EU privacy laws: steps to take for your website

From May 2018 the European General Data Protection Regulation (GDPR) is in effect.

In this post you’ll find an overview of the things we feel you can do to make sure your website is compliant with the GDPR.

Please note that we are not legal experts or lawyers, so this is just our personal take on this. For a more general discussion of the EU privacy laws, also see our article on EU Privacy Laws & your website – what we think you need to know and do.

EU privacy regulations and your website

If your business is in the European Economic Area (EEA), then the EU privacy regulations directly affect your business and your website. But also if you’re outside of Europe, your website likely still attracts visitors from the EEA, and you may need to respect European privacy laws.

So what can you do to respect people’s right to privacy?


Step 1: Create a Legitimate Interest Assessment (LIA) for data you collect

For most small businesses there are two lawful bases to consider as valid reasons for processing personal data: consent (someone gives you permission) and legitimate interest (there’s a genuine need for you to do so).

If you want to do direct marketing through an email newsletter, legitimate interest alone is not enough, because a second law (the Privacy and Electronic Communications Regulations, or PECR) requires explicit consent for such marketing.

But we think it is a good idea to make a Legitimate Interest Assessment (LIA) anyway for any data you collect (for your newsletter list building and any other data collection you may do, like through your shop or membership area). Going through the assessment, you’ll be documenting your thinking, and this is a new and necessary step that we small business owners have to go through when we collect and process data. The LIA is quite easy to do. So every time we’re setting up a new optin, we’ll be doing a LIA and filing our thinking about it somewhere safe.

So what is a LIA and how can you do it?

A LIA is a type of light-touch risk assessment that takes both your business’ interests and your website visitors’ interests into account. So it’s a kind of balancing test. It can help you ensure that your processing is lawful, and recording your LIA will also help you demonstrate compliance.

Doing the assessment is quite straightforward, and there’s an online questionnaire that can help you determine if legitimate interest is a good lawful basis in your case. You can find it here: Lawful basis interactive guidance tool.

For more information, and to read more about the LIA read the Information Commissioner’s Office overview on legitimate interest. Scroll down to the heading “What is the ‘legitimate interests’ basis?” where they first mention the test, and then a bit further along under the heading “How can we apply legitimate interests in practice?” there are a number of questions you can answer.


Step 2: Make sure your site runs over HTTPS (a secure connection)

This is likely going to cost you some money, because you need to buy and install an SSL certificate for your site. But it depends on your hosting company. Some hosting companies now include SSL certificates with their hosting packages (we do with our solar hosting – also see our article on how to select a good host for your website).

Otherwise there’s an annual fee you’d have to pay for the certificate (typically between $50 and $100 per year). Then once you have a valid certificate installed on your server, some work needs to be done on your site to make it run over a secure connection. This is a one-time, but more technical step, and we recommend you have this done for you by an experienced web-developer.
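As an added illustration of the “work on your site” part of this step (this is not code from the original post): once the certificate is installed, pages often still embed images, stylesheets, scripts and forms with hard-coded http:// URLs, which browsers block or flag as mixed content, so the padlock never shows. The JavaScript (Node) script below lists such references in a page’s HTML and rewrites the ones on your own domain to https://, leaving third-party ones for you to check. The domain example.com and the sample HTML are constructed for the example.

```javascript
// Added example (not from the original post): find and fix hard-coded http://
// references in a page's HTML after switching the site to HTTPS.
// Assumption: example.com is your own domain.

const SITE_HOST = "example.com";

// Matches src="...", href="..." and action="..." attributes that use http://.
// Group 1: attribute name, group 2: quote character, group 3: the URL.
const ATTR_RE = /\b(src|href|action)\s*=\s*(["'])(http:\/\/[^"']*)\2/gi;

// Returns every http:// URL the page references, flagging whether it points
// at our own host (safe to rewrite) or a third party (needs a case-by-case
// decision: does the provider offer HTTPS, or should the asset be self-hosted?).
function findInsecureReferences(html, siteHost = SITE_HOST) {
  const found = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const url = m[3];
    let host = "";
    try { host = new URL(url).hostname; } catch (e) { host = ""; }
    found.push({ attribute: m[1].toLowerCase(), url, own: host === siteHost });
  }
  return found;
}

// Rewrites own-host http:// references to https://; third-party references
// are left untouched so they show up again in the next check.
function upgradeOwnReferences(html, siteHost = SITE_HOST) {
  return html.replace(ATTR_RE, (whole, attr, quote, url) => {
    let host = "";
    try { host = new URL(url).hostname; } catch (e) { return whole; }
    if (host !== siteHost) return whole;
    return `${attr}=${quote}${url.replace(/^http:\/\//i, "https://")}${quote}`;
  });
}

// Constructed sample page: three own-domain references, one third-party
// script, and one link that is already https and must be left alone.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/style.css">
<img src="http://example.com/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<a href="https://example.com/about">About</a>
<form action="http://example.com/contact">`;

if (typeof require !== "undefined" && require.main === module) {
  for (const ref of findInsecureReferences(SAMPLE_HTML)) {
    console.log(`${ref.own ? "own   " : "3rd-party"} ${ref.attribute}=${ref.url}`);
  }
  const fixed = upgradeOwnReferences(SAMPLE_HTML);
  console.log("still insecure after rewrite:", findInsecureReferences(fixed).map(r => r.url));
}
```

On a WordPress site the same idea is usually applied to the database (old post content carries the http:// URLs), but running a check like this against a few exported pages tells you quickly whether the switch is complete or whether a theme or plugin still injects insecure assets.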


Step 3: Check your signup forms and settings at your email marketing provider

Check all your optins and see if you need to rewrite what you ask from people. Make sure it’s crystal clear to them when they’re signing up for your newsletter, especially if you give away a freebie as an incentive to get people onto your list. For example, the main action could be to join the mailing list, and the freebie is only a welcome gift. Link to your privacy policy directly at the actual optin. We say more about this in our post EU Privacy Laws, freebies and newsletter list building.

Also make sure you use an email marketing provider that gives people on your list the option to opt out at the bottom of each email you send. All well-known email marketing providers like MailChimp, ConvertKit, Constant Contact etc. offer this. But if you’re using a lesser known provider for your email marketing, or if you rely on your own software or a WordPress plugin for sending out newsletters, have a good look at this.


Step 4: Make sure you protect your visitors’ data

When you collect people’s data (such as contact details and purchase information) you want to make sure this data is protected and not accessible to third parties. We recommend the following steps to do so. And by the way, we think this is really good website practice anyway, making your site much more resilient against attack and general data loss as well as personal data breach.

Steps to protect your visitors’ data (and improve your website security at the same time)

A: Make sure you use strong passwords for your site

All the usual password advice applies here, so use a unique password and make it stronger by including non-dictionary words and special characters. Longer passwords are more difficult to crack, so go for something of around 20 characters or more.

With so many different passwords we use nowadays, we highly recommend you use a good password manager such as KeePass. A password manager stores all your passwords in an encrypted database that opens with a single (superstrong) master password. So you remember just one password and store the rest safely in your password manager.

B: Keep your site up to date

Keeping a WordPress website up to date is straightforward nowadays. If you’re a Divine Website Pack user you can find more information on keeping your site updated in the exclusive member classroom. Otherwise we recommend educating yourself on maintaining your website by reading some articles about it (search for WordPress website maintenance). Or take out a maintenance package with a web-developer and have them do the updates for you.

C: Protect your site from hackers and malware

A compromised website is a big nuisance at the least, so protecting your site from getting hacked in the first place is a very good investment. There are many ways to make your website more secure and we recommend you consult with an experienced web-developer about this. If you use our Divine Website Pack, we’ve already taken many steps to harden your site against attacks and make it more secure.

D: Use a secure hosting service for your site

Good hosting is important for your website, because it ensures your site is always available to your visitors and consistently loads quickly. Moreover, good hosts have their own security policies in place to help protect your website. Compared to budget hosting, for the price of an extra cup of coffee a month you can buy yourself much higher quality hosting for your site. We highly recommend this.

Not sure what hosting is? See our article on hosting for more info.

E: Use a Secure Sockets Layer (SSL) connection for your site

See the earlier notes on HTTPS under step 2.

F: Set up automatic backups to prevent data loss

Life happens and sometimes things go wrong. Your website and the data it holds is a valuable asset, and you can protect it by taking automatic regular backups to an external storage provider such as a Dropbox account or Google Drive. We highly recommend this, and if you’re a Divine Website Pack user we’ve already set this up for you.

G: Avoid storing sensitive personal data (especially payment data) on your site

This is important for online shops and membership sites. If you don’t store any payment data, it can’t be compromised either. Most websites use an external payment provider such as PayPal to do payment processing, and the provider stores all this information for you. Likewise, if you use an external email marketing provider such as MailChimp, they store the email addresses you collect through your site on your behalf. If you use good external providers, then all you have to do is make sure that the providers you work with operate secure systems that protect the data they transmit and store on your behalf. Here again, relying on top-rated providers is one of the best ways to ensure security across all of these functions, since most of the top names in every category do this for you.


Step 5: Display a cookies notification

If you’re in the EU and your site uses cookies (probably it does; most websites do), you have to display a cookies notification to comply with the so-called ‘cookie law’.

There are 2 straightforward ways to do this:

  1. Install a plugin to display a cookie notification. There are a few good ones, and after testing a few, we like this one most: Responsive Cookie Consent … Install and activate the plugin, find the settings under ‘Settings > RCC’, adjust them, and you’re ready to go.
  2. Add a snippet of code to the header of your site. Sounds difficult, but if you have the Divi theme that we install as part of the Divine Website Pack, you can simply copy/paste it into the block for header code in your theme options. Otherwise add it to your theme manually if you’re a developer, or first install a header/footer code injection plugin such as this one: WordPress Header and Footer Plugin, and paste the code into your site that way. You can find a good customisable snippet of code to insert here: Cookie Consent Solution (click the download link to generate your code and copy/paste it into your site’s header).
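To show what a header snippet of this kind actually has to do, here is an added example in plain JavaScript. It is not the plugin or the downloadable snippet linked above: it records the visitor’s choice in a first-party cookie, shows a banner until a choice exists, and only loads non-essential scripts (analytics, pixels) after the visitor has clicked Accept. The cookie name, the banner id, the privacy-policy path and the analytics script path are assumptions for this example.

```javascript
// Added example, not the plugin or the snippet the post links to: a small
// consent gate for a site header. Names and paths below are assumptions.

const CONSENT_COOKIE = "site_cookie_consent";   // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;               // assumed: how long to remember the choice
const PRIVACY_POLICY_PATH = "/privacy-policy/"; // assumed URL of your policy page

// Parse a document.cookie string such as "a=1; b=2" into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Returns "granted", "denied", or null when the visitor has not chosen yet.
// Any other value counts as "no choice", so a malformed or tampered cookie
// never silently enables tracking.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "granted" || v === "denied" ? v : null;
}

// Only a recorded "granted" allows non-essential scripts to run.
function mayLoadNonEssential(cookieString) {
  return consentState(cookieString) === "granted";
}

// Value assigned to document.cookie to record a choice. Secure and SameSite=Lax
// keep the record HTTPS-only and first-party (which is why step 2 matters here).
function consentCookieString(decision, maxAgeDays = CONSENT_MAX_AGE_DAYS) {
  if (decision !== "granted" && decision !== "denied") {
    throw new Error("decision must be 'granted' or 'denied'");
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser part: show a banner until a choice exists, then act on it.
function installConsentBanner(doc, loadNonEssential) {
  const state = consentState(doc.cookie);
  if (state === "granted") { loadNonEssential(); return; }
  if (state === "denied") return;

  const render = () => {
    const banner = doc.createElement("div");
    banner.id = "cookie-consent-banner"; // assumed id; style it in your theme CSS
    const text = doc.createElement("span");
    text.textContent = "This site uses cookies for analytics. ";
    const link = doc.createElement("a");
    link.href = PRIVACY_POLICY_PATH;
    link.textContent = "Privacy policy";
    const accept = doc.createElement("button");
    accept.textContent = "Accept";
    accept.addEventListener("click", () => {
      doc.cookie = consentCookieString("granted");
      banner.remove();
      loadNonEssential();
    });
    const decline = doc.createElement("button");
    decline.textContent = "Decline";
    decline.addEventListener("click", () => {
      doc.cookie = consentCookieString("denied");
      banner.remove();
    });
    banner.append(text, link, accept, decline);
    doc.body.appendChild(banner);
  };
  if (doc.readyState === "loading") doc.addEventListener("DOMContentLoaded", render);
  else render();
}

// Runs only in a browser; in Node (where the functions above can be unit
// tested) there is no document, so this part is skipped.
if (typeof document !== "undefined") {
  installConsentBanner(document, () => {
    const s = document.createElement("script");
    s.src = "/assets/analytics.js"; // assumed placeholder for your analytics loader
    document.head.appendChild(s);
  });
}
```

The point of the structure is that tags which set cookies (analytics, a Facebook Pixel) go inside the loader callback rather than directly in the header, so nothing non-essential runs before the visitor has agreed; because the consent cookie carries the Secure attribute, it is only stored on a site served over HTTPS.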

We’ve also written an article with a more detailed explanation of displaying a cookies notification on your website.


Step 6: Write or update your Privacy Policy

In your privacy policy you set out what personal information you collect from visitors to your website, how you use this info, and how you make sure it stays private. The exact contents depend on your own situation, but have a good look at all the ways you may be collecting data. These are some common ones for you to consider:

  • Facebook Pixel
  • Google Analytics
  • Sharing buttons
  • Like Boxes
  • Data collected through shop
  • Newsletter subscription
  • Cookies

And when you’re writing your Privacy policy, consider and write about:

  • What information do you collect, and what is the lawful basis for collection?
  • Who is collecting it? Usually that’s you of course, so state your business details.
  • How do you collect the info and why?
  • How will you use people’s private info?
  • Will you share it with anyone else? If yes, who and why?
  • Will there be any negative effects on the individuals concerned?
  • Is what you’re going to do likely to cause any complaints? How would you deal with those?

On the ICO website you can find more info about Privacy Policies and here they have published a checklist for writing your own.

What to do when you’re updating your Privacy Policy?

Every time you change your Privacy policy, you should notify anyone affected and give them the option to opt out. You could for example mention you will do so by email and explain that people can opt out at the bottom of the email.

Final notes

We wrote this article with small business owners in mind. And we believe that if you take the above steps, your website will satisfy the requirements of the EU privacy laws. If you don’t do any large scale processing, then this is most likely all you need to do. Please note that we don’t have a legal background and so we’d recommend you do your own research as well and consult with a legal expert if you feel that’s necessary.


More info & Free GDPR Checklist

There is more to GDPR than just your website – to find out more we recommend looking at:

Checklist for all GDPR related things you need to do for your biz

We find Suzanne Dibble’s free GDPR checklist very useful – it gives you a quick overview of what you need to do to make sure your business is GDPR compliant. Suzanne is a Data Protection Lawyer. By requesting the free list you’ll also be invited to her free Facebook group, where you’ll find lots of further guidance and free videos, and you can learn more about her GDPR Compliance pack, with 20 legal templates to help you get set up with your Privacy Policy, Cookie Policy and much more. We have bought this pack, and many of our clients have too – we find it very useful and affordable, and highly recommend it to make all of this much easier!

You can download the free GDPR checklist here.

Please note that we earn a small commission if you decide to buy the legal pack from Suzanne through our referral here 🙂

with love,

Helena