GDPR Compliance Checklist for Irish SMEs
This GDPR Compliance Checklist is an easy way to check if your website is compliant with the new GDPR rules.
First, find out if you need to register with the Data Protection Commissioner as a data controller/data processor and then use this handy checklist to ensure that your website is compliant with the new regulations which come into force on 25th May, 2018.
An SSL (Secure Sockets Layer) certificate enables encryption on your website’s hosting space, which results in a secure notice in the browser’s address bar – it’s green and often displays a padlock symbol. This means that any details entered into forms or fields on the website are encrypted in transit between the visitor’s browser and your server. There is a range of SSL certificates available, all of which encrypt the data to the same level (256-bit / 2048-bit), though some offer further levels of protection and insurance.
This is a page on a website that describes what cookies are used on the site, both the website owner’s and from third parties, what type of data is captured with the cookies and what is done with this information.
Cookie and Privacy Popup Notice
Most websites that have user accounts and store user information (as in an Amazon account storing name, address, date of birth, etc.) keep that data in a SQL database on the web server. In most instances (other than online banking), these details are not stored encrypted, meaning that if the database were accessed, its contents could be read in clear text. Storing and retrieving data in an encrypted way is difficult but, as part of GDPR, “pseudonymisation” means that websites will need to start moving towards users being identified by a user name only, with the rest of the data encrypted so that there is no connection between the user and the stored information. Speak to your website developer and host to plan this change, as it will require planning, time and a budget.
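As an added illustration of the pseudonymisation step described above (example code, not part of this checklist), the Python below splits identifying fields away from the account data so that a copy of the SQL database on its own reveals nothing about who the accounts belong to. The key, sample records, in-memory SQLite database and identity “vault” are all constructed for the demo; it shows the separation with a keyed pseudonym rather than the full encryption at rest the checklist asks for, which a real deployment would add on top with a proper cryptography library.

```python
import hashlib
import hmac
import sqlite3

# Assumption: this key lives outside the database (e.g. the application's secret store).
# Without it, a leaked database cannot be linked back to real people.
PSEUDONYM_KEY = b"constructed-demo-key-never-stored-in-the-db"

# Constructed sample records for the demo
USERS = [
    {"username": "aoife.m", "name": "Aoife Murphy", "email": "aoife@example.ie",
     "dob": "1985-03-12", "plan": "pro", "newsletter": True},
    {"username": "sean.k", "name": "Sean Kelly", "email": "sean@example.ie",
     "dob": "1990-07-30", "plan": "free", "newsletter": False},
]

def pseudonym(username: str) -> str:
    """Keyed hash of the account name; cannot be reversed or recomputed without the key."""
    return hmac.new(PSEUDONYM_KEY, username.encode(), hashlib.sha256).hexdigest()

def build_store(users):
    """Split each record: identifying fields go to a separately held vault,
    everything else to the website's SQL database keyed only by the pseudonym."""
    db = sqlite3.connect(":memory:")  # stands in for the site's SQL database
    db.execute("CREATE TABLE accounts (pseudonym TEXT PRIMARY KEY, plan TEXT, newsletter INTEGER)")
    vault = {}  # pseudonym -> identity; in practice a separate, access-controlled store
    for u in users:
        p = pseudonym(u["username"])
        vault[p] = {"name": u["name"], "email": u["email"], "dob": u["dob"]}
        db.execute("INSERT INTO accounts VALUES (?, ?, ?)", (p, u["plan"], int(u["newsletter"])))
    db.commit()
    return db, vault

def dump_leaks_pii(db, users) -> bool:
    """Simulate the database dump the checklist warns about and report
    whether any identifying value can be read from it."""
    dump = "\n".join(db.iterdump())
    return any(v in dump for u in users for v in (u["name"], u["email"], u["dob"]))

def lookup(db, vault, username):
    """Legitimate access: the application recomputes the pseudonym and
    rejoins the account data with the identity held in the vault."""
    p = pseudonym(username)
    row = db.execute("SELECT plan, newsletter FROM accounts WHERE pseudonym = ?", (p,)).fetchone()
    return None if row is None else {**vault[p], "plan": row[0], "newsletter": bool(row[1])}

if __name__ == "__main__":
    db, vault = build_store(USERS)
    print("database dump contains readable personal data:", dump_leaks_pii(db, USERS))
    print(lookup(db, vault, "aoife.m"))
```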
If your website contains a function for users to sign up to receive a newsletter (whether sent out individually from your desktop email app or from an automated system such as Mailchimp, e-Shot, Sharpspring, etc.), you need to make sure that the subscription tick box is unticked by default, so that the user has to opt in rather than opt out. You must seek user consent for each method that is used to email them, detailing how it is to be used and how they can unsubscribe. You cannot include automatic sign-up and agreement to the newsletter service in your website’s standard terms and conditions. There must be separate opt-in tick boxes for each place on your website where data is gathered. For example, if a user signs up to a service they purchase on your website, they will need to tick a box to accept the terms of that service. Should you offer a monthly marketing newsletter, there must be a separate tick box for users to elect to receive the newsletter. These options must not be a “required” field. You must also provide a separate tick box if you give users’ details to another party. All emails sent to users must contain an unsubscribe link.
User Account Creation
If your website is an ecommerce one or allows users to register an account for services behind the login area, you must ensure that you have the SSL certificate installed and that you work towards the data gathered being stored as pseudonyms. Your website developer will advise you on adopting this process.
If your website features an enquiry form enabling users to send you messages, you must ensure that:
· The website has an SSL certificate
· User details are not stored in the website’s SQL database unless the data is encrypted.
· If the enquiries are sent to you by email, your email service provider must adhere to GDPR rules and the emails must be stored and sent according to GDPR secure methods. Many email service providers (such as Outlook 365 and Google mail) are updating their terms of service in accordance with GDPR; however, you should check your email service provider’s policy to ensure compliance.
· If you print out emails with enquiry details you must have a shredding process in place to ensure that emails with users’ private details are destroyed.
· The enquiry form should not feature a tick box that will automatically sign up a user to a newsletter.
Any enquiry is explicit to that instance alone – you cannot add the user’s details to your marketing database unless the user has explicitly agreed to this in a separate tick box.
Google Analytics/Tracking Systems
Social Media Account Connection
Also consider updating your Social Media policy with employees.
Although this is not strictly website-related, all email services, and the storage of email from everyone with whom you correspond, must be handled in accordance with DPA (Data Protection Act) guidelines. This means that you must store your email data securely, use effective anti-virus apps, archive what you need to keep and completely delete unnecessary email.
This is a lot of information for any business owner and ensuring compliance in this way may seem like a challenge. If you should need help in putting your website on track to ensure GDPR compliance, why not get in touch with one of our expert team members to set you on the right path?