General Data Protection Regulation (GDPR): What It Means To Your Business & Your Website
From 25th May 2018 your business has needed to be GDPR (General Data Protection Regulation) compliant. Failure to comply with GDPR could lead to fines of up to €20 million or 4% of the company’s total global revenue.
Furthermore, your customers expect it of you. GDPR affects any business in the world storing information on EU citizens. GDPR protects people’s information, giving each person total control over what happens to their information. That data must always be protected and kept safe and secure.
Part of making your overall business GDPR compliant involves ensuring your website is compliant. We have thoroughly researched all the necessary requirements and tools required, and have a set procedure in place to go through each site and action all/any of the necessary steps to get your website GDPR compliant as quickly as possible.
- Your website MUST have an SSL Certificate to show that the information your customers give to you is transmitted securely and safely. Most businesses require a Dedicated SSL Certificate at £85 plus VAT pa, or there is a Shared SSL Certificate option for a personal or very small business at £35 plus VAT pa.
- All forms that people complete must have a tick box – unchecked by default – to give their consent to be contacted on a regular basis (see https://www.web-marketing.co.uk/contact as an example). We will check your forms and make any amendments necessary.
- If you sell goods online, any options in the checkout process for customers to be contacted regularly must be set to opt-out by default, or be disabled. We will action this for you if relevant.
- If you use Mailchimp (or any other bulk mail system), you will need to send out a re-permission email to your subscribers to ensure that they continue to give their permission to be emailed. Without their consent, you CANNOT email them.
NB: There are also certain things unrelated to your website that YOU need to be aware of, and if necessary to act upon. For example, whilst all third party systems that we use ourselves or recommend for our clients (i.e. Jotform, Jottacloud, Freshbooks, Mailchimp, Rackspace, and Google) are GDPR compliant, if you use any other third party systems for invoicing, CRM, data backup, databases etc., you will need to verify that they are GDPR compliant. And, if you use offline systems/applications such as Microsoft Access/Excel, it is your responsibility to ensure that information is kept safe and secure.
You can read more specific information below.
From now on, when users submit their email address in exchange for access to an e-book, brochure, etc., you are required to ask for their consent (by way of a checkbox on the form) to be contacted, instead of assuming they want to be contacted. And consent should be optional, so that they can download the e-book without giving consent for you to contact them.
You’ll need to be able to provide evidence that a user has opted in to receive emails from you, which you will have anyway if the person has submitted a form on your website with the consent box ticked.
If you’re using CRMs or invoicing systems, you need to make sure the companies that built those systems are, themselves, GDPR compliant. They should have information about this on their website; otherwise they would need to be contacted.
GDPR-Day
After 25th May 2018 you can only email users who have actively, freely and willingly opted in to receive messages from you.
If subscribers have not explicitly opted in to your mailing list, you’ll need to ‘re-permission’ that mailing list. That means if a client exports the entries from a contact form on your website and adds those email addresses to a mailing list, those people never opted in to be actively emailed by that business. So if you plan to contact them again, you would need to send out an email asking for consent from each person on your mailing list if they would like to be contacted by you. And this had to be done by 25th May 2018.
In that email you send to your mailing list to get ‘re-permission’ you need to say:
- How you got their personal details.
- Why you are contacting them.
- What sort of content you will send them in the future if they opt in.
- How they can update their communication preferences and opt out.
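The two points above that are easiest to get wrong in practice are recording evidence that a person actually opted in, and working out which addresses on an existing list never did and therefore need the re-permission email. The following is an added example (not code from the original page or from Web Marketing) showing one way a website's form handler can do both; the form field name `marketing_consent`, the consent wording and the sample addresses are all constructed for the example.

```python
# Added example: explicit, optional, evidenced consent on a download form.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib

# Exact wording shown beside the checkbox, stored with every record so the
# evidence shows what the person agreed to (constructed sample text).
CONSENT_TEXT = "Yes, you may email me about new guides and offers."
# Values a browser sends for a ticked checkbox; an absent field means unticked.
TICKED = {"on", "yes", "true", "1"}

@dataclass
class ConsentRecord:
    email: str
    consented: bool     # True only when the box was explicitly ticked
    consent_text: str
    form_id: str
    recorded_at: str    # ISO 8601 timestamp, UTC
    ip_hash: str        # salted hash of the source IP: evidence of origin without storing the raw address

def record_consent(form: dict, form_id: str, source_ip: str,
                   salt: str = "example-salt", now: Optional[datetime] = None) -> ConsentRecord:
    """Build the evidence record for one submission.
    A missing or unticked 'marketing_consent' field means no consent; the
    download request itself is still accepted, so consent stays optional."""
    ticked = str(form.get("marketing_consent", "")).strip().lower() in TICKED
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    ip_hash = hashlib.sha256((salt + source_ip).encode()).hexdigest()[:16]
    return ConsentRecord(form["email"].strip().lower(), ticked, CONSENT_TEXT, form_id, stamp, ip_hash)

def may_email(email: str, log: list) -> bool:
    """True only if the most recent record for this address is a consent.
    Records are assumed to be appended to the log in time order."""
    hits = [r for r in log if r.email == email.strip().lower()]
    return bool(hits) and hits[-1].consented

def needs_repermission(mailing_list: list, log: list) -> list:
    """Addresses on a mailing list with no evidenced opt-in: these are the
    people who must receive the re-permission email before any other mail."""
    return [e for e in mailing_list if not may_email(e, log)]

if __name__ == "__main__":
    log = [record_consent({"email": "Ann@Example.com", "marketing_consent": "on"}, "ebook", "203.0.113.5"),
           record_consent({"email": "bob@example.com"}, "ebook", "203.0.113.6")]
    print(needs_repermission(["ann@example.com", "bob@example.com", "carol@example.com"], log))
```

Keeping the consent wording, form id and timestamp with each record is what turns "they filled in a form" into evidence of a freely given opt-in.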
If you’re collecting an email address on a registration form for an event, you should provide details on why you need that email address and how you’re planning to use it.
When asking for permission to email that person, you must avoid any pre-ticked boxes as these are considered implied consent and not freely given.
You should also, if you are using a mass-mailing system, ensure that it is easy to unsubscribe from emails. Take Mailchimp, for example: when you click Unsubscribe, you are taken to a webpage that does exactly that and tells you that you are unsubscribed. In other words, you don’t have to follow a rigorous process to unsubscribe.
Collecting and Storing Data Securely
GDPR states that you need to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
This starts with encrypting any data that is submitted to your website, which is what GDPR recommends in Article 32. This stops the data from being intercepted while it travels between the visitor and your site. An SSL certificate must be installed on your site so that this data is encrypted.
- Don’t assume people want to be contacted by you – get firm consent from the person before you contact them.
- Always have a tick box on forms asking for permission to contact the customer regularly. Ensure that tick box is not automatically ticked. The customer MUST tick this box themselves.
- Third party systems (CRMs/invoicing) must be GDPR compliant if you’re storing customer data on them.
- Re-permission subscriber lists if you didn’t receive permission in the first place to contact them regularly.
- Explain in simple terms what you will do with a customer’s email address if they opt in to be contacted.
- SSL certificates are essentially mandatory to have on websites as of 25th May 2018 (GDPR-Day).