GDPR: Is Your Website Compliant?
Is your website up to date to comply with the GDPR, which applies from 25 May 2018? To answer that question, we first need to understand what the GDPR actually is and how it will affect your business.
Disclaimer
Before we start, I want to mention that web designers & developers are NOT legal experts. Everything in this article is based on research we have done as a business and does NOT represent legal advice.
In fact, when it comes to GDPR, the website is just one of the key areas that needs to be looked at. You should still do your own research and seek advice from a data protection professional or a lawyer to find out how GDPR will affect your business.
Other key areas include (but are not limited to):
- Network & device security
- IT infrastructure
- Third-party software
- Data privacy policies
What is GDPR?
GDPR stands for General Data Protection Regulation, an EU privacy regulation adopted in 2016 that gives individuals in the EU better control over, and protection of, their personal data.
GDPR does not depend on where the business is located. If you have even one customer in the EU, you need to comply with the regulation. Businesses that fail to do so can be fined up to €20 million or 4% of their global annual turnover, whichever is higher.
In other words, the goal behind GDPR is to make sure that companies who collect personal information are completely transparent about how it will be used and how it will be stored and protected, and that individuals have more control over their personal data: the right to access the information a company holds on them, and the right to be forgotten (have all of that information deleted).
Now that we've got that out of the way, let's look at the main areas you need to consider in order to make your website GDPR compliant.
1. Website Contact Forms
One of the most important elements of GDPR is consent.
Consent goes all the way back to the first interaction a visitor has with your business, which in most cases is a contact form. Since their personal details will be collected and probably stored on the website or email server, we need clear consent from the visitor: that they have read our Privacy Policy and give us permission to contact them back regarding their enquiry.
GDPR is very clear on what we need to achieve (consent, in this case) but says little about how exactly to do it. It does not prescribe a checkbox, but it does rule out pre-ticked boxes, silence and inactivity as forms of consent (Recital 32), and it requires consent to be kept separate from other terms. In practice that means the contact form needs a checkbox that is unticked by default and separate from the other website terms and conditions, through which the visitor gives their consent when they submit their details. Keep a record of that consent (when it was given and which version of the policy it referred to), because GDPR also requires you to be able to demonstrate it later.
There might be different ways of achieving this but a good example is our Contact Page.
2. Lead Magnet & Newsletters Opt-ins
Moving on from contact forms, we need to think about what other data entry points we have on the website. Newsletter sign-ups and lead-magnet opt-ins are perfect examples.
Do your subscribers really know what they are signing up for? When asking for their contact details (name and email address), you need to be clear about what they are consenting to: not just receiving a free guide or ebook, but also any future emails, for which you need separate permission.
You also need separate consent for each other type of email you want to send. For example, if a customer gave you their email address to download a product brochure, you can't turn around and suddenly start sending them other promotional emails!
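As an added example (this is not code from the original article), here is how a form handler could enforce the separate-consent rule from sections 1 and 2 on the server side: refuse a submission without the mandatory privacy consent, record exactly which purposes were agreed to and when, and check that record before sending any email. The field names (`privacyConsent`, `marketingConsent`), the purpose labels and the policy version string are assumptions made for this illustration.

```javascript
// Added example, not code from the original article: server-side handling of
// the consent checkboxes on a contact form or lead-magnet opt-in.
// Assumptions for illustration: field names, purpose labels, policy version.

const POLICY_VERSION = "2018-05"; // assumed: the Privacy Policy version the form linked to

// One unticked checkbox per purpose. A single box must never cover several.
const CONSENT_BOXES = {
  privacyConsent: "reply-to-enquiry", // "I have read the Privacy Policy and agree to be contacted about my enquiry"
  marketingConsent: "marketing-email", // "Send me your newsletter and offers" (optional)
};

// A ticked HTML checkbox posts "on"; an unticked one is omitted from the request
// entirely. So a missing field is a "no", never a default "yes".
function isTicked(value) {
  return value === true || value === "on" || value === "true";
}

// Validate a submission and build the consent record to store with the data.
// Returns { ok: false, errors } or { ok: true, record }.
function processSubmission(fields, now = new Date()) {
  const errors = [];
  const email = String(fields.email || "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("invalid email address");

  // The privacy consent is mandatory: without it nothing is stored or answered.
  if (!isTicked(fields.privacyConsent)) errors.push("privacy consent not given");
  if (errors.length > 0) return { ok: false, errors };

  const purposes = Object.keys(CONSENT_BOXES)
    .filter((box) => isTicked(fields[box]))
    .map((box) => CONSENT_BOXES[box]);

  return {
    ok: true,
    record: {
      email,
      name: String(fields.name || "").trim(),
      purposes,                       // exactly what the person agreed to
      policyVersion: POLICY_VERSION,  // the wording they saw
      consentedAt: now.toISOString(), // when, so consent can be demonstrated later
      source: fields.formId || "contact-form",
    },
  };
}

// Before sending any email, check the stored record for that exact purpose.
function mayEmail(record, purpose) {
  return record.purposes.includes(purpose);
}

// Consent must be as easy to withdraw as to give: drop just that one purpose.
function withdrawConsent(record, purpose) {
  return { ...record, purposes: record.purposes.filter((p) => p !== purpose) };
}
```

Store the returned `record` next to the personal data itself, and run every mailing through `mayEmail` rather than through a single "has email address" check; that is what stops a brochure download turning into a newsletter subscription. Note that the server never sees whether the box was ticked by default, so the unticked default has to be verified in the form's HTML.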
3. Other Data Entry Forms
Contact forms and lead magnet opt-ins are probably the most obvious ones, but in order to be GDPR compliant you really need to do a proper website audit (something we're happy to help with) and identify every other data entry point.
Where else on your website are people leaving their contact details? Perhaps you ask people to sign up for a free consultation or to request a call back. One of the less obvious ones is blog comments. If you have a blog and allow people to comment on your articles, all those comments, together with the visitor's data (name, email address and often IP address), are stored on the website, so you need consent for that as well. An example can be seen at the end of this article.
4. Third Party Software
Google Analytics, Facebook Advertising / the Facebook Pixel and similar software use cookies to track and collect data on your visitors. It would seem reasonable to think that as long as the person's name is not collected we are good to go; however, that's not the case.
Quoting Recital 30 of the GDPR:
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
In other words, identifiers such as cookie IDs and IP addresses can single out a person and therefore count as personal data. Tracking scripts that set such cookies need a lawful basis, which in practice means asking for consent before they run, not after, and describing them in your Cookie Policy.
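As an added example (not code from the original article), here is the browser-side gating this implies: tracker loaders are injected only for the categories the visitor has opted in to, and the default with no consent cookie is to load nothing. The cookie name, the category names and the assignment of vendors to categories are assumptions for this illustration; the script URLs are the vendors' public loader addresses and `YOUR_ID` is a placeholder, not a real property ID.

```javascript
// Added example, not code from the original article: run third-party trackers
// only after the visitor has opted in to their category.
// Assumptions for illustration: the cookie name, the category names and which
// vendor belongs to which category. The loader URLs are the vendors' public
// script addresses; YOUR_ID is a placeholder, not a real property ID.

const TRACKERS = [
  { id: "google-analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=YOUR_ID" },
  { id: "facebook-pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Read the categories granted, e.g. from "cookie_consent=analytics,marketing".
// No cookie, or an unknown value, grants nothing: the default is deny.
function parseConsent(cookieHeader, name = "cookie_consent") {
  const granted = new Set();
  for (const part of String(cookieHeader || "").split(";")) {
    const [key, rawValue] = part.trim().split("=");
    if (key !== name || !rawValue) continue;
    let value;
    try { value = decodeURIComponent(rawValue); } catch (e) { value = rawValue; }
    value.split(",").forEach((c) => c.trim() && granted.add(c.trim()));
  }
  return granted;
}

// Pure decision step: which trackers may run for the granted categories.
function allowedTrackers(granted, trackers = TRACKERS) {
  return trackers.filter((t) => granted.has(t.category));
}

// Browser side: inject only the permitted loaders. When called outside a
// browser (no document) it still returns the ids that would have been loaded.
function loadTrackers(cookieHeader, doc = typeof document !== "undefined" ? document : null) {
  const allowed = allowedTrackers(parseConsent(cookieHeader));
  if (doc) {
    for (const tracker of allowed) {
      const script = doc.createElement("script");
      script.async = true;
      script.src = tracker.src;
      doc.head.appendChild(script);
    }
  }
  return allowed.map((t) => t.id);
}
```

On a real page you would call `loadTrackers(document.cookie)` on load and again after the cookie banner writes the consent cookie. The point is that the vendor's loader snippet must sit behind this check rather than be pasted unconditionally into the page head; a script that has already executed has already set its cookies, and a banner shown afterwards does not undo that.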
5. Website Policies
So far we've talked about consent, as naturally that's the first thing visitors need to give before you collect their data. Next, and just as important, are your policies: Privacy Policy & Cookie Policy.
Every consent request on the website needs a link to your Privacy Policy. You can't ask for someone's consent if they don't know what they are consenting to, right?
Copying and pasting policies from other websites was NEVER a good option, although a lot of people got away with it. Now it's more important than ever to have policies tailored to the way you collect, handle, store and share data. Everything mentioned above (the type of data you collect through contact forms, lead magnets, blog comments and third-party software) is just part of what needs to be included in the privacy policy.
As an example, you can have a look at our Privacy Policy. We use iubenda to generate our privacy & cookie policy. They specialise in this and provide an easy way of putting a policy together: you select the types of data you collect on your website and the third-party software you use from a list of the most popular services, and you can add your own custom clauses.
Their prices start from $27 per year for 1 website. By using the following link, you can get a 10% discount: click here for more details.
6. Use an SSL Certificate for your website
Having a secure website, i.e. serving it over HTTPS (https://yoursite.com rather than http://yoursite.com, shown by the padlock in the browser), has been important for SEO (search engine optimisation) for a while, but with GDPR it has become a must-have for data security as well.
Installing an SSL/TLS certificate on your website is a pretty straightforward process. It helps your website rank well in search engines like Google, it encrypts the data travelling between the visitor's browser and your server (so a contact form submission can't be read or altered on the way), and, most important of all, it gives your visitors and potential customers confidence. Bear in mind that it protects data only in transit: once a submission lands in your database or mailbox, it needs protecting there too, which is what the next section is about.
There are paid and free SSL certificates, depending on your business needs. Good web hosting companies like the one we use, Siteground, which we also recommend to all our clients, provide an easy one-click free SSL certificate install. Once it is installed, make sure every http:// page redirects to https:// and that your forms post to an https:// address, otherwise the padlock is only cosmetic. If you need any help installing an SSL certificate, contact your web host, or alternatively give us a shout and we'll be happy to assist you with that.
7. Keep your website up to date
Moving on from SSL certificates to another area that matters for GDPR from a security point of view: keeping your website maintained and up to date.
Website maintenance has always been important. Your website is the main platform for all your digital marketing and the front door to your online business, so we took the time to write a separate article about the importance of website maintenance.
GDPR is all about protecting customer data. If you don't keep your website software up to date, you become a target for attackers who look for known vulnerabilities in old, outdated software, and you put at risk the data you hold on your visitors & customers. Under GDPR, a breach of that data may also have to be reported to the regulator within 72 hours of becoming aware of it.
For a WordPress website the solution is straightforward: maintain it regularly, apply core, theme and plugin updates, take backups, and add an extra layer of security (such as limiting admin accounts and enabling two-factor authentication). All of this can be taken care of by us through one of our Website Care Plans.
Final Thoughts
I hope this article shed some light on what GDPR is and the main areas of your website that will need attention. GDPR is not a one-off task but an ongoing process, in which you do your best to store and protect customer data in the safest way possible.
As mentioned above, this article is NOT legal advice; we still suggest you do your own research and, better still, get in touch with someone who specialises in this and can offer legal advice.
The next step to get your website GDPR compliant is to seek help from a company specialised in web design like us, or get in touch with your web designer or developer, conduct a GDPR audit, and take the necessary steps to get your own business website GDPR compliant.
If you need our help, get in touch through our contact page, or you can directly send us an email at info@brilliant.digital.
Let's work together!
From building and managing websites to helping you grow your business through various digital marketing channels, we're here to support you on your digital journey. Contact us today to learn more.