GDPR Compliance Checklist for Your Business Website

JimPatrick Munupe
MediaWorkx Creative Digital
6 min read, Nov 23, 2018
GDPR Website Compliance Checklist

The EU General Data Protection Regulation (GDPR), four years in the making, will be coming into effect on 25 May 2018 and will apply directly to all EU member states. With a focus on offering more privacy options for site visitors, the GDPR has been designed to give individuals more protection and more say over how their data is collected and used by organisations.

A “click here to read our privacy policy” link will no longer cut it. Every website will need to clearly explain why you are collecting data and for what purpose.

If any data collected by the website is to be made available to third parties such as Google Analytics, which is the case for almost every site on the planet, then explicit consent will need to be given by every user visiting your site. Consent will need to be freely given, informed, unambiguous, and specific. Every website will need to obtain consent in this way, even if it is not hosted in the EU.

The General Data Protection Regulation (GDPR) is a set of rules and regulations which applies to EU citizens. This means that if your site can be accessed by anybody residing in the EU, then your organisation can still be held liable, even if the site is not physically hosted in the EU. Fines are stiff, with non-compliant sites facing a €20m penalty, or 4% of an organisation’s global turnover.

To make it easier for you to avoid hefty fines and remain compliant, we have come up with a checklist to help your website become GDPR compliant before the new laws roll out and become official.

1. Make Opt-In Forms Active Only

Forms on the website will no longer be able to use boxes that have been pre-ticked, which is considered implied consent and not freely given. This requirement means that any opt-ins on the site must default to “no,” or be left blank. If visitors wish to receive notifications, then they will have to click on the checkbox to explicitly give permission.

Further to this requirement, the Information Commissioner’s Office (ICO) says that each opt-in should remain separate. In other words, visitors can no longer be forced into an all-or-nothing solution and will need to be able to pick and choose the items for which they provide consent.

Plain, clear language is essential to explaining everything about which your visitors are providing consent.

2. Complete an Audit of the Personal Data You Collect

A personal data audit will reveal all your data processors, which are third-party, such as Google Analytics, and which are first-party (data you collect and use for your purposes).

You will need to ensure every third-party data processor your site uses is GDPR compliant.

3. Update Your Site’s Privacy Policy

Your site’s privacy policy will need to outline in clear language what data you are collecting about your visitors and how you will be using it.

The major goal of the EU General Data Protection Regulation (GDPR) is to ensure your site clearly communicates to users how and why data is being collected. Putting these details into the privacy policy is an effective way to describe your intent.

4. Affirmative Cookie Notices

The old cookie notice standard of saying that a visitor has given implied consent for the use of cookies if they continue to use the site is no longer compliant with the new regulations. All cookie notices will now need to require an affirmative action. This means visitors will need to click a box before they can continue through to the site.

Further to this will be the requirement for visitors to supply separate consents for things such as analytics and tracking. It might also be a good idea to advise your visitors on the steps they need to take to opt out of cookie tracking via their browser’s settings.

5. Audit your Capture and Storage Mechanisms

To ensure you can keep your visitors’ data safe you will need to perform an audit on your data capture functionality, the databases in which it is stored, and the security measures you have in place to protect it.

6. Clean up Your Email List

If you’ve been collecting emails for a few years, then there is a good chance you will have obtained emails through non-GDPR compliant standards. If you have non-compliant emails, then a remedy to bring them up to code would be to send out a fresh email requesting that the recipients actively opt in. This will give you proof of consent and bring your organisation into line with the General Data Protection Regulation (GDPR).

7. Provide Easy Solutions for Withdrawing

The ability to quickly and simply withdraw consent for any opt-ins must be provided in a way that is as easy as it was to grant it. Visitors must also be informed that they always have the option to withdraw consent whenever they wish.

This requirement means that your website itself must have a way for the visitor to withdraw consent, rather than only providing that information in your emails.
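The following is an added example, not code from the original post, showing how items 1, 4 and 7 of this checklist look when implemented as a small consent gate: every optional category defaults to "no", consents are granular rather than all-or-nothing, third-party scripts run only after their category is granted, and withdrawal is a single call. The category names, the policy version string and the vendor loaders are hypothetical placeholders.

```javascript
// Added example, not from the original post: a minimal consent gate that
// turns checklist items 1, 4 and 7 into code. Category names, the policy
// version string and the vendor loaders are hypothetical placeholders.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Pre-ticked boxes count as implied consent, so nothing optional defaults
// to true; "necessary" covers strictly required cookies that need no consent.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Build a consent record from the categories the visitor actually ticked.
// Unknown names are ignored, and there is no all-or-nothing bundle.
function consentFromForm(checked, now = Date.now()) {
  const record = defaultConsent();
  for (const c of checked) {
    if (c !== 'necessary' && CATEGORIES.includes(c)) record[c] = true;
  }
  // Timestamp and policy version are the proof that consent was given.
  return { ...record, givenAt: now, policyVersion: 'policy-v1-placeholder' };
}

// Withdrawal must be as easy as granting: one call, one category, no re-prompt.
function withdraw(record, category, now = Date.now()) {
  if (category === 'necessary' || !CATEGORIES.includes(category)) return record;
  return { ...record, [category]: false, updatedAt: now };
}

// Run each vendor loader only when its category is granted; `loaders` maps a
// category name to the function that injects that vendor's script.
function applyConsent(record, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (record[category] === true) { load(); loaded.push(category); }
  }
  return loaded;
}

// Constructed walkthrough: the visitor ticks only "analytics", then withdraws.
function demo() {
  const calls = [];
  const loaders = {
    analytics: () => calls.push('analytics-tag'), // e.g. a Google Analytics snippet
    marketing: () => calls.push('ad-pixel'),      // e.g. a social advertising pixel
  };
  const given = consentFromForm(['analytics']);
  const afterGrant = applyConsent(given, loaders);      // ['analytics']
  const afterWithdraw = applyConsent(withdraw(given, 'analytics'), loaders); // []
  return { afterGrant, afterWithdraw, calls };
}
```

In a real site the stored record (with its timestamp and policy version) is what you keep as proof of consent, and the withdraw path should be reachable from a visible page control, not only from email links.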

8. IP Tracking

Many software solutions give a website the ability to track a visitor’s IP address, which adds an extra level of security for an e-commerce site completing online financial transactions. IP tracking is different from the anonymous data that Google Analytics uses. Your privacy policy should state that you do log IP addresses, what you use them for, and why.

IP tracking can also apply to the commenting section of a blog, so visitors will need to be made aware of this situation as well.

9. Social Media Advertising

If you use collected email addresses to facilitate your advertising efforts on social media platforms, then your visitors will need to be made aware of this practice and also have access to active opt-in and opt-out solutions.

10. Online Transactions and Payment Processors

E-commerce businesses usually collect information about their customers before passing it onto their payment processors, such as PayPal and Stripe.

Websites conducting these sorts of online transactions will require an SSL certificate to ensure the data is securely encrypted in transit.

If you store this personal information after passing it along to the payment gateways, then your visitors will need to know about it via your privacy policy, and also the timeframe when they can expect you to delete their data.

The GDPR does not specifically state the number of days, but 90 days is a reasonable expectation. You should also be able to provide the details to any of your customers who ask for them and be able to remove their data when requested.

If your business is required to keep records for tax purposes, then visitors will also need to be informed about how long you will keep the records, with a statement that you will not use the data for any other purpose.

If you break the General Data Protection Regulation (GDPR) down to its essence, it becomes clear that it’s all about consent and the user’s right to online privacy. With the new regulations, organisations operating online will no longer be able to take their visitors’ consent for granted.

Playing fast and loose with user data will become a dangerous game and will no longer be tolerated, so make sure your website falls in line by keeping yourself informed about the latest changes.
