It seems that at every business event, networking breakfast or other gathering of fellow business owners I attend, the subject of GDPR comes up.
I guess this is partly because of my role in digital marketing but also because it’s both imminent and complex. Imminent because the new rules become law in May this year, and complex because it’s so far reaching in its effects on a business and obfuscated with legal jargon. It’s also scary because the fines for getting it wrong are MASSIVE!
Any data breach, any loss of personal data, has to be reported within 72 hours of you being made aware of the breach or you face a fine of up to €10 Million!
GDPR in a nutshell
So putting it very simply, GDPR is a clarification of, expansion on and development of the Data Protection Act that already exists in this country and in the European Union. The main changes are in the phrasing of what personal data is and what you do with it (basically, GDPR now considers anything related to an individual to be personal data, and anything – and I mean anything – you do with that data is covered by it).
So it really covers every part of your business, every activity you do and every single item of personal data you hold. It’s not just a marketing issue!
How does GDPR affect my website?
You may not even realise it but all websites are collecting data and a lot of that data could be personal in nature or considered personal within the remit of GDPR.
For example, just the act of visiting a website can reveal your general location, your gender, your age, your interests, the technology you’re using to view the website, and much more. Just look at the screenshot below from our Google Analytics account. The wealth of data I can investigate is astounding when you think about it.
Ok, so a lot of that data is anonymous but it’s still personal information about you and your behaviour that you may not want others to know.
If your website has a contact form for customers or prospects to use (and most websites have at least one) then understanding GDPR is even more important for you, because as soon as someone completes that form you have a duty to take care of the data they’ve provided. On top of that, many websites also have functionality that allows users to sign up to services, such as estate agents’ websites that allow users to store favourite properties or ecommerce websites that store customers’ information for repeat purchases and order tracking.
It’s not uncommon these days to have chat boxes, personalised messages and even mouse movement tracking software installed on websites too. All of these added bits of code track and record user actions and arguably come under the GDPR umbrella.
There’s a change to the Cookie Law coming
GDPR encompasses every aspect of how you manage personal data, and in addition to the new rules arriving in May we’re also expecting changes to the ePrivacy regulations next year. These changes will supersede GDPR when it comes to website privacy and so in the case of your website are actually more important.
You’re probably aware of the Cookies Law – the legislation passed by the E.U. in 2012 that required all websites that use Cookies to ask for visitors’ permission and led to millions of websites adding a pop up banner message that states something like “This website uses cookies. Please accept this or leave”. Well, this is changing soon too.
Cookies are small pieces of data, stored by your browser, that record information about your visit to a website – whether that’s the pages you visited, the products you looked at, whether you arrived on the site from a Facebook advert or even a username for quicker access at a later date. These are all stored using Cookies and so, according to the current law, require a user’s permission.
At the moment, website operators can ask users a single, broad question to get permission. However, the changes coming some time in 2019 will require website operators to get explicit permission for EVERY cookie used on the website, and you’ll need to be completely transparent about which Cookies are operating in the background. It’s no longer enough to have a single “Accept” button on a pop up banner. You’ll need to show your website visitors exactly what they’re agreeing to and allow them to opt out.
What do I need to do to make my website compliant?
There are a number of steps that I’m recommending to my clients to make sure that at least their website is GDPR compliant. Unfortunately we can’t advise clients on how to make their internal systems compliant – but the guys at My Life Digital can help in that respect. So, here I present my to-do list for getting your website GDPR compliant…
- Talk to your website designer about the functionality on your website
This is the first step to becoming GDPR compliant. Have a conversation with your web developer and ask them to provide written descriptions of the following:
  - Where is your website hosted?
  - Where is your domain name hosted?
  - Where are your email servers? – for all three of these questions, you want to know the company that provides the servers but also what country those servers are in
  - Are there any contact forms on your website and does the website permanently store any of that information?
  - Is your website backed up and if so, where are the backups stored?
  - Does the site link to any third-party marketing software systems such as Mailchimp, HubSpot, SalesForce etc.?
  - Does the website allow users to store their information such as usernames, passwords, personal details (customer addresses etc.)?
  - Does the website use Google Analytics or similar usage tracking systems?
- Run a check for Cookies on your website
You can do this without help from your website designer (as odd as it sounds, they may not actually be aware of just how many cookies your website uses, because in many cases these are created by third-party systems and it’s not always clear what those systems do). Use the link here to sign up to the CookieBot service with a free trial of their cookie scanning service.
- Get the correct legal documents on your website
You’re probably familiar with terms & conditions when using websites, but your website also needs a privacy statement showing how you treat users’ data. These are the documents we recommend:
  - Terms & Conditions – depending on what you do with your website this could be one of three documents
    - Terms & Conditions
    - Terms & Conditions for the supply of services
    - Terms & Conditions for the sale of goods
  - Privacy Policy
  - Email Footer & Disclaimer
- Secure Sockets Layer
A Secure Sockets Layer (or SSL) encrypts the information passed between your website and the user’s computer – vital if you have any forms, ecommerce carts or user dashboards/membership areas on your website, as customer data is vulnerable not just on your website but while it’s travelling to and from your server.
- Firewall
Your website is vulnerable to attack and it’s highly likely that it’s already a victim of malware. Unfortunately, malware infection of websites is a growing problem, especially for smaller businesses where the security of their website isn’t a top priority. More often than not, a malware infection turns your website into an email server sending out tons of spammy emails, but that infection could also be used to access the data on your website – and if you hold personal data then this could mean a data breach and the possibility of a fine! So protecting your site is well worth the investment.
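The cookie check in the list above produces an inventory: which cookies are set, by whom, and for how long. What follows is an added example, not code from this post or from CookieBot; it parses Set-Cookie headers from a constructed sample of HTTP responses (the site host, tracker host and cookie values are all made up) into the per-cookie record you need in order to tell visitors exactly what is set and let them opt out of each one.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed first-party host (constructed for this example)
SITE_HOST = "www.example-shop.co.uk"

# Constructed sample: (responding host, raw Set-Cookie header value)
SAMPLE_SET_COOKIE: List[Tuple[str, str]] = [
    (SITE_HOST, "PHPSESSID=abc123; Path=/; HttpOnly"),
    (SITE_HOST, "_ga=GA1.2.111.222; Expires=Wed, 13 Jan 2021 22:23:01 GMT; "
                "Path=/; Domain=.example-shop.co.uk"),
    ("ads.example-tracker.net", "uid=42; Max-Age=31536000; Domain=.example-tracker.net; Path=/; Secure"),
    (SITE_HOST, "fav_props=1001,1002; Max-Age=2592000; Path=/; Secure"),
]

@dataclass
class CookieRecord:
    name: str
    set_by: str           # domain the cookie is scoped to
    persistent: bool      # Expires/Max-Age present: survives closing the browser
    third_party: bool     # scoped to a domain other than the site's own
    secure: bool          # only sent over an SSL/TLS connection
    http_only: bool       # not readable by scripts running in the page

def parse_set_cookie(responding_host: str, header: str) -> CookieRecord:
    """Split one Set-Cookie header into name=value plus its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A Domain attribute wins; otherwise the cookie belongs to the responding host
    domain = attrs.get("domain", responding_host).lstrip(".").lower()
    site = SITE_HOST.lower()
    first_party = site == domain or site.endswith("." + domain)
    return CookieRecord(name, domain,
                        persistent="expires" in attrs or "max-age" in attrs,
                        third_party=not first_party,
                        secure="secure" in attrs,
                        http_only="httponly" in attrs)

def cookie_inventory(responses=SAMPLE_SET_COOKIE) -> List[CookieRecord]:
    """Build the list you would disclose, cookie by cookie, in the consent notice."""
    return [parse_set_cookie(host, hdr) for host, hdr in responses]

if __name__ == "__main__":
    for record in cookie_inventory():
        print(record)
```

Every row is one cookie that, under the 2019 changes described above, needs its own entry in the consent notice; the third-party rows are the ones your designer is least likely to know about.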
The steps you take to protect your website are steps you’re taking to protect your business and whatever steps you take, make sure that you keep a record of everything so if you do get an issue you at least can demonstrate that you took measures to mitigate the risk and protect personal data.
Resources
- GDPR solutions from My Life Digital
- Cookie Scanning and Reporting from CookieBot
- Website Legal Documents from Rocket Lawyer*
- Spam Filter from CleanTalk
- Firewall hosting
- Secure Hosting Solutions – contact Russell at Lobster
* The current terms & conditions and privacy policies available on the Rocket Lawyer website are not GDPR compliant yet. The GDPR legislation is still under review, so as soon as it’s passed into law Rocket Lawyer will update their documents accordingly.