GDPR Compliance for your Website
18th March, 2018

So, GDPR, the elephant in the room, needs to be discussed. This post is going to be short; I’ll let you Google ‘GDPR Compliance’ and work out what it all means for yourself or your business. Suffice to say, the penalties for non-compliance are big and the job of working out GDPR is vast. I also need to point out that we are not GDPR consultants or specialists, and I won’t reference anything or anyone here. This article deals solely with your website and tries to suggest the ‘action’ steps you need to follow to comply with the new rules.

Currently, you are NOT compliant. No platform makes you compliant out of the box: a stock WordPress, Magento, Fyneworks, Squarespace or Wix site, or a hand-written HTML website, does nothing about the obligations below until you write the policies and build (or configure) the access, deletion and export mechanisms yourself. None are.

Before I start I need to make clear the difference between B2C and B2B websites. There is not a lot of difference in the rules, but if you have a B2B website, then you are likely to be encouraging webforms to be filled in, newsletters to be subscribed to, or webinars and the like to be signed up to. You are still affected. If you are B2C, in terms of marketing all of the above applies, but you also need to contend with Orders, Quotes, Historical Data and so on.

Steps to take:
There are basically two steps to take. First, organise your policies: these are written elements of your Terms and Conditions or Privacy Policy. It’s basically the legal speak, but unlike many examples in the past, these have to be written with your business, services and products in mind.

Then worry about the technical implementation. Depending on your written policies for GDPR you’ll more or less know what you need to implement technically; at least that is the idea.

GDPR Documentation:

I call this ‘documentation’ for want of a better word, it could be your Privacy Policy, or T&C or a whole new section of the website.  We need to include the following key elements:

  1. Right to Access – we need to tell people they can access all the personal information we hold on them.  If we store it, we need to tell them how they can access it: from emails to online accounts, anything we have about a person, they have a right to access.
  2. Right to be Forgotten – anyone whose data is stored on a website, or passed to a 3rd-party company, has the right to have it deleted.  Again, this means everything from online accounts, shopping histories, old addresses and access logs, even emailed enquiry forms.  If a user requests that this information be deleted, we have to delete it.
  3. Data Portability – we have to provide users with their data so they can give it to someone else.  Phew, sounds like a headache. But yes: if a website user wants to withdraw their data from your website, you have to provide it in a format they can use on another website.

As I said before – the key with all three of these, is to describe them first in your Terms and Conditions or Privacy Policy – or if you prefer, we can build a dedicated GDPR page for you.

Technical Implementation:

  1. Right to Access
    Simple way: do it manually – if a customer/user wants access, you just have to hand over anything you have on them, probably via email. (This will probably be the easiest solution if you are B2B.)  Whichever way you do it, confirm that the person asking really is the account holder before you send anything; an unverified access request is otherwise a ready-made way for someone to obtain another person’s data.

    Tech way: allowing people to see their data online – and not just some of it, but all of it.  For example past orders and enquiries on an e-commerce shop, or a Support Desk ticketing or forum solution for all interactions between user and company.  Basically, putting the whole business online rather than running it over email.

  2. Right to be Forgotten
    Simple way: do it manually – if a customer/user wants to be deleted, we do it.  But it might involve considerable work: you might have orders, enquiries, tickets, support queries and email chains of correspondence to track down.

    Tech way: as above, but with big fat delete buttons along the way. However, there is a caveat here: if you made a sale 6 months ago and the user/customer asks you to remove it, deleting the order will affect your ‘sales’ figures.  So rather than deleting an Order, Query or Ticket, it needs to be anonymised: all the personal information (name, email, address, free-text messages) removed, while all the ‘company’ information (order value, date, products) is preserved.  It’s a technical biggie.

  3. Data Portability
    Simple way: do it manually – email people whatever they require.

    Tech way: downloadable CSV files.  GDPR, however, requires that you make data portable, i.e. in a format that someone can upload to another system.  That poses interesting questions.  One can see that if you are using an accounting system and want to move your data to other accounting software, it makes sense.  But if you are hiring out a product or dealing with 2-year-old e-commerce orders, the data still has to be provided in a manner that can be uploaded elsewhere, probably to another system.  This makes the tech side challenging to say the least: if you take on a customer from a competitor you not only have to build a technical solution to allow the customer to download their data, but also one to upload someone else’s data if the situation arises where someone wants to start using your services.

    CSV is the obvious data format: super flexible, lightweight and common to all computer systems.  It should be easy to export and import.  Two practical checks when you build the export: quote every field (addresses and messages contain commas and line breaks), and neutralise any text cell that starts with =, +, - or @, otherwise a spreadsheet opening the file will treat it as a formula.
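The three ‘tech way’ steps above fit together in one small piece of code, given here as an added example (it is not NCompass’s code and makes no claim about any particular platform). It assumes a hypothetical three-table shop schema (customers, orders, enquiries) held in an in-memory SQLite database with a few constructed rows. `subject_data` is the Right to Access export, `portable_csv` is the Data Portability download with formula-safe cells, and `erase_customer` is the Right to be Forgotten done by anonymising rather than deleting, so the sales total is the same before and after.

```python
"""Added example: subject access, portable CSV export and anonymised erasure
for a hypothetical small shop schema (not code from the original post)."""
import csv
import io
import sqlite3
from datetime import datetime, timezone

# Cells beginning with these characters are interpreted as formulas by
# spreadsheets, so they are prefixed with a quote on export.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Which column ties each table to a person.  Fixed list, never user input,
# so interpolating these names into SQL below is safe.
PERSON_TABLES = (("customers", "id"), ("orders", "customer_id"), ("enquiries", "customer_id"))


def open_shop_db():
    """Create the hypothetical schema and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                                address TEXT, erased_at TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                             total_pence INTEGER, placed_at TEXT);
        CREATE TABLE enquiries (id INTEGER PRIMARY KEY, customer_id INTEGER,
                                message TEXT, sent_at TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,NULL)", [
        (1, "Ada Example", "ada@example.com", "1 Test St, London"),
        (2, "Bob Sample", "bob@example.org", "2 Mock Rd, Leeds"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (10, 1, 4999, "2017-09-01"), (11, 1, 1500, "2018-01-15"), (12, 2, 2500, "2018-02-02"),
    ])
    conn.executemany("INSERT INTO enquiries VALUES (?,?,?,?)", [
        (100, 1, '=HYPERLINK("http://attacker.example")', "2018-03-01"),  # constructed hostile input
        (101, 2, "Is the blue one in stock?", "2018-03-02"),
    ])
    conn.commit()
    return conn


def subject_data(conn, customer_id):
    """Right to Access: every row held about one person, keyed by table."""
    out = {}
    for table, key in PERSON_TABLES:
        rows = conn.execute(f"SELECT * FROM {table} WHERE {key} = ?", (customer_id,)).fetchall()
        out[table] = [dict(r) for r in rows]
    return out


def _safe_cell(value):
    """Prefix formula-looking text with a quote so a spreadsheet shows it as text."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def portable_csv(conn, customer_id):
    """Data Portability: one fully quoted CSV document per table, as strings."""
    bundle = {}
    for table, rows in subject_data(conn, customer_id).items():
        buf = io.StringIO()
        if rows:
            writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), quoting=csv.QUOTE_ALL)
            writer.writeheader()
            for row in rows:
                writer.writerow({k: _safe_cell(v) for k, v in row.items()})
        bundle[table] = buf.getvalue()
    return bundle


def erase_customer(conn, customer_id):
    """Right to be Forgotten: strip the personal data, keep the commercial record.

    Orders keep their id, value and date so sales reporting is unchanged; the
    customer row becomes a placeholder (with the erasure timestamp recorded);
    free-text enquiries, which may contain anything the person typed, are
    deleted outright.  Returns the erasure timestamp.
    """
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur = conn.cursor()
    cur.execute("UPDATE customers SET name=?, email=?, address=?, erased_at=? WHERE id=?",
                ("[erased]", f"erased-{customer_id}@example.invalid", "[erased]", now, customer_id))
    if cur.rowcount == 0:
        raise LookupError(f"no customer {customer_id}")
    cur.execute("DELETE FROM enquiries WHERE customer_id=?", (customer_id,))
    conn.commit()
    return now


def sales_total_pence(conn):
    """The ‘sales figures’ the caveat above wants preserved."""
    return conn.execute("SELECT COALESCE(SUM(total_pence), 0) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = open_shop_db()
    print(portable_csv(db, 1)["enquiries"])   # hostile cell comes out as '=HYPERLINK(...)
    erase_customer(db, 1)
    print(subject_data(db, 1)["customers"])   # placeholder row, orders still linked
```

The design choice worth copying is that erasure is an UPDATE plus a targeted DELETE, not a cascade: the order rows survive with their customer_id intact, so per-customer and total sales reports still add up, while nothing that identifies the person remains in any table the export reads.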

As a footnote to the above we should just stress the last comments:

  • If you are an Accounting Software B2B Service, the rules are going to hit you hard: you’re going to be handling tons of your clients’ information and all of it needs to be accounted for under GDPR.  None of NCompass’s websites are really like that; although many of our clients offer Software or Software-as-a-Service solutions, most of our websites are simpler than that.  This article refers to the ‘simple’ stuff.
  • If you have a marketing-only website, the rules apply just the same: you are trying to get prospective users or businesses to sign up, so you need to be GDPR compliant.
  • If you have an eCommerce website, the rules apply and you need to go a bit deeper.

Having established the three principal ‘effects’ of GDPR on websites, get in touch and we can take you through a much more personalised plan for your website, very importantly – we may not have the answers for you, but we will be able to help with the technical implementation of whatever is needed…