
Here’s a reminder highlighting some much discussed (read: boring), yet essential GDPR things you should know about:

  1. Reminder about your GDPR responsibilities

  2. Adding a Privacy Policy to your website (if we've built your website, we will add yours on for free)

  3. Adding an SSL certificate to your website

 

1. Reminder about your GDPR responsibilities

As you will have had drilled into your consciousness, the GDPR (General Data Protection Regulation) applies from 25 May 2018. It covers every business established in the EU, and also businesses outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

Businesses must address the following:

  • what personal data do you collect

  • how do you collect it

  • what purpose do you collect data for and ensure you only use it for that purpose

  • how you protect the data at all stages of processing

  • how you delete the data securely when it is no longer needed.

You can read GDPR for website owners on our website for further details.

 

2. Privacy Policy

As part of the new regulation, websites need a Privacy Policy that tells users how data is collected, stored and used. Because not every business collects and handles data in the same way, each business is responsible for ensuring its own compliance, just as it is responsible for compliance with the laws that apply to it today.

Our Privacy Policy is now in place and we used GetTerms to create it. You can use it too, but we are not in any way endorsing this site and you can use it at your discretion!

 

3. Add an SSL certificate

These are the websites that show 'https' and a padlock in the browser's address bar: the data a visitor sends to (and receives from) the site travels over an encrypted connection. 'SSL certificate' is the name that has stuck, but the protocol doing the work today is TLS (Transport Layer Security); the original SSL versions are obsolete and should be switched off on the server. If your website has a certificate and serves every page over https, you are taking a step towards GDPR compliance.

A certificate is a digital document that proves the identity of a website: it lists the domain names the site is allowed to use, carries the site's public key, and is signed by a Certificate Authority (CA) that browsers already trust. It acts as an electronic 'passport' for the site. The certificate itself does not encrypt anything. When a visitor's browser connects, it fetches the certificate from the server, checks that the name matches the address typed in, that the certificate has not expired and that the CA's signature is valid, and only then agrees a fresh session key with the server. From that point on everything exchanged in the session is encrypted, so a form submission cannot be read or altered in transit.

GDPR does not name any particular technology, so a certificate is not an explicit legal requirement. It does, however, require 'appropriate technical measures' to protect personal data and gives encryption as an example (Article 32), so a contact form, login page or checkout that sends personal data over plain http is hard to defend. Once the certificate is installed, check that http addresses redirect to https, that every form posts to an https address, that no page loads http resources (a 'mixed content' warning removes the padlock) and that renewal is automated, because an expired certificate produces a full-page browser warning. Let's Encrypt issues certificates free of charge and most hosts can install them for you.

 

Published in Blog
Monday, 30 April 2018 11:29

GDPR for website owners

As you will have noticed already by now, the GDPR (General Data Protection Regulation) applies from 25 May 2018.

The GDPR replaces the existing data protection rules (in the UK, the Data Protection Act 1998) on how businesses collect, store and use the personal information of clients. The new regulation puts control of personal data back in the hands of the people it describes, rather than the businesses that hold it. So it's essential for us and our clients to make the necessary changes so we all comply with the new legislation.

 

You need to comply if your business handles personal information and is established in the EU, or is outside the EU but offers goods or services to, or monitors the behaviour of, people in the EU. Simply put, businesses must address the following:

  • what personal data do you collect

  • how do you collect it

  • what purpose do you collect data for and ensure you only use it for that purpose

  • how you protect the data at all stages of processing

  • how you delete the data securely when it is no longer needed.

 

As a website owner, ensure that you:

  • Get valid consent before collecting data wherever consent is your lawful basis (a newsletter sign-up, for example). Consent must be an active opt-in: no pre-ticked boxes, and keep a record of when and how it was given. Consent is not the only lawful basis; processing needed to fulfil an order, for instance, rests on the contract with the customer.

  • Provide a clear and accessible privacy policy that tells users what data is collected, how it is stored and what it will be used for.

  • Have a mechanism in place for users to request a copy of their data (a subject access request), which you must normally answer within one month.

  • Put a 'Right to be Forgotten' process in place, so users can withdraw consent and request removal of the personal data you hold about them.

 

Regarding what website owners need to do, we suggest undertaking the following activities to ensure you are compliant:

 

1. Conduct a data audit of what data you are collecting

  • This includes data collected from your ‘Contact us’ forms such as names, email address, telephone number, company, etc.

  • Data you pass to third-party services such as Mailchimp, Infusionsoft or AWeber. These are processors acting on your behalf, so you need a written contract with each one that covers what GDPR requires (Article 28), and you remain responsible for the data.

  • An online store you use to collect customer data to process orders.

 

2. Record where data is stored

  • Contact forms that keep a copy of each submission in your website's database (many form plugins do this by default) and the copies sent on by email. Is that data stored unencrypted, who can access it, and how long is it kept?

 

3. Is the data you have stored necessary?

  • Keep your data collection to a minimum and you’ll limit data breaches and GDPR non-compliance. Collect only information you are going to use.

 

4. Write a privacy policy

Your website will need a privacy policy page that tells users how data is stored and used. It should inform customers how they can request access to their data and what they have to do to withdraw consent for their data use and storage.

 

5. Add an SSL certificate to your site

These are the websites whose address starts with 'https' and which send data over an encrypted connection (the protocol in use today is TLS, though 'SSL certificate' remains the common name). GDPR does not name a specific technology, but it does require appropriate technical measures, with encryption given as an example, so if your site collects personal data through forms, serving it over https is the expected baseline rather than an optional extra. After installing the certificate, make sure plain http addresses redirect to https and that every form submits to an https address.
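What a browser is actually checking when it sees a certificate, as an added example that is not part of this post or of the 'Add an SSL certificate' section in the post above: a POSIX shell script that mints a throwaway self-signed certificate for the hypothetical host www.example.com with the openssl command-line tool and then runs the three checks a browser runs, namely that the host name is in the certificate, that the certificate is within its validity dates, and that it chains to a CA the client already trusts. The last check is the one a self-signed certificate fails, which is why a site needs a certificate from a public CA rather than one it made itself. It assumes openssl 1.1.1 or later is installed (the -addext and -ext options need it) and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI
# (1.1.1 or later). HOST is a hypothetical site name chosen for illustration.
set -e
WORK=$(mktemp -d)
HOST=www.example.com

# 1. Mint a self-signed certificate, i.e. what you get if you skip a real CA.
#    -addext puts the host name where browsers look for it: the Subject
#    Alternative Name extension, not only the Common Name.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# 2. Name check: does the certificate list the host name given as $1?
#    Prints 0 if it does, 1 if it does not.
cert_has_name() {
  openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$1" && echo 0 || echo 1
}

# 3. Date check: is the certificate still valid right now?
#    (-checkend 0 succeeds only if it does not expire within 0 seconds.)
#    Prints 0 if valid, 1 if expired.
cert_is_current() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkend 0 >/dev/null \
    && echo 0 || echo 1
}

# 4. Trust check: does the certificate chain to a CA in the trust store given
#    as $1 ("system" for the machine's default store)? Against the system store a
#    self-signed certificate fails, which is the warning visitors would see;
#    pinned as its own CA it passes. Prints 0 for trusted, 1 otherwise.
cert_trusted_by() {
  if [ "$1" = system ]; then
    openssl verify "$WORK/cert.pem" >/dev/null 2>&1 && echo 0 || echo 1
  else
    openssl verify -CAfile "$1" "$WORK/cert.pem" >/dev/null 2>&1 \
      && echo 0 || echo 1
  fi
}

make_self_signed
echo "name present for $HOST: $(cert_has_name "$HOST")"              # 0
echo "name present for shop.example.com: $(cert_has_name shop.example.com)"  # 1
echo "currently valid: $(cert_is_current)"                           # 0
echo "trusted by the system store: $(cert_trusted_by system)"        # 1
echo "trusted when pinned as its own CA: $(cert_trusted_by "$WORK/cert.pem")"  # 0
echo "certificate and key left in $WORK for inspection"
```

The second name check shows why a certificate issued for www.example.com does not cover shop.example.com: each host name served over https must appear in the certificate (or be covered by a wildcard). The 'trusted by the system store' line is the check a CA-issued certificate passes and a self-made one fails. Delete the temporary directory once you have looked at the files.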

 

6. Understand what you do in the event of a breach

The data controller needs defined processes for handling a personal data breach: contain it, assess the risk to the people affected, and report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to put people's rights at risk. Where the risk to individuals is high, they must be told without undue delay as well. Keep a log of every breach, including those you decide not to report, and make sure any third party that processes data for you is contractually obliged to tell you about breaches promptly.

 

For more information, visit the Information Commissioner’s Office website for a useful guide written in plain English. Check out the ‘12 steps to take now’ PDF:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

 


