How to get your website ready for GDPR (17 May)
The General Data Protection Regulation (GDPR) is getting business owners in a frenzy.
What exactly do you need to include on your website and how do you ensure customers are communicated with legally and that their data is held securely?
Undoubtedly this has raised concerns, but as long as a documented process is in place and appropriate measures are taken to inform customers and keep their data safe then you should be compliant.
We recommend carrying out your own research but the following steps are a guide to keep you on the straight and narrow and make sure your website is ready for the GDPR coming into force on May 25, 2018.
Publicly available documents
Several key documents need to be accessible on your website to be legally compliant. Documents can easily be uploaded to the ‘media’ section of your site and displayed via a link to a PDF or you can create a new page on your website. You will need:
This can vary depending on whether you operate an e-commerce site or an information site and whether you collect data or use a contact form.
Important business information to include comprises:
- The company name and registration number
- The registered office address and country of registration
- The VAT number (if applicable)
- Contact details – telephone, email – and a means of non-electronic contact
- Details of any trade body or regulator registration such as the Financial Services Authority (FSA)
If your website is an e-commerce platform, a full explanation about the products and services offered, including delivery processes and charges, must be clearly visible. Supplier details and cancellation rights need to be freely available and you must also provide the buyer with information pertaining to the use of their data and transaction including:
- Written (email) confirmation of their order
- Cancellation and cooling off period
- Steps required to complete a transaction
- The opportunity to correct mistakes or change details before order completion
- Details on whether a contract will be permanently filed and/or accessible by the buyer
This information is required by law and consumers must agree to your terms before completing a transaction. If this step is missed you could be liable for refunds and cancellations months later.
Privacy Notice for your website
Make sure you have an SSL Certificate so that your website is served over HTTPS. This confirms to the search engines that you have a secure site and shows visitors the little green padlock in their browser instead of a large ‘not secure, proceed at your peril’ warning.
It’s important to note that some data collection forms store submitted details in files within the website itself. It is recommended to avoid this type of plugin or software so that, once an order has been placed, the details are only stored in a secure facility.
Under fire from all sides
Terms and conditions are a common business document and are highly recommended, even though there is no definitive guidance on what the law requires. The contents will depend on your business and website type, but a safe bet is to include:
- A copyright claim or trademark
- A basic disclaimer to limit your liability against errors on the site
- A condition that user-published content (if allowed) is not endorsed
The main thing to remember is to spend time conforming to website obligations, because if the worst should happen, this is where the courts will turn. And what is the worst that could happen? Non-compliance could result in a fine of up to 20,000,000 Euros or up to 4% of your annual worldwide turnover (whichever is the greater sum). Obviously the big boys will be in the line of fire first, but we wouldn’t recommend leaving anything to chance.
One final thought
Your website is a visual digital entity and it’s likely that you may showcase images with people.
Individuals can be identified from images and from contextual information included as a caption or descriptive paragraph. This will be classed as personal data if the focus is on one person or a group of individuals, so it’s recommended to gain written permission to use the photographs and to explain where the images will be publicly visible and for how long.
This is a requirement for photographs with children so it should be an easy introduction for all ages.
For images that include people in the background or large groups of people, such as a concert or football crowd, written permission is clearly unobtainable and use is therefore reasonably acceptable. The person or organisation taking the photos (if its purpose is professional) should advise people through signage and/or prior notification.
Purchased stock images will have their own copyright and usage requirements so double check the small print.
Need help with the legal documents for GDPR?
Members of the FSB can log in to view over 200 factsheets and in excess of 500 legal documents including some GDPR essentials.
Eliminate uncertainty with an audit
If time has got the better of you or you’re unsure about your website’s construction let’s have a chat to see if we can help. Send an email to contact the team today.
Download our GDPR Checklist
Want to make sure that you have all the aspects in this blog covered on your website? Download our quick GDPR checklist.