A quick guide to making your website GDPR compliant

Unless you have been living under a rock the last few months, you will no doubt have heard about GDPR. If you haven’t, it stands for General Data Protection Regulation and is a new piece of EU legislation that recently came into effect. The aim of it is to give EU citizens more control of their data and how it is processed and stored.

The regulations came into effect on May 25, so if your site isn’t already compliant, you need to get it sorted now! If you are accepting traffic from EU countries and processing data on behalf of EU citizens then you are affected and need to comply.

If you want to learn more about GDPR itself, there are many great resources online, including the guide from the UK Information Commissioner's Office (link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).

Depending on the complexity of your website this list will vary, but it is intended as a rough guide:

Privacy Policy

If your website doesn’t have a privacy policy, you need one, and if you do have one, it may need updates. Essentially you need to clearly state what data you collect from the user (this covers things like forms, but also data you might be storing in cookies that is not fully anonymised), how you will store that data, whether you will share it with anyone (third parties outside your organisation) and how they will use it. As an organisation you are responsible for what any third party does with data you send them; for example, if you are storing user details in third-party mailing list software, you should cover this. For more info you can check out this excellent Econsultancy article (link: https://www.econsultancy.com/blog/69256-gdpr-how-to-create-best-practice-privacy-notices-with-examples).

Security

If you don’t already have one (and you should, for many reasons), then now is the time to fully protect your website with an SSL certificate! It’s an easy task and crucial to protecting users’ privacy and security while they interact with your site.

Implied and clear consent

This one is very important. Remember that form you created where you decided to pre-tick some boxes to make sure as many people as possible signed up to your newsletter? That is a big no! You will need to change all forms to have those fields not pre-selected.

The other area is to ensure the user has a clear understanding of, and has agreed to, how you may contact them. It is no longer sufficient to just say “You agree to us contacting you for marketing purposes”; instead you should list each method by which you might contact them and let them opt in to each individually. If by opting in they might be contacted by more than one company (for example if you have a group of companies, or a set of partners), then give the user granular options as appropriate rather than a blanket opt-in for all companies. If you plan to pass their details on to a third party, or to any related company that the user would not reasonably expect to receive them, you need a clear, separate checkbox for each so they can opt in explicitly.

Easy to withdraw consent

Going hand in hand with the point above, allow the user to easily withdraw consent, via an unsubscribe link in any communications you send and a link on your website, ideally in the privacy policy.

Cookies

If your site uses cookies then you should display a banner explaining this and what they are used for, and explaining to the user how they can opt out by disabling cookies in their browser. There are many great examples on the web.

IP tracking

IP addresses count as personal data, so if you are doing any tracking or processing based on IP addresses, or storing IP addresses in logs, a CMS, etc., this needs to be clearly set out in your privacy policy.

Data Retention and Deletion

You need to tell users how long you will store their data for and this should be reasonable. No time is specified in the regulations so this is up to your judgement on what is reasonable and necessary. Again it should be set out in your privacy policy clearly. You need to ensure that after this period, the data is fully deleted from all locations you store it. The same applies if a user requests you delete their data, which is a valid request under GDPR.
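As an added illustration that is not part of the original post, here is a small Python model of the consent handling described in the last few sections: boxes default to unticked, each contact method and each company is opted into separately, consent can be withdrawn per method, and records are erased on request or once the stated retention period has passed. The channel and company names, the form field names and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CHANNELS = ("email", "sms", "phone")             # hypothetical contact methods
COMPANIES = ("example-co", "example-partner")    # hypothetical companies that may use the data

@dataclass
class Consent:
    user_id: str
    given_at: datetime
    channels: set = field(default_factory=set)   # empty by default: nothing is pre-ticked
    companies: set = field(default_factory=set)

def consent_from_form(user_id, form, now):
    """Build a record from submitted form fields. Only a box the user explicitly
    set to 'on' counts; a missing or unticked box is never treated as consent."""
    c = Consent(user_id, now)
    c.channels = {ch for ch in CHANNELS if form.get(f"consent_{ch}") == "on"}
    c.companies = {co for co in COMPANIES if form.get(f"share_{co}") == "on"}
    return c

def may_contact(consent, channel, company):
    # Both the contact method and the company must have been opted into.
    return channel in consent.channels and company in consent.companies

def withdraw(consent, channel=None):
    # Withdraw one contact method, or everything when no method is named.
    if channel is None:
        consent.channels.clear()
        consent.companies.clear()
    else:
        consent.channels.discard(channel)
    return consent

def purge_expired(store, now, retention_days):
    """Delete records older than the stated retention period; returns purged ids."""
    cutoff = now - timedelta(days=retention_days)
    expired = sorted(uid for uid, c in store.items() if c.given_at < cutoff)
    for uid in expired:
        del store[uid]
    return expired

def erase(store, user_id):
    """Honour a user's deletion request; True if a record existed."""
    return store.pop(user_id, None) is not None
# Constructed sample data: one record older than a year and one recent one.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
def sample_store():
    return {"u-old": Consent("u-old", NOW - timedelta(days=400), {"email"}, {"example-co"}),
            "u-recent": Consent("u-recent", NOW - timedelta(days=10), {"sms"}, {"example-co"})}
```

In a real site the store would be your database, and the same purge would also need to run against backups, logs and any third-party systems you have sent the data to.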
