Getting your site ready for GDPR

First, I’d like to apologise for taking so long to get this blog out to you all, as this is a really important subject. Luckily, being a small business, getting yourself ready for the new laws and legislation won’t take too much work. I would like to make it clear that this blog includes guidelines only; we cannot yet be completely sure of some facts as the law has not yet been enforced.

So, what is GDPR?

General Data Protection Regulation (GDPR) will bring outdated personal data laws across the EU up to speed with an increasingly digital era. More information about online privacy in this new internet generation can be found online. The previous data protection laws were put in place during the 1990s and haven’t been able to keep pace with the levels of technological change. GDPR is a new regulation that comes into force on 25th May 2018 and it has two key principles.

  1. Allowing EU citizens & residents more control over their personal data
  2. A unifying regulation for international businesses across the EU

This applies to all businesses that hold personal data of EU citizens. You should also be aware that Brexit and the UK leaving the EU do not affect the GDPR start date, and the UK’s own law will directly mirror GDPR. So, in short, everyone must adhere to it.

There is a lot of media attention surrounding GDPR and it is all quite overwhelming. Don’t let this scare you! Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact for businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution”. She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.

GDPR Checklist for UK Small Companies

We have put together a checklist for small UK companies, but please remember that this applies to all data held. This will even include all past, present and current employees, suppliers etc.

  • You should document what personal data you hold

This includes how you acquired it and who you share it with. For example, if you hold inaccurate personal data and have shared it with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with.

  • You should review your privacy policy

It is essential that you clearly state what information is held, how you collect it and what happens to that data, both offline and online.

  • Users need to be able to request their data

GDPR essentially gives individuals the right to know what data is held on them, but it also gives them the right to say what can be done with their personal information. You need to be able to provide data and deal with requests to delete data, and how you handle this needs to be made clear in your privacy policy.

  • Prepare to meet access requests

All data requests must be dealt with within one month. Your users have the right to access their data, the right to deletion of their data, the right to object and the right not to be subject to profiling.

  • Consent

You need to review how you get consent from users to use their data, whether this is for marketing or for contacting them.

Firms with over 250 employees must have a nominated Data Protection Officer (DPO), or employ one, to oversee that data is always being used and stored correctly.

Data breaches must be reported to the ICO within 24 hours if possible, or within 72 hours.

Failure to comply could mean serious fines. The UK’s Information Commissioner’s Office (ICO) can fine up to 500,000 for malpractice, but under GDPR it will be able to fine up to €20 million or 4 per cent of annual turnover (whichever is higher).

Are you still holding on to old data?

GDPR requires companies not to hold on to old data for longer than necessary, or to process it without the user’s consent. You need to be aware of what data you have, why you have it and whether it is still needed.

What defines consent?

Consent has got a lot tighter: you can no longer have pre-ticked checkboxes for contact forms & newsletters, and no more “small print” under submit buttons. There now need to be two unticked checkboxes clearly stating “I DO give permission” & “I do NOT give permission”.

Consent is also required for any data you currently hold if you acquired it via pre-ticked checkboxes or any other means.

So how can you get your site ready?

  • GDPR Privacy Policy

You need to state what data you collect and store and how you handle this data. You need to include any third-party plugins you may be using that store users’ personal data (Google Analytics, Facebook Ads, Contact Form 7 DB). There are many templates out there which can help and guide you. Privacy policies must be written in a simple manner and clearly outline what data you hold, when it is deleted and how you handle it both online & offline.

  • Audit your site

Go through your site. You need to make sure any software, platforms, frameworks and plugins are also GDPR compliant, and make reference to their compliance.

  • OPT-IN checkbox with a link to the Privacy Policy & Terms and Conditions on ALL forms, before the submit button. For example:

– I do not want to receive promotional material.

– I do want to receive promotional material.

– I agree to the privacy policy (link to privacy policy).

  • Users MUST be able to request their data; we suggest a contact form clearly displayed on the site, or your contact details highlighted within your privacy policy.
  • WordPress

If you are using WordPress, good news! WordPress is going to be GDPR compliant after 15th May, so make sure to update your WordPress install and any other plugins. However, please keep in mind that this is just the core and does not mean the front end is GDPR ready. Most if not all plugins will be revising their privacy policies, so be sure to update them.

  • If you store customers’ details in an online database, make sure they are fully encrypted and secure, and deleted after a certain time frame.
  • Make sure your hosting & site is secure and all plugins, frameworks and systems are up to date.

Of course, this is just a rough overview, and GDPR law will change depending on your company and how you deal with data, so we recommend hiring a GDPR officer to audit your company or contacting a lawyer. Do not take this as legal advice; we cannot be held responsible for any actions or repercussions.

We have put together a list of useful blogs so you can get a better understanding of what GDPR is and how to go about dealing with it.

GDPR for small businesses

ICO – GDPR for Small organisations

ICO – Preparing for GDPR

A handy tool

ICO –Data Protection self-assessment

A tool kit to build a new privacy policy

GDPR – Build your own privacy policy

Privacy template

Website Contracts – Buy a Privacy Policy

GDPR for WooCommerce

12 step guide for WooCommerce

GDPR by WooCommerce

This is our idea of being compliant; we have no legal background and you should contact a lawyer. You also need to be GDPR compliant throughout your whole company, not just online. We take no responsibility regarding GDPR compliance, and an audit of your site should be carried out by yourselves; these are simple steps to prepare you for it.
