
9 Key Tips to Ensure Your Website is GDPR Compliant

The General Data Protection Regulation (GDPR) comes into effect from the 25th May 2018 and it's going to impact various aspects of your business. This blog is focused on how to ensure your website complies with the new regulations as there are likely going to be adjustments to be made and terms to update.

Over the past 6 months I've been speaking with a number of consultants and solicitors, looking at various areas of our own business. As part of this, I've written down 9 specific areas I feel every business needs to address on their website. A key point to note here is that compliance isn’t the responsibility of your website provider (although like us, hopefully they are advising on what should be done and able to ensure it is). The point is that if your company gets investigated, there's no point looking over your shoulder, it's down to the leaders of every business to ensure compliance.

My View On GDPR
There are lots of worried faces when GDPR gets mentioned and, like any act which requires compliance, I understand why. The fines are significant, so this isn’t something which should be ignored. If you read up on it, the fines can be €20m or 4% of your turnover, whichever is greater. If that doesn’t make you sit up and take notice, nothing will - and that’s the idea.

So firstly, this is very very important to read up on and I recommend going through the GDPR section of the ICO website as it’s very thorough and relatively straightforward to read through. They have a checklist you can download and a guide of steps to take right now across your business (as this impacts HR, legal and finance in addition to marketing).

Overall, I feel the whole move forward with data protection is positive as blatant disregard for personal privacy makes it harder for everyone who does work in an ethical way to make an impact. If I think about how little I use my personal email account now due to the deluge of irrelevant emails in there, it’s a shame. What this revised policy will do is make every company invest some time to work out how to make an impact in the right way. The reason for this is that you’re going to have to be able to prove how someone got on your email list now - because should they complain about you emailing them, you need to know. Offering an unsubscribe link isn’t enough and neither is giving them the chance to opt-out. You have to prove they opted-in! So this is big and where you need your website, your team and your marketing to be on top form.

Is your website compliant with the requirements of EU General Data Protection Regulation (GDPR) that will be enforced on the 25th May 2018?
Here are 9 changes that you need to make now so that your website will stay on the right side of the law, and keep your customers happy.

9 Key Areas of Your Website to Review for GDPR

Disclaimer
It’s important to point out that these tips are based on the research we have conducted and are advisory. This list is not exhaustive and we refer to the ICO website for full details. To ensure full compliance, we recommend you seek professional advice from a GDPR compliance consultant and/or your solicitor.


1/ Identify what information you are collecting, where & why
Information may include details submitted via contact forms, newsletter sign-ups, details of e-commerce transactions and associated information. It’s likely you are using cookies to gather web stats (such as Google Analytics) and possibly collecting IP addresses, so anything that could be deemed ‘personally identifiable information’ needs to be accounted for. You need to ensure you know what you are collecting, how it’s being stored and who has access to this information. The key point is that you need to show what that person has opted in for, so that if you receive a complaint you can justify how and why that person is receiving communications from you. So opt-in consent is absolutely key.

Equally important is how you can delete it if someone contacts you under the ‘right to be forgotten’ as you need to be able to prove you can ‘forget’ someone entirely with no trace of their details if they request it. If you write down exactly what you are collecting, where you are collecting it and why you need it, you will have the basis of a process document to refer to.

2/ Ensure your website terms of use and privacy policy are up-to-date
Make sure your terms and privacy policy have been reviewed and are compliant with GDPR.

3/ Install a SSL Certificate
SSL stands for Secure Sockets Layer (the protocol in use today is its successor, TLS, but the certificates are still commonly called SSL certificates) and a certificate is a file which binds a cryptographic key to an organisation's details. When you see the padlock icon to the left of a website address it indicates the site has an SSL certificate, and Google also values this highly. So there are additional marketing benefits which come from taking this extra security measure. SSL certificates typically cost £20-£35 per year - speak to your developer to find out more; it’s relatively quick to install (additional fees may be required, but it shouldn’t take anyone long to do). Having an SSL certificate on your website gives your customers peace of mind and increases your favour with Google.

4/ Review all of your website forms
This area focuses on your contact forms, including brochure and whitepaper download requests and quote forms. It’s a huge area to focus on, as you can no longer include pre-ticked boxes with regards to consent, or options to ‘opt out’. Everything needs to be focused on enabling individuals to opt in and provide consent to hear from you going forward. If you plan on marketing to people through different channels, you should provide the option to be contacted via email, post, SMS or calls as individual options so that you can prove specific consent. Additionally, should people wish to take themselves off one (or more) forms of contact, it means you don’t lose them altogether. So this should prove to be an invaluable exercise and also help you learn more about the personal preferences of your audience.

If you intend to pass details to a third party, this should also be an additional opt-in for each specific third party. If you are asking for permission to pass details on to a third party – again, you need another tick box. If you are collecting data through one website on behalf of several third parties, then you need to clearly give an opt-in option for each party. Offering something like a whitepaper if they sign up is a great way of getting more user sign-ups, but you still need to provide an opt-in tick box, otherwise consent has still not been given freely.

5/ Ensure it’s easy for people to unsubscribe or be forgotten entirely
Every individual has the right to withdraw their consent for you to market to them, or even communicate with them - no matter what their history is with your company. Our recommendation is to include a link to ‘Update Communication Preferences’ with a form which allows any individual to request updates to their details. This might include updating/changing their preferences or complete removal. Ideally this would be linked to a system which manages this directly, but as a minimum it can be a request form to be completed by one of your team. Just ensure that when people submit their requests the page states the process and timescales involved, so you can manage the expectations of the individual.

The last point is more about emails than your website, but ensure all marketing-related emails include unsubscribe links. We would also recommend including a link to update communication preferences in your email signature for direct emails, so you are still making it easy for anyone to update their preferences and saving yourself time in the process.
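As an added illustration of the consent handling described in points 1, 4 and 5 (example code written for this post, not Digity's own system): a small consent ledger that records each opt-in per channel and per third party together with the evidence needed to justify it later, refuses pre-ticked or untouched boxes, lets one channel be withdrawn without losing the others, and erases a contact entirely on request. The class and function names and the "share:<third party>" purpose naming are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CHANNELS = {"email", "post", "sms", "phone"}  # one tick box each (point 4)

@dataclass
class ConsentRecord:
    purpose: str                 # a channel, or "share:<third party>" (assumed naming)
    granted_at: str              # ISO-8601 UTC timestamp of the opt-in
    source: str                  # the form the tick came from, e.g. "whitepaper-download"
    wording: str                 # the exact statement the person agreed to
    withdrawn_at: Optional[str] = None

class ConsentLedger:
    """In-memory ledger keyed by contact; a real site would persist it."""

    def __init__(self):
        self._records = {}

    def record_opt_in(self, contact, purpose, ticked, source, wording, prechecked=False):
        """Store consent only for a positive action on a box that was not pre-ticked."""
        if not (purpose in CHANNELS or purpose.startswith("share:")):
            raise ValueError(f"unknown purpose {purpose!r}")
        if prechecked or not ticked:
            return False  # a pre-ticked or untouched box is not consent
        stamp = datetime.now(timezone.utc).isoformat()
        self._records.setdefault(contact, []).append(
            ConsentRecord(purpose, stamp, source, wording))
        return True

    def may_contact(self, contact, purpose):
        """True only while an un-withdrawn opt-in exists for this exact purpose."""
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(contact, []))

    def evidence(self, contact, purpose):
        """What you show a complainant or the ICO: when, where and to what they agreed."""
        return [r for r in self._records.get(contact, []) if r.purpose == purpose]

    def withdraw(self, contact, purpose):
        """Withdraw one purpose; the others stay valid and the history is kept."""
        for r in self._records.get(contact, []):
            if r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc).isoformat()

    def forget(self, contact):
        """Right to be forgotten: drop every record; returns whether anything existed."""
        return self._records.pop(contact, None) is not None
```

The withdrawal timestamp is kept rather than deleting the record, so you can still show when consent existed if a complaint arrives about an email sent before it was withdrawn; `forget` is the separate, complete erasure.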

6/ Be clear on cookies, re-marketing & IP tracking
All cookies in use (typically Google Analytics, which gathers website statistics, and other tools like the Facebook pixel) need to be outlined in your privacy policy. You should be clear on the information being collected and what it will be used for. Users can opt out of cookie tracking in their browser’s privacy settings, so it’s worth referencing this advice as good practice.

Remarketing enables you to target visitors with your advertising when they visit other websites (that’s how you sometimes see things you’ve looked at elsewhere pop-up on other websites). If you’re running this type of activity you need to identify it in your privacy policy.

If you are in the B2B market you may (typically) be tracking the IP addresses that visit your website to identify the companies within which visitors are based. This is different from the anonymous data found in Google Analytics, as it will identify a company and could be linked to an individual, which therefore moves it into the realm of personally identifiable information. It is therefore subject to GDPR and needs to be covered.

7/ Social media advertising
Certain social networks now allow you to upload lists of existing customers, which are then reviewed for common ground to enable you to target advertising towards other people who share similar characteristics. This data is treated anonymously (you should certainly find out exactly how it would be used before going down this route), but naturally if you are providing the email addresses of others you need to ensure you have their consent (via a tick box and explanation) plus an option to opt out in the future (which in our recommendation would be handled on the communication preferences form).

8/ Taking payments
If you are an e-commerce business, you will likely be using PayPal, SagePay, Stripe or another payment gateway for your financial transactions. You may collect data before passing those details on to the payment gateway to make the process streamlined, so you definitely need to have an SSL certificate in place to ensure this information is encrypted in transit. If your website, ordering system and accounting system are also storing that information, you need to be clear about this in your privacy policy. You should also look at web processes which remove personal information from non-critical systems after a reasonable period, for instance 30 to 90 days. Currently there isn’t a specific number of days, so the key is to keep it as short as possible and ensure you can justify the number should you be investigated.

9/ Document how you will deal with issues and data breaches
Naturally we hope this is a document you won’t need to refer to, but in reality you need to have a robust process to follow, even for basic updates to communication preferences, to ensure compliance. This needs to be shared throughout the business with all relevant personnel.

Should you have a data breach, you are duty bound to report certain types of breach to the Information Commissioner’s Office (ICO) and, in some cases, to the affected individuals directly.

NOTE: You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant disadvantage.


Final summary
The GDPR states that your privacy information must be ‘concise, transparent, intelligible and easily accessible; written in clear and plain language – particularly if addressed to a child; and free of charge.’

Take time to go through these points and consult with experts to ensure compliance throughout your whole business. Advice and best practice seem to be evolving all the time, so we will do our best to share relevant updates where we can. We are, however, not GDPR consultants or solicitors - so once again, I recommend you seek professional advice.

I hope you have found this guide useful. For Digity clients with websites under our control we are offering a GDPR website audit and update package for a set fee should you opt for us to make specific updates.

Please contact us directly for details.

This blog post was written by:

chris • March 28, 2018
