With the new regulations coming into full effect next month, ensuring that your business is GDPR compliant should be a priority. At the top of that list should be the compliance of your website. Though it may seem like a big inconvenience and a lot of change, getting your website GDPR compliant may be easier to do than you think.

GDPR is the replacement for the 1995 Data Protection Directive, adopted in 2016 and now finally coming into effect on May 25th this year. Its purpose is to create new standards for consumer rights and how their data is used. This means that if you have a business, you will have to change how you use customer data and be completely transparent about it. Otherwise, you could expose yourself to a very hefty fine of up to 4% of your annual turnover or €20 million, whichever is higher for your business. And we’re pretty certain this is something no business wants to come up against.


In a lot of cases, your website is the first element of your business that people see. You might be surprised, but your website is likely to be impacted by the GDPR changes too. In this blog, we hope you’ll be able to gauge which end of the readiness spectrum you’re on and, in the end, get your website GDPR compliant.

Now I'm no GDPR expert (arguably no one is yet, as the law hasn't yet been passed), but we've been keeping abreast of all the latest. As with all legal policy, we recommend that you consult your legal counsel for expert insight on the matter, but here are our top tips for GDPR compliance for your website:

T's & C's and Privacy Policy

Getting your website GDPR ready will mean you need to alter the privacy policy on your website. It should notify web visitors that their data is being collected, how it’s being used, who has access to it and how long it will be held for. Evaluate your current privacy notice and your current terms and conditions. Consent, in general, should be a separate issue from these two sections of a GDPR friendly website, but both sections must be reviewed and potentially altered to suit the new legislation.

This element also includes how cookies are used. If your website uses cookies to glean personal information about a website visitor, this must be fully disclosed and agreed to by the visitor. If a visitor decides against allowing cookies to access their data, the website must still be accessible, and if there is any loss of functionality, this must be disclosed as well. Implementing a ‘cookie pop-up’ isn’t required, but it is an easy solution to many of the GDPR requirements.

There must also be a “right of erasure” element, which allows any customer to completely remove any data being held about them should they see fit. Ensure that all this information is visible and easily accessible.

Awareness

Be sure that you are aware of all the data being collected on your website. Websites generally collect a lot of different data, so identifying exactly what your website collects, where it stores it and who can access it (do third parties have access?) is important. Your company may be required to complete an information audit, or even a full website audit, covering the data you already hold, so being aware of everything your website has is a great place to start. The awareness stage should also include educating staff on the coming changes: ensure that everyone working for your company knows what data can be collected and how it can be collected legally. A little slip-up or some misinformation could end up costing your company millions!

Consent

Sneaky opt-out tick boxes will no longer be accepted as a form of consent. Instead, customers will have to fully opt in, in full knowledge of what they’re agreeing to. Look at your consent and sign-up processes: it has to be totally unambiguous and clear from the get-go that customers are signing up if they choose to. Also be sure that there is an easy and accessible way for customers to opt out of communications should they want to, and that they are fully aware of this option too. This is a huge must for newsletter sending and marketing communications, so review existing processes on every platform you use to contact customers (manually, Mailchimp, etc.) and look at what needs to change.

Security

The green padlock that can be seen when you go to a secure website is that added layer of security, both literally and emotionally, for a website user. It lets them know that any information entered on this page will be totally safe. All information entered on one of these pages is securely encrypted, and these SSL certificates can be bought online.


User accounts and enquiries

Websites are now required to move to a system that allows users to be identified by a username only, with the rest of the data being encrypted to ensure that there is no way to connect or access the rest of the data. Working this into your website could take some time, so this is something to get started on as soon as possible!

If your website has an e-commerce element, SSL is a must, and all information must be stored against a pseudonym (username) rather than having a customer’s name, email or payment information all connected as an identifier. You must also ensure that all payment information is compliant with whatever payment pathway is used. If payment goes straight to your website, it must be PCI compliant; if it goes through a third party like PayPal or Worldpay, all payment gateways must be referenced fully in your privacy policy.

Should a visitor to your website wish to get in touch with your company, this is also something that could impact your website’s GDPR compliance. For example, all enquiry forms must have SSL employed, no details stored unless they are encrypted, an email provider adhering to GDPR rules, no details printed and stored (any printed information must be destroyed) and no pre-ticked boxes. Any marketing emails must be fully and legally signed up to before they are sent to a recipient.

If your website has a live chat function, refer to the third party in your privacy policy and make sure that their GDPR compliance has been reviewed before use.

Data Breaches

Should there be any data breaches, the GDPR requires the data controller to have the right processes ready to act on. Although the company should employ robust breach detection to avoid anything like this happening, any breach must, legally, be reported within 72 hours. If it’s a high-risk breach, meaning important customer information is at risk, the affected individuals must be informed as soon as possible and without unnecessary delay. Find out more about reporting breaches on the Information Commissioner's Office website. Nobody likes to think about data breaches, but it’s always better to be safe than sorry!

Data Protection Officer

Every GDPR website needs a Data Protection Officer. As the title suggests, your DPO will be responsible for everything data protection: this person takes accountability for data compliance within your company, which also covers making your website GDPR compliant. Basically, this person should be the absolute go-to for anything data compliance, so choose wisely!

Connected platforms

There are many platforms that can be connected to your business, from CRM to social accounts, and these also have to be reviewed. Any connected email accounts must have securely stored data, good anti-virus software in use and no non-crucial email content being stored. Most of all, every connected email account must be Data Protection Act and GDPR compliant.

Tracking systems must be referred to in the privacy policy and be GDPR compliant. Of course, well-known systems like Google Analytics will be compliant (however, you have to turn on the anonymisation option for it to be fully compliant), but lesser-known tracking systems may not be, and this is something you would have to look into.

If your company has a CRM system in use, then like the rest of the points discussed, it must also be referenced in the privacy policy. Any data collected must be recorded and made available to any customer or web visitor who asks for it. It must also be possible to delete it (request for erasure) should any visitor require that too.
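The pseudonymised account storage described under “User accounts and enquiries” and the access and erasure requests described here, as an added Python illustration that is not code from the original post: identifying details live in a separate store keyed by a keyed-hash pseudonym, usage records never carry the email, and subject-access and erasure both resolve the pseudonym from the email. The key, the in-memory stores and the sample records are constructed for the example; a real site would keep the key in a key store, encrypt the identity store with a proper library, and persist to a database.

```python
import hashlib
import hmac

# Constructed placeholder; the real secret is the "additional information"
# that must be kept separately from the data for pseudonymisation to hold.
PSEUDONYM_KEY = b"replace-with-secret-from-key-store"


def pseudonym(email: str) -> str:
    """Stable keyed pseudonym: links a user's records without storing the
    email next to them. Without the key, the email cannot be recovered."""
    norm = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, norm, hashlib.sha256).hexdigest()[:16]


class CustomerStore:
    def __init__(self):
        self.identity = {}   # pseudonym -> identifying details (kept separate)
        self.activity = {}   # pseudonym -> non-identifying usage records

    def register(self, email: str, name: str, marketing_consent: bool = False):
        """Create an account; marketing consent is off unless explicitly
        opted in (no pre-ticked boxes)."""
        pid = pseudonym(email)
        self.identity[pid] = {"email": email.strip().lower(), "name": name,
                              "marketing_consent": marketing_consent}
        self.activity.setdefault(pid, [])
        return pid

    def record(self, pid: str, event: dict):
        """Store a usage event against the pseudonym only."""
        self.activity[pid].append(event)

    def subject_access(self, email: str):
        """Return everything held about the person, or None if unknown."""
        pid = pseudonym(email)
        if pid not in self.identity:
            return None
        return {"pseudonym": pid, "identity": dict(self.identity[pid]),
                "activity": list(self.activity.get(pid, []))}

    def erase(self, email: str) -> bool:
        """Right of erasure: drop both the identity and the usage records."""
        pid = pseudonym(email)
        found = pid in self.identity
        self.identity.pop(pid, None)
        self.activity.pop(pid, None)
        return found
```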

Finally, connected social media platforms must be disclosed as third parties in the privacy policy. Any messaging system used must have the conversation wiped once it’s over (instead, try to have the conversation transferred over to email), consent must be given by an individual if their details are being used to promote the business and, of course, any interaction garnered from the social platform must adhere to GDPR guidelines.

Keeping your website GDPR friendly may seem like a massive looming task, but once the initial changes are made, keeping on track should be easy to manage. In essence, if you're already following good data protection processes, you're likely already almost there!

If you’re still struggling to wrap your head around the GDPR changes, take a look at the full guide by the Information Commissioner's Office for some more information.