GDPR and what it means for your website

07 February 2018

On 25 May 2018 the new European data protection legislation, the General Data Protection Regulation (GDPR), becomes enforceable. It is likely to have a significant impact on the way you communicate with your customers and prospects.

The GDPR is European law that places the obligation on organisations to protect the personal data of their Data Subjects (employees, prospects, customers) on whom they hold that data.

On almost every website we build, there are contact forms collecting user data. The information gathered is generally emailed to you, but it is also stored in the site database, which means it is subject to the GDPR.


You – the Data Controller

In a nutshell, GDPR is about having a lawful basis for processing individual customer data (on a website form this is most often the Data Subject's consent) and looking after that data appropriately. The obligations you will have as a website owner (and therefore the Data Controller) are as follows:

  • Tell the user who you are, why you collect the data, for how long you keep it, and who receives it.
  • Get clear consent before collecting any user data, separately for every purpose you intend to use it for (e.g. someone agreeing to send an enquiry does not automatically mean they want to be added to your marketing list).
  • Let users access their data and take it with them if they choose.
  • Let users delete their data if they wish.
  • Let the Information Commissioner's Office (ICO) know if a data breach occurs (where feasible within 72 hours of becoming aware of it), and tell the affected users where the breach is likely to put them at high risk.

Failing to comply with the GDPR can lead to fines of up to €20m or 4% of global annual turnover, whichever is higher.

Crucially, this applies to all personal data records you hold, including historic data collected on the website before the regulation comes into force in May 2018.

[Diagram: GDPR website data responsibility]

Us – Data Processors

BML’s role in GDPR is that of a Data Processor acting on behalf of you, the Data Controller.

As Data Processors, we have access to that data and can help you to manage it in line with your instructions. However, the responsibility for ensuring GDPR compliance lies with the Data Controller (our clients), so it is ultimately your responsibility to ensure you have all legal obligations and measures in place to protect your organisation.

Our primary role in relation to GDPR, is to comply with your instructions in relation to the handling of data you control.

Our suppliers – Sub Processors

The actual servers your websites are hosted on are managed by an end hosting provider that we contract. All data is physically stored in the UK. In terms of GDPR, our end hosting provider is known as a Sub Processor, as they provide services to us and are technically able to access the end user data too (although in reality this would only ever be under our instruction).

Any sub-contractors BML use (such as freelance web developers we may utilise in very busy periods, or for holiday cover) would also be termed as Sub Processors. They may also have access to user data, although this is rare.

Their role in relation to GDPR is to comply with any instructions we pass on to them, in relation to the handling of data.

Action Points

To help ensure your websites are GDPR compliant, our advice is that you take the following steps:

  • Make sure any contact forms have an explicit opt-in check box, unticked by default (a pre-ticked box does not count as consent), stating exactly how the data is going to be used, with a separate box for each purpose such as marketing (the exact wording will need to be provided by you) and linking to your privacy policy for more information. Please email our quotes team if you would like to obtain a cost for implementing this on your website.
  • Update your privacy policy (or create a new one if it doesn't already exist) to say how personal data is being used, how long it is kept, and how people can request access to the data you hold and request its removal if they wish (e.g. by emailing someone). You should be able to do this yourself via the admin area of your website.
  • Keep your website updated regularly to minimise the chance of it being hacked. Many of our clients have maintenance packages in place to ensure their websites are kept up to date. Please email our quotes team for details.
  • Have a plan of action in case someone requests that their information be deleted, or in case a data breach occurs.
  • We would also recommend you purchase and install an SSL/TLS certificate and serve your website over HTTPS, so that form submissions are encrypted in transit rather than sent in the clear, as well as giving visitors greater reassurance. Again, please email our quotes team for details.

Where is user data stored and how can it be removed?

In circumstances where BML provide your website hosting, data for your live website is stored in the site database. This is located on a physical server based in a UK data centre.

In terms of accessing user data to delete it, you can generally delete stored contact form entries using the normal admin area of the site. This means you can easily remove data for anyone who requests it. It is advisable to delete this data regularly in any case, as it will have been emailed to you anyway. If you don't have explicit consent from currently stored contacts, then it makes sense to remove them well ahead of the deadline.

Copies of user data may also be held on local development and staging servers as part of our normal development process. If a data removal is requested, we will also remove any relevant data that may be held on those machines, along with data held on the machines of any relevant Sub Processors we have contracted.

We also backup the web server daily, keeping a 30 day history of all information on a separate secure server. If a user requests that their data should be removed, then we will also need to remove the relevant backups where their data may also appear. You will need to instruct us to do this as part of your removal request process.
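The opt-in check box from the action points above and the access and removal process in this section, as an added example that is not BML's code and is not taken from this page: a small Python model of the contact-form entries a site database might hold. It records which purposes were ticked (with the wording and privacy policy version the user saw), rejects submissions where the required box was not ticked, treats anything other than a genuine tick as no consent, and supports access requests, removal requests (logging only a hash of the address as evidence that the removal happened) and a 30-day retention purge mirroring the backup history above. ContactStore, PURPOSES, PRIVACY_POLICY_VERSION, the consent field names and the sample submissions are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List

# Assumption: the privacy policy carries a version string, so each consent record
# shows which wording the user saw when they ticked the box.
PRIVACY_POLICY_VERSION = "2018-05-25"

# One check box per purpose (hypothetical wording); the text is stored with the consent.
PURPOSES = {
    "enquiry": "Use my details to reply to this enquiry",
    "marketing": "Email me about products and offers",
}

class ConsentError(ValueError):
    """Raised when a submission lacks the consent needed to process it."""

@dataclass
class Submission:
    email: str
    message: str
    received_at: datetime
    consents: List[dict]  # one record per ticked purpose: purpose, wording, version, time

class ContactStore:
    """In-memory stand-in for the site database table that holds form entries."""

    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)
        self._rows: List[Submission] = []
        self.erasure_log: List[dict] = []  # evidence of erasure without keeping the data

    def submit(self, form: dict, now: datetime) -> Submission:
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            raise ConsentError("a valid email address is required")
        consents = []
        for purpose, wording in PURPOSES.items():
            # Only the literal "on" sent by a ticked check box counts: a missing key or a
            # pre-filled value such as "true" is treated as no consent for that purpose.
            if form.get(f"consent_{purpose}") == "on":
                consents.append({"purpose": purpose, "wording": wording,
                                 "policy_version": PRIVACY_POLICY_VERSION, "given_at": now})
        # Consent to handle the enquiry is required; marketing is a separate, optional box.
        if not any(c["purpose"] == "enquiry" for c in consents):
            raise ConsentError("explicit consent to process the enquiry is required")
        sub = Submission(email, form.get("message", ""), now, consents)
        self._rows.append(sub)
        return sub

    def has_consent(self, email: str, purpose: str) -> bool:
        """True only if a stored entry from this address carries consent for the purpose."""
        email = email.strip().lower()
        return any(c["purpose"] == purpose for r in self._rows if r.email == email for c in r.consents)

    def export(self, email: str) -> List[dict]:
        """Access request: everything held about one address, as plain dicts."""
        email = email.strip().lower()
        return [asdict(row) for row in self._rows if row.email == email]

    def erase(self, email: str, now: datetime) -> int:
        """Removal request: drop every entry for the address and log only a hash of it."""
        email = email.strip().lower()
        before = len(self._rows)
        self._rows = [row for row in self._rows if row.email != email]
        removed = before - len(self._rows)
        if removed:
            self.erasure_log.append({"subject": hashlib.sha256(email.encode()).hexdigest(),
                                     "erased_at": now, "rows": removed})
        return removed

    def purge_expired(self, now: datetime) -> int:
        """Retention: delete entries older than the window even without a request."""
        before = len(self._rows)
        self._rows = [row for row in self._rows if now - row.received_at <= self.retention]
        return before - len(self._rows)

# Constructed sample submissions: enquiry box ticked only; a client that pre-fills
# "true" instead of the user ticking the marketing box; and no boxes ticked at all.
SAMPLE_FORMS = [
    {"email": "Alice@Example.com", "message": "Quote please", "consent_enquiry": "on"},
    {"email": "bob@example.com", "message": "Hi", "consent_enquiry": "on",
     "consent_marketing": "true"},
    {"email": "carol@example.com", "message": "No boxes ticked"},
]
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)

def load_samples(store: ContactStore) -> int:
    """Submit the constructed forms; return how many were rejected for lack of consent."""
    rejected = 0
    for form in SAMPLE_FORMS:
        try:
            store.submit(form, T0)
        except ConsentError:
            rejected += 1
    return rejected
```

The point of storing the wording and policy version alongside each tick is that, if a Data Subject later disputes what they agreed to, the record shows exactly which statement they saw; the erasure log keeps a hash rather than the address so that proof of removal does not itself retain the personal data that was removed. In a real site the same rules would apply to the emailed copy and to the backups described above.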

Third party services

Whilst this is not our responsibility, it will also be important that you take into account any tools you are using on your website that may collect individual user data and information (e.g. tools such as Google Analytics, Lead Forensics, Hubspot etc.).

This should be accounted for in your privacy policy and your deletion and information access processes. Cookie notification warnings should be implemented to cover this. Please email our quotes team if you do not currently have cookie notifications in place on your site and need to add them.

Summary

To sum up, we will work with you to:

  • Support any Personal Information Audits you need to conduct on behalf of your business
  • Change any data capture forms you may have on your website
  • Add or update your Privacy Policy on your website
  • Improve the security of your data in line with your approach to compliance with the new legislation
  • Work with you to assess and implement removal of Data Subject/s

We will work with you as best we can to ensure your website keeps you on the right side of the new GDPR regulations.

Useful Resources

Hubspot.com
Useful resources including guides to move through the GDPR compliance process.
https://www.hubspot.com/data-privacy/gdpr-checklist

Information Commissioners Office
Guide to the General Data Protection Regulation (GDPR)
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

EUGDPR.org
Site designed to educate about GDPR.
https://www.eugdpr.org/

Looking for help to make your website GDPR compliant?

Get in touch with BML today
