Privacy by Default
Come the 25th May 2018, when the GDPR starts to be enforced, a site that is not compliant can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher. This law is not just for the "big boys"; it applies to all of us.
The European GDPR covers the processing of personal data, which is anything that directly or indirectly identifies a person. Names, email addresses, dates of birth and postal addresses all come under this heading, as do less obvious items such as IP addresses and other online identifiers.
Now I'm not a lawyer, and the GDPR is a complex area, so these checklists are only prompts to look into this more deeply and establish what you need to do to be compliant. If you think you need to check or change any of these items on your website, just call or email and I can help you.
A GDPR Checklist for your Website
- Which third-party services do you use, and are they GDPR compliant (MailChimp, Gravatar, Google Analytics, for example)?
The larger providers will almost certainly have done the work, but check their privacy policies and data-processing terms to be sure. The smaller services you use are the ones to worry about.
- Do you have clear, specific consent to add people to your mailing list, and a record of when and how each person gave it?
If not, consider asking for consent again and storing the record (who consented, when, and to what wording) securely.
- Are your mailing-list checkboxes ticked by default?
This is no longer allowed: consent must be an active choice, so opt-in checkboxes must be unticked by default.
- Do you use a double opt-in on your mailing list?
It is not a GDPR requirement, but it proves that the owner of the address actually consented, which is what anti-spam laws such as Canada's CASL and Australia's Spam Act expect you to be able to show, so it is wise to use it.
- Do you tell subscribers why you ask for each piece of information, how you will process it and how long you will keep it?
- Do you pass the information on to anyone else, or use it for any other purpose?
Then you must get specific consent for each purpose and name the organisations you pass the data to.
You remain responsible for the data after you have passed it to a third party.
- Do you have an "unsubscribe" link in every newsletter, or a way for users to change their preferences on your website?
- Are you collecting data from children?
Under the GDPR a child can only consent to an online service themselves from the age of 16; below that, a parent or guardian must give or authorise the consent. Each EU country can lower the threshold to as low as 13, and the UK has chosen 13.
So it might be wise to add a checkbox to your forms so users can confirm they are over the age limit that applies in your country, or that they have parental consent.
- Do you store submitted contact forms in your website database as well as emailing them? Do you still need to, and could you keep them for a shorter time?
- If you already have a privacy policy and similar documents, have you reviewed them to make sure they comply with the GDPR?
- Are these documents written in plain, accessible language rather than legalese?
- Are you asking for information you don't need?
Now is a good time to make sure you aren't collecting or storing anything you don't really need. Delete old emails and contact-form submissions stored on your website once they have served their purpose.
- Do you have a way for your customers to see or delete their personal details?
Joomla 3.9 will add tools for this. Note, however, that business and tax records must be kept for a minimum period in the UK (HMRC requires 5 years for self-assessment records and 6 years for limited companies), and the "Right to be Forgotten" does not override a legal obligation to retain data, so those records cannot be deleted on request.
- How will you remove personal data that has been deleted from the live site from your backups, or stop it reappearing when a backup is restored?
- Do you have a TLS certificate (the padlock in the address bar), so that personal data is sent over an encrypted HTTPS connection?
This is essential if users enter details into a form: browsers now mark pages with forms on plain HTTP as "Not secure". Even on a site with no forms, HTTPS helps your search engine rankings. Remember that it only protects data in transit; data stored on the server still needs protecting separately.
- Do you have clear contact details? Put them in the footer of every page or on a dedicated contact page.
- Does your site show your legal company or organisation name? For a UK limited company this means the company number, place of registration and registered office address, plus your VAT number if applicable, on at least one public page.
- Are your website and its extensions updated regularly? Unpatched software is one of the commonest ways a site gets hacked, and a hacked site can mean a personal data breach that you must report to the ICO within 72 hours where it puts individuals at risk.
- Do you regularly run security audits to make sure your site is as secure as it can be?
- Do you use two-factor authentication on your Joomla site? It has been built in since Joomla 3.2, so it costs nothing to turn on.
- Do you use strong passwords that are different for each purpose, website and app? Are you storing them in your browser rather than in a password manager? Are accounts disabled, and any shared passwords changed, immediately when employees leave the organisation?
If you are concerned about any of these items, please get in touch and I can either sort them out for you or guide you through doing them yourself.
If you have a Monthly Support Contract with me, your site will be prioritised for checking against this list.
Other GDPR issues to think about
- Do you know how to delete all the data you hold on a user, including from backups?
Users can ask at any time for a copy of all the data you hold on them and how it is processed (a subject access request). You normally cannot charge for this, and you must respond within one month.
Want to know what you might be asked? There's a good example in a LinkedIn article by Constantine Karbaliotis.
- Is the data on your tablet, laptop and phone encrypted? If a device is stolen or left on a train, can anyone just open your files? Turn on full-disk encryption (FileVault on macOS, BitLocker on Windows) and encrypt your backups too.
- If information is scattered across several computers and devices, consider consolidating it in one place, such as your website, where you can secure and manage it properly.
- If you have information on paper, keep it locked away and out of public view.
- Do you let your employees take work home? Is it checked in and out, and is it kept secure while it is away?
For more information, and if you are in the UK, take a look at the Information Commissioner's Office (ICO) website.
Legal disclaimer: This article contains general information about legal matters. The information is not advice, and should not be treated as such. You should not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.
Some of this information comes from another article: pollyhearsey.co.uk/simple-marketing-blog/232-preparing-for-gdpr, thanks Polly :)