So, you think data protection is nothing for you to worry about?
Is GDPR even on your radar? (Be honest, do you even know what GDPR stands for?)
If you answered yes to my first question, then you need to think again. Your website’s code is almost certainly more compromised than you think; and you’ll need to act soon, as the effective date for GDPR is 25 May 2018. The clock is ticking…
If, like most websites, you’ve used an open source platform to build it, then much, if not all, of the additional functionality on your site will be enabled through third-party plug-ins.
And? I hear you ask…
Well, the Media Trust – an independent organisation that scans websites for security and policy violations – reports that even simple websites now average ten third-party vendors.
In truth, many of you will have dozens scattered throughout your site.
You might even have an issue with something you thought had been replaced long ago, as some cookies have a lifespan of decades and may be lingering within your code still, unauthorised perhaps – but unrecognised.
The bottom line is that the EU’s General Data Protection Regulation (GDPR) has a real issue with all this and small businesses like many of our clients – dental practices, independent retailers, B&Bs, trades – are all just as accountable as the multinationals. So, you need to be considering how it impacts you now, not next April.
So, what is GDPR?
It is the first EU-wide regulation to address the personal data protection rights of all EU residents. It gives them enhanced rights over the information that is collected, used and stored about them.
To be clear therefore, every business with EU involvement – be it your direct customers, prospects, employees, suppliers – will need to comply, not just those registered or based in the EU. Brexit will be no excuse for failing to act.
And if you don’t? Well, GDPR includes a penalty structure for violations: it rises to 4% of your total annual turnover (not just the turnover with the client affected), up to a ceiling of €20m... Still want to risk ignoring it?
So, how can you make your website GDPR compliant… in 20 steps?
In truth, you need to dramatically change your approach to managing consumer data; and almost certainly change the way you manage your site’s user interface.
Here are some key steps to take in order to be ready. But remember, this is offered as general guidance: you need to identify and mitigate your own risks as a business owner.
1) Undertake a personal data audit of your existing site
This will help to identify the data you currently gather; how that data is used; and who acts as its ‘data processor’.
Processors are defined as anyone who is involved in determining how personal data is handled, regardless of whether they collect the data. So data you gather may be shared with an external third-party, with your knowledge, such as an ecommerce or CRM platform. As you audit the data being used across your organisation (remember, this isn’t just about websites, but also the business use of any/all personal data) you can tag each ‘data processor’ with a 1 (first-party, handled in-house) or a 3 (third-party). That identifies what you’ll need to act on yourself, and when you’ll need to contact a third-party.
2) For every data processor ask:
- What are they using that data for?
- Do you still need them to use that data in future?
- Where is the data being stored now?
- Where should it be stored in future?
- How should it be shared in future?
3) For each third-party data processor you’ve identified (Lead Forensics, MailChimp, Shopify etc.) satisfy yourself that they are/will be GDPR compliant by May 2018.
Do this by contacting them directly. Most already believe they are, but remember, if challenged at a future date, you must hold clear, documented, and verifiable evidence for you to demonstrate you complied with your responsibilities as a data controller.
4) At this point, it’s worth noting that if you use any US-based data processor (MailChimp, for example) then they need to be Privacy Shield compliant by 25 May. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to protect the flow of personal data between the EU and the US.
Contact these parties directly as well, and find out if or when they plan on becoming compliant. If they don’t or won’t confirm their plans, you should replace them with a similar but compliant provider. (Remember ‘verifiable evidence’.)
If this applies to you, find your new provider, then ask your current provider in a verifiable way to provide you with a copy of all the data that they hold for you, and insist they subsequently delete it securely from their systems – including backups.
5) Bottom line, data going forward is potentially a liability: so unless you need it, delete it.
6) Having identified what data you will still need to hold, take steps to ensure it is being stored securely.
Check your server configuration and firewalls: you’ll not want a shared server if you’re serious about storing customer data securely. And yes, that will be more expensive. But much cheaper than a fine.
7) If you are storing personally identifiable data within your website, then you might consider taking the identifying field(s) within your database and replacing it with an artificial identifier.
Known as ‘pseudonymising’ the data, it is not a straightforward step, but does add an extra level to your security.
8) Next, you need to review your site’s user interface. Digital systems should adopt privacy by design.
What this means is that you ask only for what you need in order to complete the task the user wants you to fulfil, and record their specific permission for you to do this.
By default, privacy settings throughout your site should always be set to the highest level after May 2018, with a user given options to downgrade if they wish.
Remember, at the core of the new regulation is the idea of strengthened consent. If you collect or manage any EU citizen’s data, you must have obtained Explicit Consent before any (and every) data collection takes place. Just because they granted permission to host a piece of data for one purpose, it does not confer permission for you to use that bit of data for another purpose. Every request for data must be made in clear, plain and easily understandable language – no fancy legalese or jargon – and the context must be next to the appropriate form or action point on the page. The Information Commissioner’s Office (ICO) has a sample privacy notice that is concise, transparent, and could be used as a template for your website. It should appear where it is easily accessible.
9) Explicit consent must be obtained before the user submits the form. They must be made aware that you are collecting their personal data with the intent to store it, and the purpose for which you need it.
It bears repeating: each usage of data must be explicitly and individually consented to, (referred to as Unbundled or Granular Opt-in). If an email isn’t required for the intended purpose of a specific form, then don’t ask for it; if you do (perhaps to track their master permission record we discuss at point 16) then don’t send them an email newsletter just because you have that email! What was bad practice in the past will potentially land you with a fine after May 2018. It only takes one upheld complaint.
In terms of your website’s user experience, unsubscribing can consist of granular withdrawal as well: it needn’t be a case of all or nothing. Phrase your unsubscribe message appropriately, enabling someone to selectively withdraw consent from specific streams of communication e.g. post, email, telephone or text.
For example, if someone wants to unsubscribe from a newsletter, before confirming it has been done, prompt them through a form to confirm whether a less frequent email would be preferred, whether they are withdrawing because they are also registered under another email, or whether they are simply no longer interested.
Users must also give you specific permission to pass their details on to a third party (e.g. MailChimp for those emails). It is important too to note that it isn’t enough to simply define categories of third-party organisations: you need to name each one specifically.
10) It’s pretty obvious by now that every form on your website needs to be re-thought. If you ask for a name, email, address, phone, they are all applicable data.
If you’re using any email marketing or CRM extensions in a form, it’s affected.
Save Progress: it’s affected.
And any form that deals with commerce of any type will always be affected (see 11).
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no”, or be blank.
You need to check ALL your current forms to ensure this is the case.
11) If you use e-commerce, then you are likely to be using a payment gateway for financial transactions.
Your own website may collect personal data before passing the details onto the payment gateway and if your website is storing these personal details after the information has been passed along, then you need to modify your web processes to remove that personal information after a reasonable period, for example 60 days. The GDPR legislation is not explicit about the precise number of days: it is your own judgement as to what can be defended as reasonable and necessary.
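As an added illustration of steps 7 and 11 (this is not code from the original article), the following Python splits a customer record into a pseudonymised record and a separately held lookup table, then purges the lookup entries once an assumed 60-day retention period has passed, so the remaining records can no longer be tied to a person. The field names, the token format and the sample order are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=60)   # assumed "reasonable period" for step 11

def pseudonymise(record, lookup, now):
    """Swap the identifying fields for a random token (step 7).

    The token-to-identity mapping goes into `lookup`, which must live in a
    separate, more tightly protected store than the pseudonymised record."""
    token = secrets.token_hex(16)   # random, so it cannot be derived from the identity
    lookup[token] = {"name": record["name"], "email": record["email"], "stored_at": now}
    pseudo = {k: v for k, v in record.items() if k not in ("name", "email")}
    pseudo["subject_id"] = token
    return pseudo

def reidentify(pseudo, lookup):
    """Resolve a token back to the person; None once the mapping is gone."""
    return lookup.get(pseudo["subject_id"])

def purge_expired(lookup, now, retention=RETENTION):
    """Delete mappings older than the retention period (step 11).
    Returns the number removed; the matching order records stay usable
    for accounting but can no longer be tied to a person."""
    expired = [t for t, v in lookup.items() if now - v["stored_at"] > retention]
    for t in expired:
        del lookup[t]
    return len(expired)

def demo():
    """Walk one constructed order through store, look-up and purge."""
    lookup = {}
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    order = {"name": "Ada Example", "email": "ada@example.test", "total": 42.50}  # constructed
    pseudo = pseudonymise(order, lookup, t0)
    linked = reidentify(pseudo, lookup) is not None
    removed_early = purge_expired(lookup, t0 + timedelta(days=30))
    removed_late = purge_expired(lookup, t0 + timedelta(days=61))
    return {
        "fields": sorted(pseudo),            # ['subject_id', 'total']
        "linked_before_purge": linked,       # True
        "removed_at_day_30": removed_early,  # 0
        "removed_at_day_61": removed_late,   # 1
        "linked_after_purge": reidentify(pseudo, lookup) is not None,  # False
    }

if __name__ == "__main__":
    print(demo())
```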
12) It’s clear by now that a big part of GDPR is about communicating how and why you’re collecting and using data.
So always be clear and concise in telling data providers; give them a way to request a copy of what you’re holding; and explain clearly how they can have it deleted if/when they wish.
- The data subjects’ right to access all the data you hold about them: if asked you should be able to show them what you hold, relate that information to its purpose, identify how and when they authorised this, and confirm who you’ve shared their data with to meet that instruction. The simplest way to do this is to create a form that details all this information at the point of request and personalise it through a specific email address.
- Their ‘Right to be Forgotten’: how they can contact you to have their data deleted, both by you and by any third party involved.
- Data portability: how you manage those third-party shares.
- Breach notification. If the data you hold is breached, or an unauthorised access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, then you must notify all those individuals affected within 72 hours of becoming aware of the breach.
14) Previously gathered data is also a fresh issue.
You might have a record from a contact form submission saved some time ago.
If that data will not be acted upon again, it should now be destroyed. But, if you want to keep it, you should get new permission, for the specific purpose you have in mind, even going so far as a double opt-in for your existing email subscription lists.
Whatever the weak links are in terms of permissions, you should aim to resolve them now, or remove them.
15) To keep track of all this, designate a Data Protection Officer (DPO): a person responsible for monitoring internal compliance with GDPR for your organisation.
They should be trained appropriately: BUT as the business owner, you can’t shift legal responsibility for compliance onto your DPO. You will still be accountable! So pay attention.
16) The responsibility of being able to associate submitted data with the individual submitter falls to you (even if you’ve delegated it to your DPO).
17) GDPR compliance requires that you can be reached and are responsive to user requests for data that you’ve collected on them, either to view or delete.
18) Your data audit might also identify other site weaknesses, such as unencrypted email accounts or website traffic.
You will then need to move the site to HTTPS and obtain a TLS (SSL) certificate.
19) Finally, let’s turn to tracking software.
You should also amend your cookie banner to clearly describe the cookies used and their purpose, so that continued browsing can be interpreted as informed consent.
But remember, if someone complains to the Information Commissioner in the future, and the software is deemed to be doing something illegal, then it is you, as the data controller for your business, who is accountable, not the third party.
The real issue here is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, review your contract with these software providers carefully.
20) Google and GDPR:
Google Analytics is an anonymous tracking system, and is therefore exempt from GDPR constraints, but if you are interested in Google’s commitment to GDPR then start with Google’s own page ‘How Google complies with data protection laws’.
Google Tag Manager is another powerful tool that inserts small amounts of code to enable your website to send information to third-party applications. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue here is to ensure you have a contract in place with all parties that have access to your Tag Manager (which may include your web designer or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf.
To help conduct your audit, and get you started on the road to GDPR readiness, talk to us at Inspire today. Our team of consultants can help with any of the issues raised… But the clock is ticking!
The Information Commissioner has an excellent set of resources on GDPR.