GDPR for Website Owners
I’m sure by now you’re acutely aware that GDPR’s on its way — but how well developed is your plan for ensuring your business is compliant?
If you don’t have a plan yet, don’t panic: you’re certainly not alone. But dedicate the next few minutes of your life to this article and you’ll feel much more prepared!
Otherwise, let’s get cracking.
Data types & user rights
Under GDPR some attributes are classed as “personal data” and others as “sensitive personal data”. Here’s the difference:
Personal Data: Name / Address / Email Address / Social Security Number / Location Data / IP Address
Sensitive Personal Data: Race / Health Status / Sexual Orientation / Religious Beliefs / Political Beliefs
The latter set should be handled even more carefully and securely than the former.
If any of the above data is collected by your website and/or your wider company, here are the personal data rights you need to provide to individuals:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
Further information is available here via the ICO.
So, as a website owner, what do you need to prepare for GDPR?
It’s best to create a spreadsheet that covers every system, application or program used to capture and store personal data, for example web forms, CRMs, email clients, analytics platforms, social pixels, CMS plug-ins, etc.
You then need to work out:
- Is it 1st or 3rd party data?
- How long is it stored?
- How do you use it?
- Do you share it with any additional parties?
- What’s the legal basis for processing this data?
Once you’ve sifted and separated using the criteria above, you should consider:
- Removing any redundant data that is no longer in use: storing data you don’t need only adds risk, so mitigate wherever possible!
- Are you using any of this data incorrectly? For example, are you automatically adding people who’ve completed your website contact form into your mailing list? If so, that needs to stop, or a consensual opt-in needs to be added.
- Should you be sharing data with third parties and if so, are they handling it correctly?
- If there is no legal basis, are you seeking the appropriate level of consent to gather and process data?
We then advise completing this stage of your preparation by fully documenting all processes; this makes them easy to evidence if they’re ever requested by an individual or organisation.
Audit existing data capture processes
As briefly touched on above with the web form, it’s essential to confirm that all personal data, however captured, is collected with consent, and that in turn the data is only used in the way the users giving that consent intended.
So there are a few things you may need to change:
- Adding newsletter opt-in boxes to all contact forms
- Recording opt-in to mailers when it is given verbally, for example while out networking
A crucial rule here is that the Opt-In box should NEVER be pre-ticked.
Your existing privacy policy should also be reviewed to ensure that it accurately details:
- How you collect data
- Why you collect it
- How you use it
It should be written clearly and accessibly so that it’s easy to digest.
Consent – Opt-in & Opt-out
Consent is all-important — all first party data gathered by you should be given willingly and only used in the manner intended by said consent (so again, no more dropping people who’ve filled out a contact form into your mailing list).
A clear “Opt-out” process should also be provided for people who wish to have their data removed from your records.
An obvious question that arises is: “But how do I remove someone’s data from my analytics platform (Google, Adobe, etc.)?”
No process currently exists for webmasters to action such a request. However, all popular web browsers have long offered the ability to “opt out” of having your behaviour tracked by website analytics systems.
This process is currently believed to be the best way of managing data tracking via Analytics platforms in a post-GDPR world.
After completing the steps above you’ll feel much more informed about managing GDPR in relation to your website.
While there are a few months to go until the regulation hits the books on the 25th of May 2018, the time will pass quickly. So if you’ve not started doing anything remotely similar to what we’ve advised, now’s the time to start!
If you have any further questions relating to how your business needs to adapt for GDPR, feel free to contact our DPO (Data Protection Officer) John-Paul Drake on firstname.lastname@example.org.