A GDPR Summary
As of May 25, 2018, the new General Data Protection Regulation (GDPR) comes into force across Europe, and local business websites and their administrators should be ready. The European Parliament spent 5 years working on this reform of data protection law. At present, Directive 95/46 CE of 1995 still applies until May 25th, but the technological and behavioural changes of the last few decades have led to this directive being re-examined. Think back to 1995, when the Internet was young: users communicated with website administrators by signing a ‘guestbook’, every website had a ‘links’ section, and the way data was managed was… well, for the most part it wasn’t managed at all. Nowadays, data protection at a European level must deal with concepts such as big data, Industry 4.0, robotics and artificial intelligence (AI), hence the need to include new features in the Regulation. The regulation affects both large and small businesses, and it’s important to note that the GDPR replaces the current Directive with a Regulation.
Do Small Businesses Need to Adhere to GDPR?
Yes, all businesses must adhere to the GDPR, assuming you handle some Personally Identifiable Information (PII), online or offline. A very common example would be data submitted from a contact form on your business website; more complex websites may collect more PII.
This GDPR summary for small business websites is useful for all small business owners throughout the UK. The GDPR will affect most large and small organisations that own and operate a website, as the regulation is broad reaching and applies to:
- Data processing by companies in the EU, regardless of whether or not the controller of the data is in the EU. For example, a US company with servers in Germany;
- Services (even free services) carried out by companies with no presence in the EU if they’re targeted towards European residents, for example:
  - by displaying the website in an EU language that is not an official language of the data controller’s operating country; OR
  - by offering EU currency payment options;
- Any companies who have a subdivision or representatives within the EU.
There are still unknowns as to how the EU will enforce the new regulation on those outside its jurisdiction. Even so, both large and small businesses with a website should want to comply with the regulation, if only for the prestige, and to win over potential customers with a serious approach to data protection.
The regulation strengthens already recognised data rights, such as the notion of consent to the use of data, the right of access, the right to object, and the right to be forgotten, but it also defines new rights. The GDPR checklist below has been written with small businesses that administer a website in mind.
GDPR Checklist Summary for Small Business Websites
Website Data Collection
If you run or manage a small business website you need to be aware of, and document, what Personally Identifiable Information (PII) from the business website you store, handle and distribute. For small businesses with less complex websites this shouldn’t be too taxing, but there are some things you need to consider:
- Contact form submission data
- Newsletter subscription data
- Targeted remarketing tracking and integration
- Online payment platform information
If your website is managed externally by a 3rd party such as Awe Web Design, they should be happy to help you identify the information collected on your small business website. You should have a contract in place with them if they have access to tracking data from your website that integrates with internal data such as your CRM. You also need to appoint a member of staff responsible for GDPR and ensure that you are compliant; it is their responsibility, as the data ‘controller’, to document the information and conduct any audits or data risk assessments where applicable.
Website Users Rights
As with Directive 95/46 CE, the General Data Protection Regulation (GDPR) ensures the rights of the users of your business website, including:
- Providing the information that you hold on an individual, should they ask for it, in a commonly accessible format. This data can then be used by them to inform you of inaccuracies or to object to you handling their data at all.
- Consent needs to be granted by the website visitor specifically (rather than as passive consent). You should also inform the user of the ways you will use their data and who you are sending their data to (3rd parties), if applicable.
- Your business website’s opt-in and opt-out options should default opt-in requests to “no”, and you need to make it clear to users of your website or communications that they can opt out, and make it easy for them to do so.
- How the data that you hold on an individual will be deleted should they request it.
It is the Data Controller’s responsibility to ensure your business has procedures in place for the timely execution of your website users’ rights under the GDPR. The GDPR sets out a Subject Access Request timeframe of 1 month for you to give access to the personal data held.
Your Website’s Privacy Policy and T’s & C’s
The appointed data controller within your business should check the privacy policy and the terms and conditions on your business website to ensure that they are GDPR compliant. In summary:
- Your privacy policy and terms and conditions are easily accessible and not hidden away in a dark corner of your business website.
- Identify the legal basis, if you currently don’t, for your need to collect your website users’ personal data, i.e. legitimate business operation.
- Make it clear to the website user what you do with their information online and offline, how it is processed, and how long you keep the website users’ data. Remember that the GDPR states that you need to name 3rd parties if any are involved.
If your business website is managed by a third party (such as ourselves) you will need to collaborate with them. Make sure that you know what their policy and practices are in regards to IP logs, contact form submission data, and backups. It’s common practice to collect or back up this information for legitimate security and troubleshooting purposes, but make sure it’s written into your privacy policy. This brings us to the next topic.
Your Website Data Security
Once you have identified the data (PII) you collect on your website, you must secure it as well as possible. Data breaches are not uncommon among small business websites, as these types of websites don’t tend to have adequate security (something we take seriously with our business website design). You may need to carry out a Data Protection Impact Assessment (DPIA) within your organisation, depending on the sensitivity of the data you process.
- Find out if you need to carry out a DPIA
- Make sure your employees know what a personal data breach is and how to report it as quickly as possible to the assigned Data Controller
- Report any internal data incidents to the Data Controller quickly
- Assess your business website’s security measures and consider adding additional security to your website. You should already be serving your website over HTTPS (SSL/TLS encrypted connections, the green bar), as Google tends to favour HTTPS websites over ‘not secure’ websites.
If your small business relies on a 3rd party agency for the operation of your website, you should investigate whether they are compliant with the GDPR. Put a contract in place in order to protect yourself somewhat from fines should they fail to adhere to the GDPR.
Getting Help With GDPR Compliance
We are more than happy to help you become GDPR compliant; get in touch with us to find out more. If you are a small business looking to become GDPR compliant yourself, then you should read further on all the topics covered in this summary. The best resource is the Information Commissioner’s Office website: as a public office, their duty is to explain the GDPR and help businesses comply, and you can find relevant links to the GDPR there.