Is your website compliant with the requirements of the GDPR, due to come into effect in May 2018? Here are 10 changes you need to make to your website now to stay on the right side of the law and to keep your customers happy.
In this post we cover specifically the narrow area of how to make your website GDPR compliant, and make recommendations for the specific changes you will need to make. GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity, such as email marketing, social media and e-commerce. The golden thread that ties all of these recommendations together is that under the GDPR the requirement that consent be given freely, and be specific and informed, is being strengthened with new rules, which means businesses like ours need to provide more transparency. Here are 10 steps you will want to review for your website and discuss with your web development team. Any questions, feel free to get in touch with us at Lowaire.
1. FORMS: ACTIVE OPT-IN
On forms that invite users to subscribe to newsletters or to contact you, contact preferences must default to “no” or be left blank, with granular opt-in options (phone, email and SMS). Check your forms to ensure this is the case, or from the 25th of May you won’t have consent to contact the visitors who reach you through your contact forms.
2. UNBUNDLED OPT-IN
The consent you ask for should be set out separately: acceptance of your terms and conditions on one side, and consent for each other use of the data you require on the other.
In the example below, Sainsbury’s clearly sets out acceptance of its terms and conditions and, separately, an active opt-in for contact permissions, but there is no granular opt-in.
3. GRANULAR OPT-IN
Users should be able to give separate consent for each different type of processing of their data, such as marketing.
In the example below, ABC Awards ask for specific permission for each type of processing (post, email, telephone) and also ask permission to pass details on to a third party. We at Lowaire already have ours in place. This is something that all sites will have to adopt.
4. EASY TO WITHDRAW PERMISSION OR OPT-OUT
Under the GDPR it must be just as easy to withdraw consent as it was to grant it. Individuals always need to know that they have the right to withdraw their consent, as well as to view the information you hold about them.
In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication, easily changing the frequency of communication, or stopping all communications entirely.
5. NAMED PARTIES
Your web forms must clearly identify each party to which consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations; they need to be named.
In this example you can see that John Lewis understands this: separate, named permissions are requested for updates from each of Waitrose, John Lewis and John Lewis Financial Services.
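Points 1 to 5 above describe one consent design: opt-ins unticked by default, terms kept apart from marketing consent, one tick per channel, every party named, and withdrawal as easy as granting. The following is an added example, not code from the original post, of a server-side audit of a form definition against those points and of the consent record it produces; all field, party and channel names are constructed.

```javascript
// Added example, not code from the original post: audit a consent form
// definition against points 1-5 and build the consent record to store.
// All field, party and channel names here are constructed.

const CHANNELS = ["post", "email", "telephone", "sms"];
// Category labels that do not name a party (point 5 requires real names).
const GENERIC_PARTY = /^(selected |trusted |carefully chosen )?(third parties|partners)$/i;

// Constructed sample: what the form renders (defaultChecked) and what the
// visitor submitted (checked). Terms acceptance is a separate field.
const sampleForm = {
  termsAccepted: true,
  optIns: [
    { party: "Lowaire", channel: "email", defaultChecked: false, checked: true },
    { party: "Lowaire", channel: "sms", defaultChecked: false, checked: false },
    { party: "Example Partner Ltd", channel: "post", defaultChecked: false, checked: true },
  ],
};

// Returns design defects found in a form; an empty list means it passes.
function auditConsentForm(form) {
  const problems = [];
  if (typeof form.termsAccepted !== "boolean") problems.push("terms acceptance must be its own field");
  for (const o of form.optIns) {
    const id = `${o.party}/${o.channel}`;
    if (o.defaultChecked) problems.push(`${id}: opt-in is pre-ticked (must default to no)`);
    if (!CHANNELS.includes(o.channel)) problems.push(`${id}: not a granular channel`);
    if (!o.party || GENERIC_PARTY.test(o.party)) problems.push(`${id}: party is not named`);
  }
  return problems;
}

// Builds the record to store: only what was actively ticked, with a timestamp.
function recordConsent(form, now) {
  if (!form.termsAccepted) throw new Error("terms not accepted");
  return {
    termsAcceptedAt: now,
    consents: form.optIns.filter(o => o.checked)
      .map(o => ({ party: o.party, channel: o.channel, grantedAt: now, withdrawnAt: null })),
  };
}

// Point 4: withdrawing one stream is a single call, not a full unsubscribe.
function withdrawConsent(record, party, channel, now) {
  for (const c of record.consents) {
    if (c.party === party && c.channel === channel && !c.withdrawnAt) c.withdrawnAt = now;
  }
  return record;
}

function activeConsents(record) {
  return record.consents.filter(c => !c.withdrawnAt);
}
```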
The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It must be concise, transparent and easily accessible.
You will also need to update the terms and conditions on your website to reference GDPR terminology and meet the key principles of the GDPR. Specifically, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain it, both on your website and in your office systems.
Make sure all your websites cover the all-important items, such as:
- How personal data is collected by your site, why you collect it, how you use it and how you protect it, and who else has access to it; you must also provide all your data subjects with the right to give or receive their data.
- You must also make sure you have a transparent and easy way for subjects to remove or obtain the information you hold on them.
- Don’t forget to assign a data protection officer and make sure their contact details are clear and easy to find.
- You will need a DPIA (data protection impact assessment); this is a legal requirement. As well as the DPIA you will also need a data flow, which must clearly show the data access points. This can be presented however you like, but you must have one.
7. ONLINE PAYMENTS
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions (lucky for you!). However, your own website may be collecting personal data before passing the details onto the payment gateway.
If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgment as to what can be defended as reasonable and necessary, but the GDPR does also state that you must not hold onto unnecessary data without a lawful basis.
8. THIRD PARTY TRACKING SOFTWARE
Things now start to get tricky when it comes to third-party tracking software.
Many websites use third-party marketing automation software. These might be lead tracking applications such as Google Analytics, Lead Forensics or Clicky, or call tracking applications such as Infinity Call Tracking.
The use of these tracking applications raises some very interesting questions in terms of GDPR compliance. At first glance, these applications track users in ways they would not expect and for which they have not granted consent; for example, they track your behaviour each time you return to a website or view a specific page on that site.
However, the suppliers of these applications assure us they are GDPR compliant, and they do seem to be changing their systems to protect the privacy of visitors. For example, Hotjar now hides any sensitive information or numbers which visitors input into your website.
The providers of these tools are confident that they are GDPR compliant. But if the software is doing something illegal, then it is your business’s responsibility as the data controller. So make sure you understand your third-party tracking.
9. WHAT ABOUT GOOGLE ANALYTICS AND GOOGLE TAG MANAGER?
If you use either of these, take a look at their page: How Google complies with data protection laws.
Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system; it is against Google Analytics policy to collect PII (personally identifiable information).
- If you use Google Analytics, this means that Google is your data processor and you are the data controller.
- With regards to Google Tag Manager: it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services.
- Again, Google Tag Manager does not collect PII, as it is against their policy.
10. COOKIES, WHAT ARE THEY ALL ABOUT?
Under the GDPR, you must clearly display which active cookies are used within your website. In addition, a cookie notification banner must be present which gives the user the ability to disable non-necessary cookies, or all of them together.
When it comes to cookie notifications, you must:
- Tell data subjects what they are; the best way to do this is to create a hyperlink to the cookie information page.
- Tell the data subject how you use them.
- Give the data subject the right to disable the cookies on your site as well.
This is an example of a non-compliant cookie notification, which assumes consent:
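To make the cookie requirements above concrete, here is an added example (not code from the original post) of a client-side consent gate: nothing but necessary scripts runs until the stored consent says otherwise, and an inventory check flags any cookie the site sets that its cookie information page has not declared. The cookie names, script paths and consent cookie format are all constructed.

```javascript
// Added example, not code from the original post: a cookie consent gate and
// an inventory audit. Cookie names, script paths and the consent format are
// constructed for illustration.

// Declared cookie inventory: what the cookie information page should list.
const DECLARED_COOKIES = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
};

// Parse the stored consent cookie, e.g. "analytics=1;marketing=0".
// Anything not explicitly granted is denied; necessary is always allowed.
function parseConsent(value) {
  const consent = { necessary: true, analytics: false, marketing: false };
  for (const part of (value || "").split(";")) {
    const [k, v] = part.split("=").map(s => s.trim());
    if (k in consent && k !== "necessary") consent[k] = v === "1";
  }
  return consent;
}

// Script sources allowed to load; each tag carries the category it belongs to.
function scriptsToLoad(tags, consent) {
  return tags.filter(t => consent[t.category] === true).map(t => t.src);
}

// Given the browser's document.cookie string, return cookies that are set but
// not in the inventory, and cookies set without consent for their category.
function auditCookies(cookieHeader, consent) {
  const undeclared = [], unconsented = [];
  for (const part of cookieHeader.split(";")) {
    const name = part.split("=")[0].trim();
    if (!name) continue;
    const category = DECLARED_COOKIES[name];
    if (!category) undeclared.push(name);
    else if (!consent[category]) unconsented.push(name);
  }
  return { undeclared, unconsented };
}

// Constructed sample tag list, as a tag manager would hold it.
const sampleTags = [
  { src: "/js/app.js", category: "necessary" },
  { src: "/js/analytics-loader.js", category: "analytics" },
  { src: "/js/remarketing-pixel.js", category: "marketing" },
];
```

In the browser the inputs would be `document.cookie` and the consent value read from your own consent cookie; running `auditCookies` on a page view is a cheap check that the banner's "disable" choice is actually honoured.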
11. AND FINALLY... IT ISN'T ONLY YOUR WEBSITE THAT NEEDS TO BE GDPR COMPLIANT
The changes being introduced with GDPR will permeate your entire business, and in this series of articles, we are focusing purely on your digital marketing.
As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider. The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key things you should be asking yourself as we approach the May deadline:
- You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
- Do you need to either gain or refresh consent for the data you hold?
- Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
- Is your data being held securely, keeping in mind both technology and the human factors in data security?
- Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
- And don’t forget if there is a data breach you now have only 72 hours to tell both the ICO and the data subject.
So, if you’re looking for support to help prepare your website for the General Data Protection Regulations (GDPR), speak to our friendly team today to find out how we can help get your website compliant through flexible one-off website development support. Contact us on 01509 357587 or feel free to navigate to our contact us page to send over your requirements.