Your website is subject to the Data Protection Act (1998) and from May 2018, the EU General Data Protection Regulation. It's crucially important that you understand how it affects your organisation and website.
In summary, you need a reason to store any personal data, any information you store needs to be accurate and up to date, and it needs to be stored securely and destroyed when it is no longer required. Data subjects - the people the personal data belongs to - have a number of rights which you have a responsibility to meet.
Iteracy has responsibilities and obligations as a Data Processor, but the primary responsibility belongs to the owner of the website who is the Data Controller. Our agreement with each website owner must reflect the data collection and processing policies that the website owner decides on:
- what data is collected
- why that data is required
- how the data is used
- how long it will be stored for
Statement of Data Protection and Data Privacy
Privacy by design and default
Our websites are created with privacy by design and by default.
- Web pages are served over HTTPS, which means all traffic between the web server and the website visitor is encrypted
- The CMS password-protects access and limits repeated login attempts
- CMS passwords are stored securely
- Our websites and databases are hosted on a web server located in a secure data centre in the UK
- We have robust security policies and procedures in place which are regularly reviewed
Website owners have responsibilities to maintain data privacy:
- Do not share logins for the CMS – always create a separate account for each CMS user
- Remove or deactivate any CMS user logins as soon as they are no longer needed, for example when a member of staff leaves
- Follow good password practice:
  - Use a strong password (the CMS has a minimum standard for passwords)
  - Use a different password for each website you log in to
  - Do not share your password with anyone else
  - Change your password regularly
What personal data is collected and why
How long data is kept for
How long personal data is kept for is a decision for the Data Controller (website owner). Data can be removed by deleting records through the CMS, and website owners are responsible for removing data when it is no longer required or when they receive a request for erasure.
Requests for rectification and erasure
Data subjects can ask for their records to be corrected or deleted. Website owners can do this by editing records in the CMS, and are responsible for updating or deleting records when they receive such requests. Whoever monitors the website’s contact email should be made aware of their responsibilities to respond to such requests.
Requests for access and portability
Data subjects can ask whether any data is stored about them, and if so what. Whether any personal data is stored can be determined through the CMS, and website owners are responsible for responding when they receive an enquiry about whether a person's data is stored. If data is stored about an individual, the website owner should tell them what is stored, for what purpose, how long it will be stored for and their rights under GDPR.
Website owners are also responsible for responding to a person when they receive a request for a copy of their data. This must be supplied in a structured, commonly used and machine-readable format (commonly CSV or XML).
Such requests must be free, but website owners can charge an admin fee if the number and frequency of requests from an individual are unreasonable. Whoever monitors the website’s contact email should be made aware of their responsibilities to respond to such requests.
Out of scope
We retain server backups as part of our security procedures; we consider these to be out of scope for erasure and rectification requests.
The Data Controller (the website owner) is responsible for any damages caused by a data breach as a result of their actions or failure to act.
Iteracy is responsible for any damages caused by a data breach as a result of our actions or failure to act.
In the case of a data breach, it is the Data Controller’s responsibility to notify the ICO within 72 hours. We will notify you, the website owner, within 48 hours if we become aware of a data breach.
Depending on the nature of the data you collect and whether a breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, you may need to communicate with your data subjects (the people the data belongs to) if a data breach does happen.