GDPR compliance – is your website ready?
GDPR is the acronym on everybody’s lips at the moment. But what does it mean for website owners and how can you ensure you’re compliant?
We’ve put together the following question and answer guide to help you through this complicated issue.
Q. What do I need for my website to be compliant?
Q. What are my responsibilities as a website owner?
A. You are responsible for all data collected from your website. As a result, you’ll need to explain who you are – this is usually clear on a website, but check it. How long you’re keeping the data is also important. We suggest stating that you’re keeping the data for one year and have an internal programme of data deletion. Finally, you’ll need to say why you need the data. An acceptable answer is that you’re collecting it so that you can complete the user’s order or request.
Q. What about the rest of my team?
A. GDPR requires you to list who on your team has access to personal data. This is usually internal admin or sales staff, or anyone involved in completing orders. However, it also covers external organisations that have access to the data, e.g. PayPal, your merchant bank account provider or your order delivery company.
Q. How do I ensure I have consent to use personal data?
A. You need explicit and clear consent to collect data and the best way to do this is through an opt-in form. This should include separate boxes that the user must tick themselves.
Q. What would I need to do if there was a security breach?
A. GDPR requires you to let all users know immediately if there’s a hack or security breach, and you need to make this clear in your Privacy Statement.
Q. What about cookies?
A. It’s important that your Privacy Statement covers cookies. Although these small text files are stored on the user’s own electronic device, GDPR still views them as personal information that you have indirectly stored on their device while they were exploring your website. It’s important to make this clear from the outset, which is why a cookie prompt policy works well for website owners.
Q. Are there any other important considerations?
A. Yes – you need to give users access to their own data so that they can download it or have it deleted from your records completely. We suggest including an opt-out option in all email correspondence. As well as this, your Privacy Statement should include an email address that users can use to request access to their information.