When you’re setting up your business website, checking that you’re GDPR compliant may be lower down on your list of priorities.
However, even as a one-person operation, you must be in line with the law – or else you could be slapped with a serious fine.
We want to take the intimidation out of the process by guiding you through these nine steps to GDPR compliance for your new site.
1. Establish where your data comes from and how to handle it
As a quick reminder, personal data is defined as any information which can be used directly or indirectly to identify a person. It could be a name, photo, email address, bank details, medical information, computer IP address, cookies or social media posts.
Your starting point is to know where data comes from and what you do with it. Data can be collected through Google Analytics and GPS location trackers as well as through email sign-ups. Next, pinpoint where the information is stored and who can access it.
Work out your procedures for:
- Proving someone has given you consent
- What to do if someone wants their data to be erased
- What to do if you suffer a data breach
At this point, think about the type of data you’ll be collecting. If you’re asking about their favourite food and you’re not a food or drink business, that teeters into the territory of unnecessary information. The data you collect must have a ‘lawful basis’, which can be one or more of the following:
- Legal obligation
- Vital interests
- Public tasks
- Legitimate interests
Ensure you’re able to handle requests for a person’s data to be removed or changed.
2. Make your marketing emails GDPR compliant
To draw people to your site, you’re likely to include marketing emails in your business strategy.
The most important consideration here, as with any area of GDPR, is consent. You must be able to prove that a user or customer has given you consent to send them marketing emails. This includes everyone on your email database.
As well as ensuring everyone has consented it’s got to be easy and fuss-free for them to opt out. This could include an unsubscribe link at the bottom of emails or an option to edit email preferences through their online account. Include unsubscribe options in every email.
3. Perfect your opt-in forms
It’s crucial that opt-in forms are not pre-ticked – users must actively tick the box themselves. Label the checkbox in a way that isn’t confusing, avoiding the ‘if you don’t want to receive marketing emails, don’t tick the following two boxes’ trap.
To save yourself from an accidental subscribe situation, you could go for a double opt-in process. This could be a tick box to sign up to your mailing list and a follow-up email to confirm subscription.
Be careful with automation too. If an email gets sent to someone who has opted out, that could land you with a penalty.
You’ll need to say what personal information you collect, how you collect it, use it and whether you share or sell it. Be clear in your language and avoid jargon as far as possible. Formatting clearly is important too, such as bullet points. Include the lawful basis, or bases, you use as well.
Next, tell users that their data is stored securely. You don’t have to go into specifics here, but it’s reassuring for them to know. Outline user rights, including making amendments to their data, deleting data and to having their information erased on request.
Finish up with a contact information section should anyone have questions about the handling of their personal data.
A cookie is a file which is saved to your device and stores the website’s name, giving you a unique ID to show that you’ve been there before. It can also store how long you’ve been on a website, which links you’re clicking on, preferences and settings, accounts you log on to, pages viewed and items in your shopping basket. When you revisit a site, they’ll remember you and give you a more personalised experience.
You must have an opt-in checkbox here too. Like your emails, it must be easy to opt out of cookies – give users the option to change preferences in their settings.
6. Protect yourself from data breaches
You can protect data by encrypting it, restricting sharing and data retention policies, minimising the amount of data you hold and maximising user privacy as standard. With less data to steal, the risk of theft will be lower. To further protect data from hackers, you can’t store it across multiple devices and programmes and check that only authorised members of staff can access the info.
Privacy Impact Assessments (PIAs) also need to be carried out if there are changes to the company like a business acquisition, a new IT system or a new surveillance system.
At every stage of the process, you should encrypt, pseudonymise or anonymise personal data where you can.
It’s just as important that you know what to do in the event of a data breach. Contact ICO within 72 hours of becoming aware of the breach and notify all customers that may have been affected as soon as possible.
7. Train your staff
Staff must have training and awareness of GDPR. This could be done by bringing someone in to lead training or by giving employees an online training course with a quiz.
8. Set up a GDPR compliance folder
This is where, if requested, you can prove how you obtained permission to gather someone’s personal data, what you use it for and how you keep it safe. It’s the place to store opt-in forms, privacy policies, pop-ups and other ways users have actively engaged to give you consent.
In your folder, you should include:
- The name and address of data controller
- The name of your data protection officer (if you need one)
- A record showing how your business processes personal data and what you do to protect it
- Personal data impact assessment template
- Privacy notices
- Data retention policy
- Procedure for subject access requests
- Responses to data breaches
- A data breach log
- A notification template for the Information Commissioner’s Office (ICO) in case you need to report a breach
- Records of staff training
- Third party processors and copies of their contracts
The whole folder should be stored on the company’s file system and be ready to send to ICO at short notice.
9. Create a regular review process
It’s a good time to review who wants their data removed and any data that you have and no longer use. Look at whether you might be holding on to more information than you need and if so, get rid of it.
This should give a sense of what you need to do to make your website GDPR compliant. For more detail, have a glance over the following links: