Simple Guide to Website GDPR Compliance
Just in case it has passed you by, the General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018. In this simple guide to website GDPR compliance, we look at what you need to do to make your website compliant whilst also improving user experience and satisfaction, which is essentially the reason that the law has been put in place.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation designed to put the consumer and citizen first and deliver ‘greater transparency, enhanced rights for citizens and increased accountability’. GDPR is intended to be ‘an evolution in data protection’ rather than the dramatic change that some are fearing. There is a lot of free information out there on the regulation, and a good place to start would be the Information Commissioner’s Office (ICO) website, where there is a really useful guide, together with a checklist and some practical tips. There is also a blog where the ICO tries to keep people informed on issues and dispel some of the fear that has been spread.
How to Make Your Website GDPR Compliant
Every website is different and every business has different data collection needs. A sophisticated ecommerce site will be very different from a simple brochure site that simply aims to generate business enquiries. However, here are 11 things to think about and look at:
- Forms
Sites can no longer automatically opt people in to receiving marketing communications and the like; they must ask people to actively opt in, i.e. choose to subscribe to receive communication.
Nor can they bundle the opt-in with agreeing to terms and conditions; acceptance of the T&Cs must be set out separately from opting in to receiving communication.
People must also be allowed to choose how you will communicate with them, e.g. by email, SMS, phone or post.
- Easy to Opt-Out or withdraw permission
It must be as easy to remove consent as it was to grant it, and individuals always need to know that they have the right to withdraw their permission.
It must also be easy to choose, where necessary, the streams of communication that they receive, or change the frequency of communication.
You also need to clearly provide the contact information for your Data Protection Officer, or whoever is responsible for managing personal data, so that enquiries can be made.
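To show what the form and opt-out rules above mean in practice, here is an added example (not code from the original post) of a small consent-record module: it rejects forms that pre-tick or bundle consent, only records channels the user explicitly chose, and makes withdrawal a single call. All field names and the record shape are hypothetical assumptions.

```javascript
// Added example, not part of the original post. Field names are hypothetical.
const CHANNELS = ["email", "sms", "phone", "post"];

// Checks a form definition: consent must be its own unticked, optional box,
// and T&C acceptance must be a separate box, not bundled with marketing.
function checkConsentForm(fields) {
  const problems = [];
  const consent = fields.find((f) => f.name === "marketing_consent");
  const terms = fields.find((f) => f.name === "accept_terms");
  if (!consent || !terms) problems.push("consent and T&C acceptance must be separate fields");
  if (consent && consent.checked) problems.push("marketing consent must not be pre-ticked");
  if (consent && consent.required) problems.push("marketing consent must not be mandatory");
  if (terms && terms.checked) problems.push("T&C acceptance must not be pre-ticked");
  return problems;
}

// Builds a consent record from a submitted form. An unticked box is simply
// absent from the submission, so only an explicit `true` counts as consent.
function recordConsent(submission, now = new Date()) {
  if (submission.accept_terms !== true) throw new Error("T&Cs not accepted");
  const optedIn = submission.marketing_consent === true;
  const channels = optedIn ? CHANNELS.filter((c) => submission["channel_" + c] === true) : [];
  return {
    email: submission.email,
    termsAccepted: true,
    marketing: channels.length > 0, // consent without a chosen channel is no consent
    channels,
    grantedAt: now.toISOString(),
    withdrawnAt: null,
  };
}

// Withdrawal is as easy as granting: one call, for one channel or for all.
function withdrawConsent(record, channel = null, now = new Date()) {
  const channels = channel ? record.channels.filter((c) => c !== channel) : [];
  return {
    ...record,
    channels,
    marketing: channels.length > 0,
    withdrawnAt: channels.length > 0 ? record.withdrawnAt : now.toISOString(),
  };
}

// The only question a mailing job should ask before sending anything.
function mayContact(record, channel) {
  return record.marketing === true && record.channels.includes(channel);
}
```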
- What If I Only Store Legitimate Customer Enquiry Data
If a customer gives you their details so that you can contact them in the course of your business, e.g. because they want a quote or a follow-up, you can hold this data for as long as is reasonable and necessary to conduct your business. This will obviously depend on how long it typically takes you to process an enquiry or order and how complex it is. In some industries this can be a few days or even hours, whereas in others it could be months or even years. This does not, however, give you the right to contact them about other areas of your business or to cross-sell to them. You will need to get them to opt in to do that.
- Sharing Data
It is no longer enough to say that you will be sharing your user data with third-party organisations; you now need to name those organisations, even if they are related to your own organisation.
- Privacy Notice and Terms and Conditions Page
The ICO suggests that the most common way for an organisation to be transparent, and to give individuals accessible information on how it uses their personal data in accordance with the Data Protection Act 1998 and GDPR, is a privacy notice.
The ICO has also created a sample notice (below) which they have ‘tested with members of the public’ and which, in their view, ‘constitutes good practice when seeking consent for direct marketing’.
- Online Payments
If you are taking online payments via a third-party payment gateway, e.g. PayPal or SagePay, you may also be collecting personal data on your site before passing this to the payment gateway.
If your website stores these personal details after the information has been passed across, then you will need to modify your processes to remove any personal information after a reasonable period, e.g. 30 or 60 days. The GDPR legislation is not explicit about how long; this relies on your own evaluation of what is necessary and reasonable. It would be useful to review your processes to understand what information you need to hold to carry out your business, and for how long you need to hold it.
- Third Party Tracking Software
If you use third-party tracking or automation software, e.g. Lead Forensics or Infinity Call Tracking, it is important to ensure that the provider is GDPR compliant and that its software is giving your users the necessary information.
- Google Analytics and Google Tag Manager
Google Analytics collects anonymous data, so no personal data is being collected and, as far as we can see, this falls outside GDPR. However, Google is quite up on the game and has published this commitment to data protection laws and GDPR specifically and, more recently, this update on GDPR.
- Encryption/SSL/https and Security
Any data that is submitted to your website must be encrypted in transit in order to comply with GDPR; this will also stop people from intercepting your data. To do this you need to install an SSL/TLS certificate on your server and move all of your website traffic over to HTTPS (Hypertext Transfer Protocol Secure), so that everything sent between the browser and your server is encrypted. Google has been encouraging sites to switch to HTTPS for a number of years, and now its Google Chrome browser will not allow people to enter data or fill in forms on a non-secure connection, so, really, there is now no excuse not to go HTTPS.
- Do you also have a Mobile App?
GDPR also applies to personal data collected through mobile apps. You need to review the data your mobile app collects, where it goes and why it is collected, to make sure it complies with the GDPR.
- It’s Not Just Your Website That Has to Be GDPR Compliant
It’s pretty likely that you will be storing personal data across your business, and you need to comply with the regulation there too. Again, the ICO 12 Step Guide is a great place to start to ensure that you are all ready for May.
So, hopefully this Simple Guide to Website GDPR Compliance sets your mind at rest and assures you that you do not need to make dramatic changes to your site to comply; it really is just a case of following common-sense rules and not trying to trick people into doing things they are not happy with. Perhaps quite a topical thought given the current Facebook/Cambridge Analytica hullabaloo. As part of our SEO and Digital Marketing Service, we will be reviewing all of our client sites to ensure compliance. If you’d like us to review your site as well, please get in touch.