By now you’ve probably heard about GDPR (The General Data Protection Regulation) which comes into effect on the 25th May 2018.
If you have a website that collects any information about your visitors, then you need to make sure your site is as GDPR compliant as possible by this deadline, or you could face some serious fines.
Does GDPR apply to you?
Yes, if you have a website (or anything else that collects data for that matter) then you need to be compliant.
Important note: we are not legal experts and this post is not legal advice; it is an outline of what your website needs to have on it to comply broadly with the GDPR.
The broad reach of GDPR can be distilled into something like this:
- You must obtain explicit permission before sending a contact any emails (we think this is the safest approach)
- You are not allowed to collect someone's data for purpose X and then email them about Y
- If you have a mailing list (email) you must be able to show that everyone on it gave their explicit consent to be on it (they must have opted in)
- You must have a clear mechanism in place to allow people to find out what data you store about them
- You must have a Privacy statement on your website that explains what you collect and what you do with data
Are you a data controller?
If you process any form of personal data (forms from your website, etc.) then you are a data controller (or at least someone at your company needs to be).
The GDPR states that you have to have policies and paperwork in place to cover off your storage and use of that data.
We recommend getting some professional advice on this subject.
The only advice that we can legitimately give you on this subject is this:
You have to do something about your GDPR compliance. It is not going away, and it most certainly does affect your business.
Are we your data processor?
If you have a website that’s hosted by Toast, then we are your data processor (in regard to the website only).
If your site collects personal information, we process this for you (by way of the forms on your site).
This is where it gets even more complicated.
- You host your site with Toast, on our servers.
- In turn, we pay third-party providers to provide us with the hosting infrastructure
- Again, in turn, our third-party providers have their own third-party providers.
If you also have additional functions on your site such as a CRM (HubSpot or SalesForce for example) these companies are also your data processors.
It doesn't matter where in the world your processor is: if they are processing EU (UK) data, they have to comply with GDPR, as it protects the data irrespective of where that data is held.
This also goes for everyone else that might touch data. These would include:
- Your bookkeeper, if they are contracted rather than employed
- Call centres
- Third-party credit checkers
- and so on
So what do you do?
There is much concern that pop-up companies may appear specifically to fast-track claims on behalf of people who say you've mismanaged their data.
With so much of the GDPR open to interpretation at this stage, we think a belt-and-braces approach is the best method of dealing with everything initially.
At the very minimum, we would suggest (and please remember that this should not be seen as legal advice):
- Only store data where you need it to be stored and only store it for a period of time that makes sense
- Don't make copies of people's data and put them on USB sticks or non-secure cloud storage
- Don’t automatically add everyone that emails you to a mailing list (this is a big no)
- Decide on how long you need to keep the data for
- Devise some automated way of deleting data when you no longer need it
- Make sure your site has a cookies policy
- Make sure people can delete your cookies
Those are the absolute basics – you might also want to consider:
Conduct a data audit: list everywhere that stores your data and everything that processes it.
Cut the non-essential items out of that list.
Do you really need that email marketing list? Are there better ways to communicate with your audience?
So what next?
It’s been widely documented that it’s better to be seen as trying to comply with GDPR than doing nothing at all.
It’s also important to remember that if you have a contract with a customer, then you are allowed to contact them in regard to that contract. GDPR does not stop you contacting people, but it does try to ensure your reason for contacting someone is valid and expected.
If you are a Toast client, we’ll be contacting you shortly with further information about what you need to do on your websites.
If you have a website that’s not hosted by Toast, we can still help you make your site more compliant with GDPR.