If you run a business, you likely have a presence on the web, a website, in other words.
For some, that site might be an online store where visitors can purchase your products directly. For service providers, it may be a site promoting those services and informing potential customers about your quality and the benefits your services bring.
A well-crafted, engaging website is all about credibility; it is an opportunity to make that critical first impression. We tend to focus on those things when creating our sites or working with those who can do it on our behalf.
Many, though, tend to forget the importance of GDPR compliance, or at least put it on the back burner; the result, of course, is that an alarming number of websites aren’t as compliant as they should be…
Here are some of the most overlooked areas of website compliance:
Cookies & Consent
Cookies are classified as a type of identifier, one which can often (in the case of authentication cookies) contain personal data used to log in to accounts. They might also collect information such as unique IDs and site preferences to better tailor content to a user’s tastes.
The regulations around cookies relating to GDPR and PECR (Privacy and Electronic Communications Regulations) are complex and wide-ranging depending on your business and the purpose of your site. They might not always be classed as personal data, which confuses many site owners.
SSL: Secure communication between a site’s server and the device your users browse on is essential. You might notice some sites display a padlock icon in the address bar, and that icon means the connection is encrypted using HTTPS (not the older, less secure HTTP) protocol.
Securing your website is crucial to guarding your data as well as sensitive information from your customers. Taking preventative measures to protect your site can save time and money and protect your brand reputation. It does not matter if you collect payments or personal data; it should still be secure.
Passwords: One other way to secure your website is by logging in. Ensure that you use a strong password AND multi-factor authentication. Ensure anyone with access to the website has a unique and strong password.
Back up your website or automate the backing up of the site. Your hosting provider can provide this.
Updates: Ensure you update your website regularly or automate the updates. Updates are released to improve your site’s security and the plug-ins you use.
Privacy Policies
Disclosing how you gather, store, use and manage your visitors’ data is an essential aspect of good GDPR practice, making your privacy policy a vital working document.
It should contain
your contact details,
the types of personal information you collect,
how it is obtained, and why you have it.
The policy should also state how the data is stored along with the rights of the individual and how to make a complaint if they feel it necessary to do so.
It also needs to be easily accessible for all to see.
Opting-In & Opting-Out
Online marketing can be challenging to understand the regulations (PECR). As a rule of thumb, do not rely on legitimate interests to send emails.
When adding a sign-up form, it is crucial to give them a choice to opt into specific types of communication. Remember that opting in is always preferable, and being specific is essential.
You might send different types of emails, such as newsletters, marketing, product updates or essential emails. Subscribing and unsubscribing from some or all of these should be as easy as possible for your users.
Are you doing enough to ensure your website is compliant? If you need advice and support, I’d be delighted to help make your website GDPR-compliant. Get in touch today to schedule a chat.
Have a conversation with your website designer/tech, who will be able to ensure the site is secure. If you would like support, advice or guidance on policies, then why not book a free discovery call with us?
Our Services What We Do Best We create a service specific to your needs to implement standard processes, review systems to ensure they meet their needs and budget, and ensure compliance and ensuring things run smoothly for everyone. Enquire NowAbout Us Be Business...
Privacy management can be a contentious issue. Isn’t it the business’s data when I have it? The data is out there, so why can’t I use it? Why should businesses care about the management of data and privacy?
History
The Universal Declaration of Human Rights in 1948, has one of the earliest statements towards the right to an individual’s privacy.
That was over 70 years ago, and the rights of an individual, in relation to privacy, are still being defined and redefined; 1973 and the first Data Act, in Sweden. The 1998 Data Protection Act in the UK and then, subsequently, the 2018 General Data Protection Regulations (GDPR), led to countries around Europe updating their own data protection laws.
Businesses have adapted and changed in 70 years, especially with the advancement and speed in technology. Hence the changes and updates in legislation, especially in relation to information sharing.
Privacy conflict
Businesses need data to run their businesses. Ideally, many businesses would say, they need to gather information to contact prospective clients and use that data as they want within their business. Look at the big tech companies, like Meta, Google and Amazon, who rely on the collection and ‘reusing/distributing’ of data as a fundamental cornerstone of their business. The selling of data can be a considerable income stream.
It is no wonder that businesses, no matter how big or small, have difficulties with privacy; especially when you have to balance the needs of the business with the needs of the individual. The individual has rights!
And there is the conflict. Many businesses argue either the information is out there or that the person has given it to them, so why can’t I use it the way they want to?
Good data management is good for business. Having everything in place can mean that things run smoother, and ore importantly, it can help reduce costs (especially in relation to software).
Who’s data is it?
GDPR set out to clarify the importance of privacy and data security. More importantly, it determines who the owner of the data is. The individual owns the data, and not the business. Businesses are, in effect, custodians of the information held by a living person. As a result, they have to follow the principles of the regulations.
Lawfulness, Fairness and Transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
In short, that means that businesses need to
Identify the legal reason for collecting and storing the information AND have a way of informing the individuals.
Ensure individuals’ rights are protected and acted upon.
Only use the information for the purpose it was collected. This means we can not collect information and then use it for whatever reason we want, regardless of it being in the public domain.
Only collect and store the bare minimum we need for the minimum amount of time we need to store it
Ensure that the information we keep is accurate and if not correct it
Ensure that the data is not lost or destroyed
Being able to show compliance with the legislation.
Managing privacy
Saying we are data protection compliant is not enough. Businesses need to prove it. Some key areas to look at are
Know your data
Map out what data you collect, save and keep; for what reason, and where it is.
Only use it for the purpose collected
One example of this is, networking contacts can not be added to your email marketing or send sales emails. They consented for you to have their details; they did not consent for you to add them to your email marketing
Keep it up-to-date and accurate
Account status, contact information, and payment history.
Assess, review, and update
Assess what documentation you have and need
Review for updates and changes in practice
Look at trends in data security
Secure it
Ensure that physical material is locked away securely
Ensure digital devices are secure and backed-up
Training
Train your staff on what is data protection, and IT security
Have policies and processes in place, so they know what to do
Keep records
log incidents and lessons learned
keep records of equipment, software
risk assessments and DPIAs
Sounds complicated?
It doesn’t need to be complicated. Help is at hand. As a data protection specialist, I am here to support and assist with your data protection woes. Why not get in touch?
If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking all the different aspects in at once can (and probably has) caused everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are the five tips to know about and why they matter.
Transparency
When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.
Control and rights are both fundamental underpinning principles of GDPR.
How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include
the contact details of the company;
if required, the Data Protection Officer,
the purpose and lawful bases for processing the data
and the categories of personal data you hold to name a few.
Mapping your data
Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.
Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.
Reporting breaches
Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.
Data breaches can take many forms, such as:
Device loss or theft
Phishing scams
Hacking
Lost or stolen external USB drives
Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.
Reporting breaches of personal data have been mandatory since before the GDPR came into force. It just became more visible,, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section for more information about breach reporting.
Knowing your subject’s rights
Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.
Data subjects have some or all of the following rights:
The right to be informed (Including why you are processing their data, how long you intend to retain it and who you might share it with.)
A right of access (Typically referred to as a Subject Access Request or SAR which must be dealt with in a timely way.)
The right to rectification (If the subject feels their data is incomplete or inaccurate.)
A right to erasure (Also known as the right to be forgotten, sometimes for legal reasons this may not always apply)
The right to restrict processing (In certain circumstances, an individual as the right to store their data but to stop you using it.)
A right to portability (The right to obtain their data and reuse it for another purpose or service.)
Being accountable
For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. Still, it will also build trust in your business and its services and raise you above the competition.
For help and advice around transparency, avoiding breaches, mapping the data you use, subject’s rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
