With just under a month to go until the General Data Protection Regulation (GDPR) comes into force, you’ll probably be wondering how this impacts your online business and what you can do to be compliant. Of course, we are not lawyers (as much as we’d love their salaries), and no one can flick a switch to make a website fall in line with the new regulations. But we do have a few pointers that may help you take a step in the right direction towards making your website GDPR-ready.
First things first… what is GDPR?
GDPR is an EU law that aims to protect the rights of individuals to have more control over their personal data and which makes businesses dealing with EU customers responsible for handling that data with greater accountability, fairness and transparency. This law comes into force on May 25th 2018. We have covered the topic in our earlier blog post ‘What is GDPR?’.
OK, what should I consider if I own a website?
Add a fully up to date Privacy Policy
You will need a fully up to date privacy policy on your website with a clear link to it. It will need to be explicit about what data you may collect, how it’s stored and for how long. Don’t forget that you should also include a policy on how you use cookies. We can’t advise on the wording (sorry!), so you should have a lawyer check your privacy policy to ensure that it is legally watertight before adding to your website.
Security
It is going to be more important than ever to demonstrate that the personal data that you may hold on your customers is secure and that you have taken all the steps necessary to avoid a breach. For example, make sure that your website has an SSL/TLS certificate and serves its pages over HTTPS. This encrypts sensitive data in transit between your visitors’ browsers and your server (for example, e-commerce transactions and form submissions), so that it cannot be read or tampered with on the way. Bear in mind that this only protects data while it is travelling; the personal data you store still needs to be protected in its own right.
Email marketing and active consent
One very clear area of GDPR and website compliance relates to mailing list forms. If you capture personal details for mailing lists then you must ensure that any opt-in tick boxes are unticked by default. Passive, ‘do nothing’ consent just won’t cut the mustard anymore!
Your mailing lists must only contain the details of users who have given express permission to join. If you have a list of thousands of contacts, not all of whom actively opted into that list, you will need to contact them before May 25th to request their active consent and remove them if consent is not forthcoming. Were customers added to your list automatically when they bought something from your site or made an enquiry? They’ll need to rejoin your list, otherwise it’s bye-bye!
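Two things follow from the points above: the tick box must not be pre-ticked, and you need to be able to show later that a given subscriber actively opted in. The Python below is an added illustration, not code from the original post. It scans a form’s HTML for pre-ticked checkboxes (a browser simply omits an unticked box from the submission, so a missing field must mean “no consent”) and builds a timestamped consent record only when the box was actively ticked. The field name newsletter_opt_in, the version label and the sample forms are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import List, Mapping, Optional

# Version label for the wording shown next to the tick box, so a later change of
# wording is distinguishable in the audit trail. Constructed for this example.
CONSENT_TEXT_VERSION = "newsletter-v1"


class _CheckboxScanner(HTMLParser):
    """Collects the names of checkbox inputs that carry a 'checked' attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.preticked: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)                      # bare 'checked' arrives as ('checked', None)
        if a.get("type", "").lower() == "checkbox" and "checked" in a:
            self.preticked.append(a.get("name") or "<unnamed>")


def preticked_checkboxes(html: str) -> List[str]:
    """Return the names of every pre-ticked checkbox in a form; should be empty."""
    scanner = _CheckboxScanner()
    scanner.feed(html)
    return scanner.preticked


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    consented_at: str       # ISO 8601 timestamp in UTC
    text_version: str       # which wording the subscriber agreed to
    source: str             # which form produced the record


def record_consent(form: Mapping[str, str], source: str,
                   now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Build a ConsentRecord only if the subscriber actively ticked the box.

    An absent, empty or non-"on" newsletter_opt_in value is treated as no
    consent. A None result means: do not add the address to the list.
    """
    email = form.get("email", "").strip()
    if not email or form.get("newsletter_opt_in") != "on":
        return None
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return ConsentRecord(email=email,
                         consented_at=ts.isoformat(timespec="seconds"),
                         text_version=CONSENT_TEXT_VERSION,
                         source=source)


# Constructed sample forms: the first pre-ticks the box, the second does not.
NON_COMPLIANT_FORM = """<form method="post" action="/subscribe">
  <input type="email" name="email">
  <label><input type="checkbox" name="newsletter_opt_in" checked> Send me offers</label>
</form>"""

COMPLIANT_FORM = """<form method="post" action="/subscribe">
  <input type="email" name="email">
  <label><input type="checkbox" name="newsletter_opt_in"> Send me offers</label>
</form>"""


if __name__ == "__main__":
    print("pre-ticked boxes:", preticked_checkboxes(NON_COMPLIANT_FORM))
    print("pre-ticked boxes:", preticked_checkboxes(COMPLIANT_FORM))
    # Submission from an untouched form: no newsletter_opt_in field at all.
    print(record_consent({"email": "ann@example.com"}, source="footer"))
    # Submission where the visitor ticked the box themselves.
    print(record_consent({"email": "ann@example.com", "newsletter_opt_in": "on"},
                         source="footer"))
```

Run the scanner over your templates as part of a deploy check, and keep the ConsentRecord alongside the mailing-list entry: the timestamp, wording version and source are what let you show that a subscriber opted in, rather than merely that an address is on the list.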
Privacy notices
As well as a clear website privacy policy on display, you should also ensure that any forms that capture personal data on your website include a privacy notice which clearly says what the data is being captured for, and whether or not third parties will ever access this information (and if so, who are they?). Remember, transparency is super-important!
Deleting data
The so-called ‘right to be forgotten’ allows an individual to request the deletion or removal of personal data where there is no compelling or legal reason for its continued processing. If you hold personal data on your website (e.g. customer orders, user accounts), or in third-party CRMs and marketing apps connected to it, then in many cases you should delete that customer’s data on request, from your website and from those connected systems alike.
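In practice an erasure request touches several places at once (the account, the mailing list, the CRM) and some records cannot simply be dropped. The Python below is an added example, not code from the original post: it works on a constructed in-memory stand-in for a shop’s data, deletes the records that have no reason to stay, and assumes (for the example only) that order records must be kept for accounting, so it strips the identifying fields from them instead of deleting them. It also returns a report of what was done and a scan showing whether any reference to the address remains, which is what you would want when replying to the individual.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Store:
    """Constructed stand-in for the site's database and connected apps."""
    accounts: Dict[str, dict] = field(default_factory=dict)   # keyed by e-mail
    orders: List[dict] = field(default_factory=list)
    mailing_list: List[str] = field(default_factory=list)
    crm_contacts: List[dict] = field(default_factory=list)


# Fields in an order that identify the customer. Assumption for this example:
# orders are retained for accounting, so only these fields are overwritten while
# amounts and dates stay intact.
ORDER_PERSONAL_FIELDS = ("customer_email", "customer_name", "shipping_address")
ERASED = "[erased]"


def erase_personal_data(store: Store, email: str) -> dict:
    """Carry out an erasure request and report what was deleted or anonymised."""
    needle = email.strip().lower()
    report = {"deleted": [], "anonymised_orders": 0}

    if store.accounts.pop(needle, None) is not None:
        report["deleted"].append("account")

    kept = [e for e in store.mailing_list if e.lower() != needle]
    if len(kept) < len(store.mailing_list):
        report["deleted"].append("mailing_list")
    store.mailing_list = kept

    kept_contacts = [c for c in store.crm_contacts
                     if c.get("email", "").lower() != needle]
    if len(kept_contacts) < len(store.crm_contacts):
        report["deleted"].append("crm_contact")
    store.crm_contacts = kept_contacts

    for order in store.orders:
        if order.get("customer_email", "").lower() == needle:
            for name in ORDER_PERSONAL_FIELDS:
                if name in order:
                    order[name] = ERASED
            report["anonymised_orders"] += 1
    return report


def remaining_references(store: Store, email: str) -> List[str]:
    """Return a path for every string field that still contains the address."""
    needle = email.strip().lower()
    hits: List[str] = []

    def walk(value, path):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(v, f"{path}.{k}")
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(v, f"{path}[{i}]")
        elif isinstance(value, str) and needle in value.lower():
            hits.append(path)

    walk({"accounts": store.accounts, "orders": store.orders,
          "mailing_list": store.mailing_list,
          "crm_contacts": store.crm_contacts}, "store")
    return hits


def build_sample_store() -> Store:
    """Constructed sample data: two customers, three orders."""
    s = Store()
    s.accounts["ann@example.com"] = {"email": "ann@example.com", "name": "Ann Example"}
    s.accounts["bob@example.com"] = {"email": "bob@example.com", "name": "Bob Example"}
    s.orders = [
        {"id": 1001, "customer_email": "ann@example.com", "customer_name": "Ann Example",
         "shipping_address": "1 High St", "total": 49.99, "date": "2018-03-02"},
        {"id": 1002, "customer_email": "bob@example.com", "customer_name": "Bob Example",
         "shipping_address": "2 Low Rd", "total": 12.50, "date": "2018-03-05"},
        {"id": 1003, "customer_email": "ann@example.com", "customer_name": "Ann Example",
         "shipping_address": "1 High St", "total": 20.00, "date": "2018-04-11"},
    ]
    s.mailing_list = ["ann@example.com", "bob@example.com"]
    s.crm_contacts = [{"email": "ann@example.com", "notes": "Asked about bulk pricing"},
                      {"email": "bob@example.com", "notes": ""}]
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(erase_personal_data(store, "Ann@Example.com"))
    print("still referenced at:", remaining_references(store, "ann@example.com"))
```

The report tells you what to say in your reply; the remaining_references scan is the check that nothing was missed, and it is worth running against every data source you listed in your privacy policy, not just the website database.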
Please bear in mind that none of the above constitutes legal advice. Our only advice is to consult a legal expert to ensure that you have covered all bases, and as the day looms ever closer we hope that you can get moving in the right direction!
Please get in touch with us if you think we can make some of the tweaks necessary to help your website become compliant. (Some changes to sites may be chargeable.)