Data protection & GDPR
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The drive behind this EU regulation is to protect individuals and their personal data, reducing the risk of data breaches that can prove costly to the individual, to the organisations processing their data and to the economy. The regulation harmonises data protection rules across the EU; it replaced the EU's Data Protection Directive of 1995 and, together with the UK's Data Protection Act 2018, superseded the UK's Data Protection Act 1998.
This page informs you about what you should be thinking about when publishing data online and the steps you need to take with your sites and pages.
Key facts
From 25 May 2018, if you process the personal data of people within the EU, you need to ensure that the way you gather, store and use that data is GDPR-compliant.
In practice, the two GDPR requirements that matter most for web editors are:
- Keep customer data secure and
- Be transparent with your marketing communications.
Failing to comply with the new standards may result in an organisational fine of up to 4% of annual global turnover or €20 million, whichever is greater, so it is important that Warwick does as much work as possible to close any potential gaps.
For more information, please refer to the University's Information Security Working Practices and the Legal and Compliance team's Data Protection guidelines.
General guidance for web pages
Page permissions
- As a priority, regularly go through website pages and files that you are responsible for, to check permissions status.
- Ensure that anything that should be internally facing, or restricted in any way has the necessary restricted viewing permissions and has not been opened to the public or groups that should not be able to access this information.
- This is particularly important because your page may have inherited cascading permissions from the parent page above. Those permissions may never have been changed, or may have been inadvertently opened up as a side effect of another operation. Exposing restricted personal data in this way could constitute a personal data breach under GDPR.
- Ensure that publicly visible pages are compliant with the accessibility legislation guidelines.
- Regularly review the editors and admin permissions for the site/page and if you have admin permission, remove people who you know have left or changed roles within the University. Keep admin permissions to a select few for the site; editors should be allowed to edit specific sections of the site.
Page properties
It's good housekeeping to make sure every page's properties are up to date, so that visitors see correct information and search engines index the page appropriately (Search Engine Optimisation, SEO).
- Check whether the page should Show in the local navigation menu.
- Check whether you want your page to Allow search engines. If the page should not be found by search engines (for example, an intranet page), uncheck this option. Note that this only asks search engines not to index the page; it is not access control. Anything that must not be seen by the public still needs restricted viewing permissions.
- Check the Page contact is still correct. If you have one, use a shared resource account for the departmental pages.
Content of web pages
- Check for personal data that is published on your site. Personal data covers a wide range of information: effectively anything that could be used, directly or indirectly, to identify a living individual. This could include:
- Names
- Email addresses
- Images
- Bank details
- Posts on social networking websites
- Medical information
- A computer IP address.
- Update, or Delete and Purge, out-of-date pages on a regular basis, and ensure you have the necessary consent or other lawful basis for any personal data you are keeping.
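The check above is easier to repeat regularly with a small script. The following is an added example, not part of this page or of SiteBuilder's own tooling. It scans a page's HTML source for the kinds of personal data that can be matched mechanically (email addresses, IPv4 addresses and UK-style phone numbers) and lists every image's alt text so the editor can confirm written permission exists for identifiable people. The sample page, the regular expressions and the function names are assumptions made for the example; the script is only a triage aid, because names, medical details and what an image actually shows still need a manual read-through.

```python
import re
from html import unescape
from collections import Counter

# Pattern-based triage for the personal data types that can be matched
# mechanically. Names, medical details and image content cannot be found
# this way and still need manual review. Patterns are heuristics.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# "0" or "+44" followed by ten more digits, allowing spaces or hyphens between them.
PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?\d|0\d)(?:[\s-]?\d){9}\b")
# Every image with alt text is listed so the editor can confirm that written
# permission exists for any identifiable person in it (see the Images section).
IMG_ALT_RE = re.compile(r'<img\b[^>]*?\balt\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_personal_data(html):
    """Return a list of (kind, value) findings for one page's HTML source."""
    # Decode entities first so obfuscated text such as j&#64;example.org is still caught.
    source = unescape(html)
    findings = []
    for kind, rx in (("email", EMAIL_RE), ("ipv4", IPV4_RE), ("phone", PHONE_RE)):
        for match in rx.finditer(source):
            findings.append((kind, match.group(0)))
    for match in IMG_ALT_RE.finditer(source):
        findings.append(("image", match.group(1)))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a per-page report."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample page for the example (not a real Warwick page). The phone
# number is in the Ofcom-reserved 07700 900xxx range and the addresses are
# private/example ones, so nothing here identifies a real person.
SAMPLE_HTML = """
<h2>Lab members</h2>
<p>Contact <a href="mailto:j.bloggs@example.ac.uk">Jo Bloggs</a> or ring 07700 900123.</p>
<img src="/images/team.jpg" alt="Jo Bloggs and Sam Smith at the 2023 away day">
<p>The group file server moved to 10.0.12.34; SiteBuilder version 2.1.0 is unaffected.</p>
"""

if __name__ == "__main__":
    results = find_personal_data(SAMPLE_HTML)
    for kind, value in results:
        print(f"{kind:6} {value}")
    print(count_by_kind(results))
```

Run it over the saved HTML of each page you are responsible for (for example, the source of a page fetched while logged out, so you also see what the public sees). Anything it lists is a prompt to decide whether the data is still needed, whether consent or another lawful basis exists, and whether the page's permissions are right; an empty report is not proof that the page is clean.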
Images
Before using images that clearly identify specific individuals, you should obtain their written permission to use these images on your site.
The University is aiming to store all collected image permission records in the Asset Bank as a central repository. Please contact the marketing group for further information.
SiteBuilder Forms
- Familiarise yourself with the SiteBuilder Forms and data security article.
- All SiteBuilder forms have a compulsory Privacy notice.
- Please edit the notice to give as much accurate detail as possible: why you are collecting each piece of data, how long you will keep it, and what you intend to do with it.
- Reassure the user that you are not intending to give or sell their data to any third party and that you are only using it for this specific task or request.
- Only collect data that you need to complete the request. So a date of birth or phone number may not be necessary, but perhaps an email address would be, as this is how you intend to contact respondents.
- A field or check box for users to confirm that they accept the terms of using your website and agree to be contacted in this way would be useful.
- Website owners must only send out email marketing material to those individuals who have specifically opted-in for something and can easily unsubscribe later if they so wish.
- A further checkbox should be included on your form if you wish to send further marketing communications. This checkbox must be unselected when the user arrives on the form.
- You must include a specific checkbox for each type of communication - email, post etc.
Form submission data
- Users have the 'right to be forgotten' (the right to erasure), meaning that they can ask for their details to be removed from a website and any associated databases at any time. The right is not absolute, so contact the Legal and Compliance team if you think an exemption applies, but site owners should have a process in place for handling such requests and should tell users how to make one, whether by mentioning it clearly in the privacy notice on the form or elsewhere on the website.
- All SiteBuilder forms are served over HTTPS, so submission data is encrypted in transit and protected at source. That protection ends once the data leaves the form: you will still need to take extra steps to keep it safe when working with the submissions, email notifications, downloaded spreadsheets, and when passing data on to others.
- Don't keep form submissions any longer than you absolutely have to.
- Delete form submissions on a regular basis.
Forums
- Delete any old forum pages that are no longer needed.
- Remove/archive older posts if possible.
- Ensure forum permissions are correctly set up.
Page comments
- Delete comments that are no longer needed on the pages.
- Ensure comments can be moderated if open to the public.
- Ensure permissions are correctly set up for both the page and the page comments.