How to get your website GDPR compliant

What is GDPR?

GDPR (General Data Protection Regulation) is new legislation coming into effect from 25th May 2018 which gives you as an individual more rights and protection over your personal data.

Companies will have to be transparent about what data they hold about you and why, will no longer be able to spam you with unwanted marketing material, nor share your data with third parties without your knowledge. In our opinion this is a hugely positive step forward for the rights of the individual in the context of the current multi-billion dollar data industry and wake of the Facebook/ Cambridge Analytica scandal.

Which businesses does GDPR impact?

GDPR affects all businesses operating within the EU in terms of how they collect, use, share and store personally identifiable data such as names, addresses, phone numbers and emails. There is a misconception that GDPR only affects B2C businesses. GDPR also affects B2B businesses because client and employee names, emails and job roles can all be used to personally identify individuals.

How will businesses need to change?

Businesses will need to have new policies, processes, documentation and contracts in place by 25th May 2018. As part of this, your website will need to be GDPR compliant. However, it’s important to note that your website is largely a reflection of your internal policies and processes; you can’t update your website without first looking at your business. So before we jump into how to get your website GDPR compliant, let’s start with reviewing some of the key aspects your business will need to consider in light of GDPR.

Going forward, you must be up front and honest about how you will use personal data e.g. letting individuals know why you’re collecting it and what you will do with it. You must ensure that all data you collect is lawfully processed e.g. if you’re an accounting firm, you can’t collect data about your clients’ political beliefs as it’s simply not relevant. You must also specifically name any third parties with whom you’re sharing personal data, and have new contracts in place with them as data processors.

You must always give individuals the option to opt-in rather than opt-out of direct marketing – that means no more pre-ticked boxes saying ‘I want to receive promotions and updates’; and you should check that any individuals currently on your mailing lists have consented to receiving updates from you.

You must have adequate measures to securely store and protect personal data and can only store it for a valid time frame – this means you can’t keep data on your ex-clients years after they’ve ceased being your client. Upon request, you must also be able to give an individual a breakdown of all the data you hold about them and delete it permanently if they so wish.To see how ready your company is for GDPR, complete the governing body ISO’s checklist for getting ready for GDPR.

How to get your website GDPR ready

There are a number of things your website needs in place before 25th May 2018 to ensure GDPR compliance. Below is a checklist of the most common things most websites need to do. Please note, this is not an exhaustive list and does not constitute legal advice. Every website and business is different and you are ultimately responsible for ensuring the data you collect, use, share and store meets with GDPR requirements.  

1. Privacy policy

All websites must have a privacy policy that users can easily access from any point of your website – your website footer is a good spot for this. Your privacy policy should communicate why and how you’re collecting data, what you will do with it and how long you will retain it for (both on your website and your office systems) for each different instance where you collect personal data – for example, for users who make a general enquiry, users who purchase something, users who sign up to your newsletter, etc.

You must ensure your business has lawful grounds for collecting this data in the first place. Your privacy policy should also tell users about your complaints procedure, how to gain access to information you hold about them and how they can contact you. The policy must be written in language that is simple and easy for anyone to understand. Read the governing body ISO’s privacy policy for guidance.

 2. Cookie policy

Most modern websites use cookies. It’s already EU law to have a cookie policy that users can easily access from any point of your website that tells them what cookies your website uses. With GDPR, the rules get stricter. Many cookies – especially tracking cookies – leave traces which when combined with other information could be used to identify individuals.

Your cookie policy must be updated to name each cookie your website is using and its purpose. Just like your privacy policy, you must ensure your business has lawful grounds for collecting any personal data via cookies. The policy must be written in language that is simple and easy for anyone to understand. You can use this tool to get a list of all the cookies your website contains (they’ll be listed in the PDF report) and read the governing body ISO’s cookie policy for guidance.

3. Cookie notice

You will likely have seen a number of website cookie notices over the past few years. Sometimes these are prominent, other times more subtle. From 25th May 2018, implied consent or messages such as ‘by using this site, you accept cookies’ are no longer sufficient.

Consent for your website to use cookies must be given by the user through a clear affirmative action, such as a pop up cookie notice that gives users the option to accept or reject cookies, or choosing preferences on a settings menu. Even after giving consent, the user must be able to easily change their preferences or opt-out at any point, meaning your site needs an obvious link (such as in your footer) for the user to change their cookie settings.

4. Contact forms

If your website has contact forms they must contain a visible link to your privacy policy. Your privacy policy should have a section that explains why you’re asking for the information, what you will do with it and how long you will store it for. You must ensure you have lawful grounds for asking for the data, and if you have a long contact form that asks for a lot of data, as best practice you should explain on the form why you’re asking for the data (e.g. we ask for your birthday so that we can send you a birthday gift).

You must ensure you’re only using the data you collect for the purposes you state and that any direct marketing (such as subscribing to your newsletter) has a separate affirmative opt-in box. Contact forms should run from a supported, up to date contact form plugin and sent securely using an SSL certificate (see below). If you keep logs on the website of your contact form submissions, you need internal processes in place to protect access and ensure they’re not kept for longer than needed.

5. E-commerce and payments

E-commerce and online payments typically ask for a range of personal data including name, address and contact details. On your checkout page you should have a link to both your privacy policy (stating why and how you collect, use and store this data) and your terms and conditions of sale. You must have lawful grounds for asking for the data, only use it for the purposes you state and ensure any direct marketing (such as newsletter sign ups) has a separate affirmative opt-in box.

Payments should be taken through a supported and secure payment processor and the site must have an SSL certificate (see below). Your website is highly likely to store logs of all purchases on the website, so you also need internal processes in place to protect access and ensure they’re not kept for longer than needed.

6. Direct marketing

Users must give their consent to be added to any direct marketing lists. It’s no longer OK to add someone to your newsletter or brochure run because they filled out a contact form or downloaded an e-book. Users must be given the affirmative choice to opt-in, and your website needs to make it clear (both when they sign up and in your privacy policy) what it involves i.e. the type and frequency of communications.

If you communicate via different channels such as email, phone, SMS, post, etc., users should be able to choose which channels they want to be contacted by. You should also check that any systems you use for marketing communications (such as Mailchimp – tick!) are GDPR compliant, and that the people already on your lists have given their consent.    

7. Accounts

If your website enables users to create accounts (these are common with membership based websites and e-commerce websites) it must be obvious to the user what they’re signing up to and written in simple language anyone can understand. You should include a link to your privacy policy which explains why and how you collect, use and store this data. You must have lawful grounds for asking for the data and only use it for the purposes you state.

8. Sensitive/ special category data

If your website collects any data about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation, or any data about children, this is deemed to be more sensitive and subject to greater protection. As well as having lawful grounds for collecting it you must also satisfy a separate condition under Article 9. You can read more about special category data here.

9. SSL

It’s already recommended for all websites to have an SSL certificate. An SSL is the little green padlock symbol in an address bar that lets you know a site is secure. What it does is encrypt data sent from the website to other systems or emails (e.g. contact forms, e-commerce purchases) to ensure they’re sent securely. GDPR places a responsibility on all businesses to protect personal data, so if your website doesn’t already have an SSL certificate, make sure you have one in place before 25th May 2018.

Need some help?

If you need some help and would like to talk to us about making your website GDPR compliant, please call us on 01233 512066.