GDPR (General Data Protection Regulation) is due to come into force from the 25th of May 2018. Everyone processing personal data in any form will be subject to the requirements of this new regulation.
I have been researching the implications of the regulation with regard to your website, and have attempted to put an example notice together which will help to cover the regulation. First though, some caveats.
- It is aimed at those organisations I have built a website for, where I have knowledge of how that website was built and what it does. If I did not build your site, you may still use the draft, but do take care to make it relevant for your organisation.
- It is offered without any warranty or claim for fitness for purpose, but it may help you to get started.
- It is offered as a foundation from which you can review and build your own privacy notice. I do not know the details in your organisation, the GDPR affects everything you do, the website is only a small part of your data collection, handling and data processing. You need to take a holistic approach across your business reviewing what you do with data and how it is handled.
- Please be very clear that this is rather like an iceberg. The privacy notice is the bit the public may see, that part of an iceberg that sits above the water. In order to have the privacy notice, there must be supporting processes and procedures within your organisation, and supporting training for it to be effective. So if you have not got procedures in place, then there is probably a lot of work required to cover yourselves. This is the part that the public does not see but you need in place.
Recommendations for my clients
Firstly, for websites and email hosted by me, these are my recommendations. You can action all of these to make your installations, hosting and email more secure.
1). Web Content Security
Your website runs over either an http:// or https:// connection. If it is http:// then all information sent to and received from the website travels in plain text. If someone was able to intercept the data on the wire, they could read everything, including form data submitted by a user, and could alter it without you or the user noticing.
The hosting does support an https:// connection, which means that data between the visitor's browser and the site is encrypted. To make the website run over an encrypted connection you need to broadly take these steps (I will add in specific instructions later):
- Back up the site (files and database) first.
- Turn encryption on through the control panel, so that the site has a valid certificate.
- Force all connections to be over https://, so that anyone arriving at an http:// address is redirected to the https:// one.
- Reinstall the site. This should change all of the stored non-secure http:// addresses to https://.
Afterwards, open the site in a browser and check that the padlock shows on every page, including pages with contact forms. A page that still loads an image or script over http:// will be flagged by the browser as "mixed content" and needs fixing. These steps ensure that anything a user types into a contact form is encrypted while it travels to your site, which is the primary reason for doing them.
2). Email messages from your site
Mail from the website is sent by the mail function built into WordPress, which by default simply hands the message to the web server's local mail program and sends it on in plain text. You need to add a plugin which makes the site send through a proper mailbox over an encrypted (TLS) SMTP connection. To do this, set up a mail account for the website through the control panel, then configure the site to log in to that mailbox and send over a secure connection. This protects messages between the website and your mail server, which matters most for form data that users have provided through your website. Bear in mind that, as with any email, what happens after the message leaves your mail server is not under your control (see below).
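As an added example (not code from the original article or from any of the plugins mentioned), the two WordPress-side changes in sections 1 and 2 can be expressed as a single "must-use" plugin: an http:// to https:// redirect, and a hook that switches WordPress's mail function from the server's local mail program to authenticated SMTP over TLS. The hostname mail.example.org, the mailbox website@example.org, the ports and the WP_SMTP_PASSWORD constant are placeholders to be replaced with the values from your control panel; the web-server-level redirect from the control panel should still be in place, this only backs it up.

```php
<?php
/**
 * Plugin Name: Force HTTPS and TLS mail (added example, not the site's own code)
 * Description: Redirects plain http:// requests to https:// and sends all site
 *              mail over authenticated SMTP with TLS. Host, mailbox and ports are
 *              placeholders (assumptions) to be replaced with your own values.
 *
 * Save as wp-content/mu-plugins/force-https-and-tls-mail.php. Must-use plugins
 * load before ordinary plugins and cannot be switched off from the dashboard.
 * In wp-config.php also add: define('FORCE_SSL_ADMIN', true);
 *                            define('WP_SMTP_PASSWORD', '...mailbox password...');
 */

// If the host terminates TLS on a proxy in front of the web server, WordPress
// only sees plain http and is_ssl() returns false, which would cause a redirect
// loop. Trust the forwarded header ONLY if the proxy strips it from client requests.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// 1) Web content: send every http:// request to the same URL over https://.
add_action('init', function () {
    if (is_ssl() || (defined('WP_CLI') && WP_CLI) || empty($_SERVER['HTTP_HOST'])) {
        return; // already encrypted, or not a browser request at all
    }
    $target = set_url_scheme('http://' . $_SERVER['HTTP_HOST'] . ($_SERVER['REQUEST_URI'] ?? '/'), 'https');
    // wp_safe_redirect() refuses to send visitors to any host other than the
    // site's own, so a forged Host header cannot turn this into an open redirect.
    wp_safe_redirect($target, 301);
    exit;
}, 1);

// 2) Mail from the site: hand wp_mail() to SMTP over TLS instead of local mail().
add_action('phpmailer_init', function ($phpmailer) {
    $phpmailer->isSMTP();
    $phpmailer->Host       = 'mail.example.org';    // assumed: the mailbox host from the control panel
    $phpmailer->Port       = 587;                   // submission port, upgraded to TLS with STARTTLS
    $phpmailer->SMTPSecure = 'tls';                 // use 'ssl' with Port 465 if the host only offers implicit TLS
    $phpmailer->SMTPAuth   = true;
    $phpmailer->Username   = 'website@example.org'; // assumed: the mailbox created for the website
    $phpmailer->Password   = defined('WP_SMTP_PASSWORD') ? WP_SMTP_PASSWORD : ''; // secret lives in wp-config.php, not here
    // Send as the mailbox itself; most servers reject mail "from" an address they do not host.
    $phpmailer->setFrom('website@example.org', get_bloginfo('name'));
    // PHPMailer checks the server certificate by default. Do not "fix" a failing
    // connection by setting SMTPOptions verify_peer to false; that removes the
    // protection this file exists to provide. Fix the certificate instead.
});
```

To check it: `curl -I http://www.example.org/` should return a 301 whose Location header starts with https://, and `wp eval 'var_dump(wp_mail("you@example.org", "TLS test", "test"));'` should print bool(true) and produce a message in the mailbox, with the mail server's log showing the connection was authenticated and encrypted.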
3). Remove forwarders that forward to private addresses
Particularly for small charities, there has been a practice of forwarding messages that relate to the charity's business to a personal email account. This means that there is a risk that personal data relating to the business of the charity may exist in personal email accounts that are not associated with the charity. You also have the problem that data (some of it may be personal) is now distributed and no longer under the control of the charity.
I recommend that, if you are using this practice, you stop it, and that volunteers and employees only access mail relating to the organisation through the organisation's own mail accounts. This is something for the Data Controller to consider. Also purge any mail related to the charity's business from personal email accounts.
You should also consider having a policy/procedure for volunteers and employees leaving the organisation to remove/return all data, documents and other information to the organisation when they leave, and to sign to that effect.
4). Make sure all mail is sent and received over an encrypted channel
If you only access your mail over a webmail portal, and the address of that portal starts with https://, then your connection to your mail is already secure. If you use mail applications such as MacMail, Outlook, Thunderbird, or the mail applications on a tablet or smartphone, then read on.
Where I am providing your email service, it can operate in several ways. The simplest form of connection uses plain text. Every email application has settings that control how email is sent and received. I have recommended for a long time that all mail is encrypted. The mail server supports encryption, so you should be using it.
Check your mail application on every device that you use to pick up email for your organisation. Look for the send and receive settings and make sure that you are using an SSL or TLS connection for both the incoming and the outgoing server; in these menus "SSL" and "TLS" (or "STARTTLS") both mean the connection is encrypted, while "None" means plain text. If you are not using a secure connection to your mailbox, change it immediately.
The screenshot below is from an account running in Outlook and shows the parameters to check.
You can get to this screen by the following steps in Outlook. Go to File, choose Account Settings, choose your email address, click on Change; in the bottom right of the form is More Settings. Another form pops up; choose the Advanced tab and check the parameters on the page. What you are looking for is the selection of SSL or TLS for both the Incoming Server and the Outgoing Server. The settings shown are for an IMAP account, where the secure incoming port is 993; a POP3 account uses port 995 instead. The outgoing (SMTP) server should be on port 465 with SSL/TLS or on port 587 with STARTTLS; port 25 with no encryption is the old plain-text setting.
Every device you use (iPhone, Android phone, tablet, Mac etc.) will have equivalent settings somewhere. Each device will need to be checked.
So all of my mail is now secure?
Not necessarily. It is important to realise that these steps work between you and your mail server. What you have done is set up a secure connection between your application and the mail server for sending and receiving mail. That is all you control as far as your organisation is concerned.
For a message to be protected all the way, the other party also needs to have done the same thing between their mail application and their mail server, and the two mail servers need to encrypt the hop between them, which they only do when both sides support it. Most will have done, but because you cannot guarantee it, you should treat ordinary email as not secure and avoid putting sensitive personal data in it where you can. If a message is exposed at the other end because their side used plain text, your organisation cannot reasonably be held responsible for the configuration of a mail program on a computer outside your organisation. However, you may wish to place a notice in the footer of your emails recommending that secure email settings are used for all correspondence.
The bottom line is that you have taken action to secure mail entering and leaving your organisation, where the boundary of your organisation is defined as the mail server you use.
5). Add in a privacy notice
Using the draft document at the end of this article, review the content for relevance to your installation and organisation. Edit it and add in additional content relating to how data is handled within your organisation. Amend the document to reflect your policies and procedures. The document is purely a rough guide to get you started, not a final version; you need to own the final version.
6). Review the claims you are making
Do make sure you understand what you are claiming in the privacy notice, and make sure the supporting procedures are in place within your organisation, that they are reviewed and actioned, and that, where appropriate, training is put in place for those who need to use them.
GENERIC PRIVACY NOTICE
Last updated: 13/03/18
The attached document contains two sections, the first covers things to think about, the second part is a generic privacy statement. The document contains instructions on how to add in your details and separate the two parts to create the privacy notice. Do read it and check it before you publish your version of it!
Please note this whole area is under review, and as I receive feedback I will update the document with new text and new things for you to check.
The document is in MS Word format.