Does GDPR affect me?
The simple answer is yes. If you run a business or work in one, you will hold data on someone, and that includes data on your employees (or on you as an employee).
GDPR cuts across lots of different areas of your operations, whether you’re a big business or an SME, so you need to know about it: the consequences are pretty hairy if you’re unfortunate enough to get reported and fined! If you want to know more about GDPR in general, there are loads of resources online that cover the broader issues.
Here, we are focussing on a far more specific element: how GDPR affects your website.
How does GDPR affect my website?
The chances are that you have an inquiry form or two on your website capturing the data of potential customers. In many cases, you may also have a gateway pop-up form that captures data in return for a download or some free resources. These details then go into your website database, where they should be secure, but if your site is hacked, they become compromised. Equally, if a number of people have access to the content management system, they also have access to the personal data from these forms, which will, at the very least, require some sort of robust policy.
SEO, Tracking and Automation
SEO (Search Engine Optimisation) is a key element of how many businesses market themselves these days, and it includes a vast array of activities and tools to reach, identify and market to potential customers. This might be advanced tracking through cookies, or perhaps automated marketing that relies on a database containing personal contact details. There are six lawful bases on which personal data can be held, so you need to be sure you’re holding it for a valid reason:
- Contractual – you have a contract with someone
- Compliance – you must record dealings with a person
- Vital interest – to record health information for a member, employee or guest
- Public interest – journalists investigating questionable dealings
- Legitimate interest – including competitor analysis
- Consent – required if none of the other five reasons apply
The days of buying databases for large-scale automated and direct mail campaigns are over, my friends.
You need to have a really solid policy in place to make sure that everyone who has access to your company website uses a really robust password and that the way that password is stored and shared is compliant. Believe it or not, we have heard about companies who have a sticker on each monitor with the website login details for anyone to see and use – even external people. Getting into the site means accessing a database of inquiry form details and therefore a data breach, punishable by a fine of up to 4% of turnover or €20 million.
There are also instances where a shared drive holds an Excel spreadsheet titled ‘passwords and logins’ or something similar, which makes it easy for unauthorised individuals to get in, locate and access data that they shouldn’t, which again is a breach.
Make sure the passwords to anything that leads on to more login information or personal data (a password manager like LastPass or 1Password, for example) are really secure, including those of your own staff.
We’ve addressed some of the human concerns around website safety, such as passwords, but having a technically secure website is also very important. You need to make sure that it is secure: use reputable and updated plugins, host it on a secure server, and add some sort of security feature such as WP Cerber to help prevent access to the data stored within. One other consideration is to apply an SSL certificate to your website to encrypt data flowing to and from the site.
You absolutely need to make sure that you have a robust and credible website backup system in place. There are a great many reasons for this, most of which are pretty obvious (like losing your site completely), but some backup regimes are not as robust as they need to be. A website generally comprises a set of site files plus a database. Some automated processes take a database backup but store it on the website itself instead of on a different server, which doesn’t solve the problem and leaves your data exposed: a database dump sitting inside the web root is just another file that can be downloaded.
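As an added example (not code from the original post), the shell script below dumps a WordPress-style database, refuses to write the dump anywhere under the web root, ships it to a separate server over SSH and then deletes the local copy. The web root, database name, backup host and backup directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: database backup that never leaves a dump inside the web root.
# WEB_ROOT, DB_NAME, BACKUP_HOST and BACKUP_DIR are assumed placeholders.
WEB_ROOT="${WEB_ROOT:-/var/www/html}"
DB_NAME="${DB_NAME:-wordpress}"
BACKUP_HOST="${BACKUP_HOST:-backup.example.invalid}"   # placeholder off-site host
BACKUP_DIR="${BACKUP_DIR:-/srv/backups/site}"

# Succeeds (exit 0) only when the path is neither the web root nor inside it.
outside_web_root() {
  root=${WEB_ROOT%/}            # strip a trailing slash so "/var/www/html/" still matches
  case "$1" in
    "$root"|"$root"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Date-stamped file name so the remote side keeps a history rather than one file.
dump_name() {
  printf '%s-%s.sql' "$DB_NAME" "$(date +%Y%m%d-%H%M%S)"
}

# Dump, compress, copy off-server, then remove the local copy so personal data
# does not linger on the very server the backup is meant to protect it from.
backup_db() {
  staging=${1:-/var/tmp}
  if ! outside_web_root "$staging"; then
    echo "refusing staging directory inside web root: $staging" >&2
    return 1
  fi
  raw="$staging/$(dump_name)"
  umask 077                                              # dump readable by this user only
  # Check mysqldump on its own: a pipeline would only report gzip's exit status.
  if ! mysqldump --single-transaction "$DB_NAME" > "$raw"; then
    rm -f "$raw"; return 1
  fi
  gzip "$raw"                                            # produces "$raw.gz"
  if ! scp -q "$raw.gz" "$BACKUP_HOST:$BACKUP_DIR/"; then
    rm -f "$raw.gz"; return 1
  fi
  rm -f "$raw.gz"
}
```

Run it from cron on the web server as a user that can read the database and has an SSH key for the backup host; the web server never needs write access to the backup host's other files.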
So with a ‘standard’ website, the likelihood is that you have contact forms that require some level of personal data. With e-commerce sites, however, there is a whole host of other personal data required to make a transaction happen. As such, the policy and security around this data, along with the storage of customer details, will really need to be examined and made secure – and Dropbox is not the answer, as it isn’t compliant with UK requirements.