GDPR Compliance Checklist for Irish SMEs

This GDPR Compliance Checklist is an easy way to check whether your website is compliant with the new GDPR rules.

First, establish whether your organisation is a data controller, a data processor, or both for the personal data your website handles (the old requirement to register with the Data Protection Commissioner does not carry over under GDPR, but the Data Protection Commission's guidance for controllers and processors does apply). Then use this handy checklist to ensure that your website is compliant with the new regulations, which come into force on 25th May, 2018.

SSL Certificate

An SSL certificate (strictly a TLS certificate, as SSL is the older, now-retired name for the protocol) lets your web server prove its identity to the visitor's browser and encrypt the connection, so the site is served over HTTPS and the browser shows a padlock in the address bar. It means that any details entered into forms or fields on the website are encrypted in transit between the visitor and your server, and nothing more: once the data arrives it is stored however your site stores it (see Pseudonymisation below). There is a range of certificates available and all of them give the same strength of encryption (typically a 2048-bit RSA or 256-bit elliptic-curve key in the certificate, with 128- or 256-bit AES protecting the session); the dearer types differ in how thoroughly the issuer validates your organisation and in the warranty offered, not in the encryption. Make sure every page, including every form, loads over HTTPS, that plain HTTP addresses redirect to HTTPS, and that the certificate is renewed before it expires, as an expired certificate produces a browser warning that visitors will (rightly) not click through.

Privacy Policy

A privacy policy is a detailed document setting out the website owner's full statement on what personal data is captured, when and where it is captured, the lawful basis for using it, what it is used for, how long it is kept, which third parties receive it and why, and the contact details of the Data Protection Officer (DPO) if you are required to appoint one or have chosen to. The privacy policy should also explain how a user can request a copy of the details held about them (a subject access request), how to have them corrected, and how to request that they be permanently deleted (the right to erasure, often called the Right to be Forgotten), along with the user's right to complain to the Data Protection Commission.

Cookie Policy

This is a page on the website that describes which cookies are set on the site, both the website owner's own and those from third parties, what type of data each cookie captures, how long it persists, and what is done with this information.

Cookie and Privacy Popup Notice

This is a notice that appears the first time a user visits your website, stating that cookies are used on the site and asking the user to agree to the use of their data as described in the privacy and cookie policies. The notice should state what cookies are used (your own and third-party cookies), with a link to the cookie policy. Cookies that are strictly necessary for the site to function (a shopping basket or login session, for example) do not need consent, but non-essential cookies such as analytics and advertising trackers must not be set until the user has actively opted in; a pre-ticked box, or continuing to browse, does not count as consent. Use of the website must not be limited to those who accept non-essential cookies: every user must have the option to decline them while still using the site, though it is fair to explain that declining may cause a loss of some functionality. The user also retains the right to ask the website owner what information is held about them and to have it permanently deleted.

Pseudonymisation

Most websites that have user accounts and store user information (as in an Amazon account storing name, address, date of birth, etc.) keep that data in a relational (SQL) database on the web server or hosting platform. In most instances (other than online banking), these details are not stored encrypted, meaning that if the database or a backup of it were accessed, the content could be read in the clear. GDPR does not forbid this outright, but it names pseudonymisation and encryption as the safeguards it expects, and a breach of pseudonymised or encrypted data is far less damaging to you and to your users. "Pseudonymisation" means processing personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected: in practice, the working tables identify a user only by a generated user ID or token, and the key or lookup table that links that token back to the real person is held in a separate, access-controlled place. Encrypting the remaining personal fields at rest is a further, separate step. Speak to your website developer and host to plan this change, as it will require planning, time and a budget.
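The following is an added example, not code from the original article or from any particular CMS, showing what the "separately held additional information" in the paragraph above looks like in practice. It derives a pseudonym from a user's e-mail address with a keyed hash (HMAC), keeps the key and the pseudonym-to-e-mail lookup apart from the working data, and also shows why a plain, unkeyed SHA-256 of an e-mail address is not an adequate pseudonym. The user records are constructed sample data, not real people, and the key is a constant here only so the example is reproducible; a real deployment would load it from a secrets store.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records of the kind an ecommerce site keeps (fictitious people).
USERS = [
    {"email": "alice@example.com", "name": "Alice Murphy", "dob": "1985-03-12"},
    {"email": "bob@example.com", "name": "Bob Walsh", "dob": "1990-07-30"},
]

# In real use this key comes from a secrets store, never from the application database.
DEMO_KEY = b"replace-me-with-a-randomly-generated-secret"


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Derive a pseudonym from a direct identifier with a keyed hash (HMAC-SHA256).

    Without secret_key (the 'additional information' that GDPR says must be kept
    separately) nobody can recompute a pseudonym from a guessed e-mail address, so
    the working table cannot be linked back to a person.
    """
    return hmac.new(secret_key, identifier.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def pseudonymise(secret_key: bytes, users: List[dict]) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Split records into a working table keyed by pseudonym and a separate lookup.

    The working table is what application code, support staff and analytics use;
    the lookup (pseudonym -> e-mail) is stored with the key in a separate,
    access-controlled place.
    """
    working: Dict[str, dict] = {}
    lookup: Dict[str, str] = {}
    for user in users:
        p = pseudonym(secret_key, user["email"])
        working[p] = {k: v for k, v in user.items() if k != "email"}
        lookup[p] = user["email"]
    return working, lookup


def reidentify(secret_key: bytes, lookup: Dict[str, str], email: str) -> Optional[str]:
    """Find a person's pseudonym (for a subject access request, say).

    Only works with the right key; with any other key the derived value simply
    does not exist in the lookup.
    """
    p = pseudonym(secret_key, email)
    return p if p in lookup else None


def erase(working: Dict[str, dict], lookup: Dict[str, str], p: str) -> bool:
    """Honour an erasure request: drop both the working row and the link to the person."""
    found = p in working or p in lookup
    working.pop(p, None)
    lookup.pop(p, None)
    return found


def reverse_unkeyed_hash(candidates: List[str], target_email: str) -> Optional[str]:
    """Show why an unkeyed SHA-256 of an e-mail is NOT pseudonymisation.

    Anyone holding a list of plausible addresses (a marketing list, a breach dump)
    can recompute the hash for each and match it, recovering the e-mail.
    """
    target = hashlib.sha256(target_email.lower().encode("utf-8")).hexdigest()
    for candidate in candidates:
        if hashlib.sha256(candidate.lower().encode("utf-8")).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    working, lookup = pseudonymise(DEMO_KEY, USERS)
    print("working table (no e-mail addresses):", working)
    print("alice's pseudonym:", reidentify(DEMO_KEY, lookup, "alice@example.com"))
    print("with the wrong key:", reidentify(b"wrong-key", lookup, "alice@example.com"))
    print("unkeyed hash reversed to:",
          reverse_unkeyed_hash(["carol@example.com", "alice@example.com"], "alice@example.com"))
```

Deleting a user's entry from the lookup (or, for all users at once, destroying the key) is what turns the working data from "personal data we can still attribute" into data that can no longer be tied to a person, which is why the key and lookup must not live in the same database as the working table.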

Newsletter Signup

If your website contains a function for users to sign up to receive a newsletter (whether sent out individually from your desktop email app or from an automated system such as Mailchimp, e-Shot, Sharpspring, etc.), you need to make sure that the subscription tick box is unticked by default, so that the user has to opt in rather than opt out. You must seek user consent for each method that is used to contact them, detailing how it is to be used and how they can unsubscribe. You cannot bury automatic sign-up and agreement to the newsletter in your website's standard terms and conditions. There must be separate opt-in tick boxes for each purpose at each place on your website where data is gathered. For example, if a user signs up to a service they purchase on your website, they will need to tick a box to accept the terms of that service. Should you offer a monthly marketing newsletter, there must be a separate tick box for users to elect to receive the newsletter, and that box must not be a "required" field. You must also provide a separate tick box if you give users' details to another party. Keep a record of when, where and with what wording each consent was given, because you may have to prove it. All emails sent to users must contain an unsubscribe link, and unsubscribing must be honoured promptly.

User Account Creation

If your website is an ecommerce one or allows users to register an account for services behind the login area, you must ensure that you have the SSL certificate installed, that passwords are stored only as salted hashes and never in plain text, and that you work towards the data gathered being stored under pseudonyms as described above. Your website developer will advise you on adopting this process.

Payment Gateways

If you have an ecommerce website that uses a payment gateway (such as PayPal, Worldpay, Sagepay, etc.) you must make sure that the payment gateway's privacy policy has been checked and is referenced in your website's privacy policy. If the payment gateway is UK- or European-based it must be GDPR compliant; if it is US-based it must, at the time of writing, be Privacy Shield certified or offer another approved transfer mechanism such as standard contractual clauses. Any storage of actual card details on your own website brings you within scope of PCI DSS; the safest course for a small business is to use the gateway's hosted payment page or redirect so that card numbers never touch your server at all.

Enquiry/Contact Forms

If your website features an enquiry form enabling users to send you messages, you must ensure that:

· The website has an SSL certificate and the form itself is served and submitted over HTTPS.

· User details are not stored in the website's SQL database unless the data is encrypted, and even then only for as long as the enquiry needs them.

· If the enquiries are sent to you by email, your email service provider must adhere to GDPR rules and the emails must be stored and sent according to GDPR secure methods. Many email service providers (such as Outlook 365 and Google mail) are updating their terms of service in accordance with GDPR; however, you should check your email service provider's policy to ensure compliance.

· If you print out emails with enquiry details you must have a shredding process in place to ensure that emails with users’ private details are destroyed.

· The enquiry form should not feature a tick box that will automatically sign up a user to a newsletter.

Consent given for an enquiry covers that enquiry alone: you cannot add the user's details to your marketing database unless the user has explicitly agreed to this in a separate tick box.

Google Analytics/Tracking Systems

If you use any tracking service on your website, such as Google Analytics, you must ensure that this is referred to in your cookie policy and your privacy policy, and you must ensure that the third party's own privacy policy is compliant with GDPR. Google publishes GDPR terms for Analytics, but using it compliantly remains your responsibility: enable its IP anonymisation setting, do not load the tracking script before the visitor has opted in to analytics cookies, and do not send personal data such as e-mail addresses to it. Other tracking services may not offer equivalent terms or settings, so check each one.

Social Media Account Connection

Any social media accounts used for your organisation are also required to be GDPR compliant. Although you don't need to seek permission from those who "follow" or "like" your page, you must ensure that any information gathered directly from those with whom you interact on social media platforms is handled in accordance with GDPR privacy guidelines. You must also ensure that your privacy policy refers to these third-party data controllers, as people often use SSO (Single Sign-On) to log into sites with their social media account logins for convenience, and that login shares data between your site and the platform in both directions. You must seek consent from customers or connections on your social media pages if you use their details to promote your business.

Also consider updating your Social Media policy with employees.

CRM Connection

If your website captures user data that is written into a CRM such as Salesforce or SharpSpring, you need to ensure that the data collection process is secure and that you refer to the third-party service in your privacy policy. Should your website automatically send enquiries directly to the CRM, the date, time, source and reason for capture and the consent details (which boxes were ticked and with what wording) must also be captured alongside the contact details. Any user has the legal right to ask you where and when you captured their details, with information on how the data will be used and how the information can be permanently deleted (the right to erasure, or request to be forgotten), and the CRM record is where you will have to answer that from.
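An added example (not code from the original article, nor from Salesforce, SharpSpring or any form plugin) of the consent handling that the Newsletter Signup, Enquiry/Contact Forms and CRM Connection sections call for: each purpose has its own unticked box, only the terms of a service the user is actually buying may be required, an enquiry with no box ticked yields no marketing consent at all, and every consent that is given is recorded with the date, time, source, wording and policy version so it can be passed to the CRM and later withdrawn. The form dictionaries, purpose names and wording strings are constructed for the example; a real site would take the form dict from its web framework's POST data.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    subject: str                    # who: e-mail address (or a pseudonym)
    purpose: str                    # what they agreed to
    captured_at: str                # when: ISO 8601, UTC
    source: str                     # where on the site: form or page name
    wording: str                    # the exact tick-box text they saw
    policy_version: str             # which privacy policy was in force
    withdrawn_at: Optional[str] = None


def _stamp(now: Optional[datetime] = None) -> str:
    return (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")


def process_submission(form: Dict[str, str], purposes: Dict[str, bool], wording: Dict[str, str],
                       source: str, policy_version: str,
                       now: Optional[datetime] = None) -> List[ConsentRecord]:
    """Turn a posted form into consent records, one per purpose the user ticked.

    purposes maps purpose name -> whether it is required for the service being
    bought (True only for that service's own terms). A tick box named
    consent_<purpose> arrives with value "on" only if ticked (browsers omit
    unticked boxes), so the default is always 'no consent'. A consent field for
    a purpose not offered on this form (e.g. a bundled consent_all) is rejected.
    """
    subject = form["email"].strip().lower()
    for field in form:
        if field.startswith("consent_") and field[len("consent_"):] not in purposes:
            raise ValueError(f"unexpected or bundled consent field: {field}")
    records: List[ConsentRecord] = []
    for purpose, required in purposes.items():
        ticked = form.get(f"consent_{purpose}") == "on"
        if required and not ticked:
            raise ValueError(f"{purpose} must be accepted to use this service")
        if ticked:
            records.append(ConsentRecord(subject, purpose, _stamp(now), source,
                                         wording[purpose], policy_version))
    return records


def has_consent(records: List[ConsentRecord], subject: str, purpose: str) -> bool:
    """Check before every marketing send: a live, unwithdrawn consent must exist."""
    return any(r.subject == subject.lower() and r.purpose == purpose and r.withdrawn_at is None
               for r in records)


def withdraw(records: List[ConsentRecord], subject: str, purpose: str,
             now: Optional[datetime] = None) -> int:
    """Handle an unsubscribe: keep the record (it proves what happened) but mark it withdrawn."""
    count = 0
    for r in records:
        if r.subject == subject.lower() and r.purpose == purpose and r.withdrawn_at is None:
            r.withdrawn_at = _stamp(now)
            count += 1
    return count


def crm_payload(record: ConsentRecord) -> dict:
    """What gets pushed to the CRM alongside the contact: the full provenance of the consent."""
    return asdict(record)


if __name__ == "__main__":
    WORDING = {"newsletter": "Yes, e-mail me the monthly newsletter (you can unsubscribe at any time)",
               "service_terms": "I accept the terms of the service I am purchasing",
               "share_with_partners": "You may pass my details to your delivery partners"}
    # Constructed enquiry with no box ticked: the message is handled, nothing goes to marketing.
    enquiry = {"email": "Alice@Example.com", "message": "Do you deliver to Cork?"}
    print(process_submission(enquiry, {"newsletter": False}, WORDING, "contact-form", "2018-05"))
    # Constructed checkout where the buyer accepts the terms and opts in to the newsletter only.
    checkout = {"email": "bob@example.com", "consent_service_terms": "on", "consent_newsletter": "on"}
    purposes = {"service_terms": True, "newsletter": False, "share_with_partners": False}
    for rec in process_submission(checkout, purposes, WORDING, "checkout", "2018-05"):
        print(crm_payload(rec))
```

Note that withdrawal does not delete the consent record: the dated record of both the opt-in and the opt-out is what lets you show the Data Protection Commission that a given e-mail was sent lawfully, whereas an erasure request is handled separately by removing the contact details themselves.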

Email Connection

Although this is not strictly website-related, all email services, and the storage of email from all those with whom you are connected, must comply with data protection law (the Data Protection Acts and, from 25th May 2018, GDPR). This means that you must store your email data securely (access controls, up-to-date anti-virus and anti-phishing protection, and encrypted backups), keep personal data only as long as you need it, and archive or completely delete unnecessary email.

Live Chat

If your website features a Live Chat service, you must ensure that you refer to this third-party service in your cookie policy and your privacy policy. Furthermore, you must review the GDPR/Privacy Shield position of the third party. Note that the transcript of a chat session is often emailed to both parties once completed, and the same principles on usage and storage apply to the transcript as to any other enquiry.

This is a lot of information for any business owner and ensuring compliance in this way may seem like a challenge. If you should need help in putting your website on track to ensure GDPR compliance, why not get in touch with one of our expert team members to set you on the right path?

Richard Coen

With over 21 years of experience in Digital Marketing, 31 years in sales and 25 years in business development, Richard assists companies to develop key growth strategies on a local or international basis. He can assist marketers to achieve balance in their approach to key areas affected by the growth in digital marketing.