
Is your website GDPR-ready?

April 4, 2018 2:21 pm

You’ve no doubt heard lots about the new GDPR, which comes into force on 25 May.

As the main focus is on the way you source, store and share data, there are implications for your website so we’re here to make sure you’re fully prepared.

How GDPR affects your website

GDPR is all about consent. When you collect personal data on your site, you need to get permission to use it. People who use your website must understand how you plan to use their data, and give their consent.

So if you’ve got someone’s email address because they’ve placed an order with you, you can only market to them if they’ve actively agreed to this. Not just because they bought something from you once upon a time.

As this is all so new, the ramifications aren’t yet clear. Nobody has professed to be an expert at GDPR and there’s no one size fits all solution yet… believe us, we’ve checked!

5 key areas for GDPR compliance

To help you understand what it will mean for your website, we’ve put together a quick check list:

  1. Your documents are likely to need updating, starting with forms, privacy notices and cookies. All the small print. You’ll want to tell your visitors what sort of data you’re collecting and why. Take a look at our privacy notice to see how it’s changed.
  2. It’s also wise to make sure that any data submitted to your website is encrypted in transit using HTTPS, i.e. a TLS certificate (still commonly called a Secure Sockets Layer, or SSL, certificate). This not only secures your website’s connection and protects personal data from being read while it travels between the visitor and your server, it can also boost your Google rankings. If you don’t already have this, talk to John about it. He knows exactly what to do to put this in place so that you have peace of mind about every transaction.
  3. Consent is a big part of GDPR. You’ll need to make sure all consent forms are unchecked by default and that it’s absolutely clear what your visitors need to do to ‘opt in’. Keep these forms separate from your regular terms and conditions for optimum transparency.
  4. Under the GDPR, you’ll need to appoint a Data Protection Officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. This role can be an existing employee or someone external. Make sure that their contact information is clearly listed on your site so that people can easily get in touch. There’s more about what’s required at ico.org.uk
  5. Are you clear about the Right to be Forgotten? The GDPR states that “a data subject should have two rights: the right to have his or her personal data erased, and no longer processed where the personal data is no longer necessary in relation to the purpose for which they are collected or otherwise processed.”
    As a result, your visitors can request to have all the data held about them deleted, including from backup systems. According to research by Solix, 82% of organisations don’t know where their most sensitive personal data is stored… and only 55% maintain audit trails for data consents, collection, updates and deletion. That’s a real risk of non-compliance. Therefore, getting to grips with what you need to do in bite-size chunks makes a lot of sense.

Still unsure about the GDPR and your website?

If you’re not clear how all this will affect your website, don’t worry. It’s not too late…

We can help you and your website get ready for 25 May. Just give us a call on 0330 088 9277 or email john@ketchup-marketing.co.uk.


Data protection: what’s all the fuss about?

January 22, 2018 1:00 pm

On 25 May 2018, a new era in data protection will begin. This is when new rules around collecting, storing and handling personal data come into effect.

Under the General Data Protection Regulation (GDPR), organisations will need to keep transparent records of how (and when) an individual gives consent to store and use personal data.


Built in, not bolted on

This isn’t just an evolution of the Data Protection Act – it has wider implications for the way that companies operate. It requires that data protection is built in by design and by default, rather than bolted on afterwards.

Organisations will need to know exactly what personal data they hold and where it is located (on PCs, servers or in the Cloud). They must also have procedures in place to remove it permanently when an EU citizen requests this.


Why now?

We’ve moved on. The current Data Protection Act dates from the 1990s when only the largest companies had the means to collect and store significant amounts of data. Times have changed and the digital revolution is upon us. Thousands of SMEs now routinely access and store data about their customers.

As many of our clients are SMEs, we figured it would be useful to outline some key points about the new regulation. You have better things to do than read the official document’s 200+ pages.


What will the new data protection law mean for your business?

You will need to use simple language when asking for consent to collect data. You must explain clearly to customers what you do with their information. You’ll also need to have the functionality in place to respond to requests to delete data. In the future, all software will need to be capable of erasing data, rather than suppressing it. Quite a challenge.


So what’s changed?

The world has changed. Huge amounts of digital information are collected, exchanged and used every second around the globe. The GDPR will include, for the first time, things such as genetic, mental, cultural, economic or social information that can be used to identify an individual.

It doesn’t matter where your business is based – after 25 May 2018, if you’re processing data about someone in the EU, you’ll need to follow the rules.

We’re all familiar with the small print on marketing materials. Things like the pre-ticked boxes that imply consent unless customers choose to opt out. Under the new rules, individuals have to actively give consent – and they can also withdraw this consent at any time. When this happens, their details must be permanently erased – not just deleted from mailing lists. It’s the right to be forgotten.


What happens in the event of proven non-compliance?

The penalty for breaching the regulation is eye-watering.

Serious violations will set you back up to £17 million or 4% of your annual global turnover, whichever is higher.

Here in the UK, the Information Commissioner’s Office (ICO) will enforce the GDPR. It’s worth following their updates here before 25 May 2018.

Their intention isn’t to make early examples of organisations for minor infringements or to threaten big fines. There are other sanctions that they’ll use in cases of non-compliance… reprimands, warnings, corrective orders. As a result, it’s your reputation rather than your bank account that’s more likely to suffer.

Final guidance was published in December 2017 which you can see here.

Let’s end on a positive. You’re very likely to already comply with the terms of the Data Protection Act, so you’re well on the way to being ready for GDPR. If your website stores information about your customers, it’s a good idea to get in touch for an audit so we can help you identify the changes – if any – you need to put in place.
