Posted on: 30th April 2018
This blog was originally written by Pyranet for Frogspark, as a guest blog. Read original article here.
Having a company website is a necessity for any business – no matter the shape or size! As we live and continue to grow in a digital world, it is very likely that you could be losing a number of great opportunities for your business if you don’t have a good quality website.
The internet has a far broader reach than any other form of advertising, and while it can take a while to build up enough traffic for your website to make a worthwhile impact on your company's marketing campaign, a brilliant company website has the potential to deliver real results.
However, with GDPR (General Data Protection Regulation) soon to come into force on 25th May this year, it is imperative that business owners ensure their website follows best practices in order to conform to the new regulations.
The GDPR is the most significant and comprehensive data privacy regulation to date and compliance is compulsory. However, it is important not to disregard the pre-existing PECR data protection guidelines now that GDPR is coming into play. PECR stands for The Privacy and Electronic Communications Regulations, and in scenarios where the GDPR may not apply, PECR will still apply.
Owning a website that violates data protection puts you at risk of heavy sanctions. Under GDPR, those who do not adhere to new regulations are at risk of large fines (up to €20 million or 4% of their global annual turnover, whichever is greater).
So, with that in mind, what things do you need to make sure you are doing and what things will you have to change?
A good place to start with best practices is web forms. Most companies use web forms on their website(s) because they lead to enquiries through the website and therefore bring the potential for business opportunities. Web forms are also a good way to collect customer details which can then be added to email marketing lists.
But when can this become an issue? Is it okay to automatically subscribe people to your newsletter and start marketing to them if they fill in a form on your website?
Marketing to an individual that is an existing customer (B2C)
Marketing to an individual who is an existing customer, or somebody who is in the process of a transaction, would be classed as a soft opt-in, where you can use the lawful basis of legitimate interests for this processing. Soft opt-ins apply when you have obtained an individual’s details during a sale (or negotiations for a sale) of a product or a service. The option to opt out of any email marketing should always be simple to do and obvious to the individual.
Business to business marketing with no personal data in email address or email body
When emailing a general email address such as email@example.com, where the email body also contains no personal data, GDPR doesn’t apply because GDPR relates to personal data and there is no personal data present. PECR does apply in this case; however, legitimate interests can be used as the reason for processing. The option to opt out of any email marketing should always be simple to do and obvious to the individual.
Business to business marketing containing personal data
Emailing a business using a named contact such as Simon.Gallagher@examplecompany.co.uk is where GDPR guidelines become relevant. PECR outlines this is still legitimate interests – and GDPR does mirror the PECR guidelines, meaning consent is not required. However, with this example, it is good practice to keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. The option to opt out of any email marketing should always be simple to do and obvious to the individual.
Marketing to individuals (non-customers/cold prospects)
PECR already advises that you need consent to send marketing emails to cold prospects. GDPR has introduced a much clearer and less ambiguous form of consent than before. If you are planning on sending marketing emails to individuals who are not customers, nor involved in any form of transaction with your company, then you must follow the requirements below:
- Specific and unambiguous – it must be extremely clear what the data subject is signing up for when filling out web forms.
- Granular opt-in – forms must not be pre-ticked and the data subject must actively opt in to receive any further marketing correspondence. The opt-in box must also not be ‘clustered consent’: there must be separate boxes that a user selects for the different types of correspondence, for example separate opt-ins for receiving newsletters and receiving text messages from a company.
- Easy to withdraw consent – it must be as easy to withdraw permissions as it was to grant them (make sure your contact preferences page is extremely easy to find).
- Named parties – what exactly is the data subject agreeing to? Web forms must identify each individual party that consent is being granted to. It isn’t enough to state specifically defined categories of third-party organisations; each organisation now needs to be named.
For example, John Lewis’ web forms ask for permissions for itself and sister companies John Lewis, Waitrose and John Lewis Financial Services to contact the customer. This is good practice.
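As an added example (not code from the original post), here is server-side handling of a marketing consent form that enforces the four requirements above: one unticked box per channel, rejection of any bundled box, the named parties recorded, and withdrawal as simple as granting. The field names, channel names, party names and form text version are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed values: one separate box per channel, every party the consent covers,
# and the version of the wording the subject actually saw on the form.
CHANNELS = ("newsletter", "sms")
NAMED_PARTIES = ("Example Ltd", "Example Sister Co")
FORM_TEXT_VERSION = "2018-05-v1"

@dataclass
class ConsentRecord:
    """Evidence of what was agreed, by whom, to whom, and when."""
    email: str
    channels: set
    parties: tuple
    text_version: str
    granted_at: str
    withdrawn: set = field(default_factory=set)

    def active_channels(self) -> set:
        return self.channels - self.withdrawn

def capture_consent(form: dict) -> ConsentRecord:
    """Turn a submitted form into a consent record; silence is never consent."""
    # Granular: only a channel's own box counts and nothing is ticked by default,
    # so an untouched form yields an empty set rather than a subscription.
    chosen = {c for c in CHANNELS if form.get(f"optin_{c}") == "on"}
    # Reject a bundled box (e.g. "optin_all") that would cluster consent.
    bundled = {k for k in form if k.startswith("optin_") and k[6:] not in CHANNELS}
    if bundled:
        raise ValueError(f"clustered consent field(s) not allowed: {sorted(bundled)}")
    # Named parties: the list shown on the form must match the one we rely on.
    if tuple(form.get("parties", ())) != NAMED_PARTIES:
        raise ValueError("form must name every party the consent is granted to")
    return ConsentRecord(email=form["email"], channels=chosen, parties=NAMED_PARTIES,
                         text_version=FORM_TEXT_VERSION,
                         granted_at=datetime.now(timezone.utc).isoformat())

def withdraw(record: ConsentRecord, channel: str) -> None:
    """Withdrawing is one call per channel, as simple as granting was."""
    record.withdrawn.add(channel)
```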
Other things to consider when it comes to the forms on your website:
- Ensure you have updated the send processes of your contact forms so that data is sent and stored to the minimum number of places.
- Create the ability within your admin area to search, export and delete personal data as required.
- Allow users to submit a request to view or delete data you hold on them.
Encryption is key – Get your website encrypted
Any data that is submitted to your website must be encrypted. One of the major benefits of HTTPS (the ‘S’ stands for secure) is that it protects users against man-in-the-middle attacks that can be launched from compromised or insecure networks. It is these kinds of attacks that can lead to data breaches and therefore fines, so an encrypted website is essential.
Your website developer should be able to install the necessary measures to ensure this is the case (hey, that’s us!). This would be a case of fitting an SSL certificate to your site to encrypt the data.
You can check whether you already have an SSL certificate by looking for the padlock symbol in the URL bar of your browser when you visit your site’s homepage. If it is missing, speak to your web developer to resolve this.
Another thing worth mentioning of course, is that Google favours HTTPS websites over those that are not secured when it comes to ranking websites in search results. A user searching for ‘Cake Makers’ would be directed to the cake maker website that is encrypted, as opposed to the one that is not, and if yours isn’t, you could be the one losing business.
Finally, as of July this year, Google Chrome will start labelling all HTTP pages as not secure, and will change the HTTP security indicator to the red triangle used for broken HTTPS when users enter text into a form on an HTTP page. This warning can be damaging to eCommerce sites as many people will not be willing to input sensitive data after being warned that the website is not secure, yet again this could mean you losing business.
Access to data – Who has access to customer data?
Important things to take into account:
- Data subjects will need to be able to access their personal data quickly and simply. You may also have to explain which other organisations have handled their data, and why this was needed for the process.
- Organisations will need to make sure they offer any data for download where possible, and without any unnecessary delays.
- As companies are not permitted to store data that is no longer necessary, a robust process for deleting data that is no longer required should be implemented.
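As an added example (not code from the original post), the following covers both the earlier web-form points (data kept in the minimum number of places; admin search, export and delete) and the access points above (download on request; deleting data that is no longer needed). Field names, purposes and retention periods are assumptions, not figures from the post.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed field names, purposes and retention periods (not figures from the post).
ALLOWED_FIELDS = {"name", "email", "message"}     # everything else is dropped on intake
FORBIDDEN_FIELDS = {"card_number", "cvv"}         # belongs with the payment gateway only
RETENTION = {"enquiry": timedelta(days=180), "order": timedelta(days=6 * 365)}

class PersonalDataStore:
    """The single place submissions are kept, with the admin operations needed."""
    def __init__(self):
        self._records = []
    def store(self, submission: dict, purpose: str, now=None) -> dict:
        if FORBIDDEN_FIELDS & submission.keys():
            raise ValueError("payment details must not be stored here")
        now = now or datetime.now(timezone.utc)
        record = {k: v for k, v in submission.items() if k in ALLOWED_FIELDS}
        record.update(purpose=purpose, stored_at=now.isoformat())
        self._records.append(record)
        return record
    def search(self, email: str) -> list:
        return [r for r in self._records if r["email"].lower() == email.lower()]
    def export(self, email: str) -> str:
        return json.dumps(self.search(email), indent=2)  # copy for an access request
    def erase(self, email: str) -> int:
        kept = [r for r in self._records if r["email"].lower() != email.lower()]
        removed = len(self._records) - len(kept)
        self._records = kept
        return removed
    def purge_expired(self, now=None) -> int:
        """Delete records held longer than their purpose allows."""
        now = now or datetime.now(timezone.utc)
        kept = [r for r in self._records
                if now - datetime.fromisoformat(r["stored_at"]) <= RETENTION[r["purpose"]]]
        removed = len(self._records) - len(kept)
        self._records = kept
        return removed

def demo():
    """Walk one constructed submission through intake, access request and purge."""
    store = PersonalDataStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.store({"name": "Ann", "email": "Ann@example.com", "message": "Quote please",
                 "tracking_id": "abc123"}, "enquiry", t0)
    fields = set(store.search("ann@example.com")[0])
    exported = store.export("ann@example.com")
    purged = store.purge_expired(t0 + timedelta(days=200))  # past the 180-day enquiry period
    return fields, exported, purged, store.search("ann@example.com")
```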
It is vital to be aware of who has access to the personal data that is logged and stored on your website in the content management system. It is good practice to document exactly who these people are and compile a list. Then, by examining the list, work out who genuinely requires access to the data. If there are employees on the list who do not need access, ensure that their permission is revoked.
Business owners should also audit any outsourced companies that could potentially have access to their data and check that their procedures are also compliant. As the data controller, you are responsible for this, even if you have outsourced elements of the process. It is recommended that you document the measures you have taken to ensure everybody is acting in line with GDPR regulations. Likewise, outsourced companies should be able to explain clearly what measures they have taken to ensure the data you have provided to them is held securely.
Online payments: What information are you storing?
If you’re an e-commerce business using a payment gateway (a secure way for your customers to enter their payment information, including credit and debit card details) for financial transactions, you need to be aware of whether your own website collects any personal data before these details are passed on to the payment gateway.
If your website stores personal details after the information has been passed on, then you’ll need to modify your web processes to remove any personal information after a reasonable period.
Third-party tracking software: Is it compliant under GDPR?
Third-party tracking software is a grey area when it comes to GDPR. A lot of businesses use a third-party marketing automation software solution these days. These might be lead-tracking or call-tracking applications that track website visitors in ways they wouldn’t expect, and therefore users have not technically granted consent. There are many third-party tracking suppliers that claim they’re GDPR-compliant and will advise their clients to display banners which state clearly that cookies are being used. However, it’s always good to double check that your supplier has got your back when it comes to GDPR, so make sure you look over your contract with your software providers very carefully.
How Clear are your Privacy Policies?
You must let users know:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties who share it
- How users can control any aspects of this
- Who the data controller is
- Data controller’s contact information
- Whether you use data to make automated decisions (e.g. credit scoring)
- The 8 rights they have under the GDPR
- Whether providing user data is mandatory for the user to use the website
- Whether you transfer data internationally
- What your legal basis is for data processing
Does your business have an App?
Do you have a mobile app? GDPR regulations also apply to personal data collected through mobile devices and apps. Spend some time reviewing the data your mobile app collects, where it goes and why it is collected, all while making sure it complies with the GDPR.
All in all, websites (and Apps) should include privacy by design, meaning a user’s privacy should be considered the number one priority at all times, through every level of your website. By default, privacy settings should be set to their highest level and the ability for a user to downgrade this level of security should be available.
The GDPR might seem intimidating and over the top, but it’s important to remember where this stems from. Ultimately this is about protecting people from cyber-crime and data breaches. The internet is still a highly unregulated space that needs far greater levels of international legislation; the GDPR is a significant contributor to this.
The above is not an exhaustive list and there is an abundance of information out there that looks at many other factors to consider as we near the ‘go live’ date and it is recommended that you familiarise yourself with this information.