Your website and GDPR


A guide to how GDPR can affect the services Creatomatic provide, and what you need to know if you use them.

James Miodonski

Please note: There’s a second part to this now which covers cookies too: Final update on GDPR and cookies.

With the 25th May deadline looming, we’ve received a lot of enquiries regarding GDPR recently.

Because our clients are so varied – in terms of both size and business type – we unfortunately can’t pull together a one-size-fits-all guide of what we think you need to know about this stuff. However, we’ve compiled a list of GDPR compliance questions below as a guideline to what we cover at Creatomatic.

A caveat that we have to make is that we’re not GDPR or legal specialists – if you’re in any doubt, we strongly recommend seeking legal advice. The best and most informative source of information and support we’ve found so far has been the FSB (Federation of Small Businesses) which more than justifies our annual membership for this stuff alone.

Are Creatomatic GDPR compliant?

We’re working on ensuring our own compliance for the 25th May guideline. This document is part of our own process to ensure compliance and has been shared in good faith to help our clients meet their own requirements for the GDPR deadline.

Is my website/email/marketing data GDPR compliant?

Unfortunately, there’s no definitive, one-size-fits-all answer to this. It depends as much on what you do with your data as it does on how it’s stored.

Before tackling the intricacies of GDPR, it’s vital to gain a clear understanding of what personal data your organisation collects, stores, uses and/or shares.

We’d suggest that you make a list of all of the places that personal data is collected and/or stored: specifically, what personal data you hold, where it is stored and what you use this personal data for.

It’s quite possible that some of the data you hold is no longer required, and should be responsibly erased from your systems.

In terms of the data which Creatomatic work with, this is likely to cover one or more of the following locations:

Where is our website data held?

Are there cookies on my website?

Unless you’ve specifically requested that tracking is disabled, your site will have three cookies from Google Analytics:

If your site allows users to log in with an account (for memberships, or online sales through WooCommerce) WordPress will set a cookie which stores their credentials (double-hashed, in the case of the password). This expires after two weeks.

If you use custom third-party systems for tracking or communication (i.e. live chat, lead tracking, etc.) these platforms may set separate cookies. You will need to contact each of these third parties to obtain specific cookie information from them.

Every WordPress site we launch has a cookie notification which appears on first load. To check that this is running on your site, you can view the site in a new private/incognito window.

What personal data is held on my website?

This varies from client to client. Quite often, enquiry forms will be backed up in WordPress; if you sell products or services online using WooCommerce or WooBookings, customer and order data will be held online.

Under GDPR guidelines, companies are obliged to remove personal details once they have been processed (i.e. when you’ve replied to an enquiry, or shipped an order) – so you are responsible for removing this data once it’s been used.

What do I have to do with email marketing lists?

Anyone on your email marketing list must have expressly opted in to receive your digital marketing correspondence. If not, you need to clean up your mailing lists.

An efficient and effective method of ensuring you’re only emailing people that have specifically confirmed they want to hear from you is to send out a ‘please confirm you want to be on this mailing list’ type email, and remove anyone that doesn’t respond from your databases.

We strongly recommend against sending out mass emails from your own email account, as you’ll almost certainly end up blacklisting yourself! We highly recommend MailChimp for this purpose.

Next, you should ensure that you’re only signing up future mailing list subscribers who also expressly wish to be on there. This means removing the automatic ‘opt-in’ check box on sign-up forms, and ensuring people tick it for themselves to receive these emails.

Again, MailChimp does much of the heavy lifting for you on this front by having two-step confirmation (enter your email to join the mailing list, followed by a ‘please click to confirm you definitely want to be on this list’ email). We can help set MailChimp up on your behalf, design email templates and create campaigns etc. – please give us a shout if you need a hand.

Do I need a Cookie/Privacy Policy on my website?

Yes: you should publish a privacy policy statement on your website. This should be specific to your organisation (i.e. don’t just ‘borrow’ one from another company’s website) and tailored to the way that you handle and process personal data.

There are numerous templates available online to assist with creating your own. Scottish Enterprise does a decent job of showcasing the kind of thing you should be aiming for with theirs – https://www.scottish-enterprise.com/help/privacy

Shopify have a comprehensive, free to use Privacy Policy template builder available – https://www.shopify.co.uk/tools/policy-generator

You should include specific information regarding cookies, whether your website uses cookies (both your own and those from third parties) and how they are used – see ‘Are there cookies on my website?’ above.

I run an online shop – is there anything specific I need to know?

Owners of eCommerce websites will typically use one or more popular online payment gateways (e.g. PayPal, Stripe, WorldPay or Sagepay). Again, you need to make sure that your payment gateway provider meets GDPR regulations, and that their privacy policies are checked and referred to within your own website’s privacy policy. If they deal with EU-based customers, they will need to be GDPR compliant.

Other things to consider are how you process orders, which typically have personal data printed on the paperwork. For example, if you print out things like customer orders or picking slips that hold a person’s name, address or contact details, you are creating a data risk.

What about my email compliance?

Creatomatic provide email hosting and services to a number of our clients. As such, you should ensure that all of your email services, including the stored email of anyone you correspond with, are secured in accordance with the GDPR guidelines.

A common-sense approach to this would ensure that:

You should also have a Data Retention policy: a clear statement about how your organisation stores data and the length of time it is held before being erased.

A typical business data retention policy covers a period of two years as data older than this tends to be deemed out of date, though there are exceptions to this rule (notably in health, government and financial industries).

If we’ve set you up with GSuite/Gmail for Business, your email is handled by Google. Their guidelines on GDPR can be found here: https://cloud.google.com/security/gdpr/

Does my website need to have SSL?

Having a Secure Sockets Layer (SSL) certificate in place on your website encrypts the data sent between a visitor’s browser and your website, including everything entered through form fields (e.g. setting up an account, ordering goods online or signing up to a newsletter). You can tell if your site has SSL because the address will start with https:// rather than http://.

For almost all of our hosting clients, we’ve got you covered on this front – see our post back in September 2017 on the subject.

It’s important to note that whilst having an SSL Certificate in place takes care of the data input part of the process, it doesn’t necessarily cover how that personal data is processed thereafter.

Is my (tracking tool/live chat/etc) GDPR compliant?

Many websites run, host or contain tools, feeds and plugins from third parties – a few examples would include Facebook, Google Analytics, MailChimp, SalesForce, Lead Forensics and so on.

The GDPR regulations refer to these as ‘third party data processors’ – in effect, they are processing the organisation’s data on their behalf.

It is your responsibility as the website owner to ensure that any and all third parties connected to your website meet GDPR regulations and, if they don’t, you should replace them or remove them entirely from your website until they meet the guidelines.

You need to make sure that your processes and policy clearly state which third party data processors you use and where a subject’s data is passed to.

Further reading and resources

Guides

Platform-specific
