GDPR – Website & Data Security Package

Details of our Website & Data Security Package

The General Data Protection Regulation (GDPR) is being enforced from 25th May 2018.

Under GDPR, businesses have certain responsibilities with regard to the management of personal data. Personal data is defined by the ICO as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. So this includes obvious things like names, addresses and telephone numbers (in business contexts as well as personal) but also less obvious things like IP addresses.

The six principles of data protection under GDPR are that data should be:

  • Processed lawfully, transparently and fairly
  • Only collected for specified, explicit, legitimate purposes
  • Adequate, relevant & limited to what is necessary for the processing purpose
  • Kept accurate & up to date
  • Only kept for the time needed for the processing purpose
  • Collected, stored & processed securely

For most businesses, their website is a key part of their business and an important means of collecting (and often storing) information about potential clients. Bearing in mind the above principles of GDPR, Ascendancy have identified a number of key changes that most businesses are likely to need to implement on their websites in order to work towards GDPR compliance:

  1. The site should have an SSL certificate (this means the site’s address will start with https rather than http – see this article for more information). We are recommending that clients on our most basic hosting package make the switch to our Business package, which includes SSL by default and has other benefits such as making your website run significantly faster.
  2. The site should have a GDPR-compliant privacy statement. By this we mean that you replace your old ‘privacy policy’ with a new statement that meets the GDPR requirements. Unfortunately we can’t write this for our clients, as we’re not lawyers, but the ICO give lots of examples here.
  3. As well as linking to the privacy statement from the footer, you should also give users privacy information in context (i.e. on the contact forms themselves) that explains clearly what you’re going to do with users’ data. Again, the ICO give lots of examples on the link above.
  4. You should audit the website database to see what information may be stored in it – are you keeping copies of enquiries that came in 5 years ago in the back end of your site? If so, bearing in mind that you should only keep data for the time needed for the processing purpose, you should probably have a clear-out! Make sure you are only storing data that is needed, and review this regularly, purging any data you no longer need or have the right to hold.
  5. Google Analytics has an optional IP address anonymisation feature that you may wish to turn on, to request that all your users’ IP addresses are anonymised within the product. You can find more information about this here.
  6. Bearing in mind the requirement to keep data secure, you should review and if necessary upgrade the security of your website – make sure any usernames and passwords used are strong, that only those who need access actually have access, and that your website software is up to date (and kept up to date going forward). As an additional security measure, if you’re using WordPress, you may wish to install a security plugin such as Wordfence, which will help you keep the site secure.
  7. As well as providing information on your website’s use of cookies via a cookie statement, you may also wish to install a cookie banner to make users aware that the site uses cookies.
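
Item 4 above describes auditing the website database and purging enquiries you no longer need. The following is an added example (our illustration, not Ascendancy’s code and not the schema of any particular website product) of how such a clear-out can be done safely: first report what is stored and how much of it is past its retention period, then run the purge as a dry run that only lists what would go, and only then delete. It uses an in-memory SQLite table with a constructed `enquiries` schema, constructed sample rows, a constructed “today” of 25th May 2018 and an assumed retention period of 730 days; the retention period you actually apply depends on your own processing purpose.

```python
"""
Audit and purge stored contact-form enquiries that are older than a retention
period, illustrating the "only keep data for the time needed" principle.
Added example: the schema, rows, dates and retention period are all constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) schema: one row per submitted contact form.
SCHEMA = """
CREATE TABLE enquiries (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL,
    message     TEXT NOT NULL,
    received_at TEXT NOT NULL   -- ISO-8601 UTC timestamp, e.g. 2018-05-01T10:00:00+00:00
);
"""

# Constructed sample data: two old enquiries and three more recent ones.
SAMPLE_ROWS = [
    ("Alice Example", "alice@example.com", "Quote request", "2013-02-11T09:15:00+00:00"),
    ("Bob Example",   "bob@example.com",   "Call me back",  "2015-07-30T14:02:00+00:00"),
    ("Cara Example",  "cara@example.com",  "Brochure",      "2016-11-03T08:45:00+00:00"),
    ("Dan Example",   "dan@example.com",   "New project",   "2018-03-20T16:30:00+00:00"),
    ("Eve Example",   "eve@example.com",   "Question",      "2018-05-01T10:00:00+00:00"),
]

# Constructed "today" for the walkthrough (the GDPR enforcement date).
SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
RETENTION_DAYS = 730  # assumed two-year retention; set this from your own policy


def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO enquiries (name, email, message, received_at) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def retention_cutoff(now: datetime, retention_days: int) -> str:
    """ISO timestamp; rows received before it have exceeded the retention period.
    All timestamps share one format, so SQLite's text comparison orders them correctly."""
    return (now - timedelta(days=retention_days)).isoformat()


def audit_retention(conn: sqlite3.Connection, now: datetime, retention_days: int):
    """Read-only report: (total rows, rows past retention, oldest received_at)."""
    cutoff = retention_cutoff(now, retention_days)
    total = conn.execute("SELECT COUNT(*) FROM enquiries").fetchone()[0]
    expired = conn.execute(
        "SELECT COUNT(*) FROM enquiries WHERE received_at < ?", (cutoff,)
    ).fetchone()[0]
    oldest = conn.execute("SELECT MIN(received_at) FROM enquiries").fetchone()[0]
    return total, expired, oldest


def purge_expired(conn: sqlite3.Connection, now: datetime, retention_days: int,
                  dry_run: bool = True) -> list:
    """Delete enquiries older than the retention period and return their ids.
    With dry_run=True (the default) nothing is deleted; the ids that would be
    removed are returned so the clear-out can be reviewed before it is run for real."""
    cutoff = retention_cutoff(now, retention_days)
    ids = [row[0] for row in conn.execute(
        "SELECT id FROM enquiries WHERE received_at < ? ORDER BY id", (cutoff,)
    )]
    if not dry_run and ids:
        conn.execute("DELETE FROM enquiries WHERE received_at < ?", (cutoff,))
        conn.commit()
    return ids


if __name__ == "__main__":
    conn = open_sample_db()
    print("audit before:", audit_retention(conn, SAMPLE_NOW, RETENTION_DAYS))
    print("would delete:", purge_expired(conn, SAMPLE_NOW, RETENTION_DAYS, dry_run=True))
    print("deleted:     ", purge_expired(conn, SAMPLE_NOW, RETENTION_DAYS, dry_run=False))
    print("audit after: ", audit_retention(conn, SAMPLE_NOW, RETENTION_DAYS))
```

Running the script lists the two enquiries from 2013 and 2015 as past retention, leaves the 2016 one (it falls inside the assumed 730 days), and only removes rows once `dry_run=False` is passed. Against a live site you would point the connection at the real database, take a backup first, and run the audit on a schedule so the review item 4 asks for actually happens regularly.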

The good news for Ascendancy clients that meet certain criteria (your site was built by us, it’s hosted with us, and it is a relatively straightforward one) is that we have put together a fixed-price package to make the various changes mentioned above to your website for you.

If your site doesn’t meet those criteria, it doesn’t mean we can’t help; it just means you may not be able to have our fixed-price package, and we’ll put together a custom package just for you.