Make sure your Website is GDPR Compliant
1 May 2018
We are often asked about GDPR and how it affects websites, analytics, sign up forms etc.
So we have put together a checklist of 11 issues you should consider when making your website GDPR compliant.
We hope this information helps. If you have any comments or additions you think we should add please email email@example.com
This is not legal advice - the below are just pointers to the things you should be thinking about.
For advanced Analytics users and Tag Manager users, you should also make sure that you are not importing data into Analytics that would help you identify individual people. This would breach Google's guidelines as well as create GDPR compliance issues.
If you are using other tracking software such as Lead Forensics or CANDDI, or call tracking apps such as CallRail, Infinity or KeyMetrics, then you need to tell people you are doing this. You need to make it clear what data you are collecting and what you are going to do with this data. You will need to get their consent - you can't hide this in your terms and conditions!
When someone completes an enquiry form on your website, the data is sent over the internet and, on a plain HTTP connection, can be intercepted or stolen in transit. Under GDPR it is your legal responsibility to keep any personal data safe.
So if you have any contact forms on your website you have two choices:
A/ Change to HTTPS (HTTPS is the secure version of HTTP, the protocol over which data is sent between the user's browser and your website)
B/ Remove the form and just have an email address
The second option is not really an option for most companies as it removes your ability to ask key questions and it makes tracking enquiries less reliable and more complex to measure.
Changing to HTTPS is, therefore, the route most companies are taking. Not just to ensure GDPR compliance but also because Google has begun showing a 'Not Secure' message to your website visitors where you have a web form on a page that is not HTTPS.
However, changing your website to HTTPS has its own issues - see our article on changing to HTTPS.
It is very likely that you will need to change your terms and conditions on your website due to GDPR.
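One check worth running once a site has moved to HTTPS: a page can itself be served over HTTPS while a form on it still posts to a plain http:// endpoint (for example a third-party enquiry handler), so the submitted details still travel unencrypted. The audit below is an added example, not code from this article; it assumes Node.js and uses a constructed sample page.

```javascript
// Added example: find forms in a page's HTML whose submission would travel
// over plain HTTP. Assumes Node.js (global URL class). Sample HTML is constructed.

const FORM_RE = /<form\b[^>]*>/gi;
const ACTION_RE = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Resolve a form's action attribute against the page URL and return the
// absolute URL the browser will submit to. A missing or empty action
// submits back to the page itself, so it inherits the page's scheme.
function formSubmissionUrl(pageUrl, formTag) {
  const m = ACTION_RE.exec(formTag);
  const action = m ? (m[1] || m[2] || m[3] || '') : '';
  return new URL(action, pageUrl).href;
}

// Return one finding per form that would not be submitted over https:.
function auditForms(pageUrl, html) {
  const findings = [];
  const tags = html.match(FORM_RE) || [];
  for (const tag of tags) {
    const target = formSubmissionUrl(pageUrl, tag);
    if (new URL(target).protocol !== 'https:') {
      findings.push({ form: tag, submitsTo: target });
    }
  }
  return findings;
}

// Constructed sample: an HTTPS contact page with three forms. The second
// posts to an absolute http:// URL and is the one that should be flagged.
const SAMPLE_PAGE_URL = 'https://www.example.com/contact';
const SAMPLE_HTML = `
<form method="post" action="/enquiry">...</form>
<form method="post" action="http://forms.example.net/submit">...</form>
<form method="post">...</form>
`;

console.log(JSON.stringify(auditForms(SAMPLE_PAGE_URL, SAMPLE_HTML), null, 2));
```

If the same HTML is audited with an http:// page URL, every form is flagged, because relative actions inherit the page's scheme.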
You will need to make sure that you tell people clearly:
i/ If and how you are using cookies
ii/ What data you will collect on people who use your website
iii/ What you will do with any data users provide to you when using your website, including marketing purposes, profiling, or any processing
iv/ Whether you are going to share any of this data (including to any group companies)
v/ How they can change or request deletion of the data you store on them
- What personal data you store
- What you will do with any personal data you store
- How long you will store this personal data
- How you are keeping this personal data secure
- Who is the 'data controller' within your organisation
- Whether you are going to share any of this data (including to any group companies)
- How they can access the data you store on them
- How they can request the data you store on them is changed or removed (Subject Access Requests)
- If you are going to use their personal data for profiling, credit checks or any other processing
Your Data Protection Policy will also need updating for GDPR. This policy is primarily about how you store, process and transfer data.
This is usually an internal policy document that provides key information to employees, contractors and other relevant parties on the policies and procedures regarding data protection and security.
No longer will you be able to automatically start sending marketing emails to a user who has sent an enquiry along with their details, use pre-ticked boxes, or bundle consent to promotional material with other necessary T&Cs.
Users will need to give active consent to receive content from you. This means that you need to spell out, in an obvious, clear and transparent manner, exactly how you will use their data, what the users will receive from you and how. Whether that is special offers, company newsletters, product information etc., and whether it will be by email, phone call, text messaging or direct mail.
Leading on to the next point...
Users should be given the option to receive or not receive certain materials from you. For example, you may want to send them:
A/ updated information on the products they have bought from you
B/ marketing for other products they may be interested in
C/ related information (By law you cannot send them unrelated information!)
D/ related information from third parties
The user needs to have the option to receive one or more of the above. Again, this should be clearly stated and users have the right to update their preferences at any time. The only time you are exempt from this is if you have a legal or contractual obligation to send information to the user.
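The server-side half of such a form is where these rules are either enforced or quietly broken. The code below is an added example, not from this article: it treats every marketing option as unchecked unless the user explicitly ticked it, keeps the mandatory T&Cs acceptance separate from marketing consent, records when and against which wording the consent was given, and lets a preference be changed later. The purpose and channel names, field names and sample submission are assumptions.

```javascript
// Added example: building and updating a per-user consent record from an
// enquiry form. Purpose names follow options A-D above; channel names follow
// the contact methods listed above. Field names are assumptions.

const PURPOSES = ['product_updates', 'other_products', 'related_info', 'third_party_related'];
const CHANNELS = ['email', 'phone', 'sms', 'post'];

// Every marketing option defaults to false. It becomes true only when the
// browser sent "on" for that checkbox, i.e. the user ticked it themselves.
// Accepting the T&Cs or sending the enquiry never implies marketing consent.
function buildConsentRecord(fields, now = new Date()) {
  if (fields.accept_terms !== 'on') {
    throw new Error('terms and conditions must be accepted to submit an enquiry');
  }
  const marketing = {};
  for (const p of PURPOSES) {
    marketing[p] = {};
    for (const c of CHANNELS) {
      marketing[p][c] = fields[`consent_${p}_${c}`] === 'on';
    }
  }
  return {
    email: fields.email,
    termsAcceptedAt: now.toISOString(),
    marketing,
    consentTextVersion: fields.consent_text_version || 'unknown', // wording shown
    updatedAt: now.toISOString(),
  };
}

// May we contact this user for a purpose over a channel? Unknown keys are "no".
function mayContact(record, purpose, channel) {
  return Boolean(record.marketing[purpose] && record.marketing[purpose][channel]);
}

// Apply a later preference change (e.g. withdrawing email marketing) without
// mutating the stored record, so the previous state can be kept for audit.
function updateConsent(record, purpose, channel, granted, now = new Date()) {
  if (!PURPOSES.includes(purpose) || !CHANNELS.includes(channel)) {
    throw new Error('unknown preference');
  }
  const copy = JSON.parse(JSON.stringify(record));
  copy.marketing[purpose][channel] = granted === true;
  copy.updatedAt = now.toISOString();
  return copy;
}

// Constructed sample submission: T&Cs accepted, email opted in for product updates only.
const SAMPLE_FIELDS = { email: 'user@example.com', accept_terms: 'on',
  consent_product_updates_email: 'on', consent_text_version: 'v1' };
console.log(JSON.stringify(buildConsentRecord(SAMPLE_FIELDS), null, 2));
```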
You should ensure that any data that is being collected by your website is transferred securely (see HTTPS above) and is being stored securely. If this data is being stored by a third party such as Google, MailChimp, SalesForce or other CRM systems you need to ensure that access to these systems is limited and controlled.
You should review who receives the data that is sent to your organisation via your website(s).
You should restrict this to those who need to know and those people need to be trained in data protection and security.
This includes any agencies you use, contractors and sub-contractors.
Limits should be put on staff and external contractors' ability to download this data, and those with access to any personal data should be fully trained in GDPR.
You should ensure you have a non-disclosure agreement in place with any third party who has access to any personal data. Your staff should also have a non-disclosure clause within their employment contracts.
It is quite a list but you will already be doing most of this (hopefully!).
Please note: You don't have to have done all of this for the 25th May 2018 but you do have to show that you are working towards compliance.