Things you MUST do:
Register on the ICO (Information Commissioner’s Office) website as a data controller (you may also be a data processor).
There are 14 points in the checklist:
2. Cookie & privacy popup notice
Each new website user needs to agree to the use of their data and accept the terms in order to fully use the website. A user has the right to ask the website owner to disclose what information is held about them, and to have it permanently deleted on request.
The website owner states what data is captured, when it was captured, what the data is used for, the third parties’ details and the process, including the Data Protection Officer’s details. https://www.local.gov.uk/our-support/general-data-protection-regulation-gdpr
4. SSL certificate
Secure Sockets Layer certificate – when installed on a web server it enables the padlock and the https protocol, so that the connection between the web server and the browser is encrypted. The purpose is to encrypt all the details entered into any forms or fields on a website while they travel between browser and server. A variety of SSL certificates are available at different prices, all encrypting the data to the same level of security (256-bit – 2048-bit), but some come with further protection and insurance.
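Installing the certificate is only half of it: the server also has to refuse to serve forms over plain http. The following is an added example (not code from the original checklist) showing, in Go’s standard net/http, how a site redirects every http request to https and sends an HSTS header so browsers keep using https on later visits. The file names cert.pem and key.pem and the /contact path are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// redirectToHTTPS answers every plain-http request with a permanent redirect
// to the same path on https, so no form is ever submitted in clear text.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS wraps the https handler so browsers remember to use https for a
// year (31536000 seconds) and never try http first on a later visit.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// contactForm stands in for the real enquiry form handler (hypothetical).
func contactForm(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "contact form served over https")
}

func main() {
	// Plain http only ever redirects.
	go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))

	// cert.pem / key.pem are assumed to be the certificate and key issued
	// for this site by the certificate vendor.
	mux := http.NewServeMux()
	mux.HandleFunc("/contact", contactForm)
	if err := http.ListenAndServeTLS(":443", "cert.pem", "key.pem", withHSTS(mux)); err != nil {
		panic(err)
	}
}
```

A quick check after deploying: request the http URL with curl -I and confirm a 301 whose Location is the https URL, then request the https URL and confirm the Strict-Transport-Security header is present.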
5. Pseudonymisation or anonymisation
Most websites that have user accounts and store information about their users (like your Amazon account storing your name, address, date of birth etc.) keep the data in an SQL database. This is the database the website queries to retrieve your details when you sign in. In most cases, unless it’s online banking, these details are not stored encrypted, so if the SQL file were accessed its contents could be read in clear.
It’s hard to both store and retrieve data in encrypted form, which is why most sites don’t. However, under GDPR, ‘pseudonymisation’ means that websites will need to move towards users being identified by a username only, with the rest of the data encrypted so that there is no readable connection between the user and the stored details.
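What the pseudonymised layout looks like in practice, as an added example that is not part of the original checklist: the row is keyed by username only, everything else is encrypted with AES-256-GCM before it is written, and the sign-in path decrypts it again. The in-memory Store is a stand-in for the SQL table and the profile data is constructed; a real site would persist the rows and keep the key in a separate key store (or HSM), never in the same database as the rows it protects. The example also covers the deletion request from point 2, which becomes a single row drop.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Profile is the personal data that must stay unreadable if the database
// file is copied. Only the username (the pseudonym) is stored in clear.
type Profile struct {
	Name        string `json:"name"`
	Address     string `json:"address"`
	DateOfBirth string `json:"dob"`
}

// record is what actually lands in the database row.
type record struct {
	Nonce      []byte
	Ciphertext []byte
}

// Store stands in for the SQL table (hypothetical, in-memory).
type Store struct {
	key  []byte            // 32 random bytes, so AES-256
	rows map[string]record // keyed by username only
}

// NewStore generates a fresh data-encryption key.
func NewStore() (*Store, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Store{key: key, rows: make(map[string]record)}, nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Save encrypts the profile with a random nonce. The username is bound in as
// additional authenticated data, so a ciphertext moved into another user's
// row will fail to decrypt.
func (s *Store) Save(username string, p Profile) error {
	plain, err := json.Marshal(p)
	if err != nil {
		return err
	}
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[username] = record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, []byte(username))}
	return nil
}

// Load is the sign-in path: look the row up by username and decrypt it.
func (s *Store) Load(username string) (Profile, error) {
	r, ok := s.rows[username]
	if !ok {
		return Profile{}, fmt.Errorf("no such user %q", username)
	}
	gcm, err := s.aead()
	if err != nil {
		return Profile{}, err
	}
	plain, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(username))
	if err != nil {
		return Profile{}, err
	}
	var p Profile
	err = json.Unmarshal(plain, &p)
	return p, err
}

// Erase honours a deletion request by dropping the row.
func (s *Store) Erase(username string) { delete(s.rows, username) }

// RawRow returns the stored ciphertext: what someone who copied the database
// file would see for this user.
func (s *Store) RawRow(username string) ([]byte, bool) {
	r, ok := s.rows[username]
	return r.Ciphertext, ok
}

func main() {
	s, err := NewStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample data, not a real person.
	_ = s.Save("ann42", Profile{Name: "Ann Example", Address: "1 Example Street", DateOfBirth: "1990-01-01"})
	raw, _ := s.RawRow("ann42")
	fmt.Printf("stored row: %x\n", raw)
	p, _ := s.Load("ann42")
	fmt.Printf("after sign-in: %+v\n", p)
}
```

The point to verify is the RawRow output: the name, address and date of birth must not appear in it, and Load must fail (not return stale data) once Erase has run.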
6. Newsletter signups
Make sure that the emails you send out all have an unsubscribe link, too.
7. User account creation
If your website is an eCommerce site or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have the SSL installed (please refer to point 4) and also work towards the data being stored using pseudonyms.
8. Payment gateways
9. Enquiry & contact form
If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:
The website has an SSL
The details are not stored in the website’s SQL database unless they are encrypted
If they are sent to you by email, your email service provider adheres to GDPR rules, and the email is stored and sent using GDPR-compliant secure methods.
Do you print out the email with the enquiry details on it? If so, this is also a data risk. Ensure you have a shredding process in place so that emails with users’ private details aren’t just put in the bin!
Make sure there are no pre-ticked boxes that automatically sign the enquirer up to a newsletter. You cannot add the user’s details to your marketing database unless they have explicitly agreed to it using a separate tick box.
10. Live chats
11. Connected email
Whilst not strictly website-related, all email services, and the storage of email from everyone with whom you are connected, must comply with DPA (Data Protection Act) and GDPR guidelines. Make sure you store your email data securely, use good anti-virus applications, and archive and completely delete unnecessary email.
Have a Data Retention Policy – a statement of how your organisation stores data and for how long before it is deleted. Typical business data retention policies are 12 to 24 months.
12. Social media account connection
When using social media sites you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, but you do need to ensure that any information gathered directly from people with whom you interact on social media sites is handled in accordance with the GDPR privacy guidelines. If you’ve had a chat using Facebook Messenger with someone about an enquiry, make sure the chat history is completely deleted when it’s done. Get the person to email you so that you can hold the formal conversation outside of a social media channel.
13. Google Analytics (and other user tracking systems)
You must enable the IP anonymisation option in Google Analytics to properly conform to GDPR. Google Analytics records users’ IP addresses in visitor reports, and an IP address is treated as ‘identifiable information’.
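To make concrete what that option does, here is an added example (not code from the original checklist or from Google) of the same truncation applied to your own server logs, which also hold visitors’ IP addresses: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed, which is the truncation Google Analytics documents for its anonymizeIp setting. The log lines are constructed, and applying the rule to server logs goes beyond the page’s Google Analytics case.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// AnonymiseIP zeroes the last octet of an IPv4 address (keeps /24) and the
// last 80 bits of an IPv6 address (keeps /48). Returns "" when the input is
// not a valid IP, so callers can decide whether to keep the line unchanged.
func AnonymiseIP(raw string) string {
	ip := net.ParseIP(strings.TrimSpace(raw))
	if ip == nil {
		return ""
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String()
	}
	return ip.Mask(net.CIDRMask(48, 128)).String()
}

// AnonymiseLogLine rewrites the client address in a common-log-format line,
// where the address is the first space-separated field. Lines that do not
// start with a parsable address are returned untouched.
func AnonymiseLogLine(line string) string {
	fields := strings.SplitN(line, " ", 2)
	if len(fields) < 2 {
		return line
	}
	anon := AnonymiseIP(fields[0])
	if anon == "" {
		return line
	}
	return anon + " " + fields[1]
}

func main() {
	// Constructed sample log lines using documentation address ranges.
	lines := []string{
		`203.0.113.77 - - [10/Oct/2000:13:55:36 +0000] "GET /contact HTTP/1.1" 200 2326`,
		`2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2000:13:56:02 +0000] "POST /contact HTTP/1.1" 302 0`,
	}
	for _, l := range lines {
		fmt.Println(AnonymiseLogLine(l))
	}
}
```

Run it over the access log before the log is archived; the truncated address still supports rough per-network traffic counts but no longer identifies a single household or device.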
14. CRM connection
The Information Commissioner’s Office (ICO) has launched a dedicated advice line to help small organisations prepare for the new data protection laws (GDPR). The service is aimed at people running small businesses or charities and recognises the particular problems they face in getting ready for the new law.
You can find out more here: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/