7 Tips for a GDPR Compliant Website

By Chloe Smith

It’s coming, GDPR is the buzzword floating around the water cooler right now. (Thank goodness they have forgotten about the office party… amirite?) Striking fear into the hearts of companies both big and small. 

Whilst our advice should never be taken over legal, we hope the following tips will help you pull up your socks and say “I’m compliant!” 

The General Data Protection Regulation (GDPR) changes are looming, you need to be compliant by 25th May 2018. The highest fine for not adhering to the new changes is 20 million euros or 4% of last year’s documented worldwide earnings, whichever is greater. With those hefty enforcements, let’s be sure you align with the new regulations.

First Things First… Who Does GDPR Affect?

GDPR dictates the way data pertaining to personal information (data that indirectly or directly identifies someone) is captured, used and stored for all EU residents. It extends to all EU member states – which currently the UK is one – as well as any companies offering services to EU citizens and residents. Even if your company is not headquartered in the EU, if your services are open and offered to them, you need to be GDPR compliant.

Part of GDPR is a Data Protection Officer (DPO), someone in your organisation assigned as the regulator. Good news is, in most cases, you will not need one! There are specific instances outlined by GDPR when a DPO is required, so check to see if you fall under those specific circumstances. The DPO can either be a person or persons in the company or a third-party agency. The person within your company should be well-versed in the regulations to oversee the changes to your processes. Either way, someone in the organisation should be overseeing the implementation of the regulations.

What Does the GDPR Cover?

Since the GDPR regulates how data is collected, used and stored, it affects most aspects of your business. There are different requirements depending on if you are a data controller or processor. Both parties hold responsibilities for the private information collected (the data), though. Learn more about data controller versus processor through the ICO.

Personal data has also taken on a broader definition with GDPR. When discussing personal information most people jump to identifiable pieces like addresses, names, and birth dates. Under GDPR, personal information is any data that can be used by itself or with other data to identify a person. As MailChimp points out, now personal information extends to IP addresses, geo locations, financial information, biometric data, and more. Since GDPR covers the gamut of personal information, a review of the entire process of personal data usage at your company will be in order.

Start With the Individual

Data protection laws like GDPR are trying to help regulate the very unregulated internet. Protecting people like you and I. To start the process of getting ready for GDPR, let’s start with your website, typically the first customer touch point in communication with your organisation.

To help ensure you have everything in order before May, we have compiled a list of checks for your website. These are tips to ensure your website is compliant with the new changes. However, they do not constitute legal advice and are not a replacement for educating yourself and your team on the changes and seeking professional guidance. The ICO offers an introduction and an outline of the GDPR policy to get you started.

A GDPR Compliant Website

The main message of GDPR is to be clear and concise with individuals. Make it easy for the user to understand how, when and where you will be communicating with them and for the user to be able to easily update these preferences. Including what information you have on record and the ability to change it.

7 Tips For a GDPR Compliant Website

1. Opt-In Not Opt-Out

In the past, it has been standard practice to have the opt-in options on forms pre-checked for consumers to offer consent. With the new data changes, uncheck the opt-in automatically. People should actively be opting into your communications, not the other way around.

Even if you are using a third-party email provider, such a MailChimp, it is the organisation’s responsibility to ensure the user has given clear consent. We reached out to MailChimp. Anthony from their legal department could not offer specific legal advice but he did suggest “ensuring your signup forms include clear statements for what your recipients are giving permission to receive.”

An even better way to meet GDPR regulations with your email campaigns and ensure individuals definitely want to be added to those communication forms are double opt-in. Double opt-in emails mean after someone provides their email on the signup form, another email will be sent confirming they want to be added to the list for a set of specific information – such as weekly newsletters. In your MailChimp settings, you can change your account to default to double opt-in for all email signups. Naturally, other email marketing platforms are available and have an option of double opt-in, but as a client of Forty8Creates there’s a very good chance you’ll be using MailChimp to collect data.

1. Clear and Concise Information

Do not bundle consent to your terms and conditions and the opt-in to the email list. These are two separate active opt-in features. A link to the terms and conditions should be provided with an opt-in option. Separate from that should be an explanation of what communication the user is opting into; such as, exclusive offers and discounts. Have an active opt-in button for it as well.

Part of the transparency of GDPR is not transferring consent to other forms of communication. If someone signs up to receive exclusive offers and discounts, you cannot add them to all of your email and communication lists, such as sending them your weekly newsletter. As with the active opt-in, the exact information they are opting into should be clear.

1. Know How You’re Communicating

Consumers need to have a clear understanding of how you’re going to reach out to them. Whether via texts, emails or phone calls. As well as the type of information they are agreeing to receive.

For instance, let’s say you have a free offer of an e-book and a signup form to be completed before the free download. Your terms and conditions, as well as clear opt-ins, need to be separated at the bottom before they submit. If you are collecting their phone numbers and emails, you would need a checkbox confirming you can contact them with both methods. Do not precheck the opt-in checkbox. As well as an explanation of the type of information they would receive through both channels. I.e discount codes, newsletter through email and reminders through text.

Most email subscriber databases, like MailChimp, provide you with the option to build your own pop-up and embedded forms. It is your responsibility to ensure the email signup forms comply with GDPR regulations. Make sure the signup forms cover all the reasons why the information is being collected and all uses.

1. Opting Out as Easy as Opting In

The same way you offer individual opt-in options for different forms of communication and on different devices, you need to offer an easy, granular opt-out process. Allow individuals to opt-out of specific forms of communications or types of offer. For instance, let’s carry on from the example above. After an individual downloads the e-book, they decide they do not want to receive text messages but would still like to be sent weekly emails. On your unsubscribe options, have a checkbox list for easy understanding of what forms of communication the user is subscribed to and which they are opting out of.

1. E-Commerce Payments

If you have an e-commerce site, your website may collect information before passing it on to a third party processing site. If this is the case, you need to review what personal information you are collecting and update your website to delete the data after a certain period.

Make your customers aware of the transfer of their personal information to a third party. You can outline this in your Privacy Policy.

The timeline is not specifically declared by the GDPR but is relayed as personal data should not be kept for longer than necessary. So, it is up to your company to decide what is necessary; be sure it’s an amount of time you can justify and has reasoning behind it. There should be a purpose for storing the data for the set amount of time.

1. Privacy Policy Update

Privacy Policies are a place to clearly lay out exactly how you collect, use and store an individual’s personal information. They should contain no jargon and be clear and to the point. The ICO provides a breakdown and an example of a compliant Privacy Policy.

Even before GDPR implementation, it was important to have a Privacy Policy on your website if you were collecting data. Without even knowing it, you may be collecting data. If you have Google Analytics installed, you have to have a Privacy Policy. Now, the Privacy Policy needs to clearly outline all aspects of personal data. Including, what information is being collected, by who, what it is being used for, how long it will be stored for and how to access, amend and delete personal information.

E-commerce payments section

In the e-commerce payments section, you determined how long it was necessary to store personal data for, the Privacy Policy should state this length and the reasoning behind it. The agreed consent is not forever and it needs to be clear when that expires. Explain in the Privacy Policy on how a user can easily access their personal information. As well as receive a copy of the data stored.

As complex as this sounds, it really is just about being clear. Forty8Creates is more than happy to help you with all the points outlined. However, we cannot stress enough that our advice doesn’t trump professional legal advice. We recommend Integrity Data Solutions, who specialises in GDPR if you would like a consultation.

If you are using third-party apps for data collection and storage, such as MailChimp for your email lists, you should add language to your Privacy Policy clarifying the user’s personal data will be transferred and processed by these companies. Don’t forget the companies’ sub-processors as well. Remember to look into add-ons in these features as well. Through MailChimp, you can have Product Retargeting and Google Web Retargeting Ads add-ons. Assess these and add them to your Privacy Policy.

1. Audit

Create a clear picture of where the personal information you collect is stored and what channels it goes through. Complete a personal data audit to determine all of your processors. These processors can then be added to your Privacy Policy.

Is the data processed by you or a third party? If a third party is processing your data, check their Privacy Policy and ensure they are GDPR compliant. Even though most CRMs and data processing companies are US-based, they will be Privacy Shield compliant – a venture by the US Department of Commerce and the European Commission to regulate the flow of data between the US and the EU.

Review what third-party applications have access to the data you are collecting. Ensure you have a contract outlining their data responsibilities.

As you complete the audit, assess the data you are collecting, why are you collecting the data, how long you are storing it for and do you still need it? This will help you decide what steps to take as you move forward with other GDPR regulations.

What’s Next

Completing a website review and implementing changes to be GDPR compliant is only one step in the chain. The process loop of how information is collected, stored and utilised at your organisation needs to be reviewed. The website is the main outward facing mechanism for the data collection. The utilisation and storage of the personal information are as important for GDPR compliance. For instance, review your company’s current data needs. If you are utilising a CRM, assess how it processes the information and the length of consent for personal data. Furthermore, GDPR is ongoing and evidence-based. Remember to hold a record of how people are opting-in to comply with the regulations. No matter if they opt-in through a link or an email.

Since GDPR encompasses the why, how, what and where of personal data collection it also touches on security. Make your staff aware of the importance of data encryption and your IT processes as well as making information anonymous. If you are utilising past data for trends and insights, make it nonpersonal.

Though the changes may seem daunting, utilising the ICO checklist and Forty8Creates’ checklist implementing new workflows will allow for continued compliance.

And the Good News?

By being more transparent and open with personal data and the forms of communications, marketers may see improvements in their response rates and the success of campaigns. With active opt-in features, you know only engaged, informed individuals are agreeing to your communications.

How do you think GDPR will affect your company’s marketing efforts?

Download the nifty GDPR Compliant Website Checklist to help ease the stress palpitations.