The General Data Protection Regulation (GDPR) brings data protection legislation into line with new ways that personal data is now used. For website owners, it’s an opportunity to tidy up the way we manage user data with transparent privacy practices in mind. It’s also a legal obligation from 25 May 2018 with steep penalties for non-compliance.

Personal data under the GDPR includes “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. For instance, names, email addresses or identifiable IP addresses all constitute personal data.

What we’ve been doing to protect data and users’ privacy

  • Been registered with the ICO as a data processor since 2012 (Reg: Z2445913)
  • Undergone assessment and achieve certification against Cyber Essentials Scheme criteria since August 2016 (refresher due in Summer 2018)
  • Implemented a managed IT service which covers:
    • End user device (laptop) configuration, policy enforcement, updates/patch management and monitoring
    • Mobile device management
    • Network and firewall configuration
    • Malware and AV scanning
  • Implemented company-wide password management to manage credentials for client sites and company tools
  • Implemented two-factor authentication on our business-critical cloud systems
  • Implemented company VPN for all staff accessing systems remotely, which auto-activated on untrusted networks
  • Implemented a configuration and deployment template for hardening and deploying client servers

Further steps we’ve been taking to comply with GDPR

  • Formalising our processes as policies: data protection, information security, breach notification, information asset/risk registers
  • Refreshing staff guidance
  • Auditing any data we hold offline which could include personal data
  • Reviewing client sites given the broadened scope of GDPR
  • Monitoring what key third party processors are doing: MailChimp, Google (Analytics), including the compliance with US/EU agreements such as the Privacy Shield standard

As part of our client site audits, we’ve been reviewing sites against our 25 checkpoint GDPR template and notifying clients of any recommended steps to take. These audits look at:

  • Hosting security and whether administrative users are still active
  • Analytics and third party services, including the accuracy of Privacy and Cookies information
  • Reviewing functionality:
    • Email newsletter and alert opt-ins, and clarity about signup language
    • Members areas
    • Publisher/user registrations
    • Application forms/submissions
    • Comments
    • Analytics/logging
    • Social media sharing
    • Plugins processing user data
  • Ensuring there are clear routes to support erasure, correction and portability (e.g. exports of user data and subject access requests)
  • Checking for and if appropriate, removing, data stored offline on our systems

What our clients need to do

  1. ensure you are registered with the ICO as a data controller (if you determine what happens to the data), or else as a data processor if you process it in other ways
  2. document the personal information you hold
  3. document on what basis you are processing user data (what data, why processed, where it is kept, who has access to it, how long it is retained for) – usually as part of a data protection policy
  4. ensure you have taken sensible steps within your organisation to keep information secure, and put a process in place to report breaches of security to the ICO – usually as part of an information security policy and breach notification policy
  5. ensure the contracts you have with processors of your data include explicit roles and responsibilities for data controllers and processors?
  6. consider how to ensure the information you hold is current, accurate and up to date
  7. gather and record consent for contacts on email lists or site member registrations assembled previously. Consider emailing the contacts again explicitly to check
  8. ensure you have in place a data retention policy e.g. a point at which data can be deleted when no longer required, based on how long you need to process the data

 Last updated: 24 April 2018