Alana Spencer has been a client of ours ever since she won BBC's The Apprentice in 2016 and asked us to design a new website for her handmade cake business, Ridiculously Rich by Alana.

Ridiculously Rich has been going from strength to strength since Lord Sugar invested in the company two years ago, and earlier this week, he and Alana announced their new Cakepreneur initiative, which promises to drive even greater growth as we head into autumn.

Here's an introduction from Alana and Lord Sugar themselves:

Building the new Cakepreneur system

The Designer Websites team have been hard at work over the last couple of weeks, striving to ensure that the website's new Cakepreneur system would be ready for its big launch.

We were asked to build an add-on for Alana's existing Ambassador system to accommodate a new type of reseller: Cakepreneurs. This was conceived as a more affordable way to join the Ridiculously Rich family - it costs £1,000 to become the Ridiculously Rich Ambassador for your region, whereas Cakepreneurs pay a one-off setup fee of just £150.

A Ridiculously Rich Cakepreneur starter kit.

Our skilled web developers created a sign-up area that makes it easy for would-be Cakepreneurs to get the ball rolling. Once the user has filled in their details, the website shows them an introductory video, then prompts them to take a quick online test. Those who pass this test can then pay the setup fee and order their starter kit (pictured above).

What do Cakepreneurs do?

Cakepreneurs earn commission by selling Ridiculously Rich cakes to...

  • Cafés
  • Delicatessens
  • Farm shops
  • Corporate clients

...and so on. Each Cakepreneur is given a unique discount code that entitles their customers to 5% off all online orders.

The system that we have designed and developed makes it easy for Alana's Cakepreneurs to sign in and manage everything. Each Cakepreneur can create their own Ridiculously Rich profile, add meetings to their own personal calendar, and sign up clients who will earn them commission with each order placed. The system also allows the Ridiculously Rich administrators to see how active each Cakepreneur is.

Additional development

In addition to the new Cakepreneur system, Designer Websites also built...

  • A new downloads section that allows Ridiculously Rich to share documents, videos, and other downloadable resources with their Ambassadors and Cakepreneurs all over the country.

  • A new 'Stockists' page that makes it easy for users to find nearby shops that sell Ridiculously Rich cakes.

  • A new 'Find My Nearest' page - simply enter your postcode to see a full list of Ridiculously Rich Ambassadors and Cakepreneurs in your area.

Alana explains why she chose to work with Designer Websites


GDPR FAQ

IMPORTANT NOTE: Unlike some companies who have written about this topic recently, we are not running a GDPR course, and so we will not be exaggerating the issues to scare you into parting with your cash. This is merely an advisory post for Designer Websites clients, many of whom have been asking us about the new law that will soon be in effect.

If you're a business owner, odds are you've already heard about the General Data Protection Regulation (GDPR) that will soon be in effect throughout the European Union. This new regulation is fairly complex, and many different claims are being made about it - not all of them accurate.

With that in mind, we want to do what we can to help you understand the new laws and what they mean for your business, particularly your website. You've probably got a lot of questions about the GDPR, and today we're going to attempt to answer some of them.

Please note that this post is for informational purposes only and should not be mistaken for professional legal advice. Designer Websites Ltd will not be held responsible for any other organisation's failure to comply with the GDPR or any other piece of legislation.

Contents:

  1. What is the GDPR?
  2. When will the new law take effect?
  3. Where does the GDPR apply?
  4. Why does my organisation need to be GDPR compliant?
  5. Who is responsible for ensuring that my organisation is compliant?
  6. How can I make sure I'm ready for the new law?
  7. What steps do the ICO recommend?
  8. Are Designer Websites GDPR compliant?
  9. Do I need to do anything about my website?
  10. Can Designer Websites help with GDPR compliance?
  11. Useful links

1. What is the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation that aims to improve data protection for individuals within the European Union. The regulation will give individuals more control over their personal information and how it is used.

Under the GDPR, organisations that process people's personal data will be expected to keep that data secure, be transparent about its use, and report data breaches promptly when they occur.

Here in the UK, the new data protection law will be enforced by the ICO (Information Commissioner's Office). An in-depth guide to the GDPR can be found on their website.

2. When will the new law take effect?

The GDPR was adopted in April 2016, but it is not yet in effect. It will be enforced from 25 May 2018 onwards. Your organisation will need to be compliant with the new law by that date.

3. Where does the GDPR apply?

The GDPR is an EU regulation, and thus it will apply in all EU member states. This includes the United Kingdom, and the UK government has confirmed that the GDPR's requirements will be carried over into domestic law after Brexit, so leaving the EU will not remove the obligation to comply.

The GDPR also applies to any organisations who process the personal information of individuals within the EU. For example, Facebook and LinkedIn are both based in the USA, but since they hold personal data on EU citizens and residents, these companies will be expected to comply with the new regulation just as if they were based inside the EU.

4. Why does my organisation need to be GDPR compliant?

Once the new law is in force, your organisation will be required by law to comply with the General Data Protection Regulation. After 25 May, if you are found to be in violation of the GDPR, you will be breaking the law, and may thus be subject to a number of sanctions.

That said, the ICO have made it clear that they view fines as a last resort, and will only use them to punish companies who "systematically fail to comply with the law or completely disregard it". Information Commissioner Elizabeth Denham has stated the following:

"The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR...we intend to use [our increased] powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand...the GDPR gives us a suite of sanctions to help organisations comply - warnings, reprimands, corrective orders." [source]

So don't panic when you see people using scaremongering tactics and telling you that you'll be fined millions of pounds if you aren't GDPR compliant by 25 May - this is simply not true. The important thing is that you're making a reasonable effort to comply by being transparent about your data collection practices and keeping people's personal information secure.

5. Who is responsible for ensuring that my organisation is compliant?

Short answer: you are. If it's discovered that your organisation is not complying with the GDPR, it's your organisation that will be held to account.

The long answer is a little more complicated. The new regulation makes the following distinction between what the EU call 'controllers' and 'processors':

  • Controllers determine the 'purposes and means' of processing personal data (e.g. if you collect information about your customers and use that information to either communicate with them or make decisions about them, then you are a controller).

  • Processors are the ones who actually handle the data on behalf of a controller (e.g. companies like Sage, Salesforce, Infusionsoft and MailChimp are processors because they provide a service that involves processing data on behalf of controllers).

It is quite possible that you are a controller and a processor of some personal data.

Both controllers and processors have responsibilities under the GDPR. Processors must keep records of the processing they carry out, must process personal data only on the controller's documented instructions, are responsible for keeping that data secure, and must tell the controller without undue delay if they suffer a breach; a processor that fails in these duties can be held liable directly. Controllers remain responsible for the processing overall, and must only use processors that give sufficient guarantees of GDPR compliance, under a written contract that sets out what the processor may do with the data.

Since virtually all organisations process some personal data themselves - even if it's just their own employee records - nobody will be off the hook when the GDPR comes into force on 25 May. So now let's answer the most important question of all...

6. How can I make sure I'm ready for the new law?

The most important thing is to demonstrate that your organisation has made a reasonable effort to comply with the GDPR and protect the rights of the individuals whose personal data you store and/or process. As you've already seen, the Information Commissioner's Office will only be issuing fines to the very worst offenders - they're more interested in helping businesses to understand and comply with the new law in order to protect individuals' rights as best as possible. In fact, if this whole thing has you feeling completely lost, you may want to make use of the ICO helpline (open 0900-1700, Mon-Fri).

So what exactly will you need to do from 25 May onwards? Well, the right approach will differ from one organisation to the next, but here's a good rule of thumb: before you collect or process someone's personal data, make sure you...

  • Have a clear reason - and a lawful basis - for doing so. Know why you're collecting other people's information, and know whether that reason is defensible in the eyes of the law. Under the GDPR, there are 6 valid legal reasons for organisations to collect personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Details on all 6 lawful bases can be found here; for the majority of businesses, the most applicable basis will either be consent (the individual consented to you collecting and processing their information) or legitimate interests (you have a valid business reason for collecting the data, and you are not infringing on the personal rights of the individual).

  • Are only collecting what's necessary. You should only ever collect/process personal data if it is necessary to your stated goal. For instance, you might reasonably collect a customer's name and contact details so that you're able to reach them, but that's no reason to also collect information on their race, nationality, date of birth, etc.

  • Know how long you will be holding on to that data. The GDPR doesn't allow organisations to keep people's personal information indefinitely just because. Once you know why you're collecting personal information (see first point), you should also assess how long you'll need to keep the data in order to meet that goal. This doesn't necessarily need to be a specific number of days or months - it could just be 'for as long as that person remains a customer' or 'until that person unsubscribes from our newsletter'.

  • Will be able to keep this data secure. The GDPR asks for technical and organisational measures appropriate to the risk. Technically, that means things like keeping software patched, encrypting the data in transit and at rest, and restricting access to the systems that hold it; organisationally, it means procedures and training so that only authorised personnel can access the collected information, and records that let you see who has accessed it.

  • Will be able to respect the individual's rights to access and erasure. Under the GDPR, individuals have the right to obtain a copy of all the personal data that an organisation holds on them. In addition, they usually have the right to request that this information be deleted. Ensure that your data subjects will be able to make these requests, and that you'll be able to honour them in a timely manner - requested information will need to be supplied within 1 month of receiving the request, and while there are certain circumstances under which you can refuse to delete personal data (see 'When can I refuse to comply with a request for erasure?'), you will generally need to comply with deletion requests as quickly as possible too.

7. What steps do the ICO recommend?

The ICO have put together a helpful list of 12 steps that organisations should take ASAP in order to prepare for the General Data Protection Regulation. By now, you hopefully have a reasonably clear idea of what your responsibilities will be under the new law, but if you're not sure what actions you now need to take, this list is a great place to start.

So let's go through the 12 recommended steps in a little more detail:

1) Make sure everyone's aware of the new law.

Speak to the key decision-makers within your organisation and ensure that they understand the new law and what it requires of them.

2) Document all personal data you currently hold.

You probably already have at least some personal data on record. Now is a good time to review:

  • What data you hold
  • Where it came from
  • Whether you still need it
  • How you're using it
  • Who has access to it
  • Whether you have a lawful basis for keeping it

An information audit may help with this step.

3) Review your privacy policy.

People who interact with your organisation should be able to access a copy of your privacy policy (most companies publish it on their website). Read over your privacy notice and revise it if necessary to ensure that it complies with the GDPR.

If you're not sure what your privacy policy needs to include, you may wish to refer to our own privacy policy as an example - however, please bear in mind that every business is different, and your privacy notice may need to cover certain things that ours does not.

4) Make it easy for individuals to make information requests...

As we've already covered, data subjects have the right to know what information you have on them. Try to make it as easy as possible for data subjects to submit information requests - for instance, you might put a contact form on your website for this purpose, or set up a dedicated email address for right of access requests.

Larger companies may choose to provide a self-service area in which customers can view, update and delete their own personal information. However, developing a tool like this would probably be overkill for small/medium-sized businesses who do not expect to receive many requests.

5) ...and ensure that you're able to respond to these requests.

In addition to the above, you need to make sure that your systems allow you to quickly retrieve and, if necessary, delete people's personal information when they request it. Ensuring that this can be done in a timely manner will help you to comply with the GDPR, and it will save you valuable time if and when a request is submitted.
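To make steps 2, 4 and 5 concrete, here is an added example in Python (not code from the original post, nor from Designer Websites): a personal-data inventory that records which tables hold personal data, which column identifies the person, and what should happen to each table on erasure, used to drive both access requests and erasure. The tables, column names and sample rows are constructed for the illustration; the 'anonymise' rule stands in for records such as invoices that must be kept for another lawful basis (a legal obligation) but can have their identifying fields removed.

```python
"""Subject access and erasure driven by a personal-data inventory.

Added example, not the original page's code. Schema and rows are constructed.
"""
import sqlite3

# The output of the "document all personal data you hold" step: every table that
# holds personal data, the column that identifies the data subject, and what to do
# on erasure. "anonymise" is for records that must be retained (here invoices kept
# under a legal obligation) but can have the identifying columns blanked.
# Table and column names come from this fixed inventory, never from user input,
# so building SQL from them is safe; the subject's email is always parameterised.
PERSONAL_DATA_INVENTORY = [
    {"table": "customers", "subject_column": "email", "on_erasure": "delete"},
    {"table": "newsletter_subscribers", "subject_column": "email", "on_erasure": "delete"},
    {"table": "invoices", "subject_column": "customer_email", "on_erasure": "anonymise",
     "identifying_columns": ["customer_email", "customer_name", "delivery_address"]},
]


def build_sample_db():
    """Constructed sample data (not real people) in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (email TEXT, name TEXT, phone TEXT);
        CREATE TABLE newsletter_subscribers (email TEXT, subscribed_on TEXT);
        CREATE TABLE invoices (invoice_no TEXT, customer_email TEXT, customer_name TEXT,
                               delivery_address TEXT, total_pence INTEGER);
        INSERT INTO customers VALUES ('ann@example.com', 'Ann Example', '01234 567890');
        INSERT INTO customers VALUES ('bob@example.com', 'Bob Sample', '01234 000000');
        INSERT INTO newsletter_subscribers VALUES ('ann@example.com', '2017-03-01');
        INSERT INTO invoices VALUES ('INV-1001', 'ann@example.com', 'Ann Example', '1 High St', 2499);
        INSERT INTO invoices VALUES ('INV-1002', 'bob@example.com', 'Bob Sample', '2 Low Rd', 999);
    """)
    return db


def export_subject_data(db, email):
    """Right of access: everything held about one person, keyed by table.
    Tables with no rows for that person are left out of the result."""
    db.row_factory = sqlite3.Row
    result = {}
    for entry in PERSONAL_DATA_INVENTORY:
        sql = "SELECT * FROM {} WHERE {} = ?".format(entry["table"], entry["subject_column"])
        rows = [dict(r) for r in db.execute(sql, (email,))]
        if rows:
            result[entry["table"]] = rows
    return result


def erase_subject_data(db, email):
    """Right to erasure: delete where we can, anonymise where the record itself must
    be kept. Returns {table: (action, rows_affected)} for the reply to the person.
    Runs as one transaction so a failure part-way leaves nothing half-erased."""
    summary = {}
    with db:
        for entry in PERSONAL_DATA_INVENTORY:
            table, col = entry["table"], entry["subject_column"]
            if entry["on_erasure"] == "delete":
                cur = db.execute("DELETE FROM {} WHERE {} = ?".format(table, col), (email,))
            else:
                sets = ", ".join("{} = 'erased'".format(c) for c in entry["identifying_columns"])
                cur = db.execute("UPDATE {} SET {} WHERE {} = ?".format(table, sets, col), (email,))
            summary[table] = (entry["on_erasure"], cur.rowcount)
    return summary


if __name__ == "__main__":
    db = build_sample_db()
    print("access request:", export_subject_data(db, "ann@example.com"))
    print("erasure:", erase_subject_data(db, "ann@example.com"))
    print("after erasure:", export_subject_data(db, "ann@example.com"))
```

The point of routing both requests through the same inventory is that a table added later without an inventory entry is a visible gap in your records rather than a silent omission from every access-request reply.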

6) Identify a lawful basis for your data collection / processing.

Remember, there are 6 lawful bases for processing data - make sure you understand them, and identify which one applies to your activities. Bear in mind that you can't change your mind later (e.g. if you collected a customer's contact details on a 'consent' basis because they agreed to receive promotional information from your organisation, you cannot use those details for other purposes on the basis of 'legitimate interests').

Your choice of lawful basis should be documented in your privacy notice - see step 3.

7) Check how you establish consent.

If you collect people's personal data on a 'consent' basis (see above), you need to:

  • Give individuals a clear way to give - or withhold - consent
  • Make it clear what individuals are consenting to

For instance, if there is a form on your website that requires people to enter their contact details, you need to be EXPLICIT about what you plan to do with those contact details. If you're going to send promotional emails, say so. If you plan to share the individual's details with your partner companies, make this clear.

Consent should never be the default option. Here's something you've probably seen quite often on the Internet:

☐ Tick this box if you do not wish to receive promotional emails from us.

In this example, users are automatically consenting to receiving emails until they tick the box. Under the GDPR, this sort of thing will not be allowed - the message above would need to be changed to 'Tick this box if you wish to receive promotional emails from us' or something similar. Make sure you're ASKING for consent instead of giving the option to withdraw it.
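As an added example (not code from the original post), here is the server side of the two checkbox wordings above, in Python. Browsers leave an unticked checkbox out of the submitted form entirely, which is why the old opt-out box is dangerous in code as well as in wording: a request with no checkbox at all, including one from someone who never saw the form, reads as consent. The opt-in version treats anything other than an explicit 'yes' as no consent, keeps one box per purpose (promotional emails and partner sharing separately, as the previous paragraph asks), and records the wording the person saw so you can later show what they agreed to. The field names and statement text are assumptions for the illustration.

```python
"""Opt-in consent capture for a sign-up form.

Added example, not the original page's code. Field names and wording are assumptions.
"""
from datetime import datetime, timezone

# Exact wording shown beside each checkbox, versioned so that a consent record can
# show what the person actually read. One box per purpose: consent to promotional
# emails and consent to sharing with partners are asked for separately.
CONSENT_STATEMENTS = {
    "marketing_email": ("v2", "Tick this box if you wish to receive promotional emails from us."),
    "partner_sharing": ("v2", "Tick this box if you are happy for us to pass your details "
                              "to our partner companies so they can contact you."),
}


def consent_from_opt_out_form(form):
    """The old pattern: a single box reading 'Tick this box if you do not wish to
    receive promotional emails from us'. Browsers omit an unticked checkbox from the
    submission altogether, so an empty form, a bot, and a visitor who never noticed
    the box all look exactly like consent."""
    return "no_promo" not in form


def consent_from_opt_in_form(form, submitted_at=None):
    """Opt-in capture. Consent for a purpose exists only when that purpose's box was
    ticked; any other value, including the field being absent, is recorded as no.
    (A pre-ticked box would also arrive as 'yes', so the template must not pre-tick
    it; that cannot be detected server-side.)"""
    submitted_at = submitted_at or datetime.now(timezone.utc)
    record = {"email": form.get("email", "").strip(), "consents": {}}
    for purpose, (version, text) in CONSENT_STATEMENTS.items():
        record["consents"][purpose] = {
            "given": form.get(purpose) == "yes",
            "statement_version": version,
            "statement": text,
            "recorded_at": submitted_at.isoformat(),
            "withdrawn_at": None,
        }
    return record


def withdraw_consent(record, purpose, withdrawn_at=None):
    """Withdrawal must be as easy as giving consent: one call clears the flag and
    keeps the timestamp, so the history remains demonstrable."""
    withdrawn_at = withdrawn_at or datetime.now(timezone.utc)
    entry = record["consents"][purpose]
    entry["given"] = False
    entry["withdrawn_at"] = withdrawn_at.isoformat()
    return record


def may_send_marketing(record):
    """The check every mailing job should make before it sends anything."""
    return record["consents"]["marketing_email"]["given"]


if __name__ == "__main__":
    # Constructed submissions: a bare POST with no checkboxes, and a real opt-in.
    print("opt-out form, empty POST treated as consent:", consent_from_opt_out_form({}))
    rec = consent_from_opt_in_form({"email": "ann@example.com", "marketing_email": "yes"})
    print("opt-in form:", may_send_marketing(rec), rec["consents"]["partner_sharing"]["given"])
```

Storing the statement version with each record is what lets you answer "what exactly did this person agree to?" after the wording on the form has changed.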

8) Think of the children!

The GDPR sets 16 as the age at which a child can consent on their own behalf to the processing of their personal data by an online service, but allows each member state to lower this to as little as 13, and the UK has chosen 13. In the UK, therefore, a child under 13 cannot legally give that consent themselves: a parent or legal guardian must consent on the child's behalf.

If you think that children may interact with your organisation, it may be necessary to implement some kind of age verification system on your website and/or set up a simple way for parents and guardians to consent to data processing activities.

9) Know how to respond to a data breach.

Under the GDPR, a personal data breach is any security incident that leads to personal data being accessed or disclosed without authorisation, or being lost, altered or destroyed - so a lost laptop or an email sent to the wrong person counts just as much as a hacked server. Make sure you have an established procedure in place for detecting, reporting and investigating breaches. (Remember, if you're based in the UK, a breach that is likely to put individuals' rights at risk must be reported to the ICO within 72 hours of your becoming aware of it, and the people affected must be told without undue delay if the risk to them is high.)

10) Familiarise yourself with the guidelines.

You're already reading up on the General Data Protection Regulation, but now is also a good time to familiarise yourself with other relevant guidelines, especially the ICO's code of practice for conducting privacy impact assessments.

11) Designate a data protection officer.

While everyone in an organisation has a role to play in keeping data secure and complying with the law, you should designate someone to take overall responsibility for data protection compliance and security. Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data (such as health or criminal-conviction data), are required to appoint a formal Data Protection Officer; everyone else should still name a responsible person, even if informally.

12) Determine your lead data protection supervisory authority.

If you solely operate within the UK, your data protection supervisory authority is the ICO (Information Commissioner's Office). If you hold information on individuals in other EU member states, you should identify the authorities for each of those countries and determine which is the 'lead' authority for your organisation.

8. Are Designer Websites GDPR compliant?

Yes, we are. In fact, we have always been compliant; from the very beginning, we were always extremely careful to store / process customer and staff details securely.

We keep our servers (which hold the data we collect and record for our customers) in a purpose-built secure data centre with firewalls, secure access and activity logging. We have our own defined procedures in place for tracking and using the data that we record. We have always had a designated data protection officer, and we have an up-to-date privacy policy.

When an enquiry is submitted via our website, we do not store the submitted information in a database - we simply receive an email containing the content of the submitted form. These emails are deleted after 12 months.

9. Do I need to do anything about my website?

As stated earlier, all businesses - and all business websites - are different. We can offer some general guidance to help you ensure that your website is GDPR compliant, but please remember that it is your responsibility to familiarise yourself with the new law and ensure that every part of your organisation is following it.

With that said, we recommend the following:

  1. Update your privacy policy and cookies policy. Make sure these documents are accurate and exhaustive. Explain all the ways you collect people's data through your website, how that data is used, and how people can contact you to request access to / deletion of their information.

  2. Review the forms on your website. If your website contains any forms that ask users to enter personal data, you must declare why you are capturing that information and what you intend to do with it (e.g. 'we will use this information to inform you about future offers' or 'we reserve the right to share this information with our partner companies'). This should be stated on the form itself as well as in your privacy policy (see above).

  3. Stop making consent the default option. If you use pre-ticked checkboxes on your web forms (or require the user to tick a box to opt OUT of something), you will need to stop doing this before the GDPR comes into force. Ensure that users cannot consent to anything through a lack of action - for instance, users should have to tick a box when they DO wish to be added to your mailing list, not when they want to be kept off it.

  4. Check the consent you have for data you already hold. If you rely on consent for personal details collected in the past, make sure that consent meets the GDPR standard (a clear opt-in action for a clearly explained purpose). If it was obtained through a pre-ticked box or simply assumed, you should either seek fresh consent or identify another lawful basis for keeping the data. Either way, make it easy for people to unsubscribe from your mailing list if they no longer wish to be on it.

  5. Ensure that people are able to view and delete their personal information. As we mentioned earlier, you may wish to set up an automated system that allows your customers to manage their own personal data, but a contact email address is sufficient if you're not expecting a lot of requests. Just make sure that anyone looking to access their personal data has a clear way to do it.

10. Can Designer Websites help with GDPR compliance?

It is ultimately your responsibility to comply with the GDPR law, but if you need any help from the Designer Websites team then we will of course assist you wherever possible.

For instance, if you need us to make your web forms compliant, or if you need help with your website's privacy policy, please email info@designer-websites.co.uk and ask for assistance. This work is chargeable (our usual rates apply), and each website is different, so we would have to add you to our list of requests and assess how much time would be needed to make your site compliant. Please bear in mind that we manage hundreds of websites, and it may be some time before your changes can be made.

11. Useful links

Bespoke Online Solutions

Truly successful online businesses don't just need a website that's user-friendly and optimised for search engines. More often than not, they need specialised functionality, a significant level of automation, comprehensive administration portals, integration with other business solutions...the list is long, and of course, every business has its own specific requirements.

In this post, we'd like to show you 10 quick and simple examples of the bespoke online solutions that we've created and implemented for our clients.


Top .NET and Ecommerce Developers

We at Designer Websites are very proud to announce that we've been featured in not one but two lists of the UK's very best web developers. Clutch, who describe themselves as a 'data-driven field guide to business buying decisions', included Designer Websites Ltd in the following lists:

As ecommerce specialists, we were particularly pleased to learn that we'd made Clutch's list of the UK's leading ecommerce developers. Our experienced designers and developers work hard to provide high-quality ecommerce solutions that are tailored to each individual client, and it feels great to be recognised for the quality of the work we do.

Visit our Ecommerce Web Design page to find out more about the bespoke ecommerce solutions we provide here at Designer Websites.


UPDATE 30/01/18: We have also been named among Clutch's Top UK Inbound Marketing Agencies!

From October 2017, Chrome will show a 'NOT SECURE' warning on any HTTP page containing a text form

Switch your website to HTTPS

Google are currently on something of a crusade. They want their users to feel totally secure as they browse the web, and so they've been doing their best to push website owners to take user security more seriously. Since Chrome 56 (released in January 2017), Google Chrome has shown a 'Not secure' warning on non-HTTPS pages that collect sensitive data: checkout pages and login screens must be served over an HTTPS connection so that card details, passwords, and other sensitive details are encrypted in transit, rather than sent in the clear where anyone on the network path could read or alter them. If you're asking users to enter that sort of information on an HTTP page, Chrome will flag up the risk with a notice like this:

Google Chrome 'Not Secure' Warning

As things stand, that 'Not secure' warning is only shown on pages that ask the user for 'sensitive' data, namely:

  • Passwords
  • Credit / debit card details

However, Google have now announced a major change that could cause a lot of problems for website owners. From Chrome 62 (October 2017), the 'Not secure' warning will appear on ANY non-HTTPS page as soon as the user starts typing into an input field, regardless of the form's purpose, and on every HTTP page visited in Incognito mode.

This means that, from October onwards, the following pages will need to be served over HTTPS:

  • Any page with a search bar
  • Any page with a contact / enquiry form
  • Any page with a newsletter signup form

Basically, if your page contains ANY element that allows the user to enter and submit some sort of information - whether it's their credit card number, their email address, or the name of the product they're looking to buy from your website - then you'll need to get that page secured with an SSL certificate by October.

With this change looming on the horizon, a lot of website owners will need to think very seriously about implementing HTTPS across all pages if they have not already done so. For instance, it's quite common for ecommerce sites to use HTTPS on their login/register and checkout pages while serving all other pages over an unsecured HTTP connection, but once this Chrome update takes effect, the people who visit those websites will start seeing 'Not secure' messages everywhere they click.

And those two little words will often be enough to put off potential customers and send them running to a fully-secured competitor instead.

What do I need to do?

If you are currently serving text input forms over an HTTP connection, you will need to obtain an SSL/TLS certificate (either purchased from a certificate authority, or issued free of charge by one such as Let's Encrypt) and install it on the server where your website is hosted. You will then need to update things like canonical tags and internal links so that they point to your website's new URLs (beginning with https:// rather than http://), and make sure that every script, stylesheet, image and iframe is also loaded over https://: a page that is itself secure but pulls in a resource over plain HTTP is flagged as 'mixed content', which loses you the padlock and, for scripts, causes the browser to block the resource altogether. You will also need to ensure that the proper redirects are in place (permanent 301 redirects that preserve the requested path) so that anyone trying to access the HTTP version of your website is automatically sent to the secure HTTPS version. Once everything works over HTTPS, sending a Strict-Transport-Security header tells returning browsers never to try plain HTTP for your site again.

If that to-do list seems a little intimidating, don't worry - all you really have to do is ask your website developer to make the necessary changes for you. They will know how to install the SSL certificate and update everything 
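As an added example (not code from the original post, nor a Designer Websites tool), here is a small Python pre-flight check for the migration described above: it scans a page for internal links and canonical tags that still point at http://, lists the resources that would become mixed content once the page is served over HTTPS, rewrites the internal links, and checks that a captured HTTP response is the 301-to-https redirect a migrated site should send. The sample page and responses are constructed, and the site hostname is an assumption.

```python
"""Pre-flight checks for an HTTP -> HTTPS migration.

Added example, not the original page's code. Sample HTML and responses are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute the browser either follows (navigation) or fetches (resource).
NAVIGATION_ATTRS = {"a": "href", "form": "action", "link": "href"}
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


class _RefCollector(HTMLParser):
    """Collects (tag, attrs) for every tag that carries a URL we care about."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in NAVIGATION_ATTRS or tag in RESOURCE_ATTRS:
            self.refs.append((tag, {k: (v or "") for k, v in attrs}))


def _kind(tag, attrs):
    # A <link> is a fetched resource when it loads a stylesheet; otherwise
    # (canonical, alternate, ...) it is a URL to be updated like a normal link.
    if tag == "link":
        return "resource" if "stylesheet" in attrs.get("rel", "").lower() else "navigation"
    return "resource" if tag in RESOURCE_ATTRS else "navigation"


def find_http_references(html, site_host):
    """Scan a page for plain-HTTP URLs. Returns two lists of (tag, url):
    internal_links - links, form actions and <link> tags pointing at http://<site_host>,
                     which must be changed to https://;
    mixed_content  - scripts, images, frames and stylesheets loaded over http:// from
                     any host; once the page itself is HTTPS these break the padlock.
    Relative and protocol-relative (//host/...) URLs inherit the page's scheme and are fine."""
    parser = _RefCollector()
    parser.feed(html)
    found = {"internal_links": [], "mixed_content": []}
    for tag, attrs in parser.refs:
        url = attrs.get(NAVIGATION_ATTRS.get(tag) or RESOURCE_ATTRS.get(tag), "")
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        if _kind(tag, attrs) == "resource":
            found["mixed_content"].append((tag, url))
        elif parts.hostname == site_host:
            found["internal_links"].append((tag, url))
    return found


def rewrite_internal_links(html, site_host):
    """Rewrite every http://<site_host> reference to https://<site_host>.
    The lookahead stops 'example.com' from also matching 'example.com.evil.net'."""
    pattern = re.compile(r"http://" + re.escape(site_host) + r"(?=[/?#'\"\s]|$)", re.IGNORECASE)
    return pattern.sub("https://" + site_host, html)


def check_redirect(requested_url, status, location):
    """Check a captured response for the redirect a migrated site should send: a
    permanent 301 to the same host, path and query on https://. Returns (ok, reason)."""
    req = urlsplit(requested_url)
    if status != 301:
        return False, "expected a 301 permanent redirect, got %s" % status
    loc = urlsplit(location or "")
    if loc.scheme != "https":
        return False, "redirect target is not https://"
    if (loc.hostname, loc.path, loc.query) != (req.hostname, req.path, req.query):
        return False, "redirect changes host, path or query (drops the visitor's destination)"
    return True, "ok"


# Constructed sample page for a site assumed to live at www.example.com.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/contact">
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<a href="http://www.example.com/about">About</a>
<a href="http://www.other-site.org/">Partner</a>
<form action="/contact" method="post"><input name="email"></form>
<img src="//cdn.example.net/logo.png">
</body></html>"""

if __name__ == "__main__":
    print(find_http_references(SAMPLE_PAGE, "www.example.com"))
    print(find_http_references(rewrite_internal_links(SAMPLE_PAGE, "www.example.com"), "www.example.com"))
    print(check_redirect("http://www.example.com/shop?page=2", 302, "https://www.example.com/"))
```

Note that rewriting only fixes references to your own host: the third-party script in the sample still needs to be fetched from its provider over https:// (or from a copy you host yourself) before the page will show a padlock.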

Do I need to switch to HTTPS if my website doesn't contain any forms?

Perhaps you've been reading this and thinking 'this doesn't concern me - I don't have any search bars, contact forms or anything like that on my website, so I must be safe'.

If so, we have some bad news for you. Google have made it quite clear that the October update will merely be the latest step towards their ultimate goal, which is to mark ALL HTTP pages as 'Not secure'.

This week, Google sent out an email to webmasters warning them of the imminent expansion of the 'Not secure' message. That email included the following ominous statement:

"The new warning is part of a long term plan to mark all pages served over HTTP as 'not secure'."

So while your unsecured website may survive the update in October, you won't be able to escape that 'Not secure' shame notice forever. And given that users are increasingly expecting to see that little green padlock at the top of their screens no matter what they're doing online, it's probably a good idea to get that SSL certificate and upgrade to HTTPS sooner rather than later.

Further Reading: Why Convert Your Website to HTTPS?