Make Your Website GDPR Compliant
26th April 2018
What is GDPR?
The GDPR (General Data Protection Regulation) is the EU data protection regulation that comes into force on 25th May 2018. It replaces the 1995 Data Protection Directive, which in the UK was implemented by the Data Protection Act 1998. It strengthens the protection of the personal data of individuals in the EU and increases the obligations on organisations that collect and process that data, wherever those organisations are based.
The ICO has published an excellent set of webpages aimed at informing you about the GDPR, which you can find here. In this post we aim to give you an overview of some key points and practical tips to help make your website GDPR compliant.
Q. What is personal data?
A. Personal data is any information relating to an identified or identifiable natural person, for example a name, postal address, email address or phone number. For a website this also includes online identifiers such as an IP address or a cookie ID, which the GDPR explicitly names as personal data.
Q. I’m only a small business, do I have to comply?
A. Yes. If you hold and process personal information about your clients, prospects, employees or suppliers, you are legally obliged to protect that information in line with the regulation, whatever the size of your business.
Under the GDPR you need a lawful basis for collecting and processing any personal data, and, importantly, you must document which basis you have decided applies. There are six lawful bases (Article 6(1)): consent, contract, legal obligation, vital interests, public task and legitimate interests. For a typical website, consent covers marketing emails, contract covers taking and fulfilling an order, and legal obligation covers keeping accounting records. You should choose and record the basis before you collect the data, because you cannot swap to a different basis later if the first one turns out to be inconvenient.
GDPR Considerations for your Website
Methods of Contact
Users should be able to give consent separately for each type of contact: give your customers the option to choose whether they are contacted by post, email or phone, with each option unticked by default. A pre-ticked box, or silence, does not count as consent under the GDPR.
It must be as easy to withdraw consent as it was to give it. An unsubscribe link at the bottom of your emails and a clear unsubscribe procedure in your marketing material are essential. We would also recommend an area within the website where logged-in users can view and amend their preferences.
You must ensure that your website software is on a supported release with the latest security patches applied. Applying security updates as soon as they are released is essential: an unpatched e-commerce platform is a common way for personal data to be stolen, and a breach through a known, unpatched vulnerability is very hard to defend as "appropriate security" under the GDPR.
Right to be Forgotten
The GDPR gives customers a right to erasure (the "right to be forgotten"): on request, their personal data must be deleted from your systems. In Magento this can be implemented as a module that removes a customer's personal data on request, and the same routine can be used to purge data that should no longer be stored under the new rules. It is worth pointing out that this is not an absolute right and can be a bit confusing: for example, you need to keep a customer's data in order to fulfil their order, and you may be legally required to retain order and invoice records for accounting or tax purposes after the customer's account is deleted. In practice that often means deleting the account and anonymising the personal details on historical orders rather than deleting the orders themselves. You can read more about when this right applies here.
If your website is transactional, check that your payment gateway provider is GDPR compliant and keep a record of the correspondence in which they confirmed this. Being able to show the evidence that you took adequate steps to ensure compliance matters as much as the steps themselves; the GDPR calls this accountability.
Third Party Software
Similarly, and in addition to the above, it is essential to ensure that all third-party software connected to your website (e.g. module extensions, email marketing software, live chat functions) is GDPR compliant. Your privacy notice also needs to state when data is passed to or via third-party software. Where such a third party processes personal data on your behalf it is a "processor", and you are required to have a written contract with it that sets out what it is allowed to do with the data and its other responsibilities under the GDPR; you can see a simple checklist here.
Terms and Conditions
SSL Certificate & Server Security
Protecting your website from attackers who could steal your customers' personal information is essential, and the GDPR requires both the website and the hosting server to have security appropriate to the risk (Article 32 names encryption as one such measure). Most people still call it an "SSL certificate", but SSL (Secure Sockets Layer) is the obsolete predecessor of TLS (Transport Layer Security), and a properly configured server should only offer TLS 1.2 or later. A certificate can be bought cheaply, or obtained for free from Let's Encrypt, and installed on the web server. Once it is installed, connections made over https:// between the browser and the server are encrypted, so data submitted via forms cannot be read or altered in transit. Two caveats: the encryption only applies to pages actually served over HTTPS, so the server must redirect plain http:// requests to https:// and send an HSTS header, otherwise a form on an http:// page still sends customer data in cleartext; and TLS protects data only in transit, so the data once stored on the server still depends on that server being kept patched and access to it being restricted.
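As an added example (not part of the original post), here is an nginx server configuration that implements the caveats above: plain HTTP is redirected to HTTPS, only TLS 1.2 and 1.3 are offered, and an HSTS header is sent. The hostname www.example.com, the Let's Encrypt certificate paths, the document root and the PHP-FPM socket are assumptions; substitute your own.

```nginx
# Added example, not from the original post. Hostname, certificate paths,
# document root and PHP-FPM socket are assumptions; replace them with your own.

# Port 80: accept the connection only long enough to send the browser to
# HTTPS. Without this block a form on http://www.example.com/contact would
# submit customer data in cleartext even though a certificate is installed.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com example.com;
    return 301 https://www.example.com$request_uri;
}

# Port 443: the only place the site is actually served.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;

    # Certificate and key (Let's Encrypt paths assumed).
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Despite the directive names this is TLS, not SSL. nginx's default also
    # enables TLSv1 and TLSv1.1; this restricts the server to 1.2 and 1.3.
    # (TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS: a browser that has seen this header refuses plain HTTP for the
    # host for a year, so a typed or bookmarked http:// URL is upgraded
    # locally and never reaches the network unencrypted.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com/pub;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Hand PHP requests (order and contact forms) to PHP-FPM over a local
    # socket. nginx has already decrypted the form data at this point, so the
    # hop to PHP-FPM must stay on the same machine.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, curl -I http://www.example.com/ should return a 301 to the https:// URL, and curl -I https://www.example.com/ should show the Strict-Transport-Security header. To confirm that old protocol versions are refused, run openssl s_client -connect www.example.com:443 -tls1 and check that the handshake fails; an online scanner such as the SSL Labs server test will report the same. If your nginx build is older than OpenSSL 1.1.1, remove TLSv1.3 from ssl_protocols and keep TLSv1.2 only.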
If you have any specific questions on GDPR, please contact our GDPR team at email@example.com.
The information provided here represents our views on the GDPR. It does not constitute legal advice, and our views may change as the Information Commissioner's Office publishes more guidance. You should consider taking your own legal advice as you see appropriate.