General Data Protection Regulation (GDPR) and your website.
- GDPR applies to personal data of all contacts, held digitally or on paper.
- Personal data should only be held or processed with expressly obtained consent.
- Individuals may ask for, and be given, any data held on them, and can request its deletion.
- Processing must be documented.
- Data breaches must be notified to the ICO (Information Commissioner's Office).
- Information should not be shared with any other body without explicit consent.
- Access to personal data should be restricted and it should be held securely.
- Data should not be retained for longer than is necessary, and should be securely destroyed once it is no longer needed.
- Registration with ICO is not a requirement for smaller not-for-profit and some small organisations who only process personal data for core business purposes.
Issues to consider
Your website almost certainly uses cookies. These may not identify users (by name or IP address) unless they have explicitly logged in or provided some personal identifier perhaps via a social network tool linked to the site. Cookie consent should be obtained from users where you make any use of personal data.
If you have a contact form, the data it collects may be stored on the website as well as emailed to you. This would almost certainly include names and email addresses. Such data should not be retained for longer than necessary: either the contact form should not store any data on the server, or the stored data should be deleted periodically as an admin task. Since contact messages from websites have been known to go astray, an online copy of submitted messages is useful; so if storage is currently in place it is probably best to retain the functionality and to delete old messages and contact data periodically.
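The periodic deletion described above can be scripted rather than done by hand. The following is an added example, not code from the original guidance; it assumes a hypothetical SQLite table `contact_messages` with an ISO-8601 `submitted_at` column and a 90-day retention period, and seeds a few constructed rows so it runs offline. It also enables SQLite's `secure_delete` pragma so that deleted rows are overwritten rather than left in free pages on disk.

```python
"""Added example (not part of the original guidance): purge contact-form
submissions older than a retention period from a SQLite table.

Assumptions (hypothetical, not from the page): the form stores rows in a
table `contact_messages` with an ISO-8601 UTC `submitted_at` column.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed retention period; set it to your documented policy

SCHEMA = """
CREATE TABLE IF NOT EXISTS contact_messages (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    email TEXT NOT NULL,
    message TEXT NOT NULL,
    submitted_at TEXT NOT NULL  -- ISO-8601 UTC timestamp
);
"""


def open_db(path=":memory:"):
    """Open the database and make sure deleted rows are overwritten on disk."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = ON")
    conn.executescript(SCHEMA)
    return conn


def seed_sample_messages(conn, now):
    """Insert constructed sample rows: two past retention, one recent."""
    rows = [
        ("Alice Example", "alice@example.test", "Hello", now - timedelta(days=400)),
        ("Bob Example", "bob@example.test", "Question", now - timedelta(days=91)),
        ("Carol Example", "carol@example.test", "Recent", now - timedelta(days=5)),
    ]
    conn.executemany(
        "INSERT INTO contact_messages (name, email, message, submitted_at) "
        "VALUES (?, ?, ?, ?)",
        [(n, e, m, t.isoformat()) for n, e, m, t in rows],
    )
    conn.commit()


def purge_expired_messages(conn, now, retention_days=RETENTION_DAYS):
    """Delete every message submitted before (now - retention_days).

    Returns the number of rows removed so the admin task can log the run.
    ISO-8601 strings in the same format compare correctly as text.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "DELETE FROM contact_messages WHERE submitted_at < ?", (cutoff,)
    )
    conn.commit()
    return cur.rowcount


def count_messages(conn):
    """Number of messages still held after a purge."""
    return conn.execute("SELECT COUNT(*) FROM contact_messages").fetchone()[0]


def run_demo(retention_days=RETENTION_DAYS):
    """Seed the sample rows and purge; returns (rows_removed, rows_retained)."""
    now = datetime.now(timezone.utc)
    conn = open_db()
    seed_sample_messages(conn, now)
    removed = purge_expired_messages(conn, now, retention_days)
    return removed, count_messages(conn)


if __name__ == "__main__":
    removed, retained = run_demo()
    print(f"removed {removed} expired messages, {retained} retained")
```

Run it from a scheduled job (cron or similar) pointed at the real database path, and keep the logged count with your processing records; if the site uses a different database engine, only the connection and the `PRAGMA` line need changing.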
If you have an email list for newsletter mailings etc., you should be certain that you have express consent to hold people's data and for each of the ways they are contacted (multiple lists etc.).
If you have e-commerce on your site and retain any customer data, any personal information you do not have consent to retain should be removed after a reasonable period.
If you have analytics on your site to track website visitors, you should make sure that it does not carry personal information. Normally it will only do so if you have advertising features with data collection enabled, in which case you would need user consent.
Other third-party website plugins (social networks, sharing buttons etc.) need consent if they track users.
A privacy policy ought to be available on your site which explains to users how you handle their information and how long it is retained.
If you have Terms and Conditions, these should also refer to GDPR.
More information
ICO GDPR Checklist
Note: the above is not exhaustive and cannot be assumed to constitute official guidance.