SSL Certificate & GDPR


#1

Ok, another somewhat worried email from me, I’m afraid.

I was writing my privacy policy (despite still being a little feverish) and decided to contact 123-Reg to find out whether the fact that I get my domain from them and use Office 365 means I was still storing data on their servers. As I was there, I also asked if, once I publish my website, they will store a copy of any contact form responses I receive.

After reassuring me on both counts, (that my emails are only stored in Office 365 and that I had successfully selected the option to not have Form responses stored on their servers but emailed directly to me) they said that I was, however, not GDPR compliant.

Pardon?!? … was my slightly shocked response.
They directed me to this site:

Apparently, after GDPR, any site that has a contact form and does not have an SSL certificate (which I thought I had but it transpires it did not come automatically with the package I chose so I actually only have domain privacy) is not compliant.

Is having an SSL a requirement to get accreditation? I have wanted to switch hosting company for a while but my contract with 123-Reg does not end until October, so I don’t really want to get an SSL certificate from them (not least as the host I am moving to does provide this as standard).

Can I get away with not having an SSL certificate until October since 123-Reg are a respectable organisation (maybe by being honest about it in both my Cookie and Website Privacy Statement and in my Privacy Policy) or should I bite the bullet and quickly take out the contract with the new host and therefore delay my launch?

Any advice welcome.
PS: Sorry if I should have put this under the “legal issues” category instead … was not sure what was the best place for it to go. :blush:


#2

Unfortunately it’s not a case of does comply vs does not comply… It massively depends on what forms you are using and where that data is held and how it’s held and what it is. Not a “one size fits all” unfortunately!!!

You might want to make use of ICO’s helpline: https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/


#3

I hadn’t thought of that :roll_eyes:
I’ll call them tomorrow and report back in case it’s useful to anyone else.

Thanks again :blush:


#4

Sorry - I’m not really au fait with what an SSL is and thought it’s for the likes of securing data. Which maybe it is, or maybe it’s more than that. But if you only need it for the Contact Form, couldn’t you scrap having one until October, if that’s when you said there’s a change? Simply put your contact details instead - email and phone specifically. I’m not having one on my site (I hate filling them in), although I’ve no idea if most prefer to do so. Just an idea but scrap if a rubbish one :slight_smile:


#5

This is indeed the option I have chosen to adopt given that the ICO, would you believe(?!), does not give “specific advice” :roll_eyes: and just directs you to their guides that are all but informative on this issue.

I personally feel I could have gotten away with it, since the information was going to be sent directly to my Outlook Inbox, but I suppose there is a small risk of hacks … and since they can put some frightening hidden worm or goodness knows what which could steal the information as it was entered into the contact form, and that I know too little about the world of Cyber Security (see my previous panicked post on the subject), I have opted for the safe option.

Anyway … hope my working my way through this will be useful to someone out there and thanks to both of you for your support :star:

Anna :slight_smile:
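The exposure the thread is circling is data in transit: a contact form on a page served over plain HTTP posts the visitor's details unencrypted, and the certificate (TLS) is what closes that gap, regardless of where the email finally lands. A small pre-launch check, added here as an example and not part of the original thread, walks a page's HTML and flags any form whose resolved action URL is not `https`. The page URL and HTML are constructed for the example; the `.test` hostnames are placeholders.

```python
"""Pre-launch check: flag contact forms that would submit visitor data
over plain HTTP (no TLS). Added example; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect the action/method of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)  # attribute values may be None
            self.forms.append({
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
            })


def audit_forms(page_url, html):
    """Return one finding per form: resolved action URL, method, and
    whether the submission would travel over TLS (https)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty action means the form posts back to the page itself,
        # so the page's own scheme decides whether the data is protected.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlparse(target).scheme.lower()
        findings.append({
            "action": target,
            "method": form["method"],
            "secure": scheme == "https",
        })
    return findings


def insecure_forms(page_url, html):
    """Only the forms that would send visitor data in the clear."""
    return [f for f in audit_forms(page_url, html) if not f["secure"]]


def page_served_securely(page_url):
    """True when the page itself is loaded over https."""
    return urlparse(page_url).scheme.lower() == "https"


# Constructed sample: a site that has domain privacy but no certificate,
# so the page is served over http. Hostnames ending in .test are placeholders.
PAGE_URL = "http://www.example-site.test/contact"
SAMPLE_HTML = """
<html><body>
  <form action="/contact" method="post">
    <input name="email"><textarea name="message"></textarea>
  </form>
  <form action="https://forms.example-provider.test/submit" method="post">
    <input name="email">
  </form>
  <form method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print("page over TLS:", page_served_securely(PAGE_URL))
    for f in insecure_forms(PAGE_URL, SAMPLE_HTML):
        print("INSECURE", f["method"].upper(), f["action"])
```

Run against the constructed page, the relative-action form and the action-less form are flagged because they inherit the page's `http` scheme, while the form that posts to an `https` endpoint is not. The check is deliberately conservative: a form on an `http` page is still exposed even if its action is `https`, because the page (and any script on it) arrived unprotected, which is why `page_served_securely` is reported alongside the per-form results.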


#6

Well done. Better to be safe than sorry. Always good too when there’s a quick fix which is equally workable.