the GDPR Document, however, those few lines have a significant impact on the compliance of cookies.

(30): “Natural persons may be associated with online identifiers […] such as Internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Ok, so what does this mean? .... only when cookies can identify an individual, it is considered personal data under GDPR.

Cookies are small files that are automatically dropped on your computer as you browse the web. They are harmless bits of text that are locally stored and can easily be viewed and deleted. Cookies can give insight into your daily, weekly, monthly web activity, and can be used to identify you without your consent. This represents a major breach of GDPR, and as technologies grow more sophisticated every year, your privacy as a web user is increasingly compromised.

I don't want to focus on why pre GDPR cookies are not compliant, so let's delve straight in and discuss how you can make your website cookies compliant with the new regulation. Similar to your privacy policy on E-Marketing and Web Forms, the General Data Protection Regulation means that you will need to revise your cookie policy too, so that it is aligned with the regulation. Again, similar to your Web Forms, the biggest change to cookies and online tracking is that consent must be given by a clear user action, an action that must have an opt-in and opt-out facility for the user. In our opinion, this must be accompanied with a comprehensive overview of 'cookies' for complete transparency by the user. Consent must be given as a positive action after reading the cookie policy, and rejecting cookies must be an actual option that the user can select.

Fix! To meet the requirements, you can either build your own consent setup based on the GDPR, or you can sign up to a Cookie-bot, a fully GDPR compliant cookie and online tracking solution.


PRIVACY POLICY

Do you have a privacy policy page on your website? Every website should have a strong and transparent privacy policy, especially if you're collecting data and personal data. The privacy policy page should clearly inform web users what their data will be used for, and it should clearly state the contact of the 'Data Controller' so that they can make contact if required. To be GDPR web compliant, websites should give users a simple way to view the data stored about them, the ability to edit this data, and the ability to automatically delete this data from the database.

Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest about what you're going to do with the personal data you collect. The information that you should legally provide has also changed under GDPR, so you need to explain the basis for your data collecting, storage, how long you intend keeping the data for, and the user's right to opt-out or complain.

Fix! You might want to consider the following questions when writing a GDPR privacy policy notice: What information is being collected? who is collecting it? how is it collected? why is it being collected? how will it be used? who will it be shared with? Make sure the Privacy Policy page can be easily found in the footer of your website.


SSL ENCRYPTION

Are you concerned about data safety and security? Website owners are strongly encouraged to add extra (https) encryption to their website to avoid the threat of hackers or data breaches. To be honest, this is something that has been recommended for many years, however the GDPR means it could become compulsory.

Fix! Website owners can purchase an SSL certificate which makes the site start with (https) instead of (http) and this adds a layer of encryption, making it harder for hackers to access the back-end of the website. When installed on a web server, it activates the padlock and the https protocol, and allows secure connections from a web server to a browser. This is important because the information you send on the internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can view your sensitive information if it is not encrypted with an SSL certificate.


HELP AND SUPPORT

Studio-1 can carry out a web survey on your website to identify your particular GDPR compliant issues, every website is different. For more information please contact Studio-1.

GDPR / Key Changes
consent transparency
Consent transparency

Companies will no longer be able to use long illegible terms and conditions full of legalese. The request for consent must be given in an easily understood and accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters, provided in an easily accessible form, using clear and plain language. Also, it must as easy for the user to withdraw consent as it is to give consent.

privacy by design
Privacy by design / data minimisation
Privacy by design as a concept has been around for many years now, but it has only just become part of a legal requirement of GDPR. In basic form, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The data controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects. Article 23 calls for data controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
right to be forgotten
The right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject (user) to have the data controller erase his/her personal data, and potentially have any third parties halt processing of the data. The conditions for erasure, as outlined in (Article 17), include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires data controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

https://www.eugdpr.org/key-changes.html

STUDIO 1

01224 647888