The EU General Data Protection Regulation (GDPR), four years in the making, will be coming into effect on 25 May 2018 and will apply directly to all EU member states. With a focus on offering more privacy options for site visitors, the GDPR has been designed to give individuals more protection and more say over how their data is collected and used by organisations.
If any data collected by the website is to be made available to third parties such as Google Analytics, which is almost every site on the planet, then explicit consent will need to be given by every user visiting your site. Consent will need to be freely given, informed, unambiguous, and specific. Every website will need to obtain consent in this way, even if it’s not hosted in the EU.
The GDPR is a set of rules and regulations that applies to EU citizens. This means if your site can be accessed by anybody residing in the EU then your organisation can still be held liable, even if the site is not physically hosted in the EU. Fines are stiff, with non-compliant sites facing a €20m penalty, or 4% of an organisation’s global turnover.
To make it easier for you to avoid hefty fines and remain compliant we have come up with a checklist to help your website become GDPR compliant before the new laws roll out and become official.
1. Make Opt-In Forms Active Only
Forms on the website will no longer be able to use boxes that have been pre-ticked, which is considered implied consent and not freely given. This requirement means that any opt-ins on the site must default to “no,” or be left blank. If visitors wish to receive notifications, then they will have to click on the checkbox to explicitly give permission.
Further to this requirement, the Information Commissioner’s Office (ICO) says that each opt-in should remain separate. In other words, visitors can no longer be forced into an all-or-nothing solution and will need to be able to pick and choose the items for which they provide consent.
Plain, clear language is essential to explain everything your visitors are consenting to.
2. Complete an Audit of the Personal Data You Collect
A personal data audit will reveal all your data processors: which are third-party, such as Google Analytics, and which are first-party (data you collect and use for your own purposes).
You will need to ensure every third-party data processor your site uses is GDPR compliant.
4. Affirmative Cookie Notices
Further to this will be the requirement for visitors to supply separate consents for things such as analytics and tracking. It might also be a good idea to advise your visitors on the steps they need to take to opt-out of cookie tracking via their browser’s settings.
5. Audit your Capture and Storage Mechanisms
To ensure you can keep your visitors’ data safe you will need to perform an audit on your data capture functionality, the databases in which it is stored, and the security measures you have in place to protect it.
6. Clean up Your Email List
If you’ve been collecting emails for a few years, then there is a good chance you will have obtained emails through non-GDPR compliant standards. If you have non-compliant emails, then a remedy to bring them up to code would be to send out a fresh email requesting that the recipients actively opt in. This will give you proof of consent and bring your organisation into line with the GDPR.
7. Provide Easy Solutions for Withdrawing
The ability to quickly and simply withdraw consent for any opt-ins must be provided in a way that is as easy as it was to grant it. Visitors must also be informed that they always have the option to withdraw consent whenever they wish.
This requirement means that your website must also have a way for the visitor to withdraw consent, rather than just contain the information in the emails.
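To make the form requirements in items 1 and 7 concrete, here is an added example (not from the original article) of a per-purpose consent record in JavaScript: every purpose starts as “no”, the checkboxes render without a `checked` attribute, only an explicit “yes” in the submitted form grants consent, withdrawal is a single call that is as easy as granting, and the record keeps the timestamp and the version of the notice text as proof of consent. A third-party script such as analytics is then gated on `hasConsent`. The purpose names, labels, `consent_*` field naming and `NOTICE_VERSION` value are constructed for the example.

```javascript
// Added example: a minimal per-purpose consent record for a website form.
// Purpose ids, label text and the notice version are constructed for this example.
const PURPOSES = {
  newsletter: "Send me the monthly newsletter by email.",
  analytics: "Allow Google Analytics to measure how I use this site.",
  marketing: "Use my email address for advertising on social media platforms.",
};
const NOTICE_VERSION = "2018-05-25-v1"; // constructed: identifies the wording the visitor saw

// Every purpose starts as "no": nothing is pre-ticked or implied.
function createConsentRecord(purposes = Object.keys(PURPOSES)) {
  const record = {};
  for (const p of purposes) {
    record[p] = { granted: false, grantedAt: null, withdrawnAt: null, noticeVersion: null };
  }
  return record;
}

// One checkbox per purpose, deliberately without a `checked` attribute, so each
// choice is separate (no all-or-nothing) and defaults to unchecked.
function renderConsentCheckboxes(purposes = PURPOSES) {
  return Object.entries(purposes)
    .map(([id, label]) =>
      `<label><input type="checkbox" name="consent_${id}" value="yes"> ${label}</label>`)
    .join("\n");
}

// Apply a submitted form. Only a field that is literally present and equal to
// "yes" counts as consent; a missing or empty field is never read as agreement.
// Unchecked purposes keep their previous state; withdrawal is its own action below.
function applyFormSubmission(record, formFields, now = new Date()) {
  const updated = {};
  for (const purpose of Object.keys(record)) {
    const explicitYes = formFields[`consent_${purpose}`] === "yes";
    updated[purpose] = explicitYes
      ? { granted: true, grantedAt: now.toISOString(), withdrawnAt: null, noticeVersion: NOTICE_VERSION }
      : { ...record[purpose] };
  }
  return updated;
}

// Withdrawing is a single call, as easy as granting; the record keeps when it happened.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!(purpose in record)) throw new Error(`unknown purpose: ${purpose}`);
  return {
    ...record,
    [purpose]: { ...record[purpose], granted: false, withdrawnAt: now.toISOString() },
  };
}

// Gate for third-party processors: a tracking script is loaded only while consent stands.
function hasConsent(record, purpose) {
  const entry = record[purpose];
  return Boolean(entry && entry.granted && entry.withdrawnAt === null);
}

// Proof of consent for an audit: what was agreed, when, under which notice wording,
// and when (if ever) it was withdrawn.
function consentProof(record) {
  return Object.entries(record)
    .filter(([, e]) => e.grantedAt !== null)
    .map(([purpose, e]) => ({
      purpose, grantedAt: e.grantedAt, withdrawnAt: e.withdrawnAt, noticeVersion: e.noticeVersion,
    }));
}

// Stand-alone demo: a visitor ticks only the analytics box, then withdraws it later.
let demo = applyFormSubmission(createConsentRecord(), { consent_analytics: "yes" });
console.log("analytics allowed:", hasConsent(demo, "analytics"), "newsletter allowed:", hasConsent(demo, "newsletter"));
demo = withdrawConsent(demo, "analytics");
console.log("after withdrawal:", hasConsent(demo, "analytics"), consentProof(demo));
```

The server-side handler would persist the object returned by `applyFormSubmission` against the visitor’s account, and the page would call `hasConsent(record, "analytics")` before inserting the analytics tag rather than loading it unconditionally.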
8. IP Tracking
IP tracking can also apply to the commenting section of a blog, so visitors will need to be made aware of this situation as well.
9. Social Media Advertising
If you use collected email addresses to facilitate your advertising efforts on social media platforms, then your visitors will need to be made aware of this practice and also have access to active opt-in and opt-out solutions.
10. Online Transactions and Payment Processors
E-commerce businesses usually collect information about their customers before passing it onto their payment processors, such as PayPal and Stripe.
Websites conducting these sorts of online transactions will require an SSL certificate to ensure the data is securely encrypted.
The GDPR does not specifically state the number of days, but 90 days is a reasonable expectation. You should also be able to provide the details to any of your customers who ask for them and be able to remove their data when requested.
If your business is required to keep records for tax purposes, then visitors will also need to be informed about how long you will keep the records, with a statement that you will not use the data for any other purpose.
If you break the GDPR down to its essence, it becomes clear that it’s all about consent and the user’s right to online privacy. With the new regulations, organisations operating online will no longer be able to take their visitors’ consent for granted.
Playing fast and loose with user data will become a dangerous game and will no longer be tolerated, so make sure your website falls in line by keeping yourself informed about the latest changes.