First things first: if you’re familiar with the General Data Protection Regulation (GDPR), then you will know the deadline has long passed.
However, if you find yourself asking the question ‘what is GDPR?’, then this blog is essential reading - plus we have a full suite of articles and GDPR-related downloads for you to enjoy. It’s safe to say, we know our stuff on GDPR.
Whilst the Information Commissioner’s Office (ICO) would claim that there has been ample opportunity for businesses to make sure their systems and websites are compliant with GDPR, many businesses, especially smaller ones, are yet to commence their GDPR compliance and now risk incurring fines and penalties from the ICO.
If you are one of the businesses that have struggled to apply the complex rules surrounding GDPR and are yet to implement even the correct privacy and cookie policies, don’t worry, you’re not alone - but you are behind.
So, without further ado, this blog is going to explain how you can make your website GDPR compliant, with no corners cut. You will learn about the correct documents your website needs to make sure you stay on the right side of the law and then find out how to get them.
- General Data Protection Regulation: At a Glance
- How to Become GDPR Compliant
- How to Make Your Website GDPR Compliant
General Data Protection Regulation: At a Glance
If you are up to speed with the General Data Protection Regulation you will know that the aim of GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world.
When it comes to making your website GDPR compliant, it is all about knowing what you can, can’t, and must do when it comes to collecting user information on your organisation’s website.
Realistically there are two main themes to GDPR: keep customer data secure, and make all your marketing communications as clear as possible.
It starts with understanding whether you are processing personal data and whether the GDPR applies to your activities. If you have a website or database, the chances are that you collect EU residents’ personal data.
In such a case, you must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data. It is crucial that, from the very start, you are clear, open and honest with people about how you will use their personal data.
GDPR is a day-to-day responsibility. It starts by implementing the correct policies and documents on your website. You will want to get it right the first time; that way you can rest easy afterwards.
How to Become GDPR Compliant
As mentioned, if your website is non-compliant with GDPR, we recommend rectifying this situation quickly to ensure compliance.
GDPR stands out from all existing regulations because of its breadth of client data protection. Coupled with its severe repercussions for compromised data security, GDPR has transformed the way data-driven companies handle customer data.
So, below are six important steps that will demonstrate how to make your business and website GDPR compliant. At the end, we will offer you our cost-effective, simple solution to GDPR compliance.
1. Analyse and Review Your Company’s Use of Data
As your first step to making your business and website compliant with GDPR, you need to analyse and review all of the data that your company uses.
We recommend undertaking a GDPR Protection Audit. This audit provides you with the framework to review whether your organisation is following good data protection practice. The audit will check if you’re following the GDPR and will allow you to focus on areas that need improvement.
A GDPR Protection Audit is also great to have on file, showing the ICO that you have taken the time and identified the steps necessary to become compliant with GDPR.
A good GDPR Protection Audit covers data protection governance and policies, compliance with data protection legislation, the processes for managing both electronic and manual records, and the process for responding to any request for personal data including those made by third parties.
Following a GDPR Protection Audit, you will establish the areas your business needs to focus on to ensure compliance with GDPR.
2. Six Lawful Bases and Website Consent
GDPR is designed to put an end to mass data collection, where (as the news tells us organisations like Facebook used to do) companies would collect as much information as possible on users, often without consent, and keep this in a database for future use.
The General Data Protection Regulation requires businesses to be specific about the personal data they collect and have a valid lawful basis in order to process personal data.
To make sure your website and business are GDPR compliant when processing data, there are six available lawful bases you must adhere to (depending on the type of data you’re processing).
- Consent: Offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation (more on consent later in this point).
- Contract: Rely on this lawful basis to fulfil your contractual obligations to individuals, or because they have asked you to do something before entering into a contract.
- Legal Obligation: A lawful basis for your business if you need to process the personal data to comply with a common law or statutory obligation.
- Vital Interests: A lawful basis for personal data to protect someone’s life.
- Public Tasks: This lawful basis is most relevant to public authorities. This covers public functions and powers that are set out in law.
- Legitimate interest: This is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
You must always determine the lawful basis before you begin processing any personal data.
Remember: Once you have chosen a lawful basis for your data processing, you should not swap to a different basis without good reason. The ICO states you cannot usually swap from consent to a different basis.
Now, if you choose consent as your lawful basis there are further guidelines you need to follow. You must give people a genuine choice and control over how you use their data. People must be able to refuse and withdraw their consent easily at any time.
For example, contact forms on your website must justify why you are asking for any details/data. Further, it is recommended to collect individual consent for different forms of communication, for example, consent to email and separate consent for telephoning.
The overarching principle is to always make sure that consent is explicit and well informed, with full transparency on the intended purpose and use. No more auto consent, or ‘opted-in unless you opted-out’ consent.
If you want to explore consent in more depth, read our article on GDPR and Marketing Consent.
Now, cookies are unfortunately not the chocolatey round food snacks but rather small text files that are placed on your computer by websites that you visit. Cookies make websites work more efficiently as well as provide information to a website’s owner.
Cookies are subject to the General Data Protection Legislation only if they contain personal data. A business must account for all cookies if there is a legitimate, specific reason for using them.
To make sure your website’s cookies comply with GDPR, you want to give your website visitors the opportunity to act before cookies are sent. We recommend a soft opt-in and notice before the visitor continues to browse your website.
4. Data Controller or Data Processor?
As the owner of an active website, you will adopt the role of a data controller and/or data processor. Under new obligations of the General Data Protection legislation, both roles and their responsibilities vary. First, let’s look at each definition.
Data Controller: A natural or legal person, public authority, or other body which determines the purposes and means of processing personal data.
Data Processor: A person who processes personal data on behalf of the controller.
To make this clearer, the data controller has ownership of customer data and determines how such data, like email addresses and contact telephone numbers, is collected and used.
The data processor on the other hand processes data on behalf of the controller but cannot undertake any activity with customer data unless the controller has given permission.
So what does this mean for you and your business with GDPR? Put simply, only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data. You must establish a legal precedent for collecting personal data using the six lawful bases (see point 2).
GDPR also requires the data controller and processor to outline the measures in Article 32 - “Security of Processing”. To comply with GDPR, as a business, you must ensure a level of security appropriate to the risk. This includes improving your encryption of data and assessing the appropriate level of security, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
This further includes the ability to restore the availability and access to personal data in a timely manner, in the event of a physical or technical incident.
GDPR also holds data controllers accountable for the disposal of personal data in most cases. The ICO actually recommends appointing a dedicated Data Protection Officer (DPO) to oversee all of this for organisations with more than 250 employees.
5. Report Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data - anyone’s worst nightmare.
This point is pretty straightforward. Under the new GDPR legislation, as a data controller, if you experience a personal data breach you need to consider whether it poses a risk to people. Following your assessment, if it’s likely there will be a risk, you must notify the ICO (The Information Commissioner's Office).
These breaches can be the result of both accidental and deliberate causes. Note: you don’t need to report every breach to the ICO; a breach needs to have a ‘significant impact’. But if your business is found to have not notified the ICO about a breach of significant risk to personal data, you will be liable for penalties and fines that can reach €20,000,000 or 4% of your annual turnover.
6. Document Your Compliance
Finally, because GDPR contains explicit provisions about documenting your processing activities, you must maintain a record of processing purposes, data sharing and retention.
The legislation states that you must keep your records in writing so that you can justify your data collection practices. We recommend that your business maintains records electronically as well.
In your documentation, you should keep records of consent, controller-processor contracts, the location of personal data, records of personal data breaches, information required for privacy policies, and data protection impact assessment reports.
To make sure you’re documenting your processing activities, follow this GDPR documentation checklist.
- Conduct an information audit to find what personal data your organisation holds.
- Hold discussions with business employees to get a more complete picture of your processing activities.
- Review your business policies and procedures.
- Document your processing activities in writing in a meaningful and granular way.
- Conduct regular reviews of the personal data you process and update your documentation accordingly.
How to Make Your Website GDPR Compliant
Now that you have an understanding of the important procedures to make your website and business compliant with GDPR, time is of the essence to make this happen.
Following significant demand from our clients, we are rolling out our GDPR Protection Pack for all businesses. This offers amazing value and includes these GDPR document templates to make your website and business compliant.
- GDPR Data Protection Audit
- GDPR Audit Guidance Notes
- Legitimate Interest Assessment (LIA)
Employee GDPR Protection:
- GDPR Employee Data Protection Policy
Website GDPR Protection:
- GDPR Data Protection Policy
GDPR Security Policy:
- GDPR Data Security Policy
Subject Access Request (SAR):
- Subject Access Request Form
SAR Initial Replies:
- Fee and/or Additional Time
- Receipt of ID
- No Data Found
We’ve made making your business GDPR compliant easier than it has ever been. Our templates have all been drafted by legal experts and will help you take step-by-step actions to make sure you set up all the correct documentation across your website. This represents a significant saving over instructing solicitors to create all of these documents for you.
Our mission is to ensure as many businesses, big or small, have GDPR-compliant websites, and our GDPR Protection Pack is how we are achieving this.
Don’t leave making your website compliant to the new year. The ICO could come knocking tomorrow. You have just learnt how to make your website GDPR compliant, so what is stopping you acting upon this urgent need right now?
Want to discuss how GDPR affects your marketing? Then schedule a free 30-minute call with one of our marketing experts today.