GDPR: How will it affect web design?
Sophia Walker
GDPR (General Data Protection Regulation) is an upcoming rule that governs the handling of personal data. GDPR will be enforced in May 2018, across the EU, including the UK (regardless of its Brexit status at the time).
The GDPR regulations will replace existing regulations that dictate how companies are allowed to collect, store and use the personal information of their clients. The new regulations are designed to give control of personal information back to ordinary people, prioritising them over the interests of businesses.
Therefore, it’s important for web design companies, and their clients, to be aware of this new legislation and adhere to it accordingly.
What are the provisions of GDPR?
The new regulations include:
- The right for people to access, correct, delete or transfer any personal information held about them on any company system.
- The need for companies to gain explicit consent from citizens for their personal data to be held. The company must then save this consent.
- The legal obligation for companies to inform data authorities and consumers about breaches of data security, within 72 hours of them occurring.
Who needs to comply with GDPR?
Simply put, any company that operates within the EU and handles and stores personal information will need to adhere to the new rules. GDPR does not discriminate between business giants and small businesses. Furthermore, the penalties for not complying with GDPR will be very severe. Violation of the terms of GDPR can result in a penalty of 4% of your company’s annual turnover or a fine of 20 million euros (whichever is higher).
How will GDPR affect web design and website owners?
In order to avoid these severe penalties, website owners will need to ensure that:
- Explicit consent is requested from any user before data collection takes place: consent needs to be freely given, specific, informed and unambiguous. There must be positive opt-in consent; consent cannot be inferred from pre-ticked boxes or inactivity.
- Users have a means to request to view their data: this must be possible for your users, and requests for data must be granted.
- “Right to be Forgotten”: provide your users with a way to withdraw consent and purge the personal data you have collected about them.
While all of this may seem overwhelming, there are steps to take to ensure that your website is conforming to GDPR.
Conduct a personal data audit
Ask the following questions about the data collected on your website:
What data am I collecting?
This includes data collected and stored through your own website, or data collected by a 3rd party.
- Do you have a contact form collecting email addresses, phone numbers, names etc?
- Do you collect personal details on a third party email marketing service, e.g. Mailerlite or MailChimp?
- Do you operate an online store and collect customer data in order to process orders?
Where is it stored?
Do your contact forms store personal details on your website database? If your website has an eCommerce facility, personal customer information is likely being stored on your website database. These databases are often stored unencrypted so if the database is breached, personal information about your customers can be exposed and collected.
Is all of this data necessary?
If you limit the amount of data you collect, you also limit your potential for breach and non-compliance with GDPR. If you feel that some of the information you currently collect and store on your website isn’t strictly necessary, you can take steps to stop collecting it and purge it from your databases.
Implement SSL certification
Websites that use HTTPS send data over an encrypted connection. If your website has an SSL certificate, you’re making steps towards GDPR compliance. Without HTTPS, data from a contact form (for example) will be sent unencrypted, and can therefore be intercepted by a 3rd party in transit. This blog post will tell you more about the importance of HTTPS.
Understand what must be done in the event of a breach
GDPR requires the data controller to have defined processes in place in the event of a data breach. The data controller has a legal obligation to report a data breach within 72 hours. For more information about this, take a look at this article on the reporting of data breaches.
GDPR, for the first time, brings in special protections for children’s personal data – particularly with regard to commercial internet services such as social media. If your organisation offers online services to children and relies on consent to collect information about them, you will need to gain the parent or guardian’s consent in order to process the child’s data lawfully. GDPR sets the age at which a child can give their own consent to this processing at 16. This also means that your privacy information page must be written plainly enough for a child to understand.
Data Protection Officer
Where possible, you should designate someone in your company to take responsibility for data protection compliance. You will need to designate a DPO if you are:
- A public authority (except for courts acting within their judicial capacity);
- An organisation that carries out regular and systematic monitoring of individuals on a large scale;
- An organisation that carries out large scale processing of special data categories including health records, or information about criminal convictions.
How will GDPR affect email subscriptions and newsletters?
GDPR will require provable consent for someone being on a mailing list. For new subscribers to your list, gaining consent will be easier, but what about existing email marketing clients? The original consent might not have been kept.
- Current customers – demonstrate the “existing customer relationship”.
- Email subscribers with provable consent – keep and maintain records that prove their consent.
- Email recipients without provable consent – if the email programme can be considered a service, the act of opening and clicking (i.e. ongoing recipient email engagement) could be enough to show an “existing customer relationship” with your email programme. In this case, you will need to be able to demonstrate the ways in which your email programme is providing a valuable service for your customers. This will take into account the value and use of your emails, and the financial damage or detriment to your customers if the emails were to stop.
- Lapsed customers – with no clear consent, customer engagement or consistent email activity there is no legal basis for storing the data: delete unnecessary details.
- Inactive email subscribers – with no recent consent, customer relationship or ongoing email activity, you have no legal basis for storing the data: delete unnecessary details.
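The two mechanical parts of the above (saving a positive opt-in as a provable consent record, and sorting an existing list into keep/delete by consent, customer relationship or engagement) as an added example; this is illustrative code, not from the post or any email provider, and the record fields, the form field names and the twelve-month engagement window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed example: what a stored consent record captures so the consent
# can be produced as proof later (field choice is an assumption).
@dataclass
class ConsentRecord:
    email: str
    wording: str          # exact text the subscriber agreed to
    policy_version: str
    given_at: datetime
    source: str           # where the opt-in happened, e.g. "newsletter_form"

@dataclass
class Contact:
    email: str
    consent: Optional[ConsentRecord] = None
    last_purchase: Optional[datetime] = None     # existing customer relationship
    last_engagement: Optional[datetime] = None   # last open/click on the programme

def record_consent(form: dict, policy_version: str, now: datetime) -> ConsentRecord:
    """Build a consent record from a form submission, accepting only a positive opt-in.

    An unticked checkbox is simply absent from the submission, so only the explicit
    value "yes" counts; nothing is inferred from the other fields being filled in.
    """
    if form.get("marketing_consent") != "yes":
        raise ValueError("no positive opt-in: consent cannot be inferred")
    return ConsentRecord(email=form["email"], wording=form["consent_text"],
                         policy_version=policy_version, given_at=now,
                         source="newsletter_form")

# Assumed engagement window: the post sets no period, twelve months is a placeholder.
WINDOW = timedelta(days=365)
NOW = datetime(2018, 5, 25)   # constructed reference date for the examples

def days_ago(now: datetime, n: int) -> datetime:
    return now - timedelta(days=n)

def legal_basis(c: Contact, now: datetime) -> Tuple[str, str]:
    """Classify a mailing-list contact as keep/delete, with the reason, following the
    categories above: provable consent, existing customer, ongoing engagement."""
    if c.consent is not None:
        return "keep", "provable consent on record"
    if c.last_purchase is not None and now - c.last_purchase <= WINDOW:
        return "keep", "existing customer relationship"
    if c.last_engagement is not None and now - c.last_engagement <= WINDOW:
        # keeping on this basis also requires documenting the value of the service
        return "keep", "ongoing engagement with the email programme"
    return "delete", "no consent, customer relationship or recent engagement"
```

Run `legal_basis` over every contact before the enforcement date and purge the "delete" group; the "keep" reason tells you which evidence you must be able to show for each subscriber.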
3rd Party Email Systems
3rd Party email systems come under the definition of “data processors”, as they hold and process personal data on your behalf for the purpose of sending out emails. It is important to check the privacy policies of any 3rd party email system you use to ensure that they are GDPR compliant. Most of the major 3rd party email systems are based in the US and will likely already be GDPR compliant, or on the way to becoming so. US companies require Privacy Shield compliance, which has been developed by the US Department of Commerce and the European Commission to protect the flow of personal information between the EU and the US.
Contact a Professional For Advice
GDPR is a drastic overhaul of current EU privacy and data regulation; so naturally, the entire process can appear a little daunting. To speak to a professional, and see what steps need to be taken to make your site GDPR-ready, simply get in touch today.