GDPR compliant

Most interactions between a website and its user (sign up, placing orders, comments, etc.) require submitting user’s personal data, which are strictly protected by law. Any business that stores any users’ personal data must comply with GDPR (General Data Protection Regulation) and the Data Protection Act 2018. Personal data is all information that identifies a living person. Before collecting personal data, a business website must display a visible and concisely written privacy notice. In practice, it’s usually a pop-up window on every website we visit, so you should be already familiar with GDPR compliant appearance and content. It’s also on my website. You can see a privacy notice template and general guidance about complying with GDPR on Information Commissioner’s Office.

Consent to use cookies

Cookies are small files stored on the website user’s device (computer/ smartphone, etc.). They remember data, such as user’s browsing history, preferences, purchases and they can be used for different purposes – for example to improve user experience or to target the right advertisements.

Many websites use cookies and they have the legal requirement to inform user about this fact and what their cookies are used for. The info must be clearly visible and accessible, and a website visitor’s consent must be confirmed before storing cookies by a clear action such as clicking a button or ticking a box.

These requirements are under the Privacy and Electronic Communication (EC Directive) Regulations 2003 and the GDPR. The ICO provides guidance on how to comply with this legislation.

Online orders and e-commerce

When the website enable visitors to buy goods or services through the website, they must provide all information that clarify the process to a customer:

• info about different steps to follow to complete the transaction
• a way to identify and correct input errors
• info about languages the website can be translated to
• the purchase button must be clearly indicated with words such as “Order and Pay Now”
• goods selling businesses must also provide certain pre-contract information and access to a cancellation form. These are under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013.
• selling businesses

Website security

Cybersecurity measures for business websites are under the GDPR and the Payment Card Industry Data Security Standard (PCI DSS), which must be complied with by businesses that process payment card details. Examples of security measures are:

• using a firewall and anti-virus software
• implementing HTTPS security encryption and SSL certificate on the website
• restricting and monitoring staff access to data
• updating website software and passwords
• find out more on ICO website

Accessibility

The Equality Act 2010 sets the requirement to provide reasonable allowance for the needs for people with disabilities. The access to business websites must be accessed for everybody and cannot be impaired by disabilities. This guideline made by World Wide Web Consortium will help you to work out the accessibility measures.

Good practice

Besides legal requirements there is also couple of things worth including on the business website:

• terms and conditions of the website’s use – legal requirements, website’s policy, etc.
• a copyright notice – most of original work are automatically protected by law, however it might be helpful simply as a reminder or in case of a dispute
• a disclaimer – may help to protect the business from claims