On May 25th 2018, companies across the UK scrambled in a last-minute attempt to ensure their methods complied with the European Union’s new privacy laws. ‘The General Data Protection Regulation,’ or GDPR for short, presented a headache for the unprepared, as business owners considered the implications of the ruling and feared how it would affect their collection of online data.
While GDPR demands transparency towards consumers and will likely require a little bit of work to bring your website up to speed, there’s no reason why becoming GDPR compliant should cause issues long-term. Below we outline some of the ways in which GDPR impacts your online presence and what it means for the collection and storage of customer data. The deadline may have passed, but it’s still important to make your website GDPR compliant in order to avoid any hefty fines for breach of law. As the old saying goes… ‘better late than never’.
The pillars of GDPR and whom they apply to
The new ruling essentially makes it illegal to store a person’s data without their express permission. Just sitting on swathes of data is no longer considered acceptable, as the GDPR provides your customers with the power to refuse any and all connection to your business. Moreover, GDPR means you have a responsibility as a business to take all reasonable steps to ensure a person is aware of the data held so they can remain in control of how it’s used.
GDPR states that consent must be ‘freely given, specific, informed and unambiguous’, which means that presumed consent will no longer cut it in most situations. You’ll also need to ensure that the data, no matter how small and irrelevant you believe it to be, is stored safely and with considerable security measures in place. These rules apply to data for all consumers in the UK and the European Economic Area, so unless you’re planning to move to the US and deal entirely with an American audience, you’ll want to make sure your website is GDPR ready as soon as possible.
What this means for your website and existing data
Compliance with the regulation often sounds more intimidating than it actually is. When in doubt, remember that GDPR was created to serve the best interests of your customers, so any action you take should reflect that message. For a business that sells items in an online store, this means you can no longer demand that customers agree to share their data with a third party in order to make a purchase. Users must always have the choice to opt-in and opt-out at will, and forced consent in such a case won’t be thought of as valid.
Another aspect of GDPR is that data you consider to be negligible must be handled with the same respect you’d reserve for a name and address. Rightly or wrongly, this means cookies are also considered private data, so users need to see what purpose they serve.
Ways to make your website GDPR compliant
Now that you understand the necessity for GDPR and how it affects your collection of data, it’s time to thoroughly test your website for any GDPR issues. If your site includes a contact form, this will likely be the biggest culprit. Going forward, you’ll have to make very clear what you’re asking of the customer, whether their data will be shared with another company and, if you wish to send them regular material, provide them with an opt-in checkbox or equivalent. You cannot sign them up for marketing collateral without their express consent, so it’s a good idea to research how competitors make their own forms GDPR compliant.
At this stage the best thing you can do is to look at the data you hold, think about whether your methods are ethically sound and offer users the option to opt-out and – wherever possible – provide them with a means to remove themselves from your records. In some instances, allowing customers to edit their profile information on your website is one way of placing the power in their hands. For those using a basic contact form not fit for purpose, however, Mailchimp has a number of great sign-up forms designed especially to comply with the new legislation. They also provide a handy unsubscribe link at the bottom of each email sent, so users are free to opt-out at any time.
Transparency in how you hold information is expected, so dedicated terms and conditions, cookie notice and privacy policy pages are standard fare for any website collecting personal data. You’ll want to ensure these pages are concisely written, with clear language that conveys the site’s usage of data and explains how a user can contact you to remove their data or make a complaint if needed. While it may be tempting to reword these policies from a competitor, it’s a much better idea to ask a lawyer for help at this stage to make sure all the bases are covered.
From a security standpoint, ensuring that usernames and passwords are kept under lock and key is the minimum required. A popular way of raising the level of safety is to install an SSL certificate on your website – particularly if it’s used to sell products. Once active, the certificate encrypts the traffic between your visitors’ browsers and your site, so the personal data they submit can’t be read in transit, with the bonus of an improved rank in search engines such as Google and Bing.
One final note if you’re unsure
If your website uses software to track your users’ behaviour (such as Google Analytics or Heatmaps) then it’s a certainty that cookies are used; this is because such software can’t function otherwise. To be GDPR compliant, it’s a legal requirement that you display a cookie notice as soon as a visitor lands on your website, allowing them to consent to cookie use before any data is stored.
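As an added example (not code from the original post or from Reactive Graphics), here is a small consent gate that covers both the unticked opt-in checkbox described earlier and the cookie notice above: tracking scripts are only loaded once the visitor has explicitly consented, silence never counts as consent, and the visitor can withdraw at any time. The storage key, the category names and the in-memory storage stand-in are assumptions; in a browser you would pass `window.localStorage` instead.

```javascript
// Added example, not code from the original post: a consent gate that keeps
// trackers (Google Analytics, heatmaps) from running, and so from setting any
// cookies, until the visitor has explicitly opted in. Storage is injected.
const CONSENT_KEY = 'cookie-consent';          // assumed key name
const CATEGORIES = ['analytics', 'marketing']; // assumed consent categories
// In-memory stand-in for localStorage (same getItem/setItem/removeItem API).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}
// Returns the saved consent record, or null when the visitor has not chosen.
// Silence, a missing key or a corrupt value never count as consent.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    if (!rec || !Array.isArray(rec.granted)) return null;
    return { granted: rec.granted.filter(c => CATEGORIES.includes(c)), at: rec.at };
  } catch (e) {
    return null;
  }
}
// Records the categories the visitor ticked (boxes are unticked by default,
// so an empty list is a valid answer). Unknown categories are dropped.
function recordConsent(storage, granted, now = Date.now()) {
  const clean = granted.filter(c => CATEGORIES.includes(c));
  storage.setItem(CONSENT_KEY, JSON.stringify({ granted: clean, at: now }));
  return clean;
}
// Opt-out at any time: forget the record so trackers are gated again.
function withdrawConsent(storage) { storage.removeItem(CONSENT_KEY); }
function hasConsent(storage, category) {
  const rec = readConsent(storage);
  return rec !== null && rec.granted.includes(category);
}
// Runs loader (e.g. the function that injects the analytics <script>) only
// when that category was granted; returns whether it ran.
function loadTrackerIfConsented(storage, category, loader) {
  if (!hasConsent(storage, category)) return false;
  loader();
  return true;
}
```

Wire `loadTrackerIfConsented` to run on page load and again when the visitor submits the cookie notice, and never call the analytics snippet directly.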
If you own a website that’s less than GDPR-ready and you’re concerned about hefty fines then talk to the team at Reactive Graphics. As an experienced group of web developers, we understand how to ensure your website complies with GDPR in a way that’s both professional and visually pleasing. Contact Reactive Graphics today!