
Welcome to Silomedia

A freelance web designer and IT consultant based in Hampshire, UK, with twenty years' experience working in the IT industry, in both the government and private sectors.
Working Hours
Monday - Friday 9:30 - 17:00
Saturday - Sunday CLOSED
Contact Details

will@silomedia.co.uk

support@silomedia.co.uk

+44 (0)203 691 8386

47 Canterbury Road, Farnborough, Hants, GU14 6QP


What GDPR means for your website and how we can help

GDPR (General Data Protection Regulation) is a new EU regulation which changes the way websites and businesses are expected to manage user data. Even non-EU-based websites need to comply if they deal with customers inside the EU. You have until 25th of May 2018 to make your website GDPR compliant, or you could face fines from the EU.

FAQs

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a new data protection law in the EU which comes into force on the 25th of May 2018.

The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organisations across the world towards data privacy.

GDPR provides much stronger rules than existing laws and is much more restrictive than the EU cookie law.

For instance, users must confirm that their data can be collected; there must be a clear privacy policy showing what data is going to be stored and how it is going to be used; and users must be given the right to withdraw their consent to the use of their personal data (with the data consequently being deleted) if required.

GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence a website with any EU visitors or customers must comply with GDPR, which means that virtually all websites and businesses must comply.

To better understand the regulation, take a look at the publication of the regulations in the Official Journal of the European Union, which defines all terms related to the law. There are two main aspects of GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a website:

  • personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
  • whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, the simple act of storing an IP address in your web server logs constitutes processing of a user's personal data.
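
Because a client IP address in a server log is personal data, one practical way to keep traffic statistics while reducing how identifiable each visitor is to coarsen the address before the log is retained. The following is an added example written for this page (not Silomedia's code and not part of any web server); the log lines are constructed in the common "combined" format using documentation IP ranges, and the /24 and /48 prefix lengths are a design choice for the example rather than anything the regulation prescribes.

```python
"""Pseudonymising client IP addresses in web server logs (added example)."""
import ipaddress
import re

# Constructed sample log lines in Apache/nginx "combined" format.
# The addresses come from the documentation ranges (203.0.113.0/24, 2001:db8::/32).
SAMPLE_LOG = """\
203.0.113.45 - - [10/May/2018:13:55:36 +0100] "GET /contact HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:40 +0100] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [10/May/2018:13:56:01 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.58"
"""

# In the combined format the client address is the first whitespace-delimited field.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def pseudonymise_ip(text):
    """Return a coarsened form of an IP address.

    IPv4 keeps the first three octets (a /24), IPv6 keeps the first three
    16-bit groups (a /48). Anything that does not parse as an IP address is
    returned unchanged so a malformed line is never silently dropped.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_log_line(line):
    """Rewrite only the client-address field of one log line."""
    match = _FIRST_FIELD.match(line)
    if not match:
        return line
    return pseudonymise_ip(match.group(1)) + match.group(2)


def pseudonymise_log(text):
    """Apply the rewrite to every line of a log, preserving everything else."""
    return "\n".join(pseudonymise_log_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(pseudonymise_log(SAMPLE_LOG))
```

Run this over a log before it is archived (for example as part of log rotation) rather than after, so that the identifiable form is never kept longer than the analysis needs it. The request path, status code and user agent are untouched, which is what most traffic reporting actually uses.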

Where can I learn more about GDPR?

You can find further information here: https://www.eugdpr.org/

What about third parties that handle my users' data?

Some tools that sit seemingly outside of your website will see the impact of this too. Take MailChimp, for example. It's common practice to have such tools integrated with your website and to send promotional emails to a list of email addresses. Depending on how you run your newsletters and lists, those addresses might not have been obtained with explicit consent from users.

For instance, a checkbox that’s selected by default would count as a violation. Under GDPR, everything that’s part of your online presence as a business will need to explicitly collect consent and have a privacy policy in place. There are other implications too – if you wish to buy a mailing list, you would be sending emails illegally to the recipients, since no one explicitly asked to receive emails from you.

Should I be taking GDPR seriously?

Website owners have until May 25th 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.

There are various tiers of penalties according to the seriousness of the breach, which are described in the FAQ section of the GDPR portal.

Such a high amount in penalties has been proposed to increase compliance. However, one may wonder what steps for the supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:

  • carry out audits on websites,
  • issue warnings for non-compliance,
  • issue corrective measures to be followed with deadlines.

SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.

It is too early to speculate how the SAs of the various member states will interlink and work together, but one aspect is clear: SAs will enjoy considerable power to enforce GDPR guidelines.

How do I make my website GDPR compliant?

An initial review of your website should reveal how data is being processed and stored on your servers, and what steps are required to comply with GDPR.

Some usual ways in which a standard website might collect user data:

  • User registrations
  • Comments
  • Contact form entries
  • Analytics and traffic log solutions
  • Any other logging tools
  • Security tools and plugins

Here are some key aspects of GDPR:

(a) Breach notification

Under GDPR compliance, if your website is experiencing a data breach of any kind, that breach needs to be communicated to your users.

A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.

In a WordPress website scenario for example, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

This clause of GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs.

(b) Data collection, processing and storage

There are three elements to this: the right to access, the right to be forgotten and data portability.

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where they are being processed and stored, and the reason behind the collection, processing and storage of the data. Users will also have to be provided with a copy of their data free of cost within 40 days.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
  • The data portability clause of GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.

Privacy by design encourages controllers to enforce data policies which allow the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data by limiting the number of data points they collect and have access to.

As a website owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.

Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.

It is still advised, however, to have a system in place to derive the required data out of your database.

Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
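
To show what "a system in place to derive the required data out of your database" looks like in practice, here is an added example covering the three rights above (access, erasure and portability) in one place. It is not Silomedia's code and not WordPress or plugin code; it assumes a constructed SQLite schema with three tables that hold personal data (users, comments and contact_entries), and the table and column names are invented for the illustration.

```python
"""Handling data subject requests against a small site database (added example)."""
import json
import sqlite3

# Every table that stores personal data, mapped to the column that identifies
# the data subject. Keeping this in one place is the point: an access or
# erasure request must cover every table, not just the users table.
# Hypothetical schema, constructed for this example.
PERSONAL_DATA_TABLES = {
    "users": "email",
    "comments": "author_email",
    "contact_entries": "email",
}


def build_sample_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, ip_address TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author_email TEXT, body TEXT);
        CREATE TABLE contact_entries (id INTEGER PRIMARY KEY, email TEXT, message TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'Alice', '203.0.113.7');
        INSERT INTO users VALUES (2, 'bob@example.com', 'Bob', '198.51.100.9');
        INSERT INTO comments VALUES (1, 'alice@example.com', 'Nice post');
        INSERT INTO comments VALUES (2, 'bob@example.com', 'Thanks');
        INSERT INTO comments VALUES (3, 'alice@example.com', 'Another comment');
        INSERT INTO contact_entries VALUES (1, 'alice@example.com', 'Please call me');
    """)
    return conn


def collect_personal_data(conn, subject_email):
    """Right to access: gather every row held about one person, table by table.

    Table and column names come from the fixed PERSONAL_DATA_TABLES map, never
    from the request; the subject's email is always passed as a bound parameter.
    """
    result = {}
    for table, column in PERSONAL_DATA_TABLES.items():
        rows = conn.execute(
            f"SELECT * FROM {table} WHERE {column} = ?", (subject_email,)
        ).fetchall()
        result[table] = [dict(row) for row in rows]
    return result


def export_portable(conn, subject_email):
    """Data portability: a machine-readable copy the person can pass to another controller."""
    return json.dumps(collect_personal_data(conn, subject_email), indent=2, sort_keys=True)


def erase_personal_data(conn, subject_email):
    """Right to be forgotten: delete the person's rows from every table.

    Runs as a single transaction so the database is never left with some
    tables cleaned and others not. Returns the number of rows removed per table.
    """
    deleted = {}
    with conn:
        for table, column in PERSONAL_DATA_TABLES.items():
            cur = conn.execute(
                f"DELETE FROM {table} WHERE {column} = ?", (subject_email,)
            )
            deleted[table] = cur.rowcount
    return deleted


if __name__ == "__main__":
    db = build_sample_db()
    print(export_portable(db, "alice@example.com"))
    print(erase_personal_data(db, "alice@example.com"))
```

The one design decision worth copying to a real site is the explicit table map: whenever a new plugin or form starts storing something about a visitor, it gets added to that map, and both the access export and the erasure routine pick it up automatically. Verifying a request actually comes from the data subject (for instance by confirming the email address) is a separate step this example does not include.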

(c) Use of plugins – implications for WordPress site GDPR compliance

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with GDPR rules.

This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with GDPR exactly?

For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform users about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin with an addendum that they may add to their website's terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how the personal data entered in a contact form is going to be published, and offer an option to have it removed if necessary.

What needs to be done to my website?

To sum this up quickly for you:

  • The GDPR law comes into effect 25th May 2018.
  • It applies to any website that deals with personal information of EU users.
  • It gives the user the right to control the flow of their personal information.
  • The EU has defined processes to monitor compliance and big fines are in place for non-compliance.

To make your website GDPR compliant you should:

  1. Look into all the different ways in which you’re collecting visitor data.
  2. Put mechanisms in place to make sure that users can control their data. These can be either manual or automated processes.
  3. Avoid collecting user data where it’s not necessary.
  4. If you’re using any third-party tools and solutions check they are GDPR compliant.


How we can help

Initial website review

For existing customers we’d suggest you sign up for an initial review of your website using the form on this page.
New customer? Contact us

We will review how your website handles any user data. We’ll then advise on what changes would be needed and any costs involved. In the majority of cases these would involve:

  • Adding opt-in options (including a privacy policy link) on all data collection forms
  • Making changes to the existing Privacy Policy with clear information for users about what data you or any 3rd party uses and how
  • Adopting good data handling practices (SSL, send and forget, etc.)
  • Assigning a data officer (internal or managed)
  • Removing any existing data that is no longer required or non-essential
  • Checking 3rd party plugins for compliance

Please note that in some rare cases more serious development or changes may be required.

The cost of the initial review for a standard website is £95 + VAT.

Disclaimer! Please note: This service is not a legal service. None of the information on this page is legal advice. We are not lawyers.

We estimate most customers’ websites will require around 1 to 3 hours of work (charged at our standard hourly rate) to make the necessary changes. Average turnaround after the initial review is 10 working days.

Book your review

Please complete the form below to book your website’s initial review. Please note this form is for existing customers only; if you are a new customer and require some help, please contact us directly.

Your Name (required)

Your Email (required)

Please provide the website(s) URL (e.g. www.mysite.com)

This form collects your name, email and website URL. Check our Privacy Policy for the full story on how we protect and manage your submitted data.

I consent to having Silomedia collect my name, email and enquiry information. (required)


If you have any questions or need further information > Contact us