Ok, another somewhat worried email from me, I’m afraid.
I was writing my privacy policy (despite still being a little feverish) and decided to contact 123-Reg to find out whether the fact that I get my domain from them and use Office 365 means I was still storing data on their servers. As I was there, I also asked if, once I publish my website, they will store a copy of any contact form responses I receive.
After reassuring me on both counts (that my emails are only stored in Office 365 and that I had successfully selected the option to not have form responses stored on their servers but emailed directly to me), they said that I was, however, not GDPR compliant.
Pardon?!? … was my slightly shocked response.
They directed me to this site:
Apparently, after GDPR, any site that has a contact form and does not have an SSL certificate (which I thought I had but it transpires it did not come automatically with the package I chose so I actually only have domain privacy) is not compliant.
Is having an SSL a requirement to get accreditation? I have wanted to switch hosting company for a while but my contract with 123-Reg does not end until October, so I don’t really want to get an SSL certificate from them (not least as the host I am moving to does provide this as standard).
Can I get away with not having an SSL certificate until October since 123-Reg are a respectable organisation (maybe by being honest about it in both my Cookie and Website Privacy Statement and in my Privacy Policy) or should I bite the bullet and quickly take out the contract with the new host and therefore delay my launch?
Any advice welcome.
PS: Sorry if I should have put this under the “legal issues” category instead … was not sure what was the best place for it to go.