How do you make your website GDPR-compliant?
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that replaces the 1995 Data Protection Directive and sets the rules for how personal data about people in the EU is collected, used and stored. Its purpose is to give individuals more control over what is held about them and what it is used for. Anyone you hold data on can ask you to erase it, and where you are only holding it on the basis of their consent you must do so; the main exception is data that another legal obligation requires you to keep, such as invoices for tax purposes.
When does it come into effect?
25th May 2018, so not long now!
Who will this affect?
Any organisation that collects, holds or uses personal data about people in the EU. That covers more than marketing: customer, supplier and employee records all count, and the regulation also applies to organisations outside the EU that offer goods or services to people inside it. If you have an inkling that’s you, you’ll need to review your processes and make sure they’re compliant by the deadline.
What are the consequences of not being GDPR-compliant?
Well, I hope you’re sitting down. The worst-case fine for non-compliance is up to €20 million or 4% of your annual worldwide turnover, whichever is greater. Yep, you read that right.
But the UK is leaving the EU! So I don’t really need to worry, right?
We’re not out of the EU yet! When the GDPR comes in to effect, the UK will still remain in the union.
The Great Repeal Bill (formally the European Union (Withdrawal) Bill) carries existing EU law into UK law on the day we leave, and the Data Protection Bill now going through Parliament writes the GDPR standard into UK law directly. The government has said it intends to keep to GDPR so that data can continue to flow smoothly between the UK and the EU after we leave.
And just in case you needed another reason: GDPR applies to anyone offering goods or services to people in the EU, wherever the business is based. So unless you’re planning to turn away every EU visitor, you’ll still need to follow the new rules or risk the fines.
So how do you make your website GDPR compliant?
1. Forms: Active opt-in
We’ve all got forms on our websites inviting visitors to subscribe to newsletters or set their contact preferences. The check-boxes attached to these invitations must now default to unticked. A pre-ticked box that the user has to untick in order to opt out doesn’t count as consent at all under GDPR, because consent has to be a clear affirmative action by the user, so any pre-selected boxes need to go by May.
2. Unbundled opt-in
In addition to the above, you need to set out each option separately and in plain English. Accepting your terms and conditions, for example, must be a separate step from granting contact permissions, and you can’t make marketing consent a condition of signing up for the service itself. It must be totally unambiguous what someone is agreeing to when they tick a box.
3. Granular opt-in
Your users need to be able to give separate consent for each type of communication (post, email, SMS, telephone and so on). For example, they must be able to tick email but not post if that’s what they want.
4. Make it easy to withdraw consent
It needs to be as easy to withdraw consent as it was to give it. Simple. So make your contact-preferences page really easy to find, put an unsubscribe link in every marketing email, and make sure a withdrawal is actually acted on promptly in every system that holds the data, not just the one the user can see.
5. Named parties
What exactly are they agreeing to? Your web forms must clearly identify each party the consent is being granted to: your own organisation and any third party that will rely on it. It isn’t enough to refer to “selected partners” or even to defined categories of third-party organisations; they now need to be named.
For example, John Lewis’ forms ask for permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.
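The five points above describe one procedure, so here is a single worked example of it. This is added example code, not code from the original article or from John Lewis: the party names, the channel list, the form field naming scheme and the record layout are all assumptions made for the illustration. It renders a form with no pre-ticked boxes and a separate terms box, turns the posted form body into one dated, per-party, per-channel consent record (an unticked box is recorded as “not granted”, never as consent), records withdrawals in the same shape, and answers the “who consented, how and when” question that the later section on checking your existing data asks.

```javascript
// Added example (not from the original article): capturing marketing consent
// so that it is active, unbundled, granular, revocable and tied to named
// parties. Party names, channels, field naming scheme and record layout are
// assumptions made for this illustration.

const PARTIES = ["Waitrose", "John Lewis", "John Lewis Financial Services"];
const CHANNELS = ["email", "post", "sms", "telephone"];

// One checkbox per (party, channel) pair, e.g. consent[Waitrose][email].
function fieldName(party, channel) {
  return `consent[${party}][${channel}]`;
}

// Build the form body. No box carries a `checked` attribute (active opt-in),
// the terms box is a separate required field (unbundled), and every
// party/channel pair has its own box (granular, named parties).
function renderConsentForm() {
  const terms =
    '<label><input type="checkbox" name="accept_terms" value="yes" required> ' +
    "I accept the terms and conditions</label>";
  const groups = PARTIES.map((party) => {
    const boxes = CHANNELS.map(
      (ch) =>
        `<label><input type="checkbox" name="${fieldName(party, ch)}" value="yes"> ${ch}</label>`
    );
    return `<fieldset><legend>Updates from ${party}</legend>${boxes.join("")}</fieldset>`;
  });
  return [terms, ...groups].join("\n");
}

// Turn the URL-encoded body a browser posts into one dated record per
// party/channel pair. A box that was not ticked is recorded as not granted:
// absence is never read as consent. `meta` records who, how and when, which
// is what you need when someone later asks you to show their consent.
function recordConsent(formBody, meta) {
  const params = new URLSearchParams(formBody);
  if (params.get("accept_terms") !== "yes") {
    throw new Error("terms must be accepted; that is separate from marketing consent");
  }
  const timestamp = meta.timestamp || new Date().toISOString();
  const records = [];
  for (const party of PARTIES) {
    for (const channel of CHANNELS) {
      records.push({
        subject: meta.subject, // e.g. account id or a hash of the email address
        party,
        channel,
        granted: params.get(fieldName(party, channel)) === "yes",
        timestamp,
        source: meta.source, // which form or page collected it
        noticeVersion: meta.noticeVersion, // which privacy notice was shown
      });
    }
  }
  return records;
}

// Withdrawal is the mirror image: same record shape, granted=false, dated.
// Omitting parties or channels withdraws across all of them in one action.
function withdrawConsent(subject, meta, parties = PARTIES, channels = CHANNELS) {
  const timestamp = meta.timestamp || new Date().toISOString();
  const records = [];
  for (const party of parties) {
    for (const channel of channels) {
      records.push({
        subject, party, channel, granted: false, timestamp,
        source: meta.source, noticeVersion: meta.noticeVersion,
      });
    }
  }
  return records;
}

// The current answer for a subject is the most recent record for that pair.
// ISO-8601 timestamps in UTC sort correctly as plain strings.
function hasConsent(records, subject, party, channel) {
  const latest = records
    .filter((r) => r.subject === subject && r.party === party && r.channel === channel)
    .sort((a, b) => (a.timestamp < b.timestamp ? 1 : a.timestamp > b.timestamp ? -1 : 0))[0];
  return latest ? latest.granted : false;
}
```

Records are appended, never overwritten, so the history of grants and withdrawals survives and the latest one wins; that append-only log is what lets you answer an auditor or a subject access request with the date, the form and the version of the privacy notice that was shown.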
6. Privacy notice and terms and conditions
You’ll also need to update your privacy notice and terms and conditions to cover what GDPR requires you to tell people: who you are, what you’re collecting, why, on what lawful basis, who it is shared with (including the software suppliers and hosting providers that process it on your behalf), how long you’ll keep it, and how people can exercise their rights. Be specific about what you intend to do with the information once you’ve received it and how long you’ll retain it, both on your website and elsewhere.
7. Online payments
If you’re an e-commerce business using a payment gateway, be aware of the personal data your own website collects before it hands the customer over to the gateway. Card details should be entered on the gateway’s own hosted page or iframe so they never touch your server; what stays on your side is the customer’s name, contact and delivery details and the order itself.
If your website is keeping those personal details after the order has gone through, you’ll need to change your processes so that personal information is removed after a reasonable period. GDPR doesn’t set a number of days; it requires that you keep personal data no longer than necessary for the purpose, and that you decide on a period, document it and stick to it. Something like 60 days after delivery might be reasonable for contact and delivery details, while the invoice itself must be kept for as long as accounting and tax rules require.
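As an added example of the retention step just described (this is illustration code, not from the original article or any particular shop platform), the following strips the personal fields from completed orders once an assumed 60-day period has passed, while keeping the non-personal transaction record so the accounts still reconcile. The order layout, field names, status values and the 60-day figure are assumptions; an order that is still open or on a legal hold is left untouched.

```javascript
// Added example (not from the original article): stripping personal data from
// completed orders after a documented retention period while keeping the
// non-personal transaction record. Order layout, field names and the 60-day
// figure are assumptions for this illustration.

const PERSONAL_FIELDS = ["customerName", "email", "phone", "deliveryAddress"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns a fresh array of orders. An order is redacted when it completed more
// than `retentionDays` before `now`, is not still open (refund, dispute,
// undelivered) and is not on a legal hold. Its id, amount, currency and
// completion date are kept; the personal fields are nulled and the redaction
// is dated so you can show it happened.
function applyRetention(orders, retentionDays, now) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  return orders.map((order) => {
    const expired = Date.parse(order.completedAt) < cutoff;
    const mustKeep = order.status !== "completed" || order.legalHold === true;
    if (!expired || mustKeep) return { ...order };
    const redacted = { ...order };
    for (const field of PERSONAL_FIELDS) {
      if (field in redacted) redacted[field] = null;
    }
    redacted.redactedAt = now.toISOString();
    return redacted;
  });
}

// Orders that still hold personal data past the cutoff: a report to review
// before deleting, and a check that the purge job is actually doing its work.
function overdueOrders(orders, retentionDays, now) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  return orders.filter(
    (o) =>
      Date.parse(o.completedAt) < cutoff &&
      o.status === "completed" &&
      o.legalHold !== true &&
      PERSONAL_FIELDS.some((f) => o[f] != null)
  );
}

// Constructed sample orders (not real customers). Note that no card data is
// held here at all: that stays with the payment gateway.
const SAMPLE_ORDERS = [
  { id: "A100", status: "completed", legalHold: false, completedAt: "2018-01-10T12:00:00Z",
    amount: 49.99, currency: "GBP", customerName: "Jane Doe", email: "jane@example.com",
    phone: "01234 567890", deliveryAddress: "1 High Street, Example Town" },
  { id: "A101", status: "completed", legalHold: false, completedAt: "2018-05-20T09:30:00Z",
    amount: 12.5, currency: "GBP", customerName: "John Roe", email: "john@example.com",
    phone: null, deliveryAddress: "2 Low Road, Example Town" },
  { id: "A102", status: "disputed", legalHold: false, completedAt: "2018-01-05T08:00:00Z",
    amount: 200, currency: "GBP", customerName: "Sam Poe", email: "sam@example.com",
    phone: "07700 900123", deliveryAddress: "3 Mid Lane, Example Town" },
];
```

Run overdueOrders before and after the purge: if the list is empty afterwards, the job is doing what your privacy notice says it does, and the list itself is evidence you can keep.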
8. Third-party tracking software
Now, here’s where it gets a little tricky. A lot of businesses use third-party marketing automation tools, such as lead-tracking or call-tracking applications.
These tracking applications are a grey area when it comes to GDPR, and they raise some awkward questions. They often track visitors in ways those visitors wouldn’t expect, which means no consent has been given for it. For example, are you tracking each visitor every time they return to your website or view a specific page? Remember too that under the existing e-privacy rules (PECR in the UK) any cookie or similar identifier that isn’t strictly necessary for the service already needs consent, and GDPR raises the bar for what counts as consent.
Luckily, a lot of the suppliers of these applications assure us they’re GDPR-compliant. CANNDi, for example, has a whole section on GDPR compliance and advises its clients to display banners stating clearly and unambiguously that cookies are being used. A banner that merely tells people about cookies isn’t consent by itself, though: non-essential tracking shouldn’t fire until the visitor has opted in. And a supplier’s assurance doesn’t transfer your responsibility. As the data controller you need a written data-processing agreement with each provider, so review your contracts with your software providers very carefully.
9. Google Analytics
Loads of websites use Google Analytics to track user behaviour. It’s often described as anonymous, but it isn’t quite: it sets a cookie holding a client ID and receives each visitor’s IP address, and GDPR treats online identifiers like these as personal data. So GDPR does affect how you use it. At a minimum, enable IP anonymisation (the anonymizeIp setting in analytics.js), never put names, email addresses or other personal details into page URLs or custom dimensions (Google’s own terms forbid this), and cover Analytics in your privacy notice and your cookie consent.
Google has stated its commitment to complying with applicable data protection laws, says it is preparing for the new rules, and offers data-processing terms that you can accept from your Analytics account settings. Google publishes the details on its own GDPR pages.
10. Check your existing data
You’ll also need to audit the data you already have stored in various places around your business. Make sure you have a good understanding and a documented record of what you hold: who agreed to you storing their information, how they consented, and when. All of this needs to be readily available, because under GDPR the burden of demonstrating valid consent is on you. Consent collected under the old rules that doesn’t meet the GDPR standard (pre-ticked boxes, bundled permissions) can’t be relied on after May. And unless you need to keep particular data, it is a liability rather than an asset and should probably be deleted.
11. And finally, is your site and CMS secure?
Websites that use HTTPS send data over an encrypted connection, so make sure your site has a TLS certificate (still commonly called an SSL certificate), redirect every HTTP request to HTTPS, and send the HSTS header so browsers don’t fall back to plain HTTP on later visits. HTTPS only protects data in transit, though. Your CMS and hosting provider also need to address data at rest: if the database is unencrypted, poorly access-controlled or sitting behind an unpatched CMS, your contacts will be exposed in a breach, and under GDPR you have 72 hours to report a breach to the regulator.
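As an added example of the HTTPS point (illustration code, not from the original article), here is a request policy for a site that must only handle form data over an encrypted connection. It redirects plain-HTTP GETs, but refuses plain-HTTP POSTs rather than redirecting them, because by then the form contents have already crossed the network in the clear and a redirect would silently discard them. Responses over HTTPS carry HSTS. The allowed host list and the assumption of a trusted TLS-terminating proxy are assumptions for this example, and the handler shape follows Node’s http module.

```javascript
// Added example (not from the original article): HTTPS-only request policy.
// Host list and the trusted-proxy assumption are assumptions for this example.

const ALLOWED_HOSTS = ["example.com", "www.example.com"]; // assumed site hosts
const HSTS_VALUE = "max-age=31536000; includeSubDomains";

// Only trust x-forwarded-proto when a TLS-terminating proxy you control sets
// it; otherwise any client could claim HTTPS on a plain connection.
const BEHIND_TRUSTED_PROXY = true; // assumption for this example

function isSecure(req) {
  if (req.socket && req.socket.encrypted) return true;
  return BEHIND_TRUSTED_PROXY && req.headers["x-forwarded-proto"] === "https";
}

// Decide how to answer a request shaped like Node's http.IncomingMessage
// (method, url, headers, socket). Returns { status, headers, body }.
function policyFor(req) {
  const host = String(req.headers.host || "").split(":")[0].toLowerCase();
  // Redirect only to hosts we own: building the Location from an unchecked
  // Host header turns the HTTPS redirect into an open redirect.
  if (!ALLOWED_HOSTS.includes(host)) {
    return { status: 400, headers: {}, body: "unknown host" };
  }
  if (!isSecure(req)) {
    if (req.method === "GET" || req.method === "HEAD") {
      return { status: 301, headers: { Location: `https://${host}${req.url}` }, body: "" };
    }
    // The body already travelled in the clear; refuse it so the user resubmits
    // over HTTPS instead of the data quietly vanishing on a redirect.
    return { status: 403, headers: {}, body: "submit this form over HTTPS" };
  }
  return {
    status: 200,
    headers: { "Strict-Transport-Security": HSTS_VALUE, "Content-Type": "text/plain" },
    body: "ok",
  };
}

// Wiring for a Node server; the server itself is not started here so the file
// can be used as a library: https.createServer(tlsOptions, handle).listen(443)
function handle(req, res) {
  const decision = policyFor(req);
  res.writeHead(decision.status, decision.headers);
  res.end(decision.body);
}
```

The same rule should hold wherever TLS terminates: if a proxy or CDN sits in front of the site, it must be the one refusing plain-HTTP form posts, not just forwarding them on.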
So there you have it! Some useful tips on how to make your website GDPR-compliant. But it’s not just your website that will be affected; GDPR will change the way you run your entire business, and this article has focused purely on your website and digital marketing. Don’t worry, though: there are plenty of resources out there to help you get your whole business in shape by May, so keep researching the subject. The guidance from the Information Commissioner’s Office, the UK regulator, is a good place to start.