Recently we have been helping out a number of clients update their websites to get up-to-date with the new GDPR regulations that come into effect on the 25th May 2018.
This is our step-by-step guide to become more-compliant with the new GDPR regulations and some links to resources that you might find useful.
We realise that this guideline is not the definitive consent checklist, but may aid as a reminder or extra pointers that could help your organisation to become more GDPR compliant.
I think for some time now we think that the NHS had gone through a similar process by allow patients to be able to request their own hospital records.
Many people may be panicking atm but from what I understand that the new law is going to take a softer approach as the new regulations come into effect.
1. Becoming aware of the new GDPR regulations
The first thing is to become aware of what the GDPR is and what it aims to achieve. The emphasis is on giving end-users/clients potential contacts more freedom over the data you hold on them and applying tighter security measures to that end.
These can be outlined as:
- The right to be forgotten, delete data you may hold
- The right to update and change any data held by you
- The right to request copies of data held by you
2. Identify where your data is kept, make sure you know where it is
The first thing to do is run an audit as a bullet point and identify where sensitive data may be kept. If a client asks you to delete their information you won’t want it hanging around everywhere – see point 7 below.
These could be:
- In emails
- In outlook or gmail contacts, tasks and notes
- In Sharepoint, Hubspot databases
- In WordPress, Joomla, Drupal or any contact form submissions stored online
- Post-it notes, offline documentation
- Word/Excel/PDF Documents
- Mailing lists such as Mailchimp
- Accounting software that keep contact information such as Xero
We know that the larger your organisation is, the more difficult this will be to think about as the larger the business the more people and the more systems you may already have in-place.
Perhaps your business has already been involved in this activity.
You should also consider its not just trying to become better understanding but also about protecting yourself as much as it is about your online users.
You have the right to request your data be removed from our database systems if you feel it is no longer necessary for us to hold the data.
Full details of this can be read in our GDPR Policy.
Please email email@example.com with your request.
If you would like to discuss what data we hold and how we handle it please do get in touch either by email to firstname.lastname@example.org or Phone telephone number.
If you would like to see/read the Eggbox Designs Ltd GDPR policy please email email@example.com or Phone telephone number.
Eggbox Designs Ltd will store your details in order for you to gain access and use our online services.
You can choose to no-longer use our services at any time and Eggbox Designs Ltd will completely remove and delete your login details, private folders and any refence to you in accordance with the GDPR laws May 2018. You can sign up again at any time.
More information on GDPR Laws in the UK: “https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views
4. If you collect sensitive data via an online form you should be making use of an SSL certificate
The GDPR law stipulates how your business values the collecting of data, names, address, emails and telephone numbers and that you should make all due care and attention to how that data is collected.
We advise to make your website as secure as possible. This means making your website use the https protocol instead of http.
Any data sent over standard http is not encrypted and therefor more likely to be pried upon. Your e-commerce site if you submit payment details should definitely be https by now.
While using your websites SSL is not ever 100% full proof, it is better than http, and it will show a willingness to comply with the new regulations. Upgrading to https will not only give your end users a better feeling about your website but also is going to be better ranking in SEO results.
Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. Pretty soon many websites could appear lower in the rankings or will indicate that your site is not secure in the search results from July 2018 as stated on Google’s blog.
5. Add a checkbox to existing forms for people to opt-in
The GDPR law now states that people have to opt-in and give you their consent when contacting you via any online form. So if you have any online form you really need to add a tick box that states something like:
I authorise you to use my details to contact me
The box must be required and not be pre-ticked!
6. Consider if you need to contact historical clients for consent
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
If you have a contact list in your database you may well think it prudent to remind those clients that you keep information on them and that you require their consent before the 25th May 2018.
If you do not get an email back you could then try contacting them by telephone. It is polite and shows initiative that your organisation is doing its best to comply with the new regulations and also its not a bad way to maybe ignite new business.
7. Make sure historical forms submissions that were stored in your online database, CMS or CRM is tidy
If you want to appear really thorough you should go through and remove redundant data. you should ideally not keep usernames and passwords in old emails, including those who sent you those and you have responded.
Ideally you may need to make sure any private data are secured in one place, one CRM or CMS. Whether this be a database or spreadsheet, or a outlook contact folder or other.
This is particularly important if you have been sent login details to third-party online services belonging to clients in the past. Having these in your deleted items is not the best place so you should ideally sort these.
Migrate any private data in your emails (sent items, inbox, drafts, deleted items), post-it notes, printed documents, in your emails by searching for keywords such as, “Password”, “PWS”, “PSWD”, “Login”, “User” etc this will help.
Then drag these emails to a new folder called “GDPR”, or “data to sort”
Then go through them and copy those details to a single contact database whether it be a spreadsheet, Sharepoint or Outlook Contact list, check any logins (if they no longer work remove the email, shred the paperwork anyway)
Once this exercise is complete delete these emails, including the trash.
Now your third-party data will be in one place so it can be easily updated or removed.
If the data was particularly sensitive you should contact each of those clients to say you have data on them, and if they would like to keep, update or remove it.
8) Analytics make sure you confirm the use of Googles Analytics policy or you may lose crucial data.
Ok so this is more specifically focused on website design, development and SEO businesses. If you use Google Analytics or your Google account is linked to other client analytics Sign in to Google and accept the terms here:
You need to also save the data retention policy and that is all good.
9) We make sure you who is data is up-to-date and give you or your clients the chance to opt-out and hide your details from public search
This is also aimed at service providers and their clients. With the 25th May looming closer maybe it is time maybe its time to make sure any clients who-is data is up to date.
I would advise you should always use a third-party hotmail or gmail account to register a domain and not an email tied to that domain, I will explain why in another post.
10) Remove any third-party saved logins from your browsers
If you provide services for other people where you need to log into their accounts, now would be a good time to make sure your record of this is stored offline and not saved in your browsers auto fill data.
I will advise how to do this later in another post.
note – we aim to keep this a living document and update this from time-to-time when the GDPR is updated or we otherwise find other information that may be of use or correct that which might be incorrect. At this time we believe this to be correct.