New legislation in the area of data protection means businesses and organisations must ensure their website is compliant. There are quite a few bases to cover here, so let’s dive straight in.
The General Data Protection Regulation (GDPR) is a series of changes to the way data is captured, used and managed. It is due to come into effect in May 2018, so making sure your website is compliant is essential.
At this point, it’s important to remember that GDPR will impact more than just your website. It’s going to have a much broader impact across all areas of your business or organisation regarding the storage of personal data. But for the sake of specificity, we’re just talking about websites here, making recommendations for the specific changes you will need to make.
Fines for non-compliance with GDPR are up to €20 million, or 4% of your global turnover, whichever is greater.
It’s also worth noting that even though this new regulation was created by the European Commission, with the aim of standardising data protection procedures across the EU, GDPR still matters to companies within the UK. Even with Brexit looming, the UK will still be in the union when GDPR officially comes into effect this year. What’s more, compliance is essential for any UK-based company that wishes to conduct business within the EU.
In any case, failure to comply with GDPR can result in a hefty fine that could be detrimental to your company. So without further ado, here are 3 key areas you should consider in order to make your website GDPR compliant.
Disclaimer: These are some tips to help you understand the impact of GDPR compliance. Make sure you seek legal advice if you are not sure how to tackle the new European regulation before May 25th.
1. Getting consent — Active, Unbundled, and Granular opt-in
Consent is a key part of GDPR legislation and it is important for any website that collects personal data — for whatever reason — to obtain specific permission to use it in the course of their business. This means being absolutely transparent about obtaining personal information from your website visitors.
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be left blank. You can no longer force users to actively opt out by presenting pre-selected tick-boxes, or bury consent inside lengthy terms and conditions; that is classed as bad user experience, and it definitely needs to be changed by May.
In addition to the above, the consent you ask for should be set out separately: acceptance of your terms and conditions on the one hand, and consent for each other way you intend to use the data on the other. In other words, it needs to be totally unambiguous what action users are taking at each and every level.
Your users need to be able to provide separate consent for different types