Sophie Jewry: Right, what do I need to do with my website to make sure that it’s compliant with GDPRS? Is there anything that needs to be done?
For example, you’ve got … a normal info site, a membership site and a shop. So, do you wanna go for info site first?
Neil Penny: Yeah. Okay. So, for any website you will need to update that information for your terms and conditions, and your privacy policy. So, your privacy policy needs to recognise that you are handling cookies, and that you’re not responsible for third party website or content. That’s standard as normal data protection rules now. Include information about your ICO registration as well.
Sophie Jewry: Okay.
Neil Penny: But, the privacy policy does need to be updated. Within that privacy policy you will need to have some information relating to a Subject Access Request. ‘Subjects’ are what the European Union call consumers and they have the right to ask for information on what you may hold on them.
Sophie Jewry: Okay.
Neil Penny: They have this right now, but for the 25th of May it’s slightly different. You’ve got 30 days to supply that information, and they then have the right to come back to you and ask you to correct any information, or they can have the ‘Right To Be Forgotten’.
Sophie Jewry: Okay.
Neil Penny: This is something known as the Right To Be Forgotten. You will need a policy that explains how they do that, but within the privacy policy you need to make them aware they have the right to be forgotten.
So, the Right To Be Forgotten means the consumer says, “I no longer wish you to remember me or my business with you.” And you simply delete them and that’s their right to do that.
Sophie Jewry: But, we need to make sure that we log that we’ve deleted them?
Neil Penny: Yes. Do maintain a log that their information has been deleted.
Sophie Jewry: But, obviously, do you just say I’ve deleted … Put like their name? You wouldn’t hold their data?
Neil Penny: Correct, that’s it.
Sophie Jewry: You’d have to delete the data, but just say this person-
Neil Penny: Yeah. So, you would say, “This person-“
Sophie Jewry: Joe Blogs.
Neil Penny: … “Joe Blogs has requested on such and such a date to be … For the right to be forgotten and that was completed on such and such a date.” As long as you got record of it that’s that.
The reason you need this is in case the consumer feels their privacy has been violated and they’ve received information or unwanted correspondence and they think you might be responsible.
In case, you get any enquiries for that you can say, “Yes, I remember that person. We have forgotten them and we haven’t sent them anything.” And you’ve got a record of that.
Sophie Jewry: So, you would just have a separate folder or file, like a spreadsheet, where you just say these people are forgotten on these dates.
Neil Penny: Yes, indeed.
Sophie Jewry: Nice and easy.
Neil Penny: So, you should have an internal policy as well about Subject Access Request. So, who deals with it? Who are they addressed to? How is that processed with remembering the key information?
Don’t forget anything, so if you got credit card information tell them what it is, how it was obtained, et cetera, et cetera. And you’ve got 30 days to comply with that.
Sophie Jewry: So, really we want a checklist don’t we?
Neil Penny: A checklist.
Sophie Jewry: Checklist of what we need to give somebody when they ask for data?
Neil Penny: Right.
Sophie Jewry: Of what we need to do if they ask to be forgotten?
Neil Penny: Yes.
Sophie Jewry: And kind of who is dealing with what, as part of the manual type thing?
Neil Penny: Yep, absolutely.
Sophie Jewry: So, what about https because that’s obviously part of it as well.
Neil Penny: That’s right. For websites that are not just info sites, but are shops as well, I wholly recommend that they are https.
Sophie Jewry: Do you need https for info site… It’s beneficial isn’t it because google now rank you down if you don’t have a secure site?
Neil Penny: That’s right. So, if you’re not a secure site you will be harder for new consumers to find you for you to do business with them.
So, it’s a very simple and quick process and it’s relatively cheap as well to have done. It’s a necessary step so Google, Edge, Chrome, everybody and all the major search engines recommend that you are on https.
Sophie Jewry: So, you get your little padlock and your little green tick.
Neil Penny: You have your little padlock, yeah, green tick. And it’s a McAfee and all those other good people will include you in a safe search, so it’s highly recommended.
More information is obviously going to be stored because they’re going to be accessing information, and supplying you with credit card details, et cetera.
Sophie Jewry: That’s for shops?
Neil Penny: Yeah. Again, very important that that information is stored securely, safely. Ideally it needs to be in a password protected environment, even more ideally it can be anonymised so it’s not easy to recognise that Joe Blogs’s credit card information is this and that’s his postal address.
There are tips about how you can do that on various sites, so it’s not too difficult to work out how to do password protection, et cetera.
Sophie Jewry: Obviously there’s different types of membership sites and shops aren’t there? For some people they’ll have a site which is their plugin on their website and all of the data is in that place. They might likely be used in a third party service for payment like PayPal or Sage Pay or something similar.
Neil Penny: Yes.
Sophie Jewry: So, that side they’re compliant and they need to ask for the compliance information from those third party people?
Neil Penny: Yes. If it was me and I had a shop, and I was using Sage Pay or Worldpay for example. I would go to them and ask them for their details of their privacy policy, and who their data controller was, and what their policies were in terms of protection and maintenance of consumer data.
Very important, all you have to do is get a print out of that and that acts as your documentation that you’ve attempted compliance, and that there is a record that its existed.
So, once again, it’s another tick box that you’ve done your very best to comply with GDPR.
Sophie Jewry: So, the payment processing done.
Neil Penny: Yes.
Sophie Jewry: Then, you’re just left with the actual consumer, the client, the data subject’s information, which is the membership site. So, you might have birthday, you might have name, address, telephone number and things like that.
Neil Penny: Right.
Sophie Jewry: If that is the plugin on your own website and you have to obviously log in to the website, that’s slightly different to if you were using say for example, Infusionsoft or some of the other web platforms out there where you can run your membership site on them. They presumably will be GDPR compliant?
Neil Penny: Correct.
Sophie Jewry: … so you get the information from them like the third party payments?
Neil Penny: Right. So, by the virtue of the fact that they volunteered the information, they’re supplying with you information willingly; the consent is implied. So, you don’t necessarily need consent from a consumer for anything, funnily enough. We’ll talk about that later.
Sophie Jewry: Yeah.
Neil Penny: But, the fact that they volunteered their information on your site-
Sophie Jewry: …because they’ve joined and they’re paying or whatever.
Neil Penny: Because they’ve joined. Yeah, or even if they just subscribe in for free information or marketing the consent is implied. So, it’s slightly different from the shop scenario.
Sophie Jewry: Okay. But, if the data is just on your website and you’ve got access to it, you need to have something in place for yourself for that?
Neil Penny: Right.
Sophie Jewry: Or some proof that it’s secure with the logins or you’ve got some sort of security plugins in place to protect the data?
Neil Penny: Right. So, once again, making sure that the data is stored in a secure environment preferably not in the same place where you’re working, it’s off site.
It can be on a flash drive, or it can be in the cloud, wherever. But, again, as long as it’s separated from the machine on where you’ve gathered the information, that’s an additional security step that the information commissioner would approve.
Sophie Jewry: That’s a whole other thing. So, that would be for example a membership, if you were running a membership club, aside from a website, so, the data is not on the website, you’ve got it all filled in on your computer because you’ve got, I don’t know, you run a Weight Watchers Club, or you’ve got a Rugby club, or you’ve got a little Taekwondo group and they’re coming to you regularly.
Neil Penny: Yep.
Sophie Jewry: But, they’ve like a membership thing, then you’ve got the access for that as well.
Neil Penny: Yeah. So, we would advise that you keep it separate from wherever the access mechanism is. That’s because of potential security violation, it could be down to a hack, or it could be down to data lost, theft.
Keep it separate, it make it harder for anybody to access or get somebody else’s data, which then becomes compromised. So, something we’re gonna be talking about later is what happens if I commit a data breach? We’ll talk about that one later.
Sophie Jewry: And staff obviously.
Neil Penny: Staff training, very important.
Sophie Jewry: Because if you’ve got a VA who’s working on your website, they will get access to the members’ information.
Neil Penny: Right.
Sophie Jewry: So, you’ve got that element as well – and that comes into contract?
Neil Penny: Yes. So, hopefully you would have an employment contract with any member of staff, appreciate small businesses don’t always have employment contracts but it’s a legal requirement, and of course an employee would ordinarily want one-
Sophie Jewry: And outsourcers obviously?
Neil Penny: Yes, exactly. Contractors and what have you. So, it will need to be clear within the working terms and contract, but they may have access to personal information. Then, it’s down to you as a business to restrict access to that information to only those that absolutely need it.
So, a person that’s responsible within the business for IT and security, if you have us dedicate a person they’re gonna do it. Receptionist, they may not have access to all of it and you can restrict that information if possible, you might just have the name and a contact number. But, training is important as well.
It might only be once a year, but at least if your personnel and your staff are trained at least once a year about GDPR and what the legal requirements are, you can learn it again, demonstrate that you’ve tried to be compliant.
Sophie Jewry: Basically if you’ve not got contracts in place even with outsourcers, they need to have separate logins so you can remove their access?
Neil Penny: Correct. Yes.
Sophie Jewry: You need to have a contract in place with them, even if it’s really basic, just to say you’re not going to mess about or share this data anywhere else?
Neil Penny: Correct.
Sophie Jewry: And just make sure that you got all your ducks in a row really in terms of paperwork, so you can just prove that you’re being compliant.
Neil Penny: Consumers, data subjects expect the rights and they will get bombarded with information leading up to and just after GDPR coming into law.
That they’ll then have all these new rights, and I’m sure there will be some people that can’t wait to find out what information that they’ve got. So, they’ll expect it, they’ll expect their data to be protected.
So, fully cognisant of the fact that small businesses may not have all these procedures in place, but you still have time to work towards getting that done.
This is 1 of a series of videos we have recorded about GDPR. To see more and discover what you need to know as a business and an individual, check out our GDPR YouTube playlist at
A little bit about Neil Penny – He has over 30 years of Systems and Telecoms experience, including 10 years in HM Forces (Army) where he specialised in secure data and radio communications. Moving into the private sector he worked for NatWest as SWIFT Communications Manager, Orange as Product Manager for the first pre-paid service ‘Just Talk’, Norweb (now Vodafone) as Head of Telebusiness (Non-Geographic and Premium Rate Services) and COLT Telecom as Head of Intelligent Network Services for UK, Ireland, Northern Europe and Scandinavia. In 2003 he joined Opera Telecom taking on the role of Director of Commercial Operations before founding Enarpee Services in 2006.
You can find out more about Enarpee and their services at www.enarpee.com – if you quote Ladies That Plan you can take advantage of a special package that Neil has put together specifically to help small business owners with GDPR compliance.