Influx Digital

11 Simple Tips To Ensure Your Website Is GDPR Ready

The new data protection law known as GDPR (the General Data Protection Regulation) comes into force on 25th May, and it is absolutely essential that your website is ready for it.

With the risk of substantial and costly consequences for businesses that fail to comply, it has never been more important to do things right and avoid getting caught out. Although you may feel daunted by the sheer amount of information in circulation on the subject, the fundamental principles are fairly straightforward, and most small businesses will be relieved to find that getting a website ready is not as much of a burden as expected. If you have already been following best practice for data protection, cookie transparency and so on, there is no need to panic. We do, however, strongly recommend that you check these tips and carry out any required actions at the earliest opportunity.

1. Update your Privacy Policy / Terms & Conditions

Under the new regulations, there is an explicit requirement on website operators to have a clear, easy to understand privacy policy in place. You must refer to some key terminology included within GDPR and ensure that you have a clear statement of how and why your company will collect, store and use information. In particular, this should include details of how long user data will be held for, why it will be held and how a customer can request details of what information you hold about them.

2. Ensure that it is easy to opt-out

Although it has been best practice for some time to include an opt-out with any form of registration, there is an emphasis on making this much clearer. Whilst programs such as Mailchimp look after this internally, sign up forms on your website may be less clear. As well as ensuring that there is a clear and easy to follow opt-out in any forms or electronic communications that your customers may receive, you may wish to consider adding a specific link on your website that is easy to find.

3. Separate your signups

If you are asking customers to sign up to receive electronic communications, it is now a requirement that they are able to opt in to each channel separately and explicitly. This means that if you wish to communicate by email, SMS and mail, for example, a check-box will be required to express consent for each. A one-for-all that simply lists the different ways you might communicate is no longer acceptable.

4. Named parties

You must ensure that all parties with whom you may share customer data are named. As well as marketing partners, this includes payment processing companies and any other parties that may receive customer data. All forms should specifically name who permission is being granted to, including when that party is your own company. Even if the form is on your own website, you must state that permission is granted to Acme Ltd (substituting your company name): although it is perfectly logical to assume this is the case, it is not enough for it simply to be implied.
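To show what items 3 and 4 mean in code, here is an added example (not the article's or Influx Digital's code) that turns a sign-up form submission into one consent record per channel, each naming the party permission is granted to; the form field names, the channel list and the party name "Acme Ltd" are constructed for the example.

```python
"""Added example (not the article's or Influx Digital's code): turn a sign-up
form submission into per-channel consent records, as items 3 and 4 require.
The field names, channels and the party name "Acme Ltd" are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# One explicit, unticked-by-default checkbox per channel (item 3).
CHANNELS = ("email", "sms", "post")
# Every record names who permission is granted to, even when that is the
# site operator itself (item 4). Constructed example value.
GRANTED_TO = ("Acme Ltd",)


@dataclass(frozen=True)
class Consent:
    channel: str
    granted_to: tuple
    recorded_at: str  # ISO 8601 UTC timestamp: evidence of when consent was given


class ConsentError(ValueError):
    """Raised when a submission cannot be read as valid separate consent."""


def consents_from_form(form: dict, now: str = None) -> list:
    """Return a Consent for each channel the visitor explicitly ticked.

    Anything missing or not equal to "on" records nothing, so a form bug that
    drops a field can never silently grant consent. A bundled one-for-all
    field is rejected outright instead of being expanded into every channel.
    """
    if "consent_all" in form:
        raise ConsentError("a single box covering all channels is not valid consent")
    recorded_at = now or datetime.now(timezone.utc).isoformat()
    return [Consent(channel, GRANTED_TO, recorded_at)
            for channel in CHANNELS if form.get(f"consent_{channel}") == "on"]
```

Store the returned records alongside the customer account; they are what you would produce if asked to show when and for which channels consent was given.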

5. Payment processing

The vast majority of websites use third-party payment gateways such as Worldpay, Sagepay or Paypal to process online payments, and a large part of the responsibility under GDPR will fall on them directly. However, most websites will also collect and store a certain amount of personal data, such as the information required to process the order. It is essential that you have a process in place to remove this data after a reasonable period of time has elapsed – for example 60 days after the order is completed. Although no specific timescale is set out in GDPR, reasonable judgement should be applied.
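As an added example of the retention process described above (not the article's or Influx Digital's code), the following job blanks the personal columns on completed orders once the article's illustrative 60-day period has passed, while keeping the order record itself for accounting; the sqlite schema, column names and sample orders are all constructed here.

```python
"""Added example (not the article's or Influx Digital's code): a retention job
that blanks the personal data on completed orders once the article's
illustrative 60-day period has passed, keeping the order itself for accounting.
The sqlite schema, column names and sample orders are constructed here."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=60)
PERSONAL_COLUMNS = ("customer_name", "email", "phone", "delivery_address")


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding three constructed orders."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT,
        completed_at TEXT, total_pence INTEGER, customer_name TEXT, email TEXT,
        phone TEXT, delivery_address TEXT, redacted_at TEXT)""")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?,?,NULL)", [
        (1, "completed", "2018-01-10T09:00:00+00:00", 4999, "A. Customer",
         "a@example.com", "0161 000 0000", "1 Example St"),
        (2, "completed", "2018-05-01T09:00:00+00:00", 1250, "B. Customer",
         "b@example.com", "0161 000 0001", "2 Example St"),
        (3, "open", None, 800, "C. Customer",  # still being fulfilled
         "c@example.com", "0161 000 0002", "3 Example St")])
    db.commit()
    return db


def purge_expired_personal_data(db, now: str = None) -> list:
    """Null the personal columns of completed orders older than RETENTION.

    Open orders are left alone because the data is still needed to fulfil
    them. redacted_at records when the job ran, which answers a later
    subject access request ("we no longer hold your details for order 1").
    Returns the ids redacted in this run; a second run returns nothing.
    """
    now = now or datetime.now(timezone.utc).isoformat()
    cutoff = (datetime.fromisoformat(now) - RETENTION).isoformat()
    ids = [row[0] for row in db.execute(
        "SELECT id FROM orders WHERE status = 'completed' AND redacted_at IS NULL "
        "AND completed_at <= ?", (cutoff,))]
    # Column names come from our own constant, never from request data.
    set_clause = ", ".join(f"{col} = NULL" for col in PERSONAL_COLUMNS)
    db.executemany(f"UPDATE orders SET {set_clause}, redacted_at = ? WHERE id = ?",
                   [(now, order_id) for order_id in ids])
    db.commit()
    return ids
```

Run it on a schedule (a nightly cron job is typical) and keep the count of redacted ids in the job log, so you can show the retention policy is actually being applied.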

6. Updated cookie notice

Cookie notices have been best practice (although somewhat unenforced) since the EU introduced new laws in 2011. However, they may need to be updated in light of GDPR. Banners should state clearly and unambiguously that cookies are being used, and there should be an option for customers to learn more about which cookies are in use and what for. It will, however, still be acceptable to assume consent upon continued browsing as at present.

7. Cookies explained

Again, it has been best practice for several years now to give website visitors an opportunity to identify which cookies are in use and why they are being used. This is made a definitive requirement under GDPR. There is no specific guidance as to where to make this information available, but as a minimum it should be linked from your cookies banner and from your privacy policy / terms and conditions. The key to compliance is making sure that access to this information is not obfuscated.

8. Establish if you are a data controller or a data processor

This particular element of the GDPR requirements reaches beyond your website, affecting every aspect of your business whether online or offline. But the particular nature of your business and the role your website plays within it may be key to defining which category you belong to. The easiest way to establish whether you are a data controller or a data processor is to use this online self-assessment from the Information Commissioner’s Office (ICO). Once you have established your position, you will be able to seek further guidance on any additional changes required.

9. Enable SSL

Google made changes some time ago to encourage sites to adopt SSL encryption as the standard, and is committed to continuing its efforts to get all websites up to this minimum level of security. One way it supports this is by including SSL as a factor in its search ranking algorithms, meaning that insecure sites are effectively penalised in search results. With GDPR, taking proactive measures to protect your website visitors from hacking and data breaches becomes a legal requirement – and ensuring you have a valid, up-to-date SSL certificate in place is one component of this chain. Do note, however, that it is only one element of a vast field and should not be relied on as your sole line of defence.

10. Review your hosting arrangements

With so much focus on the new responsibility of companies to both prevent and report data breaches and hacks, it has suddenly become much more important to have some awareness of your hosting arrangements and what measures your hosts are taking to comply with GDPR, as this can have a knock-on effect on you. Don’t be afraid to ask your hosts what protection and procedures they have in place to protect data that is stored or exchanged on or via their servers.

11. Review tracking software

If you are using established, mainstream tracking software such as Google Analytics or Lead Forensics, then you can be safe in the knowledge that they have taken extensive measures to ensure GDPR compliance. If, however, you are using lesser known, lower cost alternatives then questions may arise as to the compatibility with the new regulations. If you haven’t already taken measures to establish how compliant any tracking software is, now is the time to do your research. Regardless, be sure to include references to any tracking software in your cookies notice and privacy policy.

Want to know if Influx Digital can help you get your website ready for GDPR? Call us on 0161 468 2612 or click here to contact us today!