How to ensure your website is GDPR compliant

We’ve been completely swamped with GDPR-related activity in the past few weeks. We began by taking the position that we weren’t qualified to answer questions about GDPR and instead referred clients to all of the publicly available information. This prompted even more questions, and after several clients asked us to guide them through the GDPR compliance process, we developed a series of steps which you can follow.
It’s clear now that non-compliance isn’t an option because the regulations have teeth. You can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. Of course these are the most serious fines; for lesser offences there is a tiered approach. Fines of 2% of annual global turnover are the penalty for not keeping your records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting a full impact assessment.
Our Website GDPR Compliance Programme is designed to help guide you through the whole process of becoming compliant. It breaks down into two parts: Reporting and Implementation.
First of all we will create a report reviewing everything on your website which might be relevant to GDPR along with a bespoke plan or roadmap describing the work necessary to achieve GDPR compliance.
This is a summary of the type of detail you can expect to see in your report.

1. Overview

An overview of your site, its infrastructure and the technologies used to run it.

2. Cookies

We will give details of which cookies are in use on your website along with their expiry dates and any specific recommendations for ensuring GDPR compliance.

3. Passwords

We will list all of the user accounts on your site, along with their roles and privileges and recommendations for current and future password security.

4. Contact Forms

If your website uses contact forms to capture user data we will list each form along with details of any associated plug-ins or code. The report will provide details of how the data from the forms is stored along with any recommendations for current and future GDPR compliance.

5. Signup Forms

The report will contain details for any newsletter sign up forms (linked to MailChimp for example) along with recommendations showing you how to ensure future sign-ups will be GDPR compliant.

6. Mailing Lists

Any existing Mailing Lists will be examined and recommendations made on how to make those lists GDPR compliant. If you have already carried out a GDPR compliance exercise we can take a look at that and report on whether you are, in our opinion, fully GDPR compliant.

7. User Data

The report will give details of all the stored user data; this will include e-Commerce customers and WordPress user accounts. If your website has eCommerce capability the report will detail where and how you store and process user data. Storage methods and data locations will be shown along with our recommendations describing how this data can be modified to ensure GDPR compliance.

8. Plug-ins

Every plug-in on the site will be listed along with an individual review describing how safe the plug-in is, whether it is still under active development, and especially an alert if it presents any potential GDPR issues.

9. General Security

You will be provided with an overview of the website’s current security status.

10. Backups

The report will confirm details of backup procedures, frequency and storage methods.

11. External Services

We will list all of the external third party services that are integrated with the site and give details of how these services can be made GDPR compliant.

12. Roadmap

This final section will provide details on the work that we recommend you undertake in order to bring the site up to the current standard required for GDPR compliance.


Until we complete the report it is impossible to say exactly what action you need to take in order to make your site fully compliant. It could be that there won’t be anything to do, in which case the report alone will suffice and you’ll be able to file it away in case anyone ever asks you to demonstrate what steps you took when the new regulations came into force.
What seems more likely is that the report will list a series of tasks which you need to carry out. Here are some examples of those tasks.

1. Data Clean-up

Remove existing data that does not comply with GDPR along with any information you cannot justify holding.

2. GDPR Data Requirements

Set up the WordPress Core privacy features which satisfy the following GDPR rules:
  • Data Portability
  • Right To Be Forgotten
  • Right To Access
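WordPress Core covers these three rights for its own data (user accounts and comments) through the Export Personal Data and Erase Personal Data tools, but data held by custom code or plug-ins is only included if it is hooked in. The snippet below is an added example, not code from this page or from the agency offering the service; it assumes a hypothetical custom table named `{$wpdb->prefix}contact_submissions` with columns `id`, `email`, `message` and `submitted_at`, and registers it with the real `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters so that access, portability and erasure requests reach that data too.

```php
<?php
/**
 * Added example (not the page's or the agency's code): hook a custom data
 * source into WordPress Core's privacy tools so that
 * Tools > Export Personal Data and Tools > Erase Personal Data cover it.
 *
 * Assumption (hypothetical): contact-form submissions are stored in
 * {$wpdb->prefix}contact_submissions (columns id, email, message, submitted_at).
 */

// Register the exporter: serves Right To Access and Data Portability.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-contact-submissions'] = array(
        'exporter_friendly_name' => __( 'Contact form submissions' ),
        'callback'               => 'example_export_contact_submissions',
    );
    return $exporters;
} );

// Register the eraser: serves Right To Be Forgotten.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-contact-submissions'] = array(
        'eraser_friendly_name' => __( 'Contact form submissions' ),
        'callback'             => 'example_erase_contact_submissions',
    );
    return $erasers;
} );

/**
 * Exporter callback. Core calls it repeatedly with an increasing $page
 * until 'done' is true, so large result sets are returned in batches.
 */
function example_export_contact_submissions( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'contact_submissions';

    // The address is entered by an administrator but is still untrusted
    // input, so it goes through a prepared statement rather than the SQL string.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, message, submitted_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    // Shape required by core: one item per record, each with a group and fields.
    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'contact-submissions',
            'group_label' => __( 'Contact form submissions' ),
            'item_id'     => 'contact-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Submitted at' ), 'value' => $row->submitted_at ),
                array( 'name' => __( 'Message' ),      'value' => $row->message ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // no further pages once a short batch is seen
    );
}

/**
 * Eraser callback. Deletes every submission tied to the address and reports
 * the outcome; 'messages' is shown to the administrator if retention is needed.
 */
function example_erase_contact_submissions( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_submissions';

    // $wpdb->delete() builds a prepared DELETE from the where-array and format list.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Drop this into a small site-specific plugin or the theme's `functions.php`, then run an export and an erasure request for a test address from Tools > Export Personal Data and Tools > Erase Personal Data and confirm the submissions appear in the export archive and are gone afterwards. If a legal basis requires some records to be kept (an order history that must be retained for accounting, for instance), the eraser should set `items_retained` to true and put the reason in `messages` instead of silently keeping the data.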

3. Create policies

We will create GDPR compliant policies for:
  • Privacy
  • Consent
  • Cookies

4. Cookie Plugin

Install and configure a cookie consent plug-in which will display on the website.

5. Breach Notification

As part of the GDPR requirements, any breach of data must be communicated to affected parties. In preparation for this eventuality we will create a Breach Notification Plan for you.

6. Plugins

We anticipate having to update, replace or delete at least some plugins because they are no longer compliant.

7. Changelog / Report

We will generate a final changelog report with details of all the work carried out, which you can keep for your records.
The cost for the Reporting stage is £199 ex VAT. It’s impossible to say with accuracy what the implementation would cost, but the experience of the past two weeks indicates that it is likely to be a similar figure, i.e. £199 ex VAT.
Contact Us