How to Make Your Website GDPR-Compliant

You’re probably tired of hearing about it. You’ve probably had it up to here with seeing the countdowns to May 25th. And you’re probably a bit sick of people going on about ginormous fines for noncompliance. Yes, we’re talking about GDPR. And this blog is going to talk about GDPR, too. Sorry about that. But we think we have some handy tips to share with you that you won’t want to miss.

Now, we’re certainly not claiming to be experts in the complexities of GDPR, but what we do really know our stuff about is websites. So having brushed up on the new regulations, we’ve got a few fairly simple but pretty important suggestions for getting your website compliant. Fear not – there’ll be no scaremongering here and no bamboozling so-called explanations that leave you scratching your head or, perhaps even worse, send you into a slumber.

Why Make Your Website Compliant?

GDPR is all about protecting the personal data of individuals. It extends the rights of individuals further than ever before when it comes to how personal data is obtained, held and used. Under the new rules, individuals have a multitude of new rights regarding consent and control over their personal data. These new rights include the right to be informed, the right of access, the right of rectification, the right of erasure, and the right to object. You can find more elaborate explanations of all of these terms and more on the ICO website. It’s actually not a bad read.

Now, in light of all this and because websites collect personal data (names, telephone numbers, emails, addresses – essentially any information that can fully or partially identify a person) from users in various ways, it’s time to rethink how we collect, store and use this information.

How to Make Your Website Compliant

First and foremost, you’re going to have to have a careful think about how you currently handle your customers’ personal data. You’ll have to consider how you capture it, what you use data for, where it’s stored and how long it’s stored for, and then make some changes if the way you do things doesn’t comply with GDPR. Below are some of our recommendations on what we think are the most important changes to make to your website before May 25th. But remember – it’s your responsibility and no one else’s to make sure you’re compliant. So while we’re more than happy to offer you some handy tips, it’s up to you to make sure they’re actioned.

1. Update Your Privacy Policy

Privacy policies. If you don’t have one, you need one. If you have one but it’s not been written with GDPR in mind, then it’ll need updating. It needs to cover a lot of stuff and it’s important that it’s written in a clear, accessible and informative way when it comes to telling users how their collected data will be stored and used.

It’ll need to include:

  • The types of customer data you process
  • Why you are collecting this data
  • How this data is used
  • Where you store this data
  • Data retention and how long data is used for
  • Any and all third parties you share this data with, including any payment gateways (it must also make reference to their privacy policies)
  • The process involved in subject access requests
  • The right of removal and a clear explanation of how a user goes about getting their data removed.

Yes, this is a lot of info. But if you nail all of this, link to it where necessary and get users to give explicit consent to having read and understood it, then you’ll have taken an important step towards compliance.

2. Key Contact Form Changes

Contact forms are one of the most common methods for gathering data through websites. Prompting users to enter contact information such as their name, company, telephone number, email and query, they’re how potential customers or clients get in touch with you via your site. But, because they collect so much personal data, you’re going to have to make some changes to make sure you’re complying with key GDPR principles.

First off, you need to establish explicit consent. In the context of a contact form, this will usually concern the way in which the individual’s data is used to contact them. We recommend doing this by including granular opt-in functionality on the contact form itself.

When we say ‘granular opt-in’, we mean giving users the opportunity to consent to some things, like being reached by phone, and not others, such as being contacted via email. To do this, you will need to provide one blank tick box per contact method to allow users to give explicit consent – no blanket statements that include all contact options or any automatic or pre-ticked options, we’re afraid. We also recommend featuring an option that provides a link to your shiny new privacy policy and a box allowing users to agree to having read and understood it – this keeps your form nice and uncluttered without neglecting to fully inform your users. Take a look at the example to get a good idea of what we mean, but remember that the information will vary depending on how your organisation uses and stores personal data.

[Image: example contact form with one unticked box per contact method and a separate privacy policy acknowledgement box]

Next, you need to explicitly communicate what the data will be used for. For this, we recommend adding a permission disclaimer to your contact form.

A permission disclaimer will be a small paragraph of text outlining that the data being collected will be used solely for the purposes of contacting the individual with regard to the query they submitted via the contact form. Previously, user data gathered via contact forms could have also been added to mailing lists and used for other marketing purposes. This can no longer be done, and the disclaimer demonstrates that you understand and comply with the new rules.

Finally, you need to demonstrate that collected data will be responsibly processed. This will involve making an important practical change to the way you process and store data.

To comply with the new rules, you must keep an accurate record of the data you’ve collected through your contact forms. This is essential for being able to demonstrate compliance as you’ll be able to prove that you’ve been given explicit consent, and also to ensure that data can be recovered and provided to the user should they request it. Your website may already offer this functionality, but if you’re unsure then we recommend having a chat with whoever handles or hosts your website to see what can be done.

3. Say Yes to Opt-In Marketing

Now seems like a good time to raise the issue of marketing. Following on from the points raised above, you’re going to need to be able to demonstrate that you have ongoing consent when it comes to your marketing lists. If you can’t do this and you’re unsure whether you have an individual’s consent to send emails or letters or texts, then you can’t send them anything. You can’t even send a message asking for confirmation as this is regarded as direct marketing in itself.

The solution? Well, if you want to keep emailing people but have no record of them consenting to receiving your emails, you may want to consider sending an email asking for explicit consent in the weeks before May 25th and keeping an accurate record of the responses you receive back. After this date, we wouldn’t recommend sending anything to anyone who hasn’t explicitly consented as it may be breaking the law.

Another option is to start including another separate tick box on your contact form to ask people whether they want to be included in your marketing lists, as the image below demonstrates. But remember – you’ll need a separate box for every type of communication you intend to send.

[Image: example contact form with a separate marketing opt-in tick box]
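The consent handling described in sections 2 and 3 (one unticked box per contact method, a privacy policy acknowledgement, a separate box per marketing type, and a record you can produce for a subject access or erasure request), as an added example that is not code from the original post; the field names, the policy version label and the in-memory store are assumptions for illustration:

```javascript
// Added example, not code from the original post. Field names, the policy
// version label and the in-memory store are assumptions for illustration.
const CONTACT_CHANNELS = ["phone", "email"];   // one unticked box each on the form
const MARKETING_TYPES = ["email", "post"];     // separate box per communication type
const PRIVACY_POLICY_VERSION = "2018-05";      // assumed label of the policy acknowledged

// Browsers only submit a checkbox that was ticked, so an absent field is "no".
// Consent is read only from the submission, never from a stored or pre-ticked default.
function buildConsentRecord(fields, now = new Date()) {
  if (fields.privacy_policy_ack !== "on") {
    throw new Error("privacy policy acknowledgement is required");
  }
  const contact = Object.fromEntries(
    CONTACT_CHANNELS.map((ch) => [ch, fields[`consent_${ch}`] === "on"]));
  const marketing = Object.fromEntries(
    MARKETING_TYPES.map((t) => [t, fields[`marketing_${t}`] === "on"]));
  return {
    email: fields.email,
    query: fields.query,
    purpose: "respond to this enquiry only",   // the permission disclaimer, recorded
    policyVersion: PRIVACY_POLICY_VERSION,
    contact,
    marketing,
    recordedAt: now.toISOString(),
  };
}

// Only channels explicitly ticked may be used, and a marketing send needs its
// own tick: consent to an email reply does not cover a newsletter.
function mayContact(record, channel, purpose = "enquiry") {
  if (purpose === "marketing") return record.marketing[channel] === true;
  return record.contact[channel] === true;
}

// Subject access request: everything held about one person, looked up by email.
function exportForSubject(store, email) {
  return store.filter((r) => r.email === email);
}

// Right to erasure: the store without that person's records.
function eraseSubject(store, email) {
  return store.filter((r) => r.email !== email);
}

// Constructed submission: only the privacy box and the email contact box were ticked.
const sampleSubmission = {
  name: "A. Person", email: "a.person@example.com", query: "Quote please",
  privacy_policy_ack: "on", consent_email: "on",
};
```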

4. Tighten Up Security

Another thing to consider is the overall security of your website. There are a number of factors you might want to review to ensure greater data protection, from SSL/TLS certificates (serving the site over HTTPS) and default privacy settings to hosting options and your company network. We recommend getting in touch with whoever hosts or handles your website to discuss various security options.

Hooray! You Made It to the Finish Line. Now What’s Next?

So there you have it – our four key recommendations to achieve a GDPR-compliant website. We know it’s been a long read, so if you’re still here, thanks for sticking with us. Now you just need to set things in motion. Giving our team a call is the best way to discuss your options and see how we can help you get your website ready for GDPR. Any questions, queries or comments are welcome. We look forward to hearing from you.