The new data protection law, the General Data Protection Regulation (GDPR), comes into force on 25th May and it is absolutely essential that your website is ready for it. With the risk of substantial and costly consequences for businesses which fail to comply, it has never been more important to do things right and avoid getting caught out. Although you may find yourself daunted by the sheer amount of information in circulation on the subject, the fundamental principles are fairly straightforward, and most small businesses will be relieved to know that getting your website ready may well not be as much of a burden as expected. If you’ve already been following best practices for data protection, cookie transparency, etc. then you don’t need to panic. We do however strongly recommend you check these tips and ensure that any required actions are carried out at the earliest opportunity.
2. Ensure that it is easy to opt-out
Although it has been best practice for some time to include an opt-out with any form of registration, there is an emphasis on making this much clearer. Whilst programs such as Mailchimp look after this internally, sign up forms on your website may be less clear. As well as ensuring that there is a clear and easy to follow opt-out in any forms or electronic communications that your customers may receive, you may wish to consider adding a specific link on your website that is easy to find.
3. Separate your signups
If you are asking customers to sign up to receive electronic communications, it is now a requirement that they are able to opt in to each channel separately and explicitly. This means that if you wish to communicate by email, SMS and mail, for example, a check-box will be required to express consent for each. A one-for-all that simply lists the different ways you might communicate is no longer acceptable.
4. Named parties
You must ensure that all parties with whom you may share customer data are named. As well as marketing partners, this includes payment processing companies and any other parties that you may share customer data with. All forms should specifically name who permission is being granted to – including if that is your company. Even if your website is Acmeltd.com, you must state that permission is granted to Acme Ltd – although perfectly logical to assume this is the case, it is not enough for this to simply be implied.
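As an added illustration of points 2 to 4 (this is example code written for this page, not code from Influx Digital or from any product it mentions), the following server-side handler records sign-up consent separately for each channel, names the party the permission is granted to on every checkbox, never pre-ticks a box, rejects a bundled "consent to everything" field, and issues a per-channel opt-out token so every message can carry a direct unsubscribe link. The controller name "Acme Ltd", the channel names and the form field names are assumptions chosen for the example.

```python
"""Added example (not from the original article): server-side handling of a
marketing sign-up form that keeps consent separate per channel and names the
party consent is given to. Controller name, channels and form field names are
assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import secrets

# Hypothetical data controller named on the form (assumption).
CONTROLLER = "Acme Ltd"
# Each channel the business wants to use needs its own explicit checkbox.
CHANNELS = ("email", "sms", "post")


@dataclass
class ConsentRecord:
    subject: str
    granted_to: str
    channels: dict                # channel -> True only where the box was ticked
    recorded_at: str
    opt_out_tokens: dict = field(default_factory=dict)


def render_form_fields() -> list:
    """Field descriptions for the template: one unchecked box per channel,
    each stating explicitly who permission is being granted to."""
    return [
        {"name": f"consent_{c}", "checked": False,
         "label": f"I agree to {CONTROLLER} contacting me by {c}"}
        for c in CHANNELS
    ]


def record_consent(form: dict) -> ConsentRecord:
    """Build a consent record from submitted form data.

    Consent is stored per channel; an absent or unticked box is a 'no'. A
    single bundled field such as 'consent_all' is rejected rather than fanned
    out to every channel, because one-for-all consent is not acceptable."""
    if "consent_all" in form:
        raise ValueError("bundled consent is not accepted; one box per channel")
    email = form.get("email", "").strip()
    if not email:
        raise ValueError("email address is required to identify the subject")
    channels = {c: form.get(f"consent_{c}") == "on" for c in CHANNELS}
    rec = ConsentRecord(
        subject=email,
        granted_to=CONTROLLER,
        channels=channels,
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )
    # One unguessable opt-out token per consented channel, so each message
    # can carry a direct unsubscribe link for that channel only.
    rec.opt_out_tokens = {c: secrets.token_urlsafe(16)
                          for c, ok in channels.items() if ok}
    return rec


def opt_out(rec: ConsentRecord, token: str) -> Optional[str]:
    """Withdraw consent for the channel whose token matches; returns the
    channel name, or None if the token is unknown."""
    for chan, t in list(rec.opt_out_tokens.items()):
        if secrets.compare_digest(t, token):
            rec.channels[chan] = False
            del rec.opt_out_tokens[chan]
            return chan
    return None


if __name__ == "__main__":
    # Constructed submission: email and post ticked, SMS left unticked.
    rec = record_consent({"email": "jane@example.com",
                          "consent_email": "on", "consent_post": "on"})
    print(rec.channels, rec.granted_to)
```

Keeping the record per channel (rather than a single "marketing: yes") is what lets you honour an SMS opt-out without also losing email consent, and storing `granted_to` alongside the timestamp gives you evidence of exactly what the customer agreed to and when.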
5. Payment processing
The vast majority of websites use third party payment gateways such as Worldpay, Sagepay or Paypal to process online payments and a large amount of the responsibility under GDPR will fall on them directly. However, most websites will also collect and store a certain amount of personal data such as information required to process the order. It is essential that you have a process in place to remove this data after a reasonable period of time has elapsed – for example 60 days after the order is completed. Although there is no specific timescale indicated in GDPR, reasonable judgement should be applied.
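To make the retention step above concrete, here is an added example (written for this page, not code from the original article or any payment provider) of a scheduled job that removes the identifying fields from completed orders once the retention period has passed, while keeping the non-personal accounting data. The table layout, the sample orders and the 60-day figure are constructed for the example; the period itself is something you must decide and be able to justify.

```python
"""Added example (not from the original article): a retention job that strips
personal data from completed orders older than a retention period. The table
layout, the sample rows and the 60-day period are constructed for illustration."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60   # the article's illustrative figure; choose one you can justify
PERSONAL_COLUMNS = ("customer_name", "email", "phone", "address")


def setup_db() -> sqlite3.Connection:
    """In-memory orders table with a few constructed rows, dated relative to now."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE orders (
        id INTEGER PRIMARY KEY, customer_name TEXT, email TEXT, phone TEXT,
        address TEXT, total_pence INTEGER, status TEXT, completed_at TEXT)""")
    now = datetime.now(timezone.utc)
    rows = [
        (1, "Jane Doe", "jane@example.com", "07700 900000", "1 High St", 1999,
         "completed", (now - timedelta(days=90)).isoformat()),   # past retention
        (2, "John Roe", "john@example.com", "07700 900001", "2 High St", 2500,
         "completed", (now - timedelta(days=10)).isoformat()),   # still within it
        (3, "Ann Poe", "ann@example.com", "07700 900002", "3 High St", 999,
         "open", None),   # not completed, so the retention clock has not started
    ]
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def purge_expired_personal_data(conn: sqlite3.Connection,
                                retention_days: int = RETENTION_DAYS) -> int:
    """Null out the personal columns on orders completed more than
    retention_days ago. Ids and totals are kept for the accounts; only the
    identifying fields go. Returns the number of orders scrubbed."""
    cutoff = (datetime.now(timezone.utc) - timedelta(days=retention_days)).isoformat()
    # Column names come from our own constant, never from user input.
    set_clause = ", ".join(f"{col} = NULL" for col in PERSONAL_COLUMNS)
    cur = conn.execute(
        f"UPDATE orders SET {set_clause} "
        "WHERE status = 'completed' AND completed_at IS NOT NULL "
        "AND completed_at < ? AND email IS NOT NULL",   # skip already-scrubbed rows
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def remaining_emails(conn: sqlite3.Connection) -> dict:
    """Helper for inspection: order id -> email still held (None once scrubbed)."""
    return {row[0]: row[1]
            for row in conn.execute("SELECT id, email FROM orders ORDER BY id")}


if __name__ == "__main__":
    db = setup_db()
    print("scrubbed:", purge_expired_personal_data(db))
    print(remaining_emails(db))
```

Run it from cron or your platform's scheduler; the `email IS NOT NULL` guard makes the job idempotent, and the comparison on ISO 8601 UTC timestamps works lexicographically because every row is written in the same format.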
6. Updated cookie notice
Cookie notices have been best practice (although somewhat unenforced) for some time now since the EU introduced new laws in 2011. However, this may need to be updated in light of GDPR. Banners should state clearly and unambiguously that cookies are being used, and there should be an option for customers to learn more about what cookies are in use and what for. It will, however, still be acceptable to assume consent upon continued browsing as at present.
7. Cookies explained
8. Establish if you are a data controller or a data processor
This particular element of the GDPR requirements reaches beyond your website, affecting every aspect of your business whether online or offline. But the particular nature of your business and the role your website plays within it may be key to defining which category you belong to. The easiest way to establish whether you are a data controller or a data processor is to use this online self-assessment from the Information Commissioner’s Office (ICO). Once you have established your position, you will be able to seek further guidance on any additional changes required.
9. Enable SSL
Google made changes some time ago to encourage sites to adopt SSL encryption as the standard, and is committed to continuing its efforts to get all websites up to this minimum level of security. One way that it supports this is to treat SSL as a factor in its search ranking algorithm, meaning that insecure sites will effectively be penalised in search results. With GDPR, taking proactive measures to protect your website visitors from hacking and data breaches becomes a legal requirement, and ensuring you have a valid, up-to-date SSL certificate in place is one component of this chain. Do note, however, that it is only one element of this vast field and should not be relied on as your sole line of defence.
10. Review your hosting arrangements
With so much focus on the new responsibility of companies to both prevent and report data breaches and hacks, it has suddenly become much more important to have some awareness of your hosting arrangements and what measures your hosts are taking to comply with GDPR, as this can have a knock-on effect on you. Don’t be afraid to ask your hosts what protection and procedures they have in place to protect data that is stored or exchanged on or via their servers.
11. Review tracking software
Want to know if Influx Digital can help you get your website ready for GDPR? Call us on 0161 468 2612 or click here to contact us today!