With the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, it’s important you know how to make your website GDPR Compliant.
This new law is designed to offer individuals greater protection in respect of their personal data whether as an employee, a customer, a supplier or a potential client. The new law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply. GDPR becomes the global standard for data protection.
You can use this great checklist to help you get your business ready for the new GDPR regulations: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Disclaimer: I am not an expert on GDPR but have made the following changes to clients’ websites following their requests. I have done a lot of my own research and consequently made all of these changes to my site in an effort to be GDPR compliant. I accept no responsibility for any consequences you have following this advice; you should always do your own research.
What do the regulations mean for your website?
Essentially, you need to be transparent about how you process and use personal and sensitive data.
1. Update privacy and cookies policies
GDPR will mean you’ll need to have clear statements and policies in place with regards to data processing within your business or organisation.
"Like most websites, this site uses Google Analytics (GA) to track user interaction. I use this data to determine the number of people using my site, to better understand how they find and use my web pages and to see their journey through the website.
Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address, which could be used to personally identify you, but Google does not grant us access to this. I consider Google to be a third-party data processor.
Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages within this website."
Contact and sign-up forms
You need to document your internal policies for processing and erasing the data you keep.
You also need to provide users with a way to withdraw consent and purge personal data collected on them; i.e. the ‘Right to Be Forgotten’. The easiest way to do this is to have a dedicated email (firstname.lastname@example.org, for example) for them to get in contact with you.
You’ll need to appoint a Data Protection Officer for your business whose job it is to manage these requests alongside other GDPR-related admin.
It is also a requirement of GDPR that you verify requests to remove or edit data via email. The easiest way to manage this is to ask your customers/users to send their email to you using the email account that they subscribed/enquired with so you can verify their identity and right to edit the data you hold.
2. Add a cookies banner to your site
What are cookies?
Your site collects information every time someone visits it, typically via cookies (visitors can turn these off in their browser). To remain transparent under the new GDPR regulations, you need to add a banner so that people are aware of the information you’re collecting while they are on your site. This should have a link to your updated policies and a continue button.
3. Contact and sign-up forms compliance
People will need to confirm that they have read and agree to your terms and conditions before proceeding to submit the form. It will no longer be acceptable to use pre-populated check boxes (a check box that is already ticked).
Note that Google reCAPTCHA is not a GDPR requirement, but it helps to ensure that your new subscribers are real people, not robots.
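As an added example (not code from the original post), the following Node.js module enforces the two form-handling rules described above on the server side: a sign-up is only stored when the consent box was explicitly ticked, and an erasure request is only actioned when it comes from the address on record. The function names, the in-memory store and the sample addresses are all assumptions.

```javascript
// Hypothetical in-memory subscriber store standing in for a real database.
const subscribers = new Map(); // email -> consent record

function normaliseEmail(value) {
  return String(value || "").trim().toLowerCase();
}

// Sign-up: consent must be an explicit opt-in. The checkbox in the HTML form
// is rendered without the `checked` attribute, so a missing or "off" value
// means the visitor never ticked it and the submission is rejected.
function handleSignup(form) {
  const email = normaliseEmail(form.email);
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { ok: false, reason: "invalid email address" };
  }
  if (form.consent !== "on") {
    return { ok: false, reason: "explicit consent to the privacy policy is required" };
  }
  // Keep evidence of what was agreed to, and when, alongside the data itself.
  subscribers.set(email, {
    consentedAt: form.submittedAt || new Date().toISOString(),
    policyVersion: form.policyVersion || "unknown",
  });
  return { ok: true };
}

// Erasure ("right to be forgotten"): only actioned when the request comes
// from the same address that subscribed, as the post recommends. Mismatched
// or unknown senders get the same neutral reply, so the endpoint does not
// reveal which addresses are on file.
function handleErasureRequest(message) {
  const sender = normaliseEmail(message.from);
  const target = normaliseEmail(message.subjectEmail || message.from);
  if (sender !== target || !subscribers.has(sender)) {
    return { erased: false, reply: "If we hold data for this address, we will confirm erasure to it." };
  }
  subscribers.delete(sender);
  return { erased: true, reply: "Your data has been erased." };
}

function isSubscribed(email) {
  return subscribers.has(normaliseEmail(email));
}
```

The consent record (timestamp and policy version) is what lets you show later which version of the policy a subscriber agreed to.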