GDPR Compliance coming 25th May 2018!

Please note: This is a living blog post and will change from time to time as the landscape changes about the GDPR.

What’s happened?

The GDPR (General DATA Protection Regulation) comes into force on 25th May 2018. If your organisation collects or stores any type of personal data from people in the EU – you will need to comply with GDPR regardless of the Brexit status at the time. If you don’t comply – there can be financial penalties. The information you collect could include names, email addresses, contact details, postal and digital IP addresses etc. The new regulations are designed to give control of personal information back to ordinary people, prioritising them over the interests of businesses.

Therefore, it’s important for us as a web design company, and you as our client to be aware of this new legislation and adhere to it accordingly. There are some positives – being compliant shows your audience that you are a trustworthy organisation that respects their privacy and personal information.

What does this mean for me and what should I do?

We have outlined what this means for you:

  1. Conduct a personal data audit. List what data you collect about your clients either through your website or through 3rd parties – basically list every single possible way you obtain client data whether that is through your website or 3rd parties.In terms of your core website, this typically includes a contact form.  Depending on which contact form we have implemented in your website, the large majority of forms will simply submit data directly to your email address whilst others will also store the information – if in doubt ask us to confirm.  The identifiable information submitted through forms usually include name, email address, telephone number and IP address. If your contact form is submitting data to an email address associated with your domain name, then this information is stored in your mailbox on our servers which you access directly via webmail or through your computer/phone email client.TAKE ACTION: You will need to implement an UNTICKED mandatory checkbox in your contact form along the lines of “I consent to my submitted data being collected and stored“.  This is so that your visitors explicitly give authorisation for their data to be submitted/used/stored.  We include forms where you can manage form fields yourself, however if you prefer we do this for you then a small £15 charge will apply. Please note this you should always ensure you request explicit consent when asking for personaly identifiable information from your visitors/clients.Additionally, how about 3rd party services like newsletters from Mailchimp?  Do you have a newsletter feature in your site? Do you operate an online store and collect customer data in order to process orders? Where is that data stored? Does it go directly to your email or stored in a database in your website? Think about whether all the data you collect is necessary.  If you feel that some of the information you currently collect and store on your website isn’t strictly necessary, you can take steps to stop collecting it and purge it from your databases.

  2. You will need to add a privacy policy to your site – many GDPR privacy policy templates are available by searching Google.  We have also created one which you can modify to your needs and download here: privacy-policy-template (opens in new tab). You can also refer to our own privacy policy (opens in new tab) and take elements you feel are relevant to your own policy. We suggest you create a page in your website called PRIVACY POLICY which will appear in your main website menu or you can hide the page from your menu by unticking “show in menu” option.  You can then create a link to this page anywhere in your site such as your footer.

  3. Your website must be SSL compliant – if it starts with https:// and has a padlock next to the website address in your browser then you’re fine… if not, contact us to upgrade.

  4. Companies are contacting all their clients making them aware of GDPR, their new privacy policy and requesting consent to be able to continue to communicate with them.  We firstly advise that you delete all information from clients you no longer service and then consider contacting your existing clients making them aware of your privacy policy changes and request authorisation to continue communications with you. You can either do this my emailing everyone and asking them to reply back confirming its ok for you to process and store their data or you can ask them to click on a link requesting them to opt-in using a newsletter facility such as mailchimp.com.

  5. Understand what must be done in the event of a breach.  GDPR requires the data controller to have defined processes in place in the event of a data breach. The data controller has a legal obligation to report a data breach within 72 hours. For more information about this, take a look at this article on the reporting of data breaches.

  6. Children.  GDPR, for the first time, brings in special protections for children’s personal data – particularly in regards to commercial internet services such as social media. If your organisation offers online services to children and relies on consent to collect information about them, you will need to gain the parent or guardian’s consent in order to process the child’s data lawfully. GDPR sets the age at which a child can give their own consent to this processing at 16. This means that your privacy information page must be written plainly enough for a child to understand.

Further Reading

As the deadline gets nearer, there will inevitably be more talk and clarity about GDPR so it is important to keep informed.

In conclusion

The GDPR is not designed to stop businesses from communicating with their customers.

Put simply:

  • Don’t assume people want to hear from you just because they downloaded something from your website.
  • Don’t email users about your business unless they opted in and gave you permission to do so.
  • Don’t send them irrelevant information that they didn’t ask for.
  • Make sure all data-driven marketing you do complies with GDPR

In fact, GDPR is a great opportunity to grow your marketing list with quality leads.  At the end of the day, when users land on your website and they like what they see, then they’ll gladly opt-in to receive further information from you – much like the value of this amazing blog post we have put together for you ;). You will then have a marketing list of qualified leads who are genuinely interested in your business, your products, services and your content – after all, that’s what makes a marketing list valuable.

Disclaimer:

The information above is our opinion and own interpretation of how to best prepare for the GDPR.  We are not lawyers so please carry out your own due diligence.