GDPR. This 4-letter acronym has been popping up a lot recently and that frequency is only set to rise over the coming weeks. Almost all the information appearing on the web seems to be designed to worry you, but not to tell you what you as a company actually need to do.
We suggest that the best way to prepare is to press on and get the key tasks done. It’s not going to be easy (or even possible) at this stage to be aware of every nuance of the legislation and how it might apply to your individual company, but the ‘public face’ of your company is bound to be first in line for some scrutiny and so at the top of the list needs to be your website and your email marketing. As our guiding principle we will take the old adage of the two people about to be attacked by a lion. One starts pulling on his trainers, leading the other to say ‘those will be no use, you will never outrun a lion’. The wiser of the two then replies ‘no need to outrun the lion – I just need to make sure I can outrun you’.
1. Is your website content management system up to date?
Good! Keep it that way. You need to be thinking about an ongoing process of probably 2 to 3 updates a year with some security related ones possibly needed between those. The most cost-effective way to manage this is probably to have a technical support agreement in place with your web agency. Failing that, at least arrange to have the updates done on a regular basis (a minimum of every 6 months).
You need to get this fixed and soon. If your website is very old then an update of the CMS could be a major task and so you may even want to think about getting some other benefits at the same time, for example a reskin or even a full redesign of the site. You probably would not make the May deadline if you wanted a new site, but at least you could genuinely show you were working toward compliance and then within a few months you would have a new compliant site in place.
2. Do you have a contact form on your website?
- Make sure your site is running under a secure certificate (https://) indicated by a padlock symbol in the browser address bar.
- If you can avoid saving the personal details provided via the form in your site’s database, then switch this feature off if that is possible in the CMS (website content management system) you use.
- Put in place an encryption method for the website to use when it sends you the contact form content in an email, so that the person’s details do not travel over the web in a plain text format.
- Look at your website form copy. Does it have any ‘We will send you this and that’ type statements with a pre-ticked box ? If so, then switch these pre-ticked boxes to be unticked by default.
- Add a mechanism to the site which allows people to request whatever data you hold on them is deleted (this could just be a simple email link).
- Add a mechanism to the site (again this could be an email link) which allows people to request a copy of the data you hold on them.
- Provide details on the website about how long you will be keeping a person’s information and what you will be using it for.
- Look at your website and your internal storage of personal data, to work out how you would retrieve or delete someone’s information if you were required to.
3. Does your website have a section where people can register/login ?
- Is the information you are storing on the website to support this the ‘bare minimum’ needed to do the job ? If not, strip it down. Perhaps email the extra stuff over to yourself for offline storage, or drop those questions entirely from the form and delete that historical data from the website.
- Does your website have some kind of monitoring software running on it that is detecting attack (hack) attempts? If you think your website is not being attacked you are wrong! Almost every website is being attacked multiple times a day from across the world. Most of these attacks are automatic with no ‘man power’ required to sustain them and so the flow of attacks is never ending. If your site is open to a known attack, then it is purely a matter of time before that attack happens.
- Does your server have a reasonably up to date technology stack? If the operating system is out of date then it is vulnerable to attack, and therefore so is your website. If your hosting server’s operating system is a year out of date then it’s pretty clear to the agency implementing the legislation (the ICO) that you are not really making ‘best efforts’ to keep your data secure.
- Does your hosting server have a firewall ? If not then it is open to a much greater range of attacks and therefore more vulnerable.
- Where do your website backups go? Are they secure ? Are they perhaps (well at least the database part) encrypted? If this backup can be accessed by an unauthorised person, then this is another method by which your website data can be compromised. So if your ‘offsite backup’ is an unencrypted hard disk in the boot of the IT manager’s car then it might be time for a procedure rethink.
- Passwords – change them into something reasonably hard to guess. The scary thing is that approximately 50% of all the passwords in use today belong to a list of about 20 popular ones. So forget teams of hackers working through the night on a supercomputer to break into your website content management system; it could be someone just sitting at a keyboard anywhere in the world trying these twenty common passwords and 50% of the time they are going to be able to login. This is a terrifying statistic so make sure you are not part of that 50%!
If you do email marketing then it’s time to look at your record of where you got those email addresses from. If it was from ‘dodgy&co list’ on some long defunct ‘Buy Your Lists Here’ website then you are going to need to get positive confirmation to continue contacting the people on that list by the end of May (and have evidence of that permission). You need to start working on the text of your ‘please confirm you still want to receive our emails’ email as soon as possible as you may need to send a few prior to May in order to catch people who do want to stay in touch at the right moment for them to agree.
If you have gathered together your emailing list in a more credible way over the years, then look back at that process. You may be able to demonstrate ‘legitimate interest’ from your contacts and carry on emailing them. For more information on this search Google for Recital 47 GDPR.
If you have put in place the steps above then you are the one wearing trainers. As time rolls on this year undoubtedly other issues will emerge that you will need to address but at least you have made a strong start!