GDPR: 7 priorities to make your #SchoolWebsite compliant

GDPR UPDATE (24th May 2018):

We are sure you will be glad to know that after May 25th the flood of GDPR emails will slow right down! It is still an important step in data security and data transparency, and one that no school should overlook.

At @intSchools, we take GDPR very seriously, and believe this is a great step forward to protect our privacy and digital footprint. In that same vein of transparency, we wanted you - our community - to understand the steps we take to ensure that your data is safe and the bespoke #SchoolWebsites we build meet GDPR standards.

We have added to the bottom of this blog key steps and examples of what we have done.

Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?
— Elizabeth Denham: Information Commissioner, ICO

The General Data Protection Regulation (GDPR) is closing in! If you have not begun to understand and tackle these new regulations, time is of the essence.

For those who are unaware, the GDPR is the set of rules organisations must follow when they collect, use and store personal data about people in the EU, online or otherwise (this post concentrates on the website).

Organisations must ensure their websites meet the GDPR's requirements by May 25th, 2018. That includes organisations based outside the EU that process the personal data of people inside it (Facebook being the obvious example).

Read the ICO 12 step guide for preparing for the GDPR.

To help ensure that your #SchoolWebsite meets these regulations, we have created a checklist of actions you will need to take.

[1] Do you know what data is being captured and held?

Is your website setting cookies? Are you using Google Analytics or a Facebook pixel? You need to know what data you are capturing, whether it is collected by your own site or by a third-party script you have embedded, and to have those methods clearly defined. Start by listing every form, every embedded third-party script and every cookie the site sets.

Once you know this, document it on a privacy policy page. The privacy policy should state:

  • what data is captured
  • when it is captured (e.g. on page load, on form submission)
  • what the data is used for
  • details of any third-party tool used for data capture
  • the process for a user to request that their data be permanently deleted

[2] Do you know when and where data is being captured?

These details must be disclosed to anyone whose data your site captures, before they agree to it.

Without knowing where data enters your site you cannot secure it, and you cannot make a truthful statement in your privacy policy. Use the privacy policy to make this clear to site visitors.

[3] Do you know how long data will be stored for?

Another factor that must be declared (ideally in your privacy policy) in order to meet GDPR stipulations. Set a retention period for each type of data (an enquiry, a newsletter subscription, analytics records) and actually delete it when the period expires; 'indefinitely' is not a retention period.

[4] How is the data being used and is it secure?

Understanding your data security is essential if you are to meet GDPR guidelines. You need to know how the data is used, where it is stored (including backups and any third-party platform) and how it is protected.

For example, for data captured with an analytics tool:

  • is the data stored on a third-party platform, and in which country?
  • does that platform offer GDPR terms (a data-processing agreement), and have you accepted them?
  • is the data encrypted in transit and at rest, and who at the provider and at the school can access it?

GDPR does not prescribe an encryption algorithm; it requires security measures 'appropriate to the risk' and names encryption as one of the measures to consider. For the website itself, serving every page over HTTPS (a TLS certificate, still commonly called an 'SSL certificate') is the minimum: it protects form submissions and CMS logins while in transit between the visitor and your server. It does nothing for data once stored, so the database, backups and who can log in to the CMS need attention too.

[5] Have you got full consent to capture and store data?

The above 4 checklist items are all key pieces of information that your site visitors need to be able to find out (this is where the privacy policy comes into action).

The next step is to ensure that permission to capture data is explicitly granted.

Site visitors need to 'opt-in' to grant this permission. Any consent checkbox must be unchecked by default so that the visitor actively ticks it; a pre-ticked box does not count as consent.

There are two key areas where this should be addressed:

  • does your site use cookies?

If so, cookies that are strictly necessary for the site to work (a session cookie, for example) can be set without asking, but analytics, marketing and other non-essential cookies must not be set until the visitor has agreed. This is most commonly handled by a pop-up on first visit, and the third-party scripts behind those cookies must not load until the visitor has ticked the relevant box.

  • does your site use forms for contact and enquiries / subscriptions / applications?

If so, the form must make clear what the submitted data is used for and carry an 'opt-in' box that the visitor ticks to agree to those privacy terms. The form should not submit without it, and the check must be made on the server as well as in the browser. Keep consent to marketing (newsletters) as a separate, optional box rather than bundling it with the enquiry itself.

[6] Is your "data officer" contactable?

Under the GDPR people have the right to request a copy of the personal data you hold about them (a 'subject access request'), free of charge and answered within one month. To enable this, you need a plan for how a person makes the request and how you will find everything you hold about them, including data held by third-party tools.

Having a named person act as your school's data protection officer is the proactive step (public authorities, state schools included, are required to appoint a Data Protection Officer). In your privacy policy, make it clear how someone can contact that person and ask for their data.

[7] Is the "Right to be Forgotten" process clear?

Likewise, people have the right to 'opt-out' and ask for the data pertaining to them to be erased permanently.

The process must be clear to them and easily actionable from your end: you need to know every place the data lives (the CMS, the mailing-list provider, analytics, backups) so that a deletion is complete. The right is not absolute: where the school is legally required to keep a record (pupil records, for instance) you may have to refuse that part of the request, and you should say so and explain why.

What has @intSchools done to ensure our #SchoolWebsites are compliant?

[A] Update website privacy terms: every site must contain an easily accessible page detailing their privacy terms (example: https://www.badmintonschool.co.uk/terms).

This will include important details about the type(s) of data being captured, how it is stored, where it is stored and for how long it is stored. It must also give the user the ability to change their consent, or withdraw it completely (example: https://www.badmintonschool.co.uk/terms#cookies).

[B] Add advanced cookie consent popup to website: every site must clearly state which cookies it sets and why, and every visitor must opt in before any non-essential cookie is set.

We have split cookies into 5 groups (Necessary, Preferences, Statistics, Marketing, Unclassified). To make this as transparent as possible we have added an advanced cookie consent popup to all of our websites (example: https://www.badmintonschool.co.uk/).
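The cookie gating that items [5] and [B] describe, as an added example that is not @intSchools' code: it keeps a per-group consent record in a cookie, treats the Necessary group as always allowed, and only loads the analytics or marketing scripts for the groups the visitor actually ticked. The cookie name, the policy version, the tag URLs and the tracking ID are assumptions.

```javascript
// Added example, not @intSchools' code. It gates non-essential tags on the
// visitor's recorded consent, using the five cookie groups named in the post.
// CONSENT_COOKIE, CONSENT_VERSION, the tag URLs and the tracking ID are assumptions.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing", "unclassified"];
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
const CONSENT_VERSION = 1;               // bump whenever the cookie policy text changes
const MAX_AGE_SECONDS = 180 * 24 * 3600; // ask again after six months

// State before the visitor has answered (or after a malformed/stale cookie):
// only strictly necessary cookies are permitted, everything else is off.
function defaultConsent() {
  return { version: CONSENT_VERSION, decided: false, decidedAt: null, necessary: true,
           preferences: false, statistics: false, marketing: false, unclassified: false };
}

// Build a record from the banner's checkboxes. Every box except "necessary"
// starts unchecked; only an actual boolean true counts as opting in.
function buildConsent(choices, now = new Date()) {
  const c = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") c[cat] = choices[cat] === true;
  }
  c.decided = true;
  c.decidedAt = now.toISOString();
  return c;
}

// Value for document.cookie: percent-encoded so ';' or '=' in the JSON cannot
// break the cookie string, scoped to the whole site, sent over HTTPS only.
function consentCookieString(c) {
  return CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(c)) +
         "; Max-Age=" + MAX_AGE_SECONDS + "; Path=/; SameSite=Lax; Secure";
}

// Read the record back from document.cookie (or a Cookie request header).
// Anything unparseable, undecided or from an older policy version falls back
// to the default, so the banner is shown again rather than silently allowing tags.
function parseConsent(cookieString) {
  const m = (cookieString || "").match(new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)"));
  if (!m) return defaultConsent();
  let stored;
  try { stored = JSON.parse(decodeURIComponent(m[1])); } catch (e) { return defaultConsent(); }
  if (!stored || stored.version !== CONSENT_VERSION || stored.decided !== true) return defaultConsent();
  const c = buildConsent(stored);
  c.decidedAt = typeof stored.decidedAt === "string" ? stored.decidedAt : null;
  return c;
}

function isAllowed(consent, category) {
  return category === "necessary" || consent[category] === true;
}

// Third-party tags and the group each belongs to (URLs and the ID are placeholders).
const GATED_TAGS = [
  { category: "statistics", src: "https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXXX-X" },
  { category: "marketing",  src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// The scripts that may be injected for this consent state: none at all
// until the visitor has opted in to the relevant group.
function tagsToLoad(consent) {
  return GATED_TAGS.filter(t => isAllowed(consent, t.category)).map(t => t.src);
}

// Called by the banner's save button with the state of its checkboxes.
function saveConsent(choices) {
  const c = buildConsent(choices);
  if (typeof document !== "undefined") document.cookie = consentCookieString(c);
  return c;
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof document !== "undefined") {
  const consent = parseConsent(document.cookie);
  // If !consent.decided, show the banner; its save button calls saveConsent({...})
  // with the checkbox states and then re-runs this loop.
  for (const src of tagsToLoad(consent)) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```

The version field is what lets you re-ask when the cookie policy changes: a record saved under an older version is treated as no decision, so the banner reappears instead of the old answer being carried over to new wording.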

[C] Update forms: any and all forms (i.e. contact forms, enquiry forms and 3rd party forms) on your website will require an opt-in field.

By default, this must be left unchecked so users have to actively choose to allow their data to be captured and used (example: https://www.badmintonschool.co.uk/contact).
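Server-side handling of the mandatory opt-in box from items [5] and [C], as an added example that is not @intSchools' code. It rejects a submission whose box was not ticked (the browser-side required attribute alone is not enough, since it can be removed in the browser) and stores a record of what was agreed, when, and under which version of the terms. The field names, the checkbox value and the terms version are assumptions about the form's markup.

```javascript
// Added example, not @intSchools' code. Server-side handling of an enquiry form
// whose privacy opt-in box is mandatory and unchecked by default. The field names
// (name, email, message, privacy_optin, newsletter_optin), the checkbox value "yes"
// and PRIVACY_TERMS_VERSION are assumptions about the form's markup.

const PRIVACY_TERMS_VERSION = "2018-05-24"; // assumed: identifies the terms text shown beside the box

// A browser omits an unchecked checkbox from the submission entirely and sends
// its value attribute when checked, so with value="yes" the server sees either
// nothing or "yes". Only that literal counts; a `required` attribute on the
// checkbox is easily stripped in the browser, so the server repeats the check.
function optInGiven(fields, fieldName) {
  return fields[fieldName] === "yes";
}

function validateEnquiry(fields) {
  const errors = [];
  if (typeof fields.name !== "string" || fields.name.trim() === "") {
    errors.push("name is required");
  }
  if (typeof fields.email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.email.trim())) {
    errors.push("a valid email address is required");
  }
  if (!optInGiven(fields, "privacy_optin")) {
    errors.push("please tick the box to agree to our privacy terms");
  }
  return errors;
}

// GDPR asks you to be able to show that consent was given, so the record keeps
// what was agreed, when, and under which version of the terms. The newsletter
// box is separate and optional: agreeing to have an enquiry answered is not
// agreement to receive marketing.
function consentRecord(fields, now) {
  return {
    email: fields.email.trim().toLowerCase(),
    privacyTermsAccepted: true,
    privacyTermsVersion: PRIVACY_TERMS_VERSION,
    newsletter: optInGiven(fields, "newsletter_optin"),
    recordedAt: now.toISOString(),
  };
}

// Returns { ok: false, errors } for a rejected submission, otherwise the
// sanitised enquiry and the consent record to store next to it.
function handleEnquiry(fields, now = new Date()) {
  const errors = validateEnquiry(fields);
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    enquiry: {
      name: fields.name.trim(),
      email: fields.email.trim().toLowerCase(),
      message: typeof fields.message === "string" ? fields.message.trim() : "",
    },
    consent: consentRecord(fields, now),
  };
}

// Constructed sample submissions, shaped like an Express-style req.body.
const withoutOptIn = { name: "A Parent", email: "parent@example.org", message: "Open day dates?" };
const withOptIn = { ...withoutOptIn, privacy_optin: "yes", newsletter_optin: "yes" };
```

Store the consent record with the enquiry and with the mailing-list subscription, since a later access or erasure request has to find both, and the newsletter flag is what you check before adding the address to the mailing list.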

[D] Update mailing list confirmation: like many schools, if you send out newsletters to parents you will need to obtain their permission to do so, and keep a record of it.

For 3rd party platforms, such as MailChimp, where data is hosted outside your own website or CMS, you will need to ensure that the privacy terms are included on the subscription form along with a GDPR opt-in field (example: http://schoolbyt.es/subscribe-to-us).

[E] Migrate your website to HTTPS: website security is an essential part of the GDPR shake-up. The regulation requires security measures appropriate to the risk rather than naming a technology, but a TLS ('SSL') certificate and an HTTPS-only site is the minimum precaution for any site that takes form data.

This encrypts traffic between the visitor's browser and your server, so submitted forms and CMS logins cannot be read or altered on the way. A website running over HTTPS will show a padlock next to the URL in the browser, and some browsers also label it 'Secure'. See below:
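An nginx configuration for the migration described in [E], as an added example that is not @intSchools' configuration: plain-HTTP requests are redirected permanently to HTTPS, and the HSTS header tells returning browsers never to try HTTP again. The hostname, certificate paths and web root are assumptions.

```nginx
# Added example, not @intSchools' configuration. Hostname, certificate paths
# and web root are assumptions; adjust them for the site.

server {
    listen 80;
    listen [::]:80;
    server_name www.example-school.sch.uk example-school.sch.uk;

    # Keep the certificate authority's HTTP-01 renewal challenges reachable
    # over plain HTTP; everything else is sent to HTTPS with a permanent redirect.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    location / {
        return 301 https://www.example-school.sch.uk$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example-school.sch.uk;

    ssl_certificate     /etc/letsencrypt/live/www.example-school.sch.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example-school.sch.uk/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only add this once every page loads cleanly over HTTPS: browsers that
    # have seen it will refuse plain HTTP for the site for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/school;
    index index.html;
}
```

After switching, check that no page references images, scripts or stylesheets by an absolute http:// URL: browsers block or strip that mixed content and the padlock disappears, even though the certificate itself is fine.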

Is your #SchoolWebsite compliant? 

First ask your current website developer, as they should already have this planned in and in action. If you get nowhere, and if you would like to find out more about how we can help ensure your #SchoolWebsite is compliant, please email: gdpr@interactiveschools.com.