How do you make sure your website is GDPR compliant?
1. Forms: Active opt-in
We’ve all got forms on our websites which invite our visitors to subscribe to newsletters or indicate their contact preferences. Now, the check-boxes attached to these invitations will need to be defaulted to “no” or be blank. You can’t force your user to actively opt-out with pre-selected tick-boxes any more; that’s classed as bad user experience, and definitely needs to be changed by May.
2. Unbundled opt-in
In addition to the above, you need to clearly set out the options separately and in plain English. For example, the acceptance of your terms and conditions needs to be clearly separated from your contact permissions. It needs to be totally unambiguous what action they’re taking by selecting these options.
3. Granular opt-in
Your users need to be able to provide separate consent for different types of communication (post, email, SMS, telephone, etc.). For example, they need to be able to tick email communications, but not post, if they want to.
4. Make it easy to withdraw consent
It needs to be as easy to withdraw permissions as it was to grant them, so make sure your contact preferences page is really, really easy to find.
5. Named parties
What exactly are they agreeing to? Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to list specifically defined categories of third-party organisations; they now need to be named.
6. Privacy notice and terms and conditions
You’ll also need to update your terms and conditions on your website to reference GDPR terminology. You’ll particularly need to make it clear what you intend to do with the information once you’ve received it, and how long you’ll retain this information both on your website and elsewhere. You’ll also need to communicate how and why you’re collecting data, so you should transparently detail any software or applications you’re using to help facilitate that.
7. Online payments
If you’re an e-commerce business using a payment gateway for financial transactions, you also need to be aware of whether your own website collects any personal data before passing the details on to the payment gateway.
If your website’s storing these personal details after the information has been passed on, then you’ll need to modify your web processes to remove any personal information after a reasonable period. The GDPR legislation is not actually explicit about the number of days, apparently, but 60 days is a good guide.
8. Third-party tracking software
A lot of businesses now use a third-party marketing automation software solution. These might be lead-tracking or call-tracking applications.
The use of these kinds of tracking applications is a grey area when it comes to GDPR, but it does raise some interesting questions. They tend to track users in ways they wouldn’t expect, and for which users have therefore not granted consent. For example, are you tracking your visitors each time they return to your website or view a specific page on your site?
9. Google Analytics
Loads of websites these days are configured to use Google Analytics to track user behaviour. Although it’s always been an anonymous tracking system, it is still collecting “data” about the user’s visit to the website.
Google has stated their commitment to complying with applicable data protection laws. They said they’re working hard to prepare for the new changes and have placed keeping user information safe as one of their highest priorities.
10. Check your existing data
You’ll also need to check the data you have stored in various places around your business. Make sure you have a good understanding and documented record of the data you hold. Who has agreed to you storing their info? How have they consented? And when did they consent? All the answers to these questions need to be readily available. Essentially, unless you need to keep certain data, it could be a liability for your business and should probably be deleted.
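The consent handling described in points 1 to 5, the retention purge from point 7 and the who/how/when record from point 10 fit together in a small amount of code. The example below is added here and is not from the original article; the form field names (`accept_terms`, `consent_email` and so on), the `how` wording and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Channels the article says need separate (granular) consent.
CHANNELS = ("post", "email", "sms", "telephone")
RETENTION_DAYS = 60  # the article's guide for purging stored personal details


@dataclass
class ConsentRecord:
    """One subject's consent, stored with who / how / when so those answers are on hand."""
    subject: str
    channels: dict            # channel -> True only when the box was actively ticked
    named_parties: tuple      # each third party named individually, not a category
    consented_at: datetime
    how: str                  # e.g. "web form: newsletter signup" (assumed wording)
    withdrawn_at: Optional[datetime] = None


def capture_consent(subject, form, named_parties, how, now):
    """Build a ConsentRecord from submitted form fields (a dict of name -> value).

    Active opt-in: a channel counts as consented only if the form carries an
    explicit "on" for it; a missing field is "no", so nothing is pre-ticked.
    Unbundled: accepting the terms is required but never implies any contact
    permission, and consent must name the parties it covers.
    """
    if form.get("accept_terms") != "on":
        raise ValueError("terms and conditions must be accepted explicitly")
    if not named_parties:
        raise ValueError("consent must name each party it is granted to")
    channels = {c: form.get(f"consent_{c}") == "on" for c in CHANNELS}
    return ConsentRecord(subject, channels, tuple(named_parties), now, how)


def withdraw(record, now, channel=None):
    """Withdrawing is one call, as easy as granting; channel=None withdraws everything."""
    if channel is None:
        record.channels = {c: False for c in CHANNELS}
        record.withdrawn_at = now
    else:
        record.channels[channel] = False
    return record


def may_contact(record, channel):
    return record.channels.get(channel, False)


def purge_due(stored, now, days=RETENTION_DAYS):
    """Keys of stored personal details (key -> stored_at) older than the retention period."""
    cutoff = now - timedelta(days=days)
    return sorted(k for k, stored_at in stored.items() if stored_at < cutoff)
```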
11. Are your website and content management system secure?
Websites that use HTTPS send data over an encrypted connection, so you need to make sure your website has an SSL certificate. That only protects data in transit, though: your CMS provider should also address how data is stored, because if your database itself is unencrypted, your contacts will be left exposed in a breach.