How to make your website GDPR compliant

What is the GDPR?

You have no doubt heard about the new EU “General Data Protection Regulation” (GDPR ) legislation that comes into effect on 25 May 2018. This update to privacy law is important, as the penalties are severe and it effects all businesses worldwide, assuming anyone from the EU may be visiting your website.

For the complete background on the law, I refer you to the most authoritative source for UK businesses, which is the Information Commissioner’s Office (ICO) Guide to the GDPR.  Here you will find a ton of information and how to start the road to compliance.

For most businesses, especially small ones, this is a lot to take in. In this article I attempt to explain what you need to consider doing as soon as possible (or before 25 May), for the narrow focus of your website, and what you need to do on an ongoing basis, to ensure compliance.

What do I need to do NOW to ensure my website is GDPR compliant?

Unfortunately this is more than just updating (or creating) the privacy notice on your website. The law covers how you collect, store and use anyone’s personal data; which covers not just your website but any computers, networks, and third-party tools you use for your business. I suggest you start with the areas mentioned below which are typical for most business websites, and will cover major issues addressed by the regulations. Please note, these steps alone with not ensure compliance. See the section below on “long term compliance” for details on what this entails.

Website contact forms

Even basic forms on websites collect what would be considered “personal data”.  Examples of these forms are contact or enquiry forms, newsletter opt-ins, or event registrations.

The form data is usually sent to someone via email, but is in most cases also stored by a website content management system (CMS) such as WordPress. The main issues here are form and data security, only collecting data that is needed, third-party compliance, and data storage.

Forms and data security

• What information do you ask for on your forms? You should only collect information that meets your business needs and nothing more. Weigh what you collect against the person’s right to privacy, in the event of a data breach. Collecting less in most cases also helps you get more form completions. Don’t ask for a birth date on a contact form!
• Include a link to your privacy policy in relevant form areas. This also helps reduce worries and encourages more form completions.
• It is best that any form used be on a secure web page, meaning it has an “https” in the top left URL address window. This enables data encryption at the time the form is completed.
• Also, if the data is stored in the website CMS, it should only be accessible behind a “https” secure page, which again ensures the data is encrypted.
• How long do you store the data you collect? Both in your website CMS, and even on your computer? If it is not actively being used, or has been transferred to your email newsletter or CRM system, you don’t need it in more than one place. It is a good idea to remove duplicate or unneeded data as soon as possible, within 60 days.
• Do you use third-party system for your forms? If so, you need to be sure the above principles hold true.

Newsletter opt-ins

• Forms for newsletter subscriptions should include a default “no” option to allow users to positively opt-in, rather than a default “yes”. Don’t try to manipulate someone, which creates distrust. You need to record a positive action was taken.
• A double opt-in process is strongly advised. This is where someone fills out the form, then receives an email to click a verification link to confirm their subscription.
• You need to be able to verify the language used at the time someone subscribed. If you change your form, keep a record of the old language and the date it changed.
• The opt-out process needs to be very clear and easy to do. Most email programs such as Mailchimp use a one-click unsubscribe process.

Online payments

Many websites include some sort of payment gateway such as PayPal or Stripe. These can be used to buy products, pay invoices, or register for events. Most will hand the payment transaction to a separate website but will also keep some information with the business website. You will want to ensure all of the recommendations above under the “forms” are considered, as well as:

• Be sure you understand what information is stored on your website and on others. Only store what is needed, and delete what is not after it’s business use is no longer needed.
• Be sure you are not storing any bank account or credit card information on your website. Most transaction sites store this for you.
• Make sure any transaction websites you are using are secure and following GDPR requirements.

Website registrations

Some businesses have websites that invite users to register to view content restricted to those who have an account. These can be used for membership, partner, or client sites.

• The registration process typically collects personal data. The user must agree to Terms and Conditions that explicitly state what will happen to this information.
• A double opt-in process (involving an email verification) is highly recommended for these accounts.
•  Account cleansing should be performed annually. Your system should record a users last login or use, and you should have a way to make accounts inactive after a year with no use. Any personal data should be deleted so that remaining data is made anonymous.

Website sessions and cookies

Most websites use a session-cookie to tell users apart, however they still remain anonymous. These are used for website functions such as form anti-spam CAPTCHA messages. These are also referred to as first party cookies, as they are issued by the website itself for it to work correctly.

Many websites also use third party cookies from other websites or software providers to track users, segment them for reporting, do usability tests, or perform other actions. These include sites/software such as Google Analytics or Crazy Egg. Most providers are saying their systems are GDPR compliant.

• You, not the software provider you are using, are responsible for knowing how you are tracking website users and if the software used is GDPR compliant. You need to ask them and get a positive response in writing, or use another provider (or none at all).
• In some cases, software providers have new options to make their services anonymous. Check if this is the case, and use any settings that can accomplish this.
• Audit any third party cookies on your website to be sure you know how the data is being used, and include those in your privacy policy.
• Consider implementing a cookie opt-in on your website, which would allow users to accept your use of third party cookies. Many feel this interferes too much with user experience, however, and are considering an updated cookie message with a link to an updated privacy policy. The choice you make is likely centred around how you use third party cookies in relation to a visitors privacy. Watch this space as current regulations are confusing, and it is expected to be clarified over coming months.

Website Analytics

Most websites use Google Analytics to report on website usage.  There are also cookie free options that provide a privacy first approach to data control and security.  This may be used in conjunction with Google Tag Manager, depending upon your website setup. Google is saying they are GDPR compliant, and have provided some options.

• Consider options such as Plausible Analytics that are more accurate and do not use cookies.
• Google Analytics now has a data retention control which can be changed to reduce how long user or event level data is stored for more advanced, detailed reports. Use this setting to remove data older than your preferred reporting history comparison dates, to avoid keeping it longer than needed.
• Turn on IP anonymization, which is more easily done using Google Tag Manager. This will make your geo reporting a little less accurate, but will help with GDPR as complete IP addresses are considered personal information.
• If you are using Google Tag Manager, audit who has access to the account, and who can add code to your website. Also know what software/scripts you have running on your website and how they effect visitors privacy. These need to be included in your privacy policy. Clean out or deactivate old scripts which are no longer being used.

Right to access and right to be forgotten

In some situations GDPR gives users the right to access the personal data that is held about them, and the right for this information to be corrected or deleted.

• Any request for data access or removal can likely be processed manually by the website owner or agency/developer – there is no legal requirement for the user to be able to do this themselves. If they have an account and can do this, that is all the better, but not required.

Privacy notice

You already should have a privacy notice on your website to give visitors your identity and identify how you process their data. GDPR adds more requirements:

• Include the legal basis for processing the data (from Article 6 of the regulations).
• The period you are storing any personal data.
• Meaningful information about the significance and consequences of processing the data, with the logic involved.
• This needs to include not just what your website does, but how you process the information offline.
• Make it concise, transparent, easily understood and accessible in clear, plain language.
• For more details see the ICO guidance on privacy notices under GDPR, and also this helpful article from Econsultancy on how to create GDPR friendly best practice privacy notices.

Terms and conditions

You also need to review or add a Terms & Conditions statement which has to do with your terms for customers using your products or services.

• Explain what personal data is collected and why. Keep it clear and out of the legal speak. This can also link to your privacy policy or other page if needed.
• Link to this page from your customer registration forms, emails, etc.
• Use GDPR language where needed, such as “data subjects”, “data controllers”, and “data processors”.

What should I do long term to ensure my business is GDPR compliant?

As mentioned, the above steps won’t make you totally compliant, but will show you are taking important first steps. These laws are part of a recommended process which will be new for many businesses. For full compliance, the following steps are recommended:

• Review the GDPR guidance information on the ICO office website.
• Complete the ICO data protection self-assessments for all areas you are involved in, usually as a data controller, marketing, etc.
• From the self assessments, work through the actions in order, documenting your progress by keeping records.
• Watch the news for related activity in this area, so you can be aware of changes to the requirements and better guidance as it is published.

What if I need help?

We can help with any of the areas mentioned above, on a time and materials basis. As these services are chargeable at our hourly rate, I suggest starting with the information provided above to see what progress you can make. Feel free to contact us if you would like to discuss getting additional help.