10 Steps To Make Your Website GDPR Compliant

GDPR Website Compliance

General Data Protection Regulation (GDPR) is looming and is set to come into play on the 25th of May 2018. If you handle any kind of data, you need to make sure that your company stays on the right side of GDPR, and in this blog, we will outline 10 steps to make your website GDPR compliant.

Before we begin with step one, what is GDPR?

GDPR will harmonise data privacy laws in the European Union, changing the ways in which organisations shape their data privacy policies, and giving EU citizens greater protections over their personal data.

The fines set out for GDPR breaches are up to €10 million or 2% of worldwide annual revenue for the prior financial year at the lower level, and up to €20 million or 4% of worldwide annual revenue for the prior financial year at the upper level, in each case whichever is higher. That makes non-compliance a ‘non-option’, so which are the best ways to ensure your website is safeguarding your GDPR compliance? Let’s get into it…

1. Get your privacy policy straight

Your website is the perfect platform to publicise your privacy policy, making it clear how you go about collecting data, where it is stored, how long you keep it and where people can access details which you have stored. You should also set out steps which make it possible for visitors to have their information ‘forgotten’ on request.

2. Use an SSL certificate

If your web address does not start with ‘https://’ in the address bar, it is not as secure as it could be. A Secure Sockets Layer (SSL) certificate (in practice its successor, TLS) encrypts the traffic between a visitor’s browser and your server, so form contents and other details cannot be read in transit. Not only is it good for search engine optimisation, but it also provides visitors with a reassuring padlock symbol when they navigate to your site, showing them that the connection is private. If your hosting is with us, we can arrange for this to be installed and configured.
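Having the certificate installed is half the job; the site also has to send visitors to the https:// version and tell browsers to stay there. As an added example (not the post’s own code, nor anything supplied by the hosting service), here is a small WSGI middleware that redirects plain-http requests to https:// and adds a Strict-Transport-Security header to https responses. The class and function names, the one-year max-age, and the placeholder application are assumptions for illustration.

```python
"""Enforce HTTPS at the application layer (added example, names and values assumed)."""
from urllib.parse import quote


class ForceHTTPS:
    def __init__(self, app, hsts_max_age=31536000, trust_proxy_header=False):
        self.app = app
        self.hsts_value = f"max-age={hsts_max_age}; includeSubDomains"
        # Only honour X-Forwarded-Proto when a proxy you control sets it; otherwise a
        # client could claim "https" on a plain-http connection and skip the redirect.
        self.trust_proxy_header = trust_proxy_header

    def _scheme(self, environ):
        if self.trust_proxy_header and environ.get("HTTP_X_FORWARDED_PROTO"):
            return environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
        return environ.get("wsgi.url_scheme", "http").lower()

    def __call__(self, environ, start_response):
        if self._scheme(environ) != "https":
            # Permanent redirect to the same path and query on https://
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            target = "https://" + host + quote(environ.get("PATH_INFO", "") or "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the app set with our own value
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Placeholder application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app and return (status, headers-as-dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(scheme, host, path="/", query=""):
    """Minimal constructed WSGI environ for a GET request."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


if __name__ == "__main__":
    site = ForceHTTPS(hello_app)
    print(call(site, make_environ("http", "example.com", "/account", "tab=privacy")))
    print(call(site, make_environ("https", "example.com", "/account")))
```

Note the `trust_proxy_header` switch: when your site sits behind a load balancer that terminates TLS, the app only ever sees http and must read the forwarded scheme, but trusting that header from the open internet lets anyone bypass the redirect, so turn it on only when a proxy you control strips and sets it.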

3. No pre-ticks!

If your website features forms which already have consent boxes ticked, under GDPR this is a big no-no. That could mean a box which grants permission for you to contact a visitor again by a number of different means. Boxes should be offered – in the case that you want to contact a visitor in the future or pass on a visitor’s information to a third party – but they must not be pre-ticked.

4. The option to opt out

A user must be able to withdraw their consent through a simple process as and when they want to. That means you must offer a way of unsubscribing from email marketing campaigns – you can include a link to do so in your privacy policy.
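Steps 3 and 4 fit together on the server side: the form renders every consent box unticked, a submission only counts as consent where the box was actively ticked, and a withdrawal is recorded in the same place so you can always show what someone agreed to and when. The following is an added example written for this post, not the author’s code; the purposes, field names and the in-memory ledger are assumptions for illustration.

```python
"""Consent capture and withdrawal for website forms (added example, names assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One separate, unticked box per purpose (assumed purposes and labels).
PURPOSES = {
    "email_marketing": "Email me about offers and news",
    "phone_contact": "Call me about my enquiry",
    "share_with_partners": "Share my details with selected partners",
}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal or never ticked
    at: datetime
    source: str            # where it came from, e.g. "signup_form", "unsubscribe_link"


@dataclass
class ConsentLedger:
    """Append-only record of consent events per email address, so you can show
    when and how consent was given or withdrawn."""
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, email: str, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        self.events.setdefault(email, []).append(ConsentEvent(purpose, granted, at, source))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The most recent event for the purpose decides; no event at all is no consent."""
        latest = None
        for ev in self.events.get(email, []):
            if ev.purpose == purpose and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted

    def withdraw_all(self, email: str, source: str = "unsubscribe_link") -> None:
        """One-click opt-out: withdraw every purpose at once."""
        for purpose in PURPOSES:
            self.record(email, purpose, False, source)


def render_consent_boxes() -> str:
    """HTML fragment for the form: there is no `checked` attribute anywhere."""
    rows = [
        f'<label><input type="checkbox" name="consent_{p}" value="yes"> {label}</label>'
        for p, label in PURPOSES.items()
    ]
    return "\n".join(rows)


def process_signup(form: Dict[str, str], ledger: ConsentLedger,
                   source: str = "signup_form") -> Dict[str, bool]:
    """Read a submitted form. Browsers do not send unticked checkboxes at all, so an
    absent field, or any value other than "yes", is recorded as NOT granted."""
    email = form.get("email", "").strip().lower()
    if not email:
        raise ValueError("email address is required")
    for purpose in PURPOSES:
        ledger.record(email, purpose, form.get(f"consent_{purpose}") == "yes", source)
    return {p: ledger.has_consent(email, p) for p in PURPOSES}


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(render_consent_boxes())
    print(process_signup({"email": "Alice@example.com", "consent_email_marketing": "yes"}, ledger))
    ledger.withdraw_all("alice@example.com")
    print(ledger.has_consent("alice@example.com", "email_marketing"))
```

The point of keeping events rather than a single yes/no flag is evidence: if someone later disputes a mailing, the ledger shows the form, the time and the later withdrawal, and `has_consent` never defaults to yes.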

5. Outline your cookie policy

How you use cookies should be set out in a cookie policy. Make clear what you do with the information you collect via cookies, and you must offer visitors the option to say no to cookie tracking – they can also do this via their browser settings.

6. Define your IP tracking activities

Tracking the IP addresses and geographical locations of visitors with tracking codes on your site is different from using an analytics platform such as Google Analytics. That’s because while Google Analytics gives you ‘anonymous’ data, IP tracking software can tell you more. So if you are storing IP addresses in any way via your site, you need to include this in your privacy policy.
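One practical way to reduce what you hold is to cut addresses down before they ever reach a log or database. As an added example, not from the original post, here are two approaches: truncation (drop the last octet of an IPv4 address and keep only the first 48 bits of an IPv6 one, which is the kind of reduction analytics tools apply), and keyed pseudonymisation (an HMAC that stays stable for counting repeat visitors but cannot be reversed without the key). The log line format and the sample lines are constructed for the example.

```python
"""Reduce stored IP addresses before logging (added example, sample data constructed)."""
import hashlib
import hmac
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample access-log lines (client IP first, as in the common log format).
SAMPLE_LOG = [
    '203.0.113.77 - - [01/May/2018:10:00:01 +0000] "GET /privacy HTTP/1.1" 200 5123',
    '2001:db8:abcd:1234::1 - - [01/May/2018:10:00:02 +0000] "GET /contact HTTP/1.1" 200 2048',
    'not-an-ip - - [01/May/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 1024',
]

LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def anonymise_ip(raw: str) -> str:
    """Truncate: IPv4 keeps the /24, IPv6 keeps the /48. Raises ValueError on garbage."""
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(raw: str, key: bytes) -> str:
    """Keyed hash of the address. This is still personal data while you hold the key,
    so keep the key apart from the logs and rotate it; it only makes re-identification
    harder, it does not make the data anonymous."""
    addr = ipaddress.ip_address(raw)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]


def scrub_log(lines: Iterable[str], key: Optional[bytes] = None) -> List[str]:
    """Rewrite the client IP field of each line; unparsable addresses become '-'."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            out.append(line)
            continue
        try:
            ip = m.group("ip")
            replacement = pseudonymise_ip(ip, key) if key else anonymise_ip(ip)
        except ValueError:
            replacement = "-"
        out.append(f"{replacement} {m.group('rest')}")
    return out


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Truncated addresses are what you want for plain traffic statistics; the keyed form is for when you genuinely need to tell repeat visitors apart, and it belongs in the privacy policy just as the post says, because it is still a record tied to a person.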

7. Email use in social campaigns

Email addresses can be ‘gold dust’ for targeting your social campaigns, but you need to let your users know you are doing this and ask their permission to use them in your campaigns. As ever, you will also need to provide a clear route to ‘opt out’.

8. Re-marketing

If you are tracking activity using cookies and then using this information to perform re-marketing, this should be included in the cookies section of your privacy policy.

9. Perfect your payment system

Payment systems always need to be secure, and this has become all the more pertinent in the face of GDPR. Ecommerce businesses, in particular, need to be aware that their website will be collecting personal data as part of the payment process before the data goes into the payment gateway. An SSL certificate is one way of ensuring that all this information is encrypted in transit, and you need to know whether your website is storing details after the payment has been processed and have processes in place to remove those details so you do not hold on to them for a significant period. The length of this period is not specified in GDPR, but it is reasonable to assume it means a total of no more than around two months. You should also be prepared to tell a person what data you hold on them as a result of payments, and to delete this data should they request that you do so.
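The three obligations in that paragraph (purge after a retention period, tell a person what you hold, delete on request) are easiest to meet when the data lives in one place with one routine for each. As an added example, not the post’s own code, here is an in-memory store for the personal data a site keeps around an order. The card number and CVV are refused outright, because they belong in the payment gateway; the 60-day figure is an assumption standing in for the post’s “around two months”, and the class and field names are made up for illustration.

```python
"""Retention, access and erasure for checkout data (added example, values assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_DAYS = 60  # assumption standing in for "around two months"

# Fields your own site must never store; the payment gateway holds them.
FORBIDDEN_FIELDS = {"card_number", "cvv", "cvc", "expiry"}


@dataclass
class PaymentRecord:
    subject_email: str
    order_id: str
    created_at: datetime
    details: Dict[str, str] = field(default_factory=dict)  # billing name, address, etc.


class PaymentStore:
    def __init__(self) -> None:
        self.records: List[PaymentRecord] = []

    def add(self, email: str, order_id: str, details: Dict[str, str],
            now: Optional[datetime] = None) -> PaymentRecord:
        """Store what the checkout collected, refusing anything that looks like card data."""
        leaked = FORBIDDEN_FIELDS & {k.lower() for k in details}
        if leaked:
            raise ValueError(f"refusing to store card data: {sorted(leaked)}")
        rec = PaymentRecord(email.strip().lower(), order_id,
                            now or datetime.now(timezone.utc), dict(details))
        self.records.append(rec)
        return rec

    def export_for_subject(self, email: str) -> List[Dict[str, str]]:
        """What you would hand to someone asking what you hold on them."""
        email = email.strip().lower()
        return [{"order_id": r.order_id, "collected_at": r.created_at.isoformat(), **r.details}
                for r in self.records if r.subject_email == email]

    def erase_subject(self, email: str) -> int:
        """Delete everything for one person; returns how many records were removed."""
        email = email.strip().lower()
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_email != email]
        return before - len(self.records)

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Scheduled job: drop records older than the retention period."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self.records)
        self.records = [r for r in self.records if r.created_at >= cutoff]
        return before - len(self.records)


if __name__ == "__main__":
    store = PaymentStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.add("bob@example.com", "A100", {"name": "Bob", "postcode": "AB1 2CD"}, now=t0)
    print(store.export_for_subject("bob@example.com"))
    print(store.purge_expired(now=t0 + timedelta(days=RETENTION_DAYS + 1)))
```

Run `purge_expired` from a scheduled task so the retention period is enforced without anyone remembering to do it; the subject-access export is also a quick way to check what your checkout is actually keeping.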

10. Report your data breaches

Should you suffer a data breach, it is important that you report it in the right way to the Information Commissioner’s Office (ICO). You should also know that you might have to report the breach to the individuals affected. The regulations state that you should notify the ICO of a breach if the compromise of information is likely to result in a risk to the rights and freedoms of individuals – that could mean financial loss, discrimination or damage to reputation.

To summarise

If there is one part of the GDPR regulations to cling to with regards to the privacy information that you provide on your website, it is that the information should be “concise, transparent, intelligible and easily accessible; written in clear and plain language – particularly if addressed to a child; and free of charge”.

Look at your existing privacy policy and identify any holes – you may need to rewrite it completely. Start with the basics – where does the information on your website come from, where do you store it and how do you use it? Try to steer clear of any jargon, and if your website isn’t SSL certified, it is time to get encrypted!

We hope you have found this blog useful and wish your organisation the best of success, post-GDPR.