With the General Data Protection Regulation (GDPR) that came into effect on 25th May 2018, it’s important you know how to make your website GDPR Compliant.

This new law is designed to offer individuals greater protection in respect of their personal data whether as an employee, a customer, a supplier or a potential client. The new law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply. GDPR becomes the global standard for data protection.

You can use this great checklist to help you get your business ready for the new GDPR regulations: ICO Preparing-for-the-gdpr-12-steps.pdf

Website changes

Disclaimer: I am not an expert on GDPR but have made the following changes to clients’ websites following their requests. I have done a lot of my own research and consequently made all of these changes to my site in an effort to be GDPR compliant. I accept no responsibility for any consequences you have following this advice; you should always do your own research.

What do the regulations mean for your website?

Essentially, you need to be transparent about how you process and use personal and sensitive data.

1. Update privacy and cookies policies

GDPR will mean you’ll need to have clear statements and policies in place with regards to data processing within your business or organisation. You’ll need to inform your website visitors what sort of data is being collected from them, what it’s used for and how it is stored. Most of this can be covered off in a detailed privacy policy. You should already have one of these on your website so in most cases it will just be a case of updating it.

You should always tailor a privacy policy to your specific business. There are lots of templates out there, but it’s important that the information is all correct and relevant to your website specifically. You can also find mine here to get an idea of the information you need to include.

Google analytics

Here is an extract from a GDPR compliant website privacy policy statement with relation to the use of Google Analytics. It clearly explains what type of data gathering this is (visitor tracking), what it is used for and how to opt out if you wish:

“Like most websites, this site uses Google Analytics (GA) to track user interaction. I use this data to determine the number of people using my site, to better understand how they find and use my web pages and to see their journey through the website.
Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you but Google does not grant us access to this. I consider Google to be a third party data processor.
GA makes use of cookies, details of which can be found on Google’s developer guides. My website uses the analytics.js implementation of GA. User and event data is held on Google servers for 38 months. You can read more about Google Analytics Data Retention here.
Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages within this website.”

Contact and sign-up forms

You need to document your internal policies for processing and erasing the data you keep.

Other privacy policy requirements

You also need to provide users with a way to withdraw consent and purge the personal data collected on them, i.e. the ‘Right to Be Forgotten’. The easiest way to do this is to have a dedicated email address (gdpr@domainname.co.uk, for example) for them to contact you on.

You’ll need to appoint a Data Protection Officer for your business whose job it is to manage these requests alongside other GDPR related admin.

It is also a requirement of GDPR that you verify requests to remove or edit data sent via email. The easiest way to manage this is to ask your customers/users to send the request from the email account they subscribed or enquired with, so you can verify their identity and their right to edit the data you hold.

2. Add a cookies banner to your site

What are cookies?

When you visit a site that uses cookies for the first time, a cookie is downloaded to your browser. The next time you visit that site, your browser will check to see if it has a cookie that is relevant and sends the information contained in that cookie back to the site. The site then ‘knows’ that you have been there before. It helps to load your pages faster if it remembers the information from a previous visit.

Your site is collecting information, via cookies, every time someone visits it (visitors can turn cookies off in their browser). To remain transparent under the new GDPR regulations, you need to add a banner so that people are aware of the information you’re collecting while they are on your site. The banner should have a link to your updated policies and a continue button.

Example of cookies banner:


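An added example of such a banner (my own illustration, not code from the original post): the consent decision is stored in a first-party cookie, the banner links to the policy and offers a continue button, and the Google Analytics analytics.js script named in the policy extract above is only injected after the visitor has clicked. The cookie name, the policy path and the function names are assumptions.

```javascript
// Added example: cookie-consent banner that defers analytics until consent.
// CONSENT_COOKIE, POLICY_URL and the function names are assumed, not from the post.
const CONSENT_COOKIE = 'cookie_consent';
const POLICY_URL = '/privacy-policy';   // assumed path to the updated policy page

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True only when the visitor has previously clicked "Continue".
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// Cookie value recording the decision: first-party, Path=/, SameSite=Lax,
// expiring `days` from `now` (injectable for testing).
function consentCookieValue(days, now = new Date()) {
  const expires = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
  return `${CONSENT_COOKIE}=accepted; Expires=${expires.toUTCString()}; Path=/; SameSite=Lax`;
}

// Inject the GA script only once consent has been recorded.
function loadAnalytics(doc) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.google-analytics.com/analytics.js';
  doc.head.appendChild(s);
}

// Show the banner (policy link + continue button) unless consent already exists.
function showBanner(doc) {
  if (hasConsent(doc.cookie)) { loadAnalytics(doc); return; }
  const banner = doc.createElement('div');
  banner.innerHTML = `This site uses cookies. <a href="${POLICY_URL}">Read the policy</a> ` +
    '<button id="cookie-continue">Continue</button>';
  doc.body.appendChild(banner);
  doc.getElementById('cookie-continue').addEventListener('click', () => {
    doc.cookie = consentCookieValue(365);
    banner.remove();
    loadAnalytics(doc);
  });
}

if (typeof document !== 'undefined') showBanner(document);
```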
3. Contact and sign-up forms compliance

People will need to confirm that they have read and agree to your terms and conditions before they can submit the form. It will no longer be acceptable to use pre-populated check boxes (a check box that is already ticked) with an opt-out. You will need to provide a check box that your users can ‘opt in’ with. This also applies to e-commerce sites when collecting user data at checkout.

Example opt-in option on sign-up form:

Note that Google reCAPTCHA is not a GDPR requirement but helps to ensure that your new subscribers are real people, not robots.
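An added example of the opt-in form (my own illustration, not code from the original post): the check box is rendered unticked, and the server treats a missing or altered check box value as no consent rather than assuming a default. The field names, the terms version label and the validator name are assumptions.

```javascript
// Added example: unticked opt-in check box plus server-side validation.
// Field names, TERMS_VERSION and validateSignup are assumed, not from the post.
const TERMS_VERSION = '2018-05';   // assumed label of the current terms and conditions

// Markup served to the visitor: no `checked` attribute, so nothing is pre-populated,
// and `required` blocks submission in the browser until the box is ticked.
const SIGNUP_FORM_HTML = `
<form id="signup" method="post" action="/subscribe">
  <label>Email <input type="email" name="email" required></label>
  <label><input type="checkbox" name="agree_terms" value="yes" required>
    I have read and agree to the <a href="/terms">terms and conditions</a></label>
  <button type="submit">Subscribe</button>
</form>`;

// Validate the posted fields (a URL-encoded body already parsed into an object).
// Browsers omit an unticked check box entirely, so an absent field means no consent.
// Returns { ok, errors, consent }; `consent` is the record to keep as evidence.
function validateSignup(fields, now = new Date()) {
  const errors = [];
  const email = typeof fields.email === 'string' ? fields.email.trim() : '';
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('invalid email');
  // Only the exact value rendered in the form counts; a missing field or any other
  // value ("on", "true", "1") is rejected, so a defaulted submission cannot pass.
  if (fields.agree_terms !== 'yes') errors.push('terms not accepted');
  if (errors.length) return { ok: false, errors, consent: null };
  return {
    ok: true,
    errors,
    consent: {
      email,
      termsVersion: TERMS_VERSION,
      acceptedAt: now.toISOString(),
      method: 'signup form check box',
    },
  };
}
```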