First, this does not represent legal advice regarding the GDPR.
It’s simply an article designed to help business owners understand how their websites may be collecting and storing data, and what their responsibilities are under the GDPR.
Sounds about as interesting as watching paint dry.
I promise not to go on about this any longer than necessary, if you can spare me the 3 minutes it will take you to read it.
Of course, if you are registered with the ICO (in the UK) you are at least aware of data protection regulations and may already understand what data your website is collecting.
Congratulations if that’s the case.
Many small business owners believe (erroneously) that data protection regulations don’t apply to them. Sadly, they are usually wrong.
First, you’ll discover what you don’t know about the data your business is collecting. Second, you’ll discover whether you should be registered.
My interest here is in pointing out how your website might be collecting data from your web visitors and storing it. You may not be aware of what goes on ‘under the hood’ and there’s no reason why you should know this, BUT in the eyes of the law, ignorance is no defence.
You need to check with your web developer what data is being collected and stored as a result of visitors interacting with your website, so you can decide whether storage is appropriate.
- When your web visitors complete a contact form, your website sends you an email with the message. Did you know there’s a very good chance that these messages are also being stored on your website?
- When your web visitors make a purchase from your website there’s a very good chance that details of the transaction are being stored on your website. Did you know that?
There will be lots of other instances when data may be collected and stored, these are just examples that are likely to be the most widely applicable.
What do you do with this information once you have established what data is being collected and stored?
Think about how long you need to retain the data and whether it needs to be stored at all.
If you need to store data, collected via your website, for any length of time, perhaps think about storing it off your public website. Somewhere you can lock things down more securely.
If you have finished with the data, there’s no reason to retain it. Set up a process whereby data is deleted every 28 days (or whatever period works for you).
If you ever suffer a data breach, the penalty under the GDPR will not be dependent on the size of your business, but based on the damage the breach has caused. You could find yourself paying the same fine as a large multi national business might have to pay for a similar breach……… It’s important you are up to speed about this.
If you are an informed website owner and can demonstrate that you are aware of your data responsibilities, have registered with the Information Commissioner and have taken all reasonable steps to protect the data in your possession, you can at least be seen to have been doing the right things. That’s a far better defence than ‘I didn’t know’.
The first of those ‘right things’ is to really understand what your website is doing with the data it is collecting.
We urge you to get clear on this and if you need any help just let us know.