One data regulation for all…
Having a company website is a necessity for any business – no matter the shape or size! As we live and continue to grow in a digital world, it is very likely that you could be losing a number of great opportunities for your business if you don’t have a good quality website.
The internet has a far broader reach than any other form of advertising, and while it can take a while to build up enough traffic to your website to make a worthwhile impact on your company's marketing campaign, a brilliant company website has the potential to deliver effective results.
However, with GDPR (General Data Protection Regulation) soon to come into force, on May 25th this year, it is imperative that business owners ensure their website follows best practices in order to conform to new regulations.
The GDPR is the most significant and comprehensive data privacy regulation to date and compliance is compulsory. Owning a website that violates data protection puts you at risk of heavy sanctions. Those who do not adhere to new regulations are at risk of large fines (up to €20 million or 4% of their global annual turnover, whichever is greater). So, with that in mind, what things do you need to make sure you are doing and what things will you have to change?
1. Web Forms: It’s Opt-In, Not Opt-Out!
A good place to start with best practices is web forms. Most websites use web forms because they are useful for collecting things such as email addresses from visitors that you may later use in marketing campaigns; they are also useful for receiving enquiries through your website that could lead to business opportunities.
In the past, after ordering something from a website, many companies have used the tactic of pre-ticked boxes that automatically subscribe you to their newsletter unless you actively un-tick the box. For example, if you had just bought some Jelly Beans online, you may be familiar with something like:
‘Thank you for your purchase of x6 bags of Jelly Beans’, followed by the statement ‘I would like to subscribe to marketing correspondence, text messages and monthly updates from The Jelly Bean Company’, with a tick already placed in the box next to it.
Under GDPR legislation, this would not be classed as explicit consent and is therefore unlawful. Any personally identifiable information collected via your website(s) needs clear and explicit consent, meaning the person should actively opt in, not be forced to ‘opt out’. Personally identifiable information includes first and second names, home address, email address, phone numbers etc. The consent you collect must be:
- Specific and unambiguous – It must be extremely clear what the data subject is signing up for when filling out web forms.
- Granular opt-in – Forms must not be pre-ticked, and the data subject must actively ‘opt in’ to receive any further marketing correspondence. The opt-in box must also not be ‘clustered consent’: there must be separate boxes that a user must select for the different types of correspondence, for example separate opt-ins for receiving newsletters and receiving text messages from a company.
- Easy to withdraw consent – It must be as easy to withdraw permissions as it was to grant them (make sure your contact preferences page is extremely easy to find).
- Named parties – What exactly is the data subject agreeing to? Web forms must identify each individual party that consent is being granted to. It isn’t enough to refer to defined categories of third-party organisations; they now need to be named.
For example, John Lewis’s web forms ask for permission for itself and its sister companies John Lewis, Waitrose and John Lewis Financial Services to contact the customer. This is good practice.
Other things to consider when it comes to the forms on your website:
- Ensure you have updated the send processes of your contact forms so that data is sent to, and stored in, the minimum number of places.
- Create the ability within your admin area to search, export and delete personal data as required.
- Allow users to submit a request to view or delete data you hold on them.
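The consent rules above, as an added Node.js example that is not code from the original article: the form is rendered with one unchecked box per named party and channel, only an explicit tick is recorded as consent, and withdrawal is a single call. The party names, channel names, field names and wording version are assumptions.

```javascript
// Added example, not from the original article: handling a marketing-consent
// form so that consent is opt-in, granular, tied to named parties, evidenced,
// and as easy to withdraw as to grant. Names and field names are hypothetical.

const PARTIES = [                                   // hypothetical named parties
  { id: 'jellybean', name: 'The Jelly Bean Company' },
  { id: 'jbmobile', name: 'Jelly Bean Mobile Ltd' },
];
const CHANNELS = ['newsletter', 'sms'];              // one box per channel
const CONSENT_TEXT_VERSION = 'consent-wording-v1';   // the wording the user saw

// Render one unchecked checkbox per party and channel. The template never
// emits a `checked` attribute, so the form cannot be pre-ticked.
function renderConsentFields() {
  return PARTIES.flatMap(p => CHANNELS.map(c =>
    `<label><input type="checkbox" name="consent_${p.id}_${c}" value="yes">` +
    ` I agree to receive ${c} messages from ${p.name}</label>`)).join('\n');
}

// Build a consent record from a submitted form body (field -> value).
// Only an explicit "yes" counts; a missing or different value is no consent,
// so a defaulted or tampered field can never opt the user in.
function recordConsent(formBody, now = new Date()) {
  const granted = [];
  for (const p of PARTIES) {
    for (const c of CHANNELS) {
      if (formBody[`consent_${p.id}_${c}`] === 'yes') {
        granted.push({ party: p.name, channel: c });
      }
    }
  }
  // Timestamp and wording version are kept as evidence of what was agreed.
  return { granted, grantedAt: now.toISOString(), wording: CONSENT_TEXT_VERSION };
}

// Withdrawal is one call: remove one party/channel, log when, keep the rest.
function withdrawConsent(record, partyName, channel, now = new Date()) {
  const keep = g => !(g.party === partyName && g.channel === channel);
  const entry = { party: partyName, channel, at: now.toISOString() };
  return { ...record, granted: record.granted.filter(keep),
           withdrawals: [...(record.withdrawals || []), entry] };
}

// Check before sending: is there a current, explicit consent for this
// party and channel?
function mayContact(record, partyName, channel) {
  return record.granted.some(g => g.party === partyName && g.channel === channel);
}
```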
2. Encryption is key – Get your website encrypted
Any data that is submitted to your website must be encrypted. One of the major benefits of HTTPS (the ‘S’ stands for secure) is that it protects users against man-in-the-middle attacks that can be launched from compromised or insecure networks. It is this kind of attack that can lead to data breaches and therefore fines, so an encrypted website is essential.
Your website developer should be able to install the necessary measures to ensure this is the case. This means fitting an SSL certificate to your site so that the data is encrypted. You can check whether you already have an SSL certificate by looking for the padlock symbol in the URL bar of your browser when you visit your site’s homepage; if it is missing, speak to your web developer to resolve this.
Another thing worth mentioning, of course, is that Google favours HTTPS websites over those that are not secured when ranking websites in search results. A user searching for ‘Cake Makers’ would be directed to the cake maker website that is encrypted rather than the one that is not, and if yours isn’t, you could be the one losing business. Finally, as of July this year, Google Chrome will start labelling all HTTP pages as not secure, and will change the HTTP security indicator to the red triangle used for broken HTTPS when users enter text into a form on an HTTP page. This warning can be damaging to eCommerce sites, as many people will not be willing to input sensitive data after being warned that the website is not secure; once again, this could mean losing business.
3. Access to data – Who has access to customer data?
Important things to consider:
- Data subjects will need to be able to access their personal data quickly and simply. You may also have to explain which other organisations have handled their data, and why this was needed for the process.
- Organisations will need to make sure they offer any data for download where possible, and without any unnecessary delays.
- As companies are not permitted to store data that is no longer necessary, a robust process for deleting data that is no longer required should be implemented.
It is vital to be aware of who has access to the personal data that is logged and stored on your website in the content management system. It is good practice to document exactly who these people are and compile a list. Then, by examining the list, work out who genuinely requires access to the data. If there are employees on the list who do not need access, ensure that their permission is revoked.
Business owners should also audit any outsourced companies that could potentially have access to their data and check that their procedures are also compliant. As the data controller, you are responsible for this even if you have outsourced elements of the process. It is recommended that you document the measures you have taken to ensure everybody is acting in line with GDPR regulations. Likewise, outsourced companies should be able to explain clearly what measures they have taken to ensure the data you have provided to them is held securely.
4. Online payments: What information are you storing?
If you’re an e-commerce business using a payment gateway (a secure way for your customers to enter their payment information, including credit and debit card details) for financial transactions, you need to be aware of whether your own website collects any personal data before these details are passed on to the payment gateway.
If your website stores personal details after the information has been passed on, then you’ll need to modify your web processes to remove any personal information after a reasonable period.
5. Third-party tracking software: Is it compliant?
Third party tracking software is a grey area when it comes to GDPR. A lot of businesses use third-party marketing automation software solutions these days. This could include things such as lead-tracking or call-tracking applications.
The reason this is a grey area is that this kind of software tracks website visitors in ways they are not aware of, and therefore users have not technically granted consent. Many third-party tracking suppliers claim they’re GDPR-compliant and advise their clients to display banners that state clearly that cookies are being used. However, it’s always good to double-check that your supplier has got your back when it comes to GDPR, so make sure you look over your contract with your software providers very carefully.
6. How Clear are your Privacy Policies?
You must let users know:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- How users can control any aspects of this
- Who your data controller is
- Data controller’s contact information
- Whether you use data to make automated decisions (e.g. credit scoring)
- The 8 rights users have under the GDPR
- Whether providing user data is mandatory for the user to use the website
- Whether you transfer data internationally
- What your legal basis is for data processing
7. Does your business have an app?
Do you have a mobile app? GDPR regulations also apply to personal data collected through mobile devices and apps. Spend some time reviewing the data your mobile app collects, where it goes and why it is collected, all while making sure it complies with the GDPR.
All in all, websites (and apps) should include privacy by design, meaning a user’s privacy should be considered the number one priority at all times, at every level of your website. By default, privacy settings should be set to their highest level, and any downgrade from that level should be a choice available to the user, not the default.
The GDPR might seem intimidating and over the top, but it’s important to remember where this stems from. Ultimately, this is about protecting people from cyber-crime and data breaches. The internet is still a highly unregulated space that needs far greater levels of international legislation and the GDPR is a substantial contributor to this.
The above is not an exhaustive list and there is an abundance of information on the official ICO website that looks at many other factors that are important to consider as we near the ‘go live’ date. It is recommended that you familiarise yourself with this information so you are completely aware of what is expected of your business under the new regulations.
Get a health check
If you’re a business owner and are unsure of what you need to do under the new legislation, contact the team at Pyranet UK. Pyranet are a Nottingham-based IT Solutions provider and Cyber Security Specialists, who offer Cyber Awareness Training, GDPR Training, IT health checks and gap analyses: a great service for those who want to know how they’re currently performing under GDPR regulations and which areas they need to improve. Pyranet can help form a remediation plan to address the gaps and risks.