Making your website GDPR compliant
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of changes to the way data is captured, and it will affect every website in the EU. The purpose of the change is to give everyone better control over the data that can be captured and used about them. Any person you hold information on has the right to request that you erase their data, so if a user asks you to remove their data from your systems, you have to do so.
When does it come into effect?
25th May 2018, so not long now!
Who will this affect?
Any company that holds, collects or uses customer data for its marketing or business communications. If this is something you or your website does, you’ll need to review your processes and ensure they’re compliant by the deadline.
What are the consequences of not being GDPR-compliant?
Well, I hope you’re sitting down. Worst case scenario, the associated fines of non-compliance are up to £20 million, or 4% of your global turnover — whichever is greater. Yep, you read that right.
But the UK is leaving the EU! So I don’t really need to worry, right?
Wrong.
We’re not out of the EU yet! When the GDPR comes into effect, the UK will still be in the union. Unless you’re planning on denying EU citizens or residents access to your products or services, you’ll still need to follow the new rules or pay the fines.
So how do you make your website GDPR compliant?
Forms: Active opt-in
Most of us have forms on our websites that invite visitors to subscribe to newsletters or indicate their contact preferences. From now on, the check-boxes attached to these forms will need to default to “no” or be left blank. You can’t force your users to actively opt out via pre-selected tick-boxes any more. This needs to be changed by May.
Unbundled opt-in
In addition, you need to set out the options separately and in plain English. For example, acceptance of your terms and conditions needs to be clearly separated from your mail-out permissions. It must be totally clear what action users are taking by selecting each option.
Granular opt-in
If you intend to contact your users or send them information, they need to be able to give separate consent for each type of communication (post, email, SMS, telephone, etc.). For example, they need to be able to tick email communications but not post, if they want to.
Make it easy to withdraw consent
It needs to be as easy to withdraw permissions as it was to grant them. Simple.
So make sure your contact preferences page is really, really easy to find.
Named parties
What exactly are they agreeing to? Your web forms must clearly identify each party for which consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations; each organisation now needs to be named.
For example, John Lewis’ forms ask for permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.
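The five form rules above (nothing pre-ticked, terms kept apart from marketing permission, one decision per channel, withdrawal as easy as granting, and consent recorded against a named party) can be enforced in the code that receives the form rather than left to the markup. The following is an added example written for this article, not code from the original post or from any of the retailers it mentions; the party names, channel list and user ids are constructed placeholders.

```javascript
// Added example, not code from the original article. It models the consent
// rules described above: every box starts unchecked, terms acceptance is a
// separate decision from marketing permission, consent is held per channel
// and per named party, and withdrawal is the same single call as granting.
// Party names are constructed placeholders.

const CHANNELS = ["email", "post", "sms", "telephone"];
const PARTIES = ["Example Retail Ltd", "Example Financial Services Ltd"]; // constructed

// Initial form state: one checkbox per party per channel, all unchecked (active opt-in).
function initialFormState() {
  const state = {};
  for (const party of PARTIES) {
    state[party] = {};
    for (const channel of CHANNELS) state[party][channel] = false;
  }
  return state;
}

class ConsentStore {
  // `now` is injectable so records carry a deterministic timestamp in tests.
  constructor(now = () => new Date()) {
    this.now = now;
    this.records = [];              // append-only log of grant/withdraw decisions
    this.termsAccepted = new Map(); // userId -> ISO timestamp of acceptance
  }

  // Handle a form submission. `termsAccepted` is mandatory for the service but
  // is recorded on its own and never read as consent to any communication.
  // A marketing object with nothing ticked is valid and records nothing.
  recordSubmission(userId, { termsAccepted, marketing }) {
    if (termsAccepted !== true) throw new Error("terms must be explicitly accepted");
    this.termsAccepted.set(userId, this.now().toISOString());
    for (const [party, channels] of Object.entries(marketing || {})) {
      if (!PARTIES.includes(party)) throw new Error(`unknown party: ${party}`);
      for (const [channel, ticked] of Object.entries(channels)) {
        if (!CHANNELS.includes(channel)) throw new Error(`unknown channel: ${channel}`);
        // Only a literal true counts; a missing or falsy value is not consent.
        if (ticked === true) this.set(userId, party, channel, true);
      }
    }
  }

  // Grant (granted=true) or withdraw (granted=false) one permission.
  set(userId, party, channel, granted) {
    this.records.push({ userId, party, channel, granted, at: this.now().toISOString() });
  }

  // Current position is the most recent record for that triple; absent means no.
  hasConsent(userId, party, channel) {
    let granted = false;
    for (const r of this.records) {
      if (r.userId === userId && r.party === party && r.channel === channel) granted = r.granted;
    }
    return granted;
  }

  // Everything the user currently allows, laid out for a preferences page.
  currentPreferences(userId) {
    const prefs = {};
    for (const party of PARTIES) {
      prefs[party] = {};
      for (const channel of CHANNELS) prefs[party][channel] = this.hasConsent(userId, party, channel);
    }
    return prefs;
  }

  // Right to erasure: remove every record held about the user. Returns how many.
  erase(userId) {
    const before = this.records.length;
    this.records = this.records.filter((r) => r.userId !== userId);
    this.termsAccepted.delete(userId);
    return before - this.records.length;
  }
}
```

The store is an append-only log rather than a single flag per user, so you can show when each permission was granted or withdrawn, and the preferences page is just `currentPreferences(userId)` rendered back into the same checkboxes, which keeps withdrawal exactly as easy as the original opt-in.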
Privacy notice and terms and conditions
You’ll also need to update your terms and conditions on your website to reference GDPR terminology. You’ll particularly need to make it clear what you intend to do with the information once you’ve received it, and how long you’ll retain this information both on your website and elsewhere. You’ll also need to communicate how and why you’re collecting data, so you should transparently detail any software or applications you’re using to help facilitate that.
Online payments
If you’re an e-commerce business using a payment gateway for financial transactions, you also need to be aware of whether your own website collects any personal data before passing the details on to the payment gateway.
If your website is storing these personal details after the information has been passed on, you’ll need to modify your web processes to remove any personal information after a reasonable period. The GDPR legislation is apparently not explicit about the number of days, but it could be, say, 60 days.
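Two checks follow from the two paragraphs above: make sure raw card numbers never land in your own order store (only the gateway’s reference should), and clear personal fields from orders once they pass your retention period. The code below is an added example written for this article, not code from the original post or from any payment gateway; the 60-day default is the article’s illustrative figure, not a number the regulation sets, and the sample orders, field names and gateway references are constructed.

```javascript
// Added example, not code from the original article. It covers the two points
// above: check that raw card numbers never reach your own order store (only the
// gateway's reference should), and strip personal fields from orders once they
// are older than a retention period. The 60-day default is the article's
// illustrative figure, not a requirement set by the regulation. Sample orders
// and field names are constructed.

// Luhn check, so a run of digits is only flagged when it is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when a value, with spaces/dashes removed, is 13-19 digits passing Luhn.
function looksLikeCardNumber(value) {
  if (value === null || value === undefined) return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Return the names of any fields on an order that appear to carry a card number.
// Call this before persisting; a non-empty result means the record must not be stored.
function cardDataFields(order) {
  return Object.entries(order)
    .filter(([, v]) => looksLikeCardNumber(v))
    .map(([k]) => k);
}

// Personal fields that are cleared once the retention period has passed. The
// order id, amount, date and gateway reference stay for accounting.
const PERSONAL_FIELDS = ["customerName", "email", "billingAddress", "phone"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Redact personal fields on every order placed more than `retentionDays` ago.
// Idempotent: already-redacted orders are skipped. Returns the number redacted.
function redactExpiredOrders(orders, now, retentionDays = 60) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  let redacted = 0;
  for (const order of orders) {
    if (order.redactedAt) continue;
    if (new Date(order.placedAt).getTime() > cutoff) continue;
    for (const field of PERSONAL_FIELDS) {
      if (field in order) order[field] = null;
    }
    order.redactedAt = now.toISOString();
    redacted++;
  }
  return redacted;
}

// Constructed sample data for a run against a fixed clock.
function sampleOrders() {
  return [
    { id: "ord-1001", placedAt: "2018-02-01T10:00:00Z", amount: 4999, currency: "GBP",
      gatewayRef: "gw_ref_placeholder_1", customerName: "A. Example",
      email: "a@example.com", billingAddress: "1 Example Street", phone: "0000 000000" },
    { id: "ord-1002", placedAt: "2018-05-01T10:00:00Z", amount: 1250, currency: "GBP",
      gatewayRef: "gw_ref_placeholder_2", customerName: "B. Example",
      email: "b@example.com", billingAddress: "2 Example Street", phone: "0000 000001" },
  ];
}
```

Run `redactExpiredOrders` from a scheduled job with the real clock; because it skips records that already carry `redactedAt`, rerunning it is safe, and the accounting fields survive so your sales totals do not change when the personal details go.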
Google Analytics
Loads of websites these days are configured to use Google Analytics to track user behaviour. Luckily, it has always been an anonymous tracking system — there’s no “personal data” being collected. So it seems that GDPR might not have much of an impact on its usage.