The General Data Protection Regulation (GDPR) is a European law that places the responsibility on organisations to protect the personal data they hold on their Data Subjects (employees, prospects, customers). On almost every website we build, there will be contact forms in place collecting user data. The information gathered is generally emailed but is also stored in the site database, which means it will be subject to the new GDPR regulation.
On the 25th of May 2018, new European Data Protection Legislation, GDPR will become law. This new legislation will likely have a significant impact on the way you communicate with your customers and prospects.
In a nutshell, GDPR is all about consent and looking after individual customer data appropriately. The obligations you will have as a website owner will be:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent before collecting any user data, for every purpose that you intend to use it for (i.e. someone agreeing to send an enquiry does not automatically mean they will want to be added to your marketing list).
- Let users access their data and take it with them if they choose.
- Let users delete their data if they wish.
- Let the affected users and the Information Commissioner's Office (ICO) know if data breaches occur.
The consequences of failing to comply with the new GDPR legislation can include fines of up to €20m or 4% of global annual turnover. Crucially, this applies to all data records, including historical data collected on the website prior to the new regulations coming into force in May 2018.
BML's role in GDPR is that of a Data Processor acting on your behalf. As Data Processors, we have access to that data and can help you to manage it in line with your instructions. However, the responsibility for ensuring GDPR compliance lies with our clients, so it is ultimately your responsibility to ensure you have all legal obligations and measures in place to protect your organisation. Our primary role in relation to GDPR is to comply with your instructions on the handling of the data you control.
The actual servers your websites are hosted on are managed by an end hosting provider that we contract. All data is physically stored in the UK. In terms of GDPR, our end hosting provider provides services to us and is technically able to access the end user data too (but in reality, this would only ever be under our instruction). Any sub-contractors BML use (such as freelance web developers we may utilise in very busy periods, or for holiday cover) may also have access to user data, although this is rare. Their role in relation to GDPR is to comply with any instructions we pass on to them regarding the handling of data.
To help ensure your websites are GDPR compliant, our advice is that you take the following steps:
- Keep your website updated regularly to minimise the chance of getting hacked. Many of our clients have maintenance packages in place to ensure their websites are kept up-to-date.
- Have a plan of action in case someone requests their information to be deleted or if a data breach occurs.
- We would also recommend you purchase and install an SSL certificate on your website to give visitors greater reassurance.
Where is user data stored and how can it be removed?
In circumstances where BML provide your website hosting, data for your live website is stored in the site database. This is located on a physical server based in a UK data centre.
In terms of accessing user data in order to delete it, you can generally delete stored contact form entries using the normal admin area of the site. This means you can easily remove data for anyone who requests it. You may be advised to delete this data regularly, as it will have been emailed to you anyway. If you don't have explicit consent from currently stored contacts, then it makes sense to remove them well ahead of the deadline.
Copies of user data may also be held on local development and staging servers as part of our normal development process. If a data removal is requested, we will also remove any relevant data that may be held on those machines, along with data held on the machines of any relevant suppliers we have contracted.
We also back up the web server daily, keeping a 30-day history of all information on a separate secure server. If a user requests that their data be removed, then we will also need to remove the relevant backups in which their data may appear. You will need to instruct us to do this as part of your removal request process.
Third party services
To sum up, we will work with you to:
- Support any Personal Information Audits you need to conduct on behalf of your business
- Change any data capture forms you may have on your website
- Improve the security of your data in line with your approach to compliance with the new legislation
- Work with you to assess and implement removal of Data Subject/s
We will work with you as best we can to ensure your website keeps you on the right side of the new GDPR regulations.
Further resources:
- BML Data Processor Compliance Policy: how we support our clients in relation to GDPR compliance.
- BML GDPR Policy: our own policy in relation to the data BML collects and processes for our own purposes.
- Hubspot.com: useful resources including guides to move through the GDPR compliance process. https://www.hubspot.com/data-privacy/gdpr-checklist
- Information Commissioner's Office: Guide to the General Data Protection Regulation (GDPR). https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- EUGDPR.org: site designed to educate about GDPR. https://www.eugdpr.org/