10 Steps To Make Your Website GDPR Compliant
General Data Protection Regulation (GDPR) is looming and is set to come into play on the 25th of May 2018. If you handle any kind of data, you need to make sure that your company stays on the right side of GDPR, and in this blog, we will outline 10 steps to make your website GDPR compliant.
Before we begin with step one, what is GDPR?
GDPR will harmonise data privacy laws in the European Union, changing the ways in which organisations shape their data privacy policies, and giving EU citizens greater protections over their personal data.
The fines set out for GDPR breaches are up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, at the lower level, and up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, at the upper level, making non-compliance a ‘non-option’. So which are the best ways to ensure your website is safeguarding your GDPR compliance? Let’s get into it…
2. Use an SSL certificate
If your web address does not start with ‘https://’ in the address bar, it is not as secure as it could be. A Secure Sockets Layer (SSL) certificate lets your server encrypt the traffic between a visitor’s browser and your site, so that form submissions and other personal details are not readable in transit. Not only is it good for search engine optimisation, but it also shows visitors a reassuring padlock symbol when they navigate to your site, signalling that the connection is encrypted. If your hosting is with us, we can arrange for this to be installed and configured.
3. No pre-ticks!
If your website features forms which already have boxes for consent ticked, under GDPR this is a big no-no. That could mean a box which provides permission for you to contact a visitor again by a number of different means. Boxes should be offered – in the case that you want to contact a visitor in the future or pass on a visitor’s information to a third party – but they should not be pre-ticked.
4. The option to opt out
6. Define your IP tracking activities
7. Email use in social campaigns
Email addresses can be ‘gold dust’ in targeting your social campaigns, but you need to let your users know you are doing this, as well as ask their permission to use them in your campaigns. As ever, you will also need to provide a clear route to ‘opt out’.
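Steps 3, 4 and 7 above come down to the same form-handling rules: one box per purpose, none pre-ticked, only an explicit tick counts, and withdrawal is always possible. The following Python is an added illustration of those rules (not code from this post or from any particular CMS); the purpose names, labels and form field names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One checkbox per purpose/channel, none pre-ticked (purposes and labels are constructed).
CONSENT_PURPOSES = {
    "email_marketing": "Contact me by email about offers",
    "phone_marketing": "Contact me by phone about offers",
    "third_party_sharing": "Pass my details on to selected partners",
    "social_ad_matching": "Use my email address to target social media campaigns",
}


def render_consent_fields() -> str:
    """Return the consent checkboxes as HTML; deliberately no `checked` attribute."""
    return "\n".join(
        f'<label><input type="checkbox" name="consent[{name}]" value="yes"> {label}</label>'
        for name, label in CONSENT_PURPOSES.items()
    )


@dataclass
class ConsentRecord:
    subject_id: str
    policy_version: str  # which privacy wording the visitor actually saw
    granted: dict = field(default_factory=dict)    # purpose -> ISO timestamp given
    withdrawn: dict = field(default_factory=dict)  # purpose -> ISO timestamp withdrawn


def record_consent(subject_id: str, form: dict, policy_version: str, now=None) -> ConsentRecord:
    """Only the explicit tick value our form sends ('yes') counts as consent.

    A missing field, an empty value or anything else means no consent, so
    nothing is ever inferred from a default, a pre-ticked box or a forged value.
    """
    now = now or datetime.now(timezone.utc)
    record = ConsentRecord(subject_id, policy_version)
    for purpose in CONSENT_PURPOSES:
        if form.get(f"consent[{purpose}]") == "yes":
            record.granted[purpose] = now.isoformat()
    return record


def withdraw_consent(record: ConsentRecord, purpose: str, now=None) -> ConsentRecord:
    """The opt-out route: keep the original grant for the audit trail, add a withdrawal time."""
    now = now or datetime.now(timezone.utc)
    record.withdrawn[purpose] = now.isoformat()
    return record


def may_contact(record: ConsentRecord, purpose: str) -> bool:
    """Check before every send or share: granted for this purpose, and not withdrawn since."""
    return purpose in record.granted and purpose not in record.withdrawn
```

Keeping the policy version and both timestamps on the record is what lets you later show which wording a person agreed to and when they opted out.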
9. Perfect your payment system
Payment systems always need to be secure, and this has become all the more pertinent in the face of GDPR. Ecommerce businesses, in particular, need to be aware that their website will be collecting personal data as part of the payment process before the data goes into the payment gateway. An SSL certificate is one way of ensuring that all this information is sufficiently encrypted in transit. You also need to be aware of whether your website is storing details after the payment has been processed, and have processes in place to remove those details so you do not hold on to them for a significant period. The length of this period is not specified in GDPR, but it can be safe to assume it refers to a total of no more than around two months. You should also be prepared to notify a person of any data which you hold on them as a result of payments, and to delete this data should they request that you do so.
10. Report your data breaches
Should you suffer a data breach, it is important that you report it in the right way to the Information Commissioner’s Office (ICO). You should also know that you might have to report the breach to the affected individuals themselves. The regulations state that you should notify the ICO of a breach if the compromise of information is likely to result in a risk to the rights and freedoms of individuals – that could mean financial loss, discrimination or damage to reputation.
If there is one part of the GDPR regulations to cling to with regards to the privacy information that you provide on your website, it is that the information should be “concise, transparent, intelligible and easily accessible; written in clear and plain language – particularly if addressed to a child; and free of charge”.
We hope you have found this blog useful and wish your organisation the best of success, post-GDPR.