Recently we have been helping out a number of clients update their websites to get up-to-date with the new GDPR regulations that come into effect on the 25th May 2018.
Here is our step-by-step guide to becoming more compliant with the new GDPR regulations; some useful links to resources are included.
We realise that this guideline is not the definitive consent checklist, but it may serve as a reminder to help your organisation become more GDPR compliant.
I think the NHS has gone through a similar process by allowing patients to be able to request their own hospital records.
Many people may be panicking at the moment, but from what I understand the new law is going to take a softer approach as the new regulations come into effect.
1. Becoming aware of the new GDPR regulations.
The first thing to acknowledge is what the GDPR is and what it aims to achieve. The emphasis is on giving end users, clients and potential contacts more control over the data you hold on them, and on applying tighter security measures to that data.
These rights can be outlined as:
- The right to be forgotten: to have any data you may hold on them deleted.
- The right to update and correct any data held by you.
- The right to request copies of any data held by you.
2. Identify where your data is kept.
The first thing to do is run an audit, as a bullet-point list, and identify where sensitive data may be kept. If a client asks you to delete their information you won’t want it hanging around everywhere – see point 7 below.
These could be:
- In emails.
- In Outlook or Gmail contacts, tasks and notes.
- In SharePoint or HubSpot databases.
- In WordPress, Joomla, Drupal or any contact form submissions stored online.
- Post-it notes, offline documentation.
- Word/Excel/PDF Documents.
- Mailing lists such as Mailchimp.
- Accounting software that keeps contact information, such as Xero.
We know that the larger your organisation is the more people and the more systems you may already have in-place.
Perhaps your business has already been involved in this activity.
This is not just about trying to come to a better understanding but is also about protecting yourself and your online users.
You have the right to request your data be removed from our database systems if you feel it is no longer necessary for us to hold the data.
Full details of this can be read in our GDPR Policy.
Please email email@example.com with your request.
If you would like to discuss what data we hold and how we handle it please do get in touch either by email to firstname.lastname@example.org or Phone telephone number.
If you would like to see/read the Eggbox Designs Ltd GDPR policy please email email@example.com or Phone telephone number.
Eggbox Designs Ltd will store your details in order for you to gain access and use our online services.
You can choose to no-longer use our services at any time and Eggbox Designs Ltd will completely remove and delete your login details, private folders and any reference to you in accordance with the GDPR laws May 2018. You can sign up again at any time.
More information on GDPR laws in the UK: https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views
4. If you collect sensitive data via an online form you should be making use of an SSL certificate.
The GDPR sets out how your business must treat the collection of personal data: names, addresses, emails and telephone numbers. You should take all due care and attention over how that data is collected.
We advise making your website as secure as possible. This means making your website use the HTTPS protocol instead of HTTP.
Any data sent over standard HTTP is not encrypted and is therefore more likely to be intercepted. If your e-commerce site takes payment details, it should certainly be on HTTPS by now.
While using your website’s SSL certificate is not 100% foolproof, it is better than plain HTTP and shows a willingness to comply with the new regulations. Upgrading to HTTPS will not only let your end users feel more secure about using your website, but will also net better rankings in SEO results.
Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. From July 2018, as stated on Google’s blog, many HTTP websites could appear lower in the rankings or be marked as not secure in the search results.
5. Add a checkbox to existing forms for people to opt-in.
The GDPR law now states that people have to opt-in and give you their consent when contacting you via any online form. So if you use an online form you should add a tick box that states something along these lines:
I authorise you to use my details to contact me.
The box must be required and must not be pre-ticked!
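As an added example (not code from the original post), here is a small server-side check for the consent box described above: one function audits a form’s HTML to confirm the box exists, is required and is not pre-ticked, and another accepts a submission only when the box was explicitly ticked, returning the consent record (timestamp and wording) to store. The field name `gdpr_consent` and the sample markup are assumptions.

```python
"""Audit a contact form's consent checkbox and validate submissions (added example)."""
from datetime import datetime, timezone
from html.parser import HTMLParser

CONSENT_FIELD = "gdpr_consent"  # assumed name of the consent checkbox


class _CheckboxFinder(HTMLParser):
    """Collects every <input type="checkbox"> in the form, keyed by its name."""

    def __init__(self):
        super().__init__()
        self.boxes = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as "checked" map to None
        if tag == "input" and a.get("type") == "checkbox":
            self.boxes[a.get("name")] = a


def audit_consent_checkbox(form_html, field=CONSENT_FIELD):
    """Return a list of problems with the consent box; an empty list means it is fine."""
    finder = _CheckboxFinder()
    finder.feed(form_html)
    box = finder.boxes.get(field)
    if box is None:
        return ["no consent checkbox named %r" % field]
    problems = []
    if "checked" in box:
        problems.append("consent box is pre-ticked")
    if "required" not in box:
        problems.append("consent box is not required")
    return problems


def validate_submission(form, wording, field=CONSENT_FIELD):
    """Accept a submission only with an explicit tick; return the consent record to keep.

    Browsers send "on" for a ticked checkbox that has no value attribute, and send
    nothing at all when it is unticked, so anything other than "on" is a refusal.
    """
    if form.get(field) != "on":
        raise ValueError("submission rejected: consent not given")
    return {
        "email": form.get("email"),
        "consented_at": datetime.now(timezone.utc).isoformat(),
        "wording": wording,  # the exact sentence the person agreed to
    }
```

Keeping the wording alongside the timestamp is what lets you show later exactly what the person consented to.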
6. Consider if you need to contact previous clients for consent.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
If you have a contact list in your database you may well think it prudent to remind those clients that you keep information on them and that you require their consent before the 25th May 2018.
If you do not get an email back you could try contacting them by telephone. It is polite and shows initiative that your organisation is doing its best to comply with the new regulations (it’s also a good way to generate new business).
7. Make sure historical form submissions that were stored in your online database, CMS or CRM are tidy.
If you want to appear thorough you should go through and remove redundant data. Ideally, don’t keep usernames and passwords in old emails.
Furthermore, you need to make sure any private data is secured in one place, such as a CRM or CMS, regardless of whether that is a database, a spreadsheet, an Outlook contact folder or otherwise.
This is particularly important if you have been sent login details to clients’ third-party online services in the past. Leaving these in your deleted items is not good practice, so sort them out.
Migrate any private data in your emails (sent items, inbox, drafts, deleted items, post-it notes, printed documents) by searching for keywords such as “Password”, “PWS”, “PSWD”, “Login”, “User” etc.
Drag these emails to a new folder called “GDPR”, or “data to sort”.
Then go through them and copy those details to a single contact database, whether it be a spreadsheet, SharePoint or an Outlook contact list, and check any logins (if they no longer work, remove the email and shred the paperwork anyway).
Once this exercise is complete delete these emails, including the trash.
Now your third-party data will be in one place so it can be easily updated or removed.
If the data was particularly sensitive you should contact each of those clients to say you have data on them, and ask whether they would like to keep, update or remove it.
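The keyword search from step 7, written as an added example (not code from the original post) over a constructed mailbox export: every message, deleted items included, is scanned for the guide’s keywords, and the flagged messages and folders are returned so they can be moved to a “GDPR” folder and sorted. The export format (id, folder, subject, body tuples) and sample messages are assumptions.

```python
"""Flag stored email containing credential keywords, as in step 7 (added example)."""
import re

# Keywords from the guide; matched as word prefixes so "Passwords", "Username"
# and "Logins" are caught as well as the bare words, case-insensitively.
KEYWORDS = ("password", "pws", "pswd", "login", "user")
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")", re.IGNORECASE)

# Constructed sample export: (message id, mailbox folder, subject, body)
SAMPLE_MESSAGES = [
    ("m1", "Inbox", "Site hosting details", "Login: admin\nPassword: hunter2"),
    ("m2", "Deleted Items", "Re: FTP", "user: ftpclient pswd: s3cret"),
    ("m3", "Sent Items", "Invoice May", "Please find the invoice attached."),
    ("m4", "Drafts", "CMS access", "Your username is editor1."),
]


def flag_credential_messages(messages):
    """Return [(id, folder, sorted keywords found)] for every message that needs sorting."""
    flagged = []
    for msg_id, folder, subject, body in messages:
        hits = {m.group(1).lower() for m in PATTERN.finditer(subject + "\n" + body)}
        if hits:
            flagged.append((msg_id, folder, sorted(hits)))
    return flagged


def folders_needing_review(flagged):
    """Every folder that still holds flagged mail, so deleted items are not overlooked."""
    return sorted({folder for _, folder, _ in flagged})


if __name__ == "__main__":
    found = flag_credential_messages(SAMPLE_MESSAGES)
    for msg_id, folder, hits in found:
        print(f"{msg_id} ({folder}): move to GDPR folder, matched {', '.join(hits)}")
    print("folders to empty afterwards:", folders_needing_review(found))
```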
8. Make sure you accept Google Analytics’ updated policy or you may lose crucial data.
This is more focused on website design, development and SEO businesses. If you use Google Analytics, or your Google account is linked to other clients’ analytics, sign in to Google and accept the terms here:
You also need to save the data retention setting.
9. Make sure your data is up-to-date and give your clients the chance to opt out and hide their details from public search.
This is also aimed at service providers and their clients. With the 25th of May looming closer, it is time to make sure all clients’ data is up-to-date.
I would advise that you always use a third-party Hotmail or Gmail account to register a domain, and not an email tied to that domain; I will explain why in another post.
10. Remove any third-party saved logins from your browsers.
If you provide services for other people where you need to log into their accounts, now would be a good time to make sure your record of this is stored offline and not saved in your browser’s autofill data.
I will advise how to do this later in another post.
Note – we aim to keep this a living document and update it from time to time when the GDPR is updated, when we find further information that may be of use, or to correct anything that turns out to be incorrect. At this time we believe this to be correct.