How to Make Your Website GDPR Compliant
A couple of weeks ago we gave you 4 important signs that you need to redesign your website, but as it is only three months away from GDPR regulations coming in we thought it would be a good idea to make sure you are clued up on your website’s GDPR compliance too.
We have written various posts about GDPR in the past, from e-mail security to BYOD policies, to securing your personally identifiable information. This is because GDPR brings a huge change to the way you hold and use data, with a huge risk of either €20 million or 4% of your global turnover if you don’t comply. For an overview, have a look at this breakdown by the Information Commissioner.
The best first step is to conduct a personal data audit. This is necessary to determine whether your data processors are first party or third party. For your first-party processors, list the details of where and how this data is kept, as well as why you need it, so you can consider whether it is still necessary to keep it. For the third-party processors, you need to check their privacy policies to ensure that they are GDPR compliant, have the conversation with them, and if there are problems you will need to replace them. The results of this audit can be published on your website to comply with GDPR’s heavy focus on the transparency of your data policies.
This audit will help you identify any problems for you to work on, but other key areas that need consideration are sign-up forms and contact forms. If you have a form on the website for clients to fill out to get in contact with you, or a sign-up form for content on your website and newsletters, then you need to check that this is GDPR compliant:
- You may be familiar with forms where you select a box to indicate whether you wish to receive e-mail marketing. Sometimes these are confusing because it is unclear whether you need to select the box to receive e-mails or to stop receiving them. Under GDPR this stage is important, as it determines the consent of your client to give the business access to the data they have submitted. From May 2018 the default will be that the client has opted out, because a company now needs explicit consent, so these boxes must be left unticked by default and ticked by the client to opt into marketing communications. For this reason, it is a good idea to create multiple boxes (e.g. one for e-mail, one for telephone, etc.) to make it very clear to the client what they are signing up to.
- Another familiar box is the one consenting to share your data with a third party. Often this is listed without specifying who exactly will be receiving your data, but when GDPR comes into effect you must name the third parties so that the client knows where their information is being kept.
- ‘The right to be forgotten’ is also a big feature of GDPR: you must make sure it is very simple for your client to unsubscribe from a mailing list or to delete their account from your website. This can be done by adding a permissions and account page on your website so that any decision can be modified at any time.
- It is also a good idea to review your e-mail databases for these types of communications: you need to check that each subscriber’s data was collected following GDPR standards. If it was not, or if you are unsure, send an e-mail asking your clients to re-opt into your communications. This is good practice anyway, as a double check that you are totally GDPR compliant.
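As an added example (not code from the original post or from the agency behind it), the following Node.js snippet shows how the four points above translate into the server side of a sign-up form: consent defaults to opted out per channel and only an explicitly ticked box counts, the third parties receiving the data are named in the stored record, the client can withdraw any decision or have the account erased, and legacy records with no recorded provenance are flagged for a re-opt-in e-mail. The channel names, the third-party name, the in-memory store and the sample form submissions are all constructed assumptions for illustration.

```javascript
// Added example: minimal consent handling for a website sign-up form.
// Everything here (channels, third-party name, storage) is a constructed assumption.

const CHANNELS = ["email", "telephone", "post"];

// The third parties that will receive the data are named, rather than a
// generic "share with partners" box, so the stored record carries the list.
const NAMED_THIRD_PARTIES = ["Example Mailing Service Ltd"]; // placeholder name

// In-memory store standing in for the subscriber database.
const consentStore = new Map();

// Every channel starts opted out; nothing is pre-ticked on the client's behalf.
function defaultConsent() {
  const consent = {};
  for (const channel of CHANNELS) consent[channel] = false;
  return consent;
}

// Build a consent record from the posted form fields. An HTML checkbox posts
// "on" only when ticked; a missing field or any other value means no consent.
function recordConsent(subscriberId, formFields, now = new Date()) {
  const consent = defaultConsent();
  for (const channel of CHANNELS) {
    if (formFields[channel] === "on") consent[channel] = true;
  }
  const shareWithThirdParties = formFields.share_with_named_third_parties === "on";
  const record = {
    subscriberId,
    consent,
    // Empty list when the client did not tick the box; otherwise the named recipients.
    thirdPartyRecipients: shareWithThirdParties ? [...NAMED_THIRD_PARTIES] : [],
    recordedAt: now.toISOString(),
    source: "website-signup-form", // provenance needed for later audits
  };
  consentStore.set(subscriberId, record);
  return record;
}

// Check before sending any marketing message on a given channel.
function mayContact(subscriberId, channel) {
  const record = consentStore.get(subscriberId);
  return Boolean(record && record.consent[channel] === true);
}

// Permissions page: the client can change any single decision at any time.
function withdrawConsent(subscriberId, channel, now = new Date()) {
  const record = consentStore.get(subscriberId);
  if (!record || !CHANNELS.includes(channel)) return false;
  record.consent[channel] = false;
  record.updatedAt = now.toISOString();
  return true;
}

// Right to be forgotten: remove the account and its consent data entirely.
function eraseSubscriber(subscriberId) {
  return consentStore.delete(subscriberId);
}

// Database review: a record with no recorded date or source cannot be shown to
// have been collected to GDPR standards, so the subscriber should be asked to re-opt in.
function needsReconsent(record) {
  return !record.recordedAt || !record.source;
}

// Constructed legacy rows, as might be found in an old mailing-list export.
const LEGACY_RECORDS = [
  { subscriberId: "old-1", consent: { email: true }, recordedAt: null, source: null },
  { subscriberId: "old-2", consent: { email: true }, recordedAt: "2018-06-01T09:00:00.000Z", source: "website-signup-form" },
];

function subscribersToReconsent(records = LEGACY_RECORDS) {
  return records.filter(needsReconsent).map((r) => r.subscriberId);
}

module.exports = { recordConsent, mayContact, withdrawConsent, eraseSubscriber, needsReconsent, subscribersToReconsent };
```

The strict `=== "on"` comparison is deliberate: a field that is absent because the box was never ticked, or that was pre-filled with some other value by a template, is treated as no consent, which matches the opt-out default the regulation expects. Keeping `recordedAt` and `source` on every record is what makes the later database review possible.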
If you are at all concerned about GDPR or confused as to whether you are compliant, please get in touch! We would be more than happy to check it over for you. We offer a web design service, so if you think your website could do with a remodel while you are making these changes, that can also be arranged for you. Do not hesitate to get in touch with us about any questions you have, or just for a chat so we can explain what we can offer in more detail!