Privacy Policy & GDPR
- Aug 8, 2022
- 3 min read
Updated: Mar 24
Overview
As a business owner, you're legally responsible for protecting your customers' data.
Part of this includes having a privacy policy visible on your website.
This is part of the GDPR law launched in 2018.
GDPR isn't just a website thing—it applies to your whole business.
What do I need to do?
From a website point of view:
Write a privacy policy for your website that explains how you store and use that data.
We recommend using your favourite AI generator (not great for everything but fairly reliable for this!)
Export it as a document in Word or Pages, and send it to me (kat@onlinedesigns.uk) to put on your website.
A privacy policy explains:
What data you collect
Why you collect it
How you keep it safe
Most businesses can make their own privacy policy by using a generator or template and don't need to consult a lawyer. But your business should use a lawyer for a privacy policy if you collect large amounts of data, sensitive information, or data from children.
What else do I need to do?
You have GDPR responsibilities across your business. Read on for information and tips.
GDPR basic overview
Here is what the GDPR law includes, from a very basic point of view:
Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent.
Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes.
Data minimization: Only collecting the data necessary for the purpose.
Accuracy: Keeping data accurate and up-to-date.
Storage limitation: Keeping data only as long as needed.
Integrity and confidentiality: Ensuring data security.
Accountability: Being able to demonstrate compliance.
🧠 What counts as data?
Data = anything that identifies a person:
Name, email, phone number, address, date of birth, etc.
Even emails or form messages count.
Your website cookies also collect data.
Sensitive data (e.g. religion, sexuality, political views) needs extra care.
Do not collect this unless you absolutely have to.
Tip: In general, only collect what you truly need. For example, your contact forms should be as minimal as possible. Most people automatically want a phone number AND an email address from a customer. Is this 100% necessary for you?
You should be able to fully and clearly explain exactly why you need each piece of information you're asking for.
The actual GDPR wording is "Data must be collected for specified, explicit, and legitimate purposes."
🤔 What if I don’t think I collect data?
You do!
A single customer email = data
Cookies on your site which exist automatically for analytics and caching = data
So yes, everyone needs a privacy policy even if you're not purposely collecting data.
🔓 What happens if data isn’t secure?
Hacks and leaks are common.
Weak passwords or insecure email accounts can lead to breaches—your customers could end up getting spammed, and you could be reported.
If there's a breach, you legally must follow the ICO’s data breach process.
There are lots of steps you can take to prevent a hack and leak of data.
🔐 So how do I protect my data and stop a leak?
Use secure email - we can provide these for you. (They should be with proper providers like Google/Microsoft, not cheap providers like 123-reg).
Use strong, random passwords—never reuse them.
Example: YF4Z-az2pq-UTlMC2I
Store passwords properly in tools like 1Password, Dashlane, or Apple Keychain. Do NOT write them on paper or in random digital notes.
Store all files in secure cloud storage (Google Drive, Dropbox, etc.). Do not use cheap servers, or random storage set up by your friend or neighbour. This kind of thing is fine for personal family photos but not for business use.
Be cautious of losing portable hard drives or USB sticks.
Don’t keep old data for no reason. Regularly go through and delete what you no longer need. For example, delete enquiries from years ago that never went ahead.
Enable 2-step verification on everything.
Store your customer details and jobs/projects in a proper secure CRM like Zoho, Monday or HubSpot.
💻 How much of this is our job as your web designers?
None. You are the data controller as the business owner.
So what's next?
Write a privacy policy for your website.
Immediately stop using free email services if applicable, and move to professional business mailboxes. Ask us for info.
Review all the data you store, and where you store it.
Set up a secure CRM for customer data.