New legislation in the area of data protection means businesses and organisations must ensure their website is compliant. There are quite a few bases to cover here, so let’s dive straight in.
The General Data Protection Regulation (GDPR) is a series of changes to the way data is captured, used and managed. It comes into effect in May 2018, so making sure your website is compliant is essential.
At this point, it’s important to remember that GDPR will impact more than just your website. It’s going to have a much broader impact across all areas of your business or organisation regarding the storage of personal data. But for the sake of specificity, we’re just talking about websites here, making recommendations for the specific changes you will need to make.
Fines for non-compliance with GDPR are up to €20 million or 4% of your global turnover, whichever is greater.
It’s also worth noting that although this new regulation was created by the European Commission with the aim of standardising data protection procedures across the EU, it still matters to companies within the UK. Even with Brexit looming, the UK will still be in the union when GDPR officially comes into effect this year. What’s more, compliance is essential for any UK-based company that wishes to conduct business within the EU.
In any case, failure to comply with GDPR can result in a hefty fine that could be detrimental to your company. So without further ado, here are three key areas you should consider in order to make your website GDPR compliant.
Disclaimer: These are some tips to help you understand the impact of GDPR compliance. Make sure you seek legal advice if you are not sure how to tackle the new European Regulation before May 25th.
1. Getting consent — Active, Unbundled, and Granular opt-in
Consent is a key part of GDPR legislation and it is important for any website that collects personal data — for whatever reason — to obtain specific permission to use it in the course of their business. This means being absolutely transparent about obtaining personal information from your website visitors.
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You can no longer force users to actively opt out of pre-selected tick-boxes, or bury consent under lengthy terms and conditions or boxes that are already checked; that’s classed as bad user experience, and definitely needs to be changed by May.
In addition to the above, the consent you ask for should be set out separately for accepting terms and conditions and for each other way you intend to use the data. In other words, it needs to be totally unambiguous to users what action they are taking at each and every level.
Your users need to be able to provide separate consent for different types of communication (post, email, SMS, telephone etc.). For example, they need to be able to tick email communications but not post, if they want to. Again, bundling consent for different types of actions or permissions is not permitted under the new legislation.
While we’re on the subject, it’s equally important to make it just as easy for users to withdraw consent as it was to grant it, and to let them know that they have the option to do so.
2. Highlight and identify — Named parties, T&C’s, and Cookies
As you’ve probably gathered by now, being open and informative with users is essential to GDPR compliance. You will be required to bring a number of important aspects to their attention that may otherwise go overlooked, or that simply weren’t required prior to the new legislation.
Web forms must clearly identify each party for which consent is being granted. It isn’t enough to mention that third-party organisations are involved; you will need to state who they are and how they will be using the data.
Privacy notice and terms and conditions
Terms and conditions on your website will need to be updated to reference GDPR terminology. Specifically, you’ll need to make it clear what you intend to do with the information once you’ve received it, and how long you’ll retain it (both on your website and elsewhere). How and why you’re collecting the data will also need to be stated, so you will need to specify any software or applications you’re using to help facilitate that.
Cookies
The regulation treats a cookie that can identify an individual via their device as personal data. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, consent must be given through a clear affirmative action (the same as with the active opt-in forms mentioned earlier), such as clicking an opt-in box or choosing settings or preferences on a settings menu. This must happen before any such cookies are set on a first visit to the site. Once a fair notice has been shown, continuing to browse can in most circumstances count as valid consent via affirmative action. Simply visiting a site no longer counts as consent.
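The cookie gating described here, together with the active, granular and revocable opt-in rules from section 1, as an added example that is not code from the original article. It assumes a localStorage-style store exposing getItem/setItem and three constructed cookie categories; anything that would set a non-essential cookie is wrapped in gate() so it only runs once the relevant consent exists.

```javascript
// Added example (not code from the article). Consent manager enforcing the
// rules above: all categories start unchecked, each is granted separately,
// withdrawal is one call, and code that sets non-essential cookies waits.
// Category names and the getItem/setItem store shape are assumptions.
const CATEGORIES = ["analytics", "advertising", "functional"];

class ConsentManager {
  constructor(store) {
    this.store = store;        // localStorage-like: getItem/setItem
    this.pending = new Map();  // category -> loaders waiting for consent
    let saved = null;
    try { saved = JSON.parse(store.getItem("consent")); } catch (e) {}
    this.record = saved || ConsentManager.defaultRecord();
  }
  // Nothing pre-ticked: the default record refuses every category.
  static defaultRecord() {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = false;
    return { choices, updatedAt: null };
  }
  save() {
    this.record.updatedAt = new Date().toISOString();
    this.store.setItem("consent", JSON.stringify(this.record));
  }
  // Grant only the named categories; unrelated ones are untouched.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error("unknown category: " + c);
      this.record.choices[c] = true;
    }
    this.save();
    for (const c of categories) {            // release deferred loaders
      for (const fn of this.pending.get(c) || []) fn();
      this.pending.delete(c);
    }
  }
  // Withdrawing must be as easy as granting: one call, no confirmation maze.
  withdraw(category) { this.record.choices[category] = false; this.save(); }
  isAllowed(category) { return this.record.choices[category] === true; }
  // Run loader now if consented, otherwise hold it; returns whether it ran.
  gate(category, loader) {
    if (this.isAllowed(category)) { loader(); return true; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }
}
// Constructed in-memory store standing in for the browser's localStorage.
const makeStore = () => ({ data: {}, getItem(k) { return k in this.data ? this.data[k] : null; },
                           setItem(k, v) { this.data[k] = v; } });
```

In a real page the loader passed to gate() would be the function that injects the analytics or chat script; the consent record persists across visits, so a returning visitor's earlier refusal still blocks those loaders.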
3. Security — Access and Encryption
Finally, we come to the heart of GDPR, and that’s the actual protection of the data itself. Under new legislation, you will be required to implement stringent internal processes and online encryption that prevent the loss and theft of data being stored on your website.
Being aware of who has access to the personal data that is logged and stored in your website’s CRM is essential. The first step to compliance is to understand exactly who these people are and compile a list. You should then examine the list and determine whether each of them genuinely requires access to this data. If the answer is no, their access should be revoked and measures must be put in place to control future access.
The safest way to prevent data loss is to keep the data on your website encrypted. While some web browsers began penalising unsafe websites back in 2017, new GDPR legislation will require all websites to have an SSL Certificate.
SSL stands for ‘Secure Socket Layer’ and is an additional protocol layered beneath the ‘http’ that typically prefixes website addresses, effectively switching out the old ‘http’ for the newer, more secure ‘https’.
We published an article on the subject last October, when Google Chrome introduced measures to mark websites without an SSL Certificate as insecure, which you can read here.
But to break it down: both ‘http’ and ‘https’ are variants of the same communication protocol over which data is transferred between your browser and the website you are viewing. The Secure Socket Layer present in https, however, encrypts all data in transit so that anyone intercepting the connection cannot read or tamper with it.
If you’re unsure whether your website currently has an SSL Certificate, check for the little green padlock symbol displayed in the address bar of your browser when visiting your website (as shown above).
If the green padlock is missing (you’ll most likely see a red one in its place), you’ll need to get in touch with your web developer or web hosting provider.