The General Data Protection Regulation (GDPR) is fast approaching and comes into force on 25 May 2018. GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity like email marketing, social media, and eCommerce activities.
After 25 May, any data you gather on your website must be processed lawfully, transparently and for a specific purpose. This could include obvious data such as names, addresses and contact numbers but also less obvious data that you may not be aware of such as cookies and IP addresses.
There are a number of steps that you can take to achieve GDPR compliance with your website data processing.
Privacy Policy
Once you have analyzed the data that you are gathering (and, if there is a lot of it, you would need to assign a Data Protection Officer (DPO) who is responsible for monitoring this data), you then need to set this out in a revised privacy policy on your website.
Your privacy policy needs to be written very clearly and cover how you are capturing data, where you are storing it, how long you intend to keep it for, how people can view what information you have stored about them and, finally, how they can have their data removed from your systems (the right to be forgotten).
Understand Consent Guidelines
If you plan to send email marketing to anyone who submits your web forms, GDPR requires that you get their explicit consent to do so. This means active opt-in from the user through unchecked boxes on web forms.
Consent must be granular so you need to feature separate check boxes for different types of processing. For example, if you plan to use the data for post, email or telephone communication, or pass user details onto a third party, then you must feature a separate, unchecked box detailing each data processing purpose.
GDPR also states that consent must be easily withdrawn if an individual no longer wants to provide their data.
Encrypt Your Data With An SSL Certificate
A Secure Sockets Layer (SSL) certificate is a small file that digitally binds a cryptographic key to an organisation's details. Installed on your web server, it is what enables HTTPS: the https:// in the address bar and the ‘padlock’ symbol you see in web browsers. Everything sent between a visitor's browser and your server is then encrypted in transit, so form submissions and login details cannot be read along the way. As a bonus it improves your Google search engine optimization (SEO) rankings, and it builds customer trust, which in turn improves conversion rates, especially on e-commerce websites. (The protocol behind HTTPS today is TLS, the successor to SSL, but the certificate is still commonly called an SSL certificate.)
Website Forms
Forms on your website must no longer include pre-ticked boxes. This is considered implied consent and not freely given. Users should be able to provide separate consent for different types of processing. For example, an option to be contacted by post, email, or telephone as three separate tick boxes.
If you are asking for permission to pass details on to a third party, you need another tick box. If you are collecting data through one website on behalf of several third parties, then you need to give a clear opt-in option for each party. Offering something like a whitepaper in return for signing up is a great way of getting more sign-ups, but you still need to provide an opt-in tick box; otherwise consent has still not been given freely.
Cookies
Under the 2011 Privacy and Electronic Communications Regulations, advertising the use of cookies and requiring their acceptance became law. Your privacy policy should also outline which cookies you use and what the information collected will be used for. Users can opt out of cookie tracking in their browser's privacy settings, and it is worth telling them so.
If you are using third-party plugins such as Google Analytics to capture anonymous usage data, you still need to make your users aware of this via your privacy policy.
Online Payments
If you are an eCommerce business, you are likely to be using a payment gateway for financial transactions – PayPal or any other.
Your own website may be collecting personal data before passing these details onto the payment gateway. If this is the case, you will most certainly require an SSL certificate to make sure this information is properly encrypted.
If your website is storing these personal details after the information has been passed along, then you will need to modify your privacy policy and web processes to remove any personal information after a reasonable period, for example, 90 days.
The GDPR legislation is not explicit about the number of days; it is your own judgment as to what can be defended as reasonable and necessary. You simply need to be prepared to provide the details you hold to an individual who asks for them, and to remove the data if an individual asks you to.