Is your website prepared for GDPR?

What is GDPR?

In a nutshell, the General Data Protection Regulation (GDPR) sets out changes in the way that data is captured, used and managed. It is due to come into force on 25 May and there will be harsh consequences for companies that use personal data without explicit consent.

For businesses like yours, this new regulation is not simply about getting opt-in for your email newsletter mailing lists. It’s about the internal processes you use to keep personal data safe. You need to know exactly what personal data you hold and why you hold it. You need to have permission to use that data, and to know where it is stored, who has access to it, and how you are keeping it safe.

While we can’t give you advice on all of these areas, our research has turned up a few pointers on how these changes might translate into the way your website works.

So, what are the key things you might want to think about when considering how to make your website GDPR compliant?

1. Ask for express permission

If you collect personal data from your website users, you need to get their permission. Contact forms should include checkboxes (unticked by default) where users agree to the collection of data in line with your privacy policy. Email subscription forms should use double opt-in consent: when a new subscriber adds their email address to your list, you send them a confirmation email and only add them once they click the link in it. This is best practice from a marketing perspective anyway, as we all want high open rates and engaged readers!

Using clear and unambiguous language makes sure individuals know what they are signing up for. They must understand how you plan to use their data, and they must agree to each specific purpose separately. For example, if you collect personal data for one reason, say to provide a quote, you cannot use it for another, such as sending marketing emails. You need separate permission for that, and ‘unbundled consent’ for each of the different channels you might use, such as email or text message.

2. Keep personal data safe

High up on the list of important tasks is to ensure that your website has a Secure Socket Layer (SSL) certificate (in practice this means HTTPS, which today uses SSL’s successor, TLS). This is a security measure that ensures passwords, card details and other sensitive information sent from a user’s browser to your web server are encrypted in transit and therefore kept private. You may already have one: if there is a padlock icon next to your domain name in the browser, you’re already using it, though check that every page, not just the checkout or login page, is served over HTTPS. If not, organise this with your hosting company.

3. Don’t ask for data you don’t need

Holding unnecessary personal data is a breach of GDPR, so get rid of all data you don’t need or use and revise your contact forms to request only the necessary information. It must be easy for users to withdraw permissions too, so make sure your contact preferences page is noticeable.

4. Using 3rd parties

It is your responsibility as the data owner (also known as the ‘data controller’) to ensure that all personal data you control is processed properly, even if the processing work is subcontracted out. When 3rd parties are involved, for example when data is transferred to a payment gateway on an e-commerce website, you need to confirm that they are complying with GDPR. Your customers also need to know which 3rd parties are being used and who is handling their data.

5. Keep it clear and transparent

Your privacy policy must explain what data you collect and why, how you store it, what you intend to do with it, how long you intend to keep it and who you share it with. Make sure it is written in plain English and clearly signposted on your site.

Have a system in place for users to acknowledge the use of cookies. Provide easy access to information on what the cookies do and details on how to block them. You may want to carry out an audit of cookies on your website.

6. Update regularly

You can make sure that everything is kept up-to-date by:

  • Ensuring your website, its software and plugins are updated regularly to reduce the risk of the site being compromised
  • Making sure your website files and database are backed up every day over a secure connection, and that the backups themselves are stored securely
  • Regularly reviewing permission levels in your website admin systems
  • Ensuring your systems and processes take into account how long data remains and how it’s deleted
  • Ensuring you have a good understanding and documented record of the data you presently hold

Remember, the advice we offer here is only our interpretation of the regulation and is just the tip of the iceberg. GDPR is about much more than requesting permissions for your digital marketing. It will affect your whole business, but your website is a good place to start.


Need more help?

If you’re struggling to get your head around how to make your website GDPR compliant, then get in touch. We can help with some of the technical work to make the process a little easier: for example, we can carry out a cookie audit on your website, add a consent tick box to your contact forms, or review your hosting, security and plugins.

You don’t have long now, so make sure your website and online marketing are GDPR compliant. Put the security of personal data at the heart of all your business processes and you shouldn’t go too far wrong.
