PLEASE READ THIS WHOLE ARTICLE.
It contains important information and as a business owner you are legally obligated to understand this. It's not just website related.
In summary, what do I need to do?
You need to keep people's data safe, and write a privacy policy.
Skip to:
What is GDPR and data?
The GDPR law means you need to keep your customers' data safe.
Data = any information you get through your website contact form, phone call or an email.
Examples of personal data which you need to keep safe:
Someone's details such as name, gender, or date of birth
Someone's email address, house address or phone number
Someone's date of birth
The GDPR law means you are legally responsible for:
1. Keeping this data safe, whether that's on your computer or in cloud storage
2: Displaying a Privacy Policy that explains why you ask for it and how you store it.
Sensitive data is different to personal data and would require much more extreme secure measures. Sensitive data could include things like: religious beliefs, political opinions, sexual orientation, etc. We recommend against collecting this.
Ideally you should collect as little data as you can.
Business owners tend to ask for a lot of information from their customers even when it's not necessary.
Do you really need their gender? Their full date of birth? Their phone number?
Try and collect as little as possible. The more you collect, the more important your job will be to keep it safe.
What could actually happen to my data?
It might seem like being 'hacked' is extreme. But we've seen it happen to our clients multiple times. You won't even know it's happened.
It's as easy as having a bad email password and a company can log into your emails and export your list of contacts. Your customers will then start to receive marketing emails from random companies.
If they trace the leak back to you, you could be reported.
It's as simple as that.
If this happened to you, you would have to follow the ICO's process for dealing with a data breach. See more info here.
An example
Think about it from your point of view as a customer. If you worked with a local building company they will have your name, home address and maybe even your date of birth. They might also store your card details when you pay your invoice.
If that building company store your details on one of their employee's computers and a random person gains access to that information due to it not being properly secured, all of a sudden a dodgy company from a different country have your personal information. That company/person can then use that information to access YOUR accounts such as Facebook or your email account. Easy as that.
When you give that building company your information, you are trusting them to keep it safe.
So how do I keep data safe?
If your data is hacked then you are liable for letting this happen.
Nothing is 100% secure, but you need to do your best by securing every step of the process.
Use a secure email service like Microsoft or Google (so your emails are not easily hackable). You can get these email addresses through us at retail price.
Do not use cheap email providers like 123-reg or Namecheap as these are easily hackable. It is not worth the very small cost saving. You need to invest in the proper tools.
Use a secure website platform (if we built your website, it's secure!)
Do not choose passwords that can get hacked. Make sure you're using a jumble of letters, numbers and characters and NEVER re-use a password. DO NOT use your name, a date, a year, a place, or ANY other word.
An example of a bad password: KathrynOnline1993
An example of an acceptable password: YF4Z-az2pq-UTlMC2I. Generate your passwords with something like this: https://passwords-generator.org/
Any password you are going to try and remember in your head is NOT a good enough password.
Do NOT write down your passwords on paper. Keep them in a secure password storage like 1Password, Dashlane, or Apple Keychain.
When you save PDF attachments from your contact forms, save them somewhere secure. Your personal file storage might not be secure enough (especially on Windows). Consider using Google Drive, Dropbox etc.
If you do save them in your personal storage, make sure your laptop is 10000% secure in the event you lose it. Eg have a great password on your login screen, and make sure you set up all of the security measures available (have it destroy your data after X amount of failed login attempts, etc).
If you lost your laptop and someone saw your files and names of your customers, this is a breach of GDPR.
Do not write down people's personal information on paper.
Do not keep people's information in any software that doesn't have a password, or in any software that you don't trust.
Regularly delete data you don't need anymore, for example information from leads that didn't go ahead, or information from jobs that are over 4 years old.
Turn on 2-step verification for all of your logins and software.
What if I don't collect data?
Everyone collects data.
When you receive an email from a customer, you get their email address. That is collecting data.
Even if you have no contact form, your website will always have cookies, which allows you to view traffic analytics. This counts as collecting data.
Why do I need to know this? Isn't this your job?
No. When you get a new website you legally become a 'data collector' meaning it's your job to understand this and has nothing to do with us as your web designer. But don't worry, it's not complicated.
What if I don't care about this?
You are responsible, not us, so we will get your website live either way, whether or not you are correctly handling data or have a privacy policy.
How do I get a privacy policy?
A privacy policy is designed to explain to customers why you're asking for their data, and how you're correctly handling it.
In theory, getting a lawyer to write your privacy policy is the best way. We know that's not realistic, so you can also use an online generator.
Although we do not endorse any particular builder, we know other clients have had success with Termly.
When you're done, please send us your policy so we can put it on your website, or send us the login so we can retrieve it for you.
You may also need this during the process: What cookies does my website use?