What is GDPR?
In a nutshell, the General Data Protection Regulation (GDPR) sets out changes in the way that data is captured, used and managed. It is due to come into force on 25 May and there will be harsh consequences for companies that use personal data without explicit consent.
For businesses like yours, this new regulation is not simply about getting opt-in for your email newsletter mailing lists. It’s about the internal processes you use to keep personal data safe. You need to know exactly what personal data you hold and why you hold it. You need to have permission to use that data, know where it is stored, who has access to it, and how you are keeping it safe.
Now while we can’t give you advice on all of these areas, in our research into this area we’ve picked up a few pointers on how these changes might translate into the way your website works.
So, what are the key things you might want to think about when considering how to make your website GDPR compliant?
1. Ask for express permission
Using clear and unambiguous language makes sure individuals know what they are signing up for. They must understand how you are planning on using their data and they must agree to each specific purpose separately. For example, if you collect personal data for one reason, say to provide a quote, you cannot use it for another like sending marketing emails – you need to get separate permission for that and ‘unbundled consent’ for the different channels you might use such as email or text message.
2. Keep personal data safe
High up on the list of important tasks is to ensure that you have a Secure Sockets Layer (SSL) certificate: a security measure that ensures passwords, card details or other sensitive information sent from a user’s browser to your website server is encrypted in transit and therefore kept private. You may already have an SSL certificate – if there is a padlock icon next to your domain name in the browser’s address bar, then you’re already using one. If not, then organise this with your hosting company.
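The padlock check above can also be done from a script, which is useful for catching a certificate that is about to expire or that does not cover the `www` name as well as the bare domain. The following is an added example (it is not from the original post); it uses only the Python standard library, treats `www.example.com` as a placeholder hostname, and the `SAMPLE_CERT` below is a constructed certificate in the dict format that `getpeercert()` returns, so the checks can be exercised offline.

```python
"""Added example: check that a site's HTTPS certificate is valid for its
hostname and not about to expire. Not part of the original post."""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # flag certificates that expire within this many days

# Constructed sample certificate, in the dict form SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the hostname.
    A leading '*.' covers exactly one label (www.example.com, not a.b.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def evaluate_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Inspect a certificate dict and return a list of problems found.
    An empty list means the certificate covers the hostname and is in date."""
    problems = []
    # ssl.cert_time_to_seconds() parses the "Jan  1 00:00:00 2024 GMT" format as UTC.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    elif now + timedelta(days=WARN_DAYS) > not_after:
        problems.append(f"certificate expires within {WARN_DAYS} days")
    # Browsers match the hostname against the subjectAltName DNS entries, not the CN.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"certificate does not cover {hostname}")
    return problems


def fetch_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the server's leaf certificate.
    create_default_context() verifies the chain against the system trust store, so
    an untrusted or self-signed certificate raises ssl.SSLCertVerificationError."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_tls.py www.example.com  (hostname is a placeholder)
        host = sys.argv[1]
        cert = fetch_certificate(host)
    else:                  # no argument: evaluate the constructed sample offline
        host, cert = "www.example.com", SAMPLE_CERT
    issues = evaluate_certificate(cert, host, datetime.now(timezone.utc))
    print("OK" if not issues else "\n".join(issues))
```

Run it against each hostname your visitors actually type (the bare domain and the `www` form), because a certificate issued for one does not automatically cover the other; a cron job that emails the output is a cheap way to hear about an expiring certificate before your visitors see a browser warning.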
3. Don’t ask for data you don’t need
Holding unnecessary personal data is a breach of GDPR, so get rid of all data you don’t need or use and revise your contact forms to request only the necessary information. It must be easy for users to withdraw permissions too, so make sure your contact preferences page is noticeable.
4. Using third parties
It is your responsibility as the data owner (also known as the ‘data controller’) to ensure that all personal data you control is processed properly, even if the processing work is subcontracted out. When third parties are involved, for example when data is transferred to payment gateways for e-commerce websites, you need to confirm they are complying with GDPR. Your customers also need to know which third parties are being used and who is handling their data.
5. Keep it clear and transparent
6. Update regularly
You can make sure that everything is kept up-to-date by:
- Ensuring your website and plugins are updated regularly, so that known vulnerabilities are patched before they can be used to compromise the site
- Making sure your website files and database are backed up every day over a secure connection
- Regularly reviewing permission levels in your website admin systems
- Ensuring your systems and processes take into account how long data remains and how it’s deleted
- Ensuring you have a good understanding and documented record of the data you presently hold
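The last two points in the list (knowing how long data remains and how it is deleted, and having a documented record of what you hold) are easiest to act on when the retention rules are written down in a form that can be applied mechanically. The following is an added example, not code from the original post: a small retention sweep in Python over constructed sample records. The policy figures and the purposes (`quote_request`, `order`, `newsletter`) are assumptions for illustration, not legal advice; the point it demonstrates is that consent-based data goes as soon as consent is withdrawn, contract-based data is kept for its documented period regardless, and data held for a purpose that is not in the policy is flagged for review rather than kept quietly.

```python
"""Added example: a retention sweep that decides, per record, whether personal
data is kept, deleted or flagged for review. Not part of the original post."""
from datetime import datetime, timezone

# Constructed policy (assumed figures, not legal advice): for each purpose, how long a
# record may be kept after its last activity, and the lawful basis it rests on.
# Consent-based data is deleted as soon as consent is withdrawn; contract-based data
# (e.g. orders) is kept for its full period regardless of marketing preferences.
RETENTION_POLICY = {
    "quote_request": {"max_days": 180, "basis": "consent"},
    "order": {"max_days": 365 * 6, "basis": "contract"},
    "newsletter": {"max_days": None, "basis": "consent"},  # kept until unsubscribed
}

# Constructed sample records, as a website database might hold them.
SAMPLE_RECORDS = [
    {"id": "q1", "purpose": "quote_request", "last_activity": datetime(2023, 10, 1, tzinfo=timezone.utc)},
    {"id": "q2", "purpose": "quote_request", "last_activity": datetime(2024, 4, 1, tzinfo=timezone.utc)},
    {"id": "o1", "purpose": "order", "last_activity": datetime(2019, 1, 1, tzinfo=timezone.utc),
     "consent_withdrawn": True},
    {"id": "n1", "purpose": "newsletter", "last_activity": datetime(2018, 1, 1, tzinfo=timezone.utc),
     "consent_withdrawn": True},
    {"id": "n2", "purpose": "newsletter", "last_activity": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    {"id": "x1", "purpose": "analytics_export", "last_activity": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]


def classify_record(record: dict, policy: dict, now: datetime) -> str:
    """Return 'keep', 'delete' or 'review' for one record."""
    rule = policy.get(record["purpose"])
    if rule is None:
        # Data held for a purpose that is not in the documented policy is never kept
        # silently: it is flagged so someone decides (and documents) what it is for.
        return "review"
    if rule["basis"] == "consent" and record.get("consent_withdrawn"):
        return "delete"
    if rule["max_days"] is None:
        return "keep"
    age_days = (now - record["last_activity"]).days
    return "delete" if age_days > rule["max_days"] else "keep"


def sweep(records: list, policy: dict, now: datetime) -> dict:
    """Partition records into the three decisions; returns {'keep': [ids], ...}."""
    result = {"keep": [], "delete": [], "review": []}
    for record in records:
        result[classify_record(record, policy, now)].append(record["id"])
    return result


if __name__ == "__main__":
    decisions = sweep(SAMPLE_RECORDS, RETENTION_POLICY, datetime(2024, 6, 1, tzinfo=timezone.utc))
    for decision, ids in decisions.items():
        print(f"{decision}: {', '.join(ids) or '-'}")
```

In practice the `delete` list would feed the actual deletion (and the same deletion should reach your backups' retention window), and the `review` list is a to-do for updating the documented record of the data you hold; both lists are worth logging, since the log is the evidence that the process runs.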
Remember, the advice we offer here is only our interpretation of the facts and is just the tip of the iceberg. GDPR is about much more than requesting permissions for your digital marketing. It will affect your whole business – but your website is a good place to start.