10 Steps to Make Your Website GDPR Compliant

Is your website compliant with the requirements of EU General Data Protection Regulation (GDPR) that will be enforced on the 25th May 2018?

Here are 10 changes that you need to make now so that your website will stay on the right side of the law, and to keep your customers happy.

But first, what exactly is GDPR?

The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations approach data privacy.

But aren’t we about to leave the EU?

That may well be the case. However, when GDPR comes in to enforcement, the UK will still be part of the EU. The UK will adopt all EU legislation immediately after Brexit.

OK, so how would I be affected if I took the risk?

Don’t! Business that do not comply with GDPR the day that it comes into enforcement are facing a potential fine of €20M or 4% of your turnover – and understand this, [whichever is greater]. Compliance therefore with the 2018 General Data Protection Regulation is a critical issue for your company to be addressing right now if you haven’t already done so.

Disclaimer

These are our recommendations and suggestions based on the research that we have undertaken. In order to ensure full compliance, we would advise that you seek legal advice and take the time to conduct some further reading on the subject yourself.

So what information might you be gathering?

There may be information that you are collecting via your website but you’re not actually aware of it happening – such as cookies and IP addresses. However, there will be some data that you are aware of – such as contact forms, newsletter sign-ups and e-commerce transactions.

OK, that makes sense – but what does it mean practically speaking?

We will break this down in further detail below, but practically speaking, from a website perspective, you need to first think about how your company acquires data through your website – we’re talking about personal data that can be used to identify an individual. Things like names, email address, contact numbers, IP address etc.

When individuals visit your website and interact with it, you need to make it as clear and as transparent as possible what’s happening.

You need to show what information you are gathering, offering options for consent at a granular level. You need to provide the ability for individuals to view the information you have gathered and be able to remove that information from your systems as soon as people ask you to.

1. Privacy Policy

Once you have analysed the data that you are gathering (and, if there is a lot of it, you would need to assign a Data Protection Officer (DPO) who is responsible for monitoring this data), you then need to set this out in a revised privacy policy on your website.

Your privacy policy needs to be written very clearly and cover details about how you are capturing data, where you are storing it, how long you intend to keep it for, how people can view what information you have stored and finally, how they might go about having their data removed from your systems (The right to forget).

2. Peace of mind for you & your customers with an SSL certificate

Privacy is the number one priority as part of GDPR. People want to be safe in what information they provide and, how they provide it.

A Single Socket Layer, or SSL certificate is a small file that digitally binds a cryptographic key to an organisations details. When you have one as part of your website, it activates the ‘padlock’ symbol that you see in web browsers. It provides you with that https:// in your address bar – making all of your content secure between servers, it increases your Google search engine optimisation (SEO) rankings which is a bonus and builds/enhances customer trust, resulting in improved conversion rates – especially within e-commerce websites.

3. Website Forms

Forms on your website must no longer include pre-ticked boxes. This is considered implied consent and not freely given.

Users should be able to provide separate consent for different types of processing. For example, an option to be contacted by post, email, or telephone as three separate tick boxes.

If you are asking for permission to past details onto a third party – again, you need another tick box. If you are collecting data through one website on behalf of several third-parties, then you need to clearly give an opt-in option for each party.

Offering them something like a whitepaper if they sign up to something is a great way of getting more user signup’s, but you still need to provide an opt in tick box, otherwise consent has still not been given freely.

4. Easy to Withdraw Permission or Opt-Out

It must be a simple process to remove a user’s consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means providing a way of unsubscribing on your email marketing and providing a link via your website also – this may be best placed in your website’s privacy policy.

5. Cookies

As per the 2011 regulation The Privacy and Electronics Communication Regulation, advertising the use of and requiring acceptance of cookies became law. The use of cookies should also be outlined in your privacy policy and what the information collected will be used for. Users also can opt out of cookie tracking in their browser’s privacy settings. It is worth giving the user this advice.

If you are using third-party plugins such as Google Analytics to capture autonomous data, then you still need to make your users aware of this via your privacy policy.

6. IP Tracking

There are many software providers that will give you a tracking code to embed on your site, so that they can they provide you with identifiable details of your visitors. This is different to the anonymous data that can be found in Google Analytics. You will need to make sure that any IP tracking you do is also stated in your privacy policy as IP addresses are classed as ‘personal data’.

If your website has a blog element to it where users can leave comments or sign up to a news feed, the chances are their IP address is being stored in your websites database and therefore, you need to let people know about this.

7. Social Media Advertising

If you’re planning on using email addresses to build lists for social media advertising, you will need to tell your users about this. They will need to opt into the social media marketing (as a granular tick box) and, also be offered the option to opt out too.

8. Re-Marketing

This works by using cookies to track your activity online. You will specifically need to outline in your privacy policy that cookies are being used in this way if your website takes part in this type of activity.

9. Online Payments

If you are an e-commerce business, you are likely to be using a payment gateway for financial transactions – PayPal, Stripe, SagePay etc.

Your own website may be collecting personal data before passing these details onto the payment gateway. If this is the case, you will most certainly require an SSL certificate to make sure this information is properly encrypted.

If your website is then storing these personal details after the information has been passed along then you will need to modify your privacy policy and web processes to remove any personal information after a reasonable period, for example, 90 days.

The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary. You simply need to be prepared to provide the details you have to an individual who asks for it and, remove the data if an individual asks you to.

10. Data Breaches

The GDPR introduces a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office website (ICO), and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant disadvantage.

To recap then:

The GDPR says that your privacy information must be ‘concise, transparent, intelligible and easily accessible; written in clear and plain language – particularly if addressed to a child; and free of charge.’

It would be wise to revisit your existing privacy policy.

The key point here is the language that is used is simple and easy to understand, as jargon will not be acceptable under the GDPR rules.

Make yourself aware of where data on your website is coming from, where it is being stored and how it is being processed.

Give everyone the choice to opt into any data, give them the ability to opt out and view/have their data removed from your systems easily.

Encrypt your website with an SSL certificate which not only brings confidence to your users, but also helps to boost your rank in search engines.

If you’ve got any questions, we’d love to hear from you.

You may also like

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close