Since the beginning of the Covid-19 pandemic, businesses have been forced to think, and rethink, how they conduct their operations. What initially may have been a short-term reaction to the lockdown in March 2020 has most likely become integrated as a core and ongoing business function. This has resulted in a dramatic increase in the number of businesses across all sectors, large and small, beginning or expanding their online trading presence.
There are many advantages to having an online presence. This can be through a website or leveraging the commerce options of social media networks. The flexibility, fluidity and adaptability of a digital platform can deliver new and perhaps more lucrative revenue streams.
Many businesses may already have had an online presence, such as a brochure website. The move to trading online can, however, expose your business to risks which need to be properly considered and mitigated.
Below are some of the areas that need to be considered from a GDPR and Data Protection perspective.
Is your website secure? It is vital to ensure that your website is properly secured to protect against cyber-attacks which may lead to data breaches, such as the Robert Dyas data breach. Do not assume that the website development process will include security or penetration testing; you may have to ask for this. Such testing will highlight any vulnerabilities that may expose your website, your users and your business to harm. Ensure that any software and plugins being used are up to date and are updated on a regular basis.
The safeguards you need in place should be proportionate to the personal data processing. If you are processing high volumes of personal data, or are processing special category data, you will need higher levels of safeguards to ensure the security of the data. In certain cases, you may need to conduct a Data Protection Impact Assessment (DPIA) prior to website launch.
Personal Data Processing
What personal data is being processed through your website? Personal data can be processed actively such as through a membership login or newsletter sign up, or automatically such as by analytics cookies. Unless you map out your personal data flows you may not be aware of exactly what you are processing and may be using personal data that you don’t actually need. See here for more information about Data Mapping.
Why are you processing this personal data? You must clearly know the purpose of processing the personal data. For example, the purpose of analytics cookies may be to enable you to understand how users interact with your website, which pages they look at and which pages they don’t; the purpose of a newsletter sign-up is communication with subscribers; the purpose of a contact form is to enable people to contact your business.
What is your lawful reason for processing the personal data? You must pick one of the six lawful reasons as outlined in the GDPR.
If legitimate interests is your lawful basis, you should complete an assessment to ensure that your business’s interests do not infringe on the rights and freedoms of your website users. To do this you need to consider whether the processing is necessary. If it is, then you need to consider whether it is proportionate and balance out your needs as a business with the rights of your website users.
If consent is your lawful basis, remember that you must have an opt-out mechanism so that users can withdraw their consent.
Third Party Due Diligence
Are you using any third-party processors? It is likely that you are using different processors for the design, running and operations of your website.
For example, unless you are a website developer, you will have employed someone to design your website for you. Your website will generally be hosted by a third party like AWS, Azure or Blacknight. You will have a payment provider. You may have a newsletter that is managed by a third party.
It is vital that you understand your relationship with these providers. As a business owner, you are the data controller. This means that you are ultimately responsible for vetting and approving any third parties. This process of due diligence should include reading and understanding their privacy policies and following up with the third parties on any questions that you have. There may be circumstances where you need a Data Processor Agreement in place as well. See my Guidance Note here for more information about Data Processor Agreements.
Letting Users Know: Privacy Notices
Have you written a bespoke Privacy Notice?
In the case of a complaint, investigation or audit, it will also demonstrate to the Supervisory Authority (in Ireland, this is the Data Protection Commission) that you have taken your responsibilities seriously and have endeavoured to meet your obligations.
So, beware of generic versions or ‘copy and paste’ creations when writing your privacy notice. See the tools here to assist in creating bespoke Privacy Notices and Sample Privacy and Cookie Notice Templates.
The Importance of Cookies
Have you checked your Cookies?
Check out my Resources section for all the tools you need to help on your GDPR compliance journey.