How to make sure your website is GDPR compliant.

The EU’s General Data Protection Regulation (GDPR) became law on the 25th May 2018, its aim to improve the protection of individuals’ data and privacy, which is of course something everyone wants.

This new regulation also comes with a sting. Any business that falls foul of the law runs the risk of a fine of 20Million Euro’s or 4% of their turnover (whichever is greater). Therefore it makes sense to ensure that your website (and business, as GDPR covers a lot more than just internet sites) is compliant.

So, you need to ensure you follow and keep to the regulations, but unpicking and understanding the EU’s 260 page directive is not easy. Some areas are confusing and as yet not fully tested in the courts.

With this in mind the Rouge team have produced this document to inform all of what is needed, whilst demonstrating how Rouge have approached the matter for their own site. We hasten to add that we are not legal experts, and that you should, if you are concerned about GDPR, seek your own legal advice.

So what are the areas you need to focus on when considering whether a website is compliant or not? Well, there are a number of rules / regulations which need to be adhered to, which fall into the following areas:

• Consent. This is one of the corner stones of the regulations. The changes being made are in essence, to stop businesses adding people’s details to databases and then using this to ‘pester’ them with offers, or worse still, pass / sell on their details to others.
• Here the purpose of the change is to ensure that individuals have to opt in and give permission for their personal data to be used, and be in full control about how it will be used (see below).
• Processing. This follows on from Consent. When any user does give you permission to store their data, you have to tell them how it is going to be used.
• In theory, this only covers ‘personal’ data, but even using Google Analytics, which does not track users at a ‘personal level’, is by some thought to be included, hence the need to include the appropriate ‘warnings’ in a sites Privacy Statement.
• Securing all user data. We have seen numerous ‘hacking’ scandals recently, with companies as varied as Yahoo and Butlins being affected. The principle here is all about ensuring organisations protect an individuals privacy by protecting their personal data. One way of doing this is to delete it as soon as it is no longer needed, or after a reasonable time. As mentioned above, Google’s Analytical data is not deemed to be truly ‘personal’, but even they only now hold records for a limited time and suggest that some companies may want to delete their analytics data after just 14 months.
• Also, it must also be remembered that most Ecommerce sites use third party transaction ‘gateways’, but some do hold personal data on their own servers too. In such instances, this data has to be held securely, with the user being told that the data is being held (see Consent above)
• Breach notification. Unfortunately there is no way of ensuring that data is 100% safe. The hacker will get through in some instances no matter how well the data is defended.
• This part of the GDPR regulations ensures that when such breaches are discovered all the affected individuals (and the authorities) are told. This stops companies from hiding the facts and thus putting users at risk.
• Right to access personal data. Another of the aims of GDPR is to enable anyone to request access to the personal information held by any business.
• Right to be forgotten. This follows on from the Consent and Right to Access sections, as it allows a user to request that they are removed from your records.
• Having the procedures in place. This is all about ensuring that a business has defined procedures to follow (what and how long personal data will be stored) and has appointed individuals that are to be responsible for actioning them.

All of the above makes it seem that ensuring compliance is an almost impossible task. That is until you start to understand the underlying reasons for the regulations. Basically it is to protect users whilst not making it impossible for any business to operate.

For instance a business can gather data if it is required for functional purposes, this is defined as ‘Legitimate Interests’ by the ICO, see:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

One of the most important sections of wording here, in our view, is that a legitimate interest:

“is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

This covers things such as server logs that hold very little really ‘personal information’ (an IP address is not necessarily personal), this is also the case for Google’s Analytical data, because there is a compelling justification for holding the data.

Basically, as long as a business is ‘not doing harm’ to any user (e.g. invading their privacy) and just simply trying to run a business then the rules are not difficult to comply with, or as ‘scary’ as they first seem.

So what do you need to do to your website?

Gaining consent.

One of the key principles of GDPR is that you need to tell people what you are gathering, plus why and how you are using it. Here perhaps the best way is to inform users that your site uses Cookies and where possible allow them to change their permissions, either allowing them to use the site with less functionality or not at all.

The ITProPortal takes the matter very seriously:

And if you feel you need to go to this length, Rouge can do the necessary programing, but going this far is, for most sites, a bit like using a sledge hammer to crack a nut.

Online forms – more consent.

If you are gathering data in the form of name, email address and telephone number, then we need to allow the user to control how the data will be used, e.g if they give you permission to send them news updates by email or allow them to contact you by text, by post etc.In short you need to document the consent they have given you.

This ‘consent’ must be positively given, filling out a tick box for them is no longer allowed, they have to physically tick the box.

Here you can see how Rouge handle this on our contact form.

As you can see, the user has to tick the box if they want to be able to receive information in the future, plus until they say they have reviewed our privacy policy (we cannot force them to read it of course, but they have to say they have) the form cannot be sent.

Server logs.

These are not (at the time of writing) deemed to be a problem area, unless you are using them to try to identify particular users (in which case you would need to make that clear and gain their consent).

Google analytics or other tracking systems.

Google Analytics does not track individuals, so that is not a concern, plus when you also ask users to Accept Cookies (or not use the site) then you are covered here by gaining their consent. However, to be fully compliant you need to tell users what you are doing with their data in your privacy statement.

Other third party tracking / marketing software providers such as Lead Forensics or Leadfeeder, state that they are fully GDPR compliant, but in the opinion of some lawyers this has yet to be proven. The only suggestion here would be to include a clause in your privacy statement that says explicitly that data is being collected in order to identify users at a personal level and that this may be used to contact them at a later date.

This box as used on ABC Awards, shows how Consent is gained to allow communication in a ‘granulated’ way (contact allowed by various means) AND – this is important – asking for permission before the data can be shared with a named third party:

Besides these third party tools, you have to be aware that things like Facebook buttons and Online chat services, you may use on your website, may be gathering and processing data. Here ignorance is no defence and you must therefore ensure that they too are GDPR compliant, whilst also following all the pre-notification and consent issues previously covered in your privacy statement.

Keeping data secure.

Simply put, if you hold personal data about an individual then it is your responsibility to keep it safe and secure. This means that you need to ensure that your website (Server, CMS, databases etc) and all the data you store on it is fully secure. This includes usernames and passwords as well as personal details could be used to gain access to other systems.

Reporting any breaches.

Not keeping the data secure could mean you are in breach of the GDPR regulations, but if there is a breach you must take steps to inform users and the authorities within 24 hours so that they can take steps to mitigate any risk.

Rights to gain access to data, to be forgotten and having the systems in place

All users have the right to request what information you hold about them and to have this removed. This in turn means that you not only have to have the system in place to handle such requests, but also the staff to carry out the necessary actions.

• If you apply some good old fashioned common sense and follow the principles laid out above, it is not too hard to make sure your website is compliant. Just remember to:-
• Only record and store the data that you have to
• Check any services / third party systems that you use, like webchat, analytics, social media buttons to make sure they too are GDPR compliant.
• Be clear what data you are gathering (IP’s GA, Cookies etc), as well as why and how you will use it, then make sure this is clear in your privacy policy.
• If you do decide to gather truly personal information about your users make sure you tell them what you are going to do with this data and ensure you have their implicit agreement (and remember a pre-checked box is not enough).
• Always keep the data secure and,if a data breach does happens, make sure you have processes in place to inform all those affected within 24 hours.

Please do contact us if you require any more information on making sure your Website is GDPR compliant.