GDPR and your website
A new data protection law, called the GDPR, comes into effect on 25 May 2018. This has big implications for any organisation that collects personal information.
The way we can legally collect and store people’s personal data is changing with potentially large fines for organisations that do not abide by the new regulations.
The GDPR (General Data Protection Regulation) is far reaching and complex and affects many aspects of your organisation. The GDPR is a European Union law that will still apply even when the UK leaves the EU, and the Information Commissioner’s Office (ICO) is the body responsible for advising on and policing the regulation in the UK.
Your website is an important part of GDPR compliance and we’re listing some things you need to consider and some actions you need to take.
What is ‘personal data’?
Personal data can be something obvious like a name or an email address but it applies to anything that can be traced back to a living individual. This could be an IP address, a car registration number or even a photo. There are special rules if you collect ‘sensitive’ personal information such as details about a person’s health.
Key changes
GDPR aims to protect all EU citizens from privacy and data breaches by allowing citizens (or data subjects) to know and control the information that is held about them. GDPR applies to data controllers who decide on what information will be collected and what happens with it, and data processors who collect, store or use that information on behalf of the controller.
With regard to your website, you are the data controller and Bananadesign are the data processor. We both have responsibilities for managing the data in line with the data protection principles.
Transparency and documentation
The key principle is transparency, so that data subjects know what data you will use and for what purpose, and whether it is shared with any third parties. It is best to be as clear as possible about what data you will collect, how you will use it, where you will store it and for how long. If data is shared with a third party (such as MailChimp, a hosting company or a website backup service), this must be stated as well, including where that party keeps the data and for how long.
You must also be able to show documentation for the decisions that were made and the consent that was obtained.
Lawful basis
There are six lawful bases for collecting and processing personal data. The main ones that are likely to affect you are:
- Consent (because the data subject has given clear and explicit consent for you to use and store their data)
- Contract (because it is necessary to perform a contract with the data subject. Website account logins or e-commerce purchases are covered by this for example)
- Legitimate interests (because it is reasonable and necessary to carry out a task such as replying to a contact form submission)
- Legal (because it is required under law)
Under all lawful bases you may only use the data for the specific purpose of the basis. For example you cannot send marketing emails to someone because they submitted a contact form on your website.
Individual rights
GDPR also gives data subjects individual rights. The main ones that are likely to affect your website are the right to be informed about what data you hold, and the rights to have that information updated, deleted or moved (for instance, providing it in a format the data subject can use if they want to move an account to a different provider). You will need to have processes in place to deal with these requests.
Breach notification
If there is a data breach (this could be a website hack or a file being emailed to the wrong person) you must inform the ICO within 72 hours. If the data subjects are likely to experience ‘high risk to their rights and freedoms’ from a breach then you must notify them as well.
Security
Data must be processed and stored securely using ‘appropriate technical and organisational measures’. GDPR doesn’t specify what these are so it is important to follow best practices including:
Website
- Firewalls and other security systems to prevent unauthorised access
- Ensure activity logging is in place so you can spot an intrusion or malicious activity
- Ensure your server, your content management system (such as WordPress) and plugins are patched and up-to-date
- Only give access to staff that need it and ensure that their level of administration privileges is the lowest that their role requires
- Only keep what data you need online
- Do not transmit personal data via email
- Use an SSL security certificate on your site to encrypt all website traffic
- Use a two-factor authentication (2FA) app such as on a mobile phone to login to your website
- Pseudonymise personal data if possible
- Encrypt databases if possible (or encrypt specific sensitive data)
Office
- Ensure only relevant staff have access to personal data
- Secure all computers with a username and password login
- Encrypt hard drives
- Ensure you have malware and anti-virus software in place and that it is up-to-date
- Have security and password policies in place
- Use a password manager (such as 1Password or LastPass) to ensure unique strong passwords for each website you use
- Do not share login details via email
- Encrypt your office backups
- Ensure you have a suitable security and privacy policy for staff that work off-site or from home.
Website actions
Blog comments
For sites that have public comments, we can add a checkbox that commenters must click in order to give consent for their data being used on the website and agreement to the updated privacy policy. This isn’t required for sites with member areas where commenters have to login (as this is covered by the contract lawful basis).
Cookies
Update: the ICO has issued new guidance about cookies and you can read our blog post about it here.
The situation with cookies is still somewhat unclear as these are currently covered by the e-Privacy directive (or PECR). So if you have a cookie policy that follows the ICO guidance then this is likely to be sufficient for now. However it depends on the type of cookies your site uses, for example if you use tracking or analytics that collect IP addresses this is personal data and requires consent. The ICO haven’t issued new guidance and an updated e-Privacy directive is expected in 2019 to clarify the situation. In the meantime to ensure compliance there are a few things that can be done:
- Google Analytics uses anonymous data but does collect IP addresses. Google provides an option to anonymise the last part of an IP address as well, but this reduces the accuracy of the geographic location information available to Google Analytics.
- Use a paid service like CookieBot or Civic’s Cookie Control to monitor what cookies your site uses and to give users options to control which cookies are set.
- We can also create a cookie settings pop-up such as the example here.
Contact forms and other notification emails
When a contact form is submitted it is emailed to the website owner and often stored in the website database as well (a belt-and-braces approach to ensure no form submissions are lost over email). Usually the email contains the data submitted in the form, and as email is insecure this is no longer acceptable. So we need to update all contact forms to:
- inform the user how their data will be used
- strip the form data from the email sent to the website owner (and from any copy sent to the person who submitted the form). The email will just contain a notification that a form has been submitted and a prompt for you to log in to view the data.
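The change described above, as an added example that is not Bananadesign’s or any plugin’s code: the old notification carries every submitted field in the email, the updated one stores the submission server-side and emails only a reference number and where to log in. The sample submission, table layout and admin URL are constructed for the example.

```python
import sqlite3
from email.message import EmailMessage

# Constructed sample submission; the values are made up for this example.
SAMPLE_FIELDS = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "message": "Please call me about my booking.",
}

def open_store() -> sqlite3.Connection:
    """In-memory table standing in for the site database (hypothetical layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)")
    return conn

def store_submission(conn: sqlite3.Connection, fields: dict) -> int:
    """Persist the submission server-side and return its row id."""
    cur = conn.execute(
        "INSERT INTO submissions (name, email, message) VALUES (?, ?, ?)",
        (fields["name"], fields["email"], fields["message"]),
    )
    conn.commit()
    return cur.lastrowid

def notification_with_data(fields: dict) -> EmailMessage:
    """Old pattern: the submitted personal data travels in the email body."""
    msg = EmailMessage()
    msg["Subject"] = "New contact form submission"
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields.items()))
    return msg

def notification_without_data(submission_id: int, admin_url: str) -> EmailMessage:
    """Updated pattern: only a reference number and where to log in to view it."""
    msg = EmailMessage()
    msg["Subject"] = "New contact form submission"
    msg.set_content(
        f"A new form submission (#{submission_id}) has been received.\n"
        f"Log in to view it: {admin_url}\n"
    )
    return msg

def leaks_field_values(msg: EmailMessage, fields: dict) -> bool:
    """True if any submitted value appears in the subject or body of the email."""
    text = str(msg["Subject"]) + "\n" + msg.get_content()
    return any(value in text for value in fields.values())
```

The `leaks_field_values` check is the kind of assertion worth keeping in a test suite so that a later template change cannot quietly put the data back into the email.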
Data Processing Agreements
You must use GDPR compliant suppliers who process data on your behalf, and you must have a Data Processing Agreement in place for each data processor. Bananadesign will provide a Data Processing Agreement to each client.
E-commerce
Store purchases or donation payments are covered under the contract and/or legitimate interests lawful bases. We never store credit card data on any of our servers as this is always managed by the payment processor (such as PayPal).
Mailing lists
Email service providers such as MailChimp and Campaign Monitor are now providing GDPR compliant sign-up forms. It is unlikely that your current mailing lists are compliant (because your privacy policy, consent and transparency about data usage and storage will not have been in place when they were collected). So you will need to re-consent these lists before 25 May.
Privacy policy
This will be your key policy and where you will show your GDPR compliance. You must update your privacy policy to include details about what data you will collect, how you will use it, where you will store it and for how long and this needs to include any third parties as well.
Plugins
Additional services and functionality may have been added to your website (for example to add donation payments or event bookings). Each one of these services will need to be assessed individually for GDPR compliance.
Third parties
If you use third party services such as Dropbox, Google Drive, MailChimp or a CRM system to store or process personal data then you need to ensure they are GDPR compliant and have a Data Processing Agreement in place with them.
Users
Review your lists of website users both administrators and others (such as members) and delete any that are no longer relevant.
Other actions
- Read about how GDPR impacts on your organisation and practices
- Do a data audit of the information you currently hold
- Consider whether you have a suitable lawful basis for holding that data and delete it, or re-consent it, if you do not
- Consider if you are storing sensitive personal information (such as a person’s health details) and if so review the extra security measures that GDPR requires
- Do a Data Protection Impact Assessment (what effects would a data breach have? This includes thinking about what harm might come to a person if their data was breached)
- Update your website Privacy Policy, Cookie Policy and Terms and Conditions
- Ensure your internal systems have appropriate security measures in place
- Update your website to a more modern system if it is out-of-date
- Use an SSL security certificate if you aren’t already
- Consider whether your current hosting arrangements are suitable for the type of data you are collecting and storing
- Check to see if you need to register with the ICO
- Identify if you need to appoint a Data Protection Officer
- Ensure you have Data Processing Agreements in place with any company that processes data on your behalf
- Check that you have suitable insurance to cover data breaches or cyber attacks
Next steps
We are currently auditing the websites we manage and our own internal processes. In the meantime, as always, if you want to discuss any aspect of your website please do get in touch.
Disclaimer
This information is offered in good faith but we are not data protection or legal experts and can take no responsibility for actions or inaction you decide on. Please ensure you obtain suitable legal advice from a qualified solicitor.