With the new regulations coming into full effect next month, ensuring that your business is GDPR compliant should be a priority. At the top of that list should be the compliance of your website. Though it may seem like a big inconvenience and a lot of change, getting your website GDPR compliant may be easier to do than you think.
GDPR is the replacement for the 1995 Data Protection Directive, adopted in 2016 and now finally coming into effect on May 25th this year. Its purpose is to create new standards for consumer rights and for how consumers' data is used. This means that if you have a business, you will have to alter, and be completely transparent about, how you use customer data. Otherwise, you could face a very hefty fine of up to 4% of your annual turnover or €20 million, whichever is higher for your business. And we’re pretty certain this is something no business wants to come up against.
In a lot of cases, your website is the first element of your business that people see. You might be surprised, but your website is also likely to be impacted by the GDPR changes. In this blog, we hope you’ll be able to gauge which end of the readiness spectrum you’re on and, in the end, get your website GDPR compliant.
Now I'm no GDPR expert (arguably no one is yet as the law hasn't yet been passed), but we've been keeping abreast of all the latest. As with all legal policy, we recommend that you should consult your legal counsel for expert insight on the matter, but here are our top tips for GDPR compliance for your website:
There must also be a “right of erasure” element. This allows any customer to completely remove any data being held about them should they see fit. Ensure that all this information is visible and easily accessible.
Be sure that you are aware of all the data being collected on your website. Generally, websites collect a lot of different data, so it is important to identify exactly what is being collected by your website, where your website is storing it and who can access it (do third parties have access?). Your company may be required to complete an information audit, or even a full website audit, regarding the data you already have, so being aware of everything your website has is a great place to start. The awareness stage should also include educating staff on the coming changes. Ensure that everyone working for your company is aware of what data can be collected and how it can be collected legally; a little slip-up or some misinformation could end up costing your company millions!
Sneaky opt-out tick boxes will no longer be accepted as a form of consent. Instead, customers will have to fully opt in, in full knowledge of what they’re agreeing to. Look at your consent and sign-up processes: it has to be totally unambiguous and clear from the get-go that customers are signing up if they choose to. Also be sure that there is an easy and accessible way for customers to opt out of communications should they want to, and that they are fully aware of this option too. This is a huge must for newsletters and marketing communications. Review existing processes on every platform you use to contact customers (manually, Mailchimp, etc.) and look at what needs to change.
The green padlock that can be seen when you go to a secure website is that added layer of security, both literally and emotionally, for a website user. This lets them know that any information that is used on the page will be totally safe. All information entered on one of these pages is securely encrypted, and the SSL certificates that enable this can be bought online.
User accounts and enquiries
Websites are now required to move to a system that allows users to be identified by a username only, with the rest of the data being encrypted to ensure that there is no way to connect or access the rest of the data. Working this into your website could take some time, so this is something to get started on as soon as possible!
Should a visitor to your website wish to get in touch with your company, this is also something that could impact your website GDPR compliance. For example, all enquiry forms must have: SSL employed; no details being stored unless they are encrypted; an email provider adhering to GDPR rules; no details being printed and stored (any printed information must be destroyed); and no pre-ticked boxes. Any marketing emails must be fully and legally signed up to before they can be sent to a recipient.
Should there be any data breaches, the GDPR requires the data controller to have the right processes ready to act on. Although there should be robust breach detection employed by the company to avoid anything like this happening, any breaches must, legally, be reported within 72 hours. If it’s a high-risk breach, meaning customers' important information is at risk, these individuals must be informed as soon as possible and without unnecessary delay. Find out more about reporting breaches on the Information Commissioner's Office website. Nobody likes to think about data breaches, but it’s always better to be safe than sorry!
Data Protection Officer
Every GDPR website needs a Data Protection Officer. Your DPO will be responsible for everything data protection. As their title suggests, this person will take accountability for data compliance within your company, and this also covers making your website GDPR compliant. Basically, this person should be the absolute go-to for anything data compliance, so choose wisely!
There are many platforms that can be connected to your business, from CRM to social accounts, and these also have to be reviewed. Any connected email accounts must have securely stored data, good anti-virus software in use and no non-crucial email content being stored. Most of all, all connected email accounts must be Data Protection Act and GDPR compliant.
Keeping your website GDPR friendly may seem like a massive looming task, but once the initial changes are made, keeping on track should be easy to manage. In essence, if you're already following good data protection processes, you're likely already almost there!
If you’re still struggling to wrap your head around the GDPR changes, take a look at the full guide by the Information Commissioner's Office for some more information.