The new GDPR regulations kick in on May 25 and whether you are running a major online retail outlet, a news site or a personal blog, you will be subject to the regulations if you collect data from visitors to your site, even if you use third-party providers to collect or analyse it.
For example, if your website gathers visitor data through Google Analytics, newsletters or contact forms, or contains cookies, an e-Commerce module or social media links, you could be at risk of being GDPR non-compliant. So it’s a good idea to check your compliance before the deadline.
How to make your website GDPR compliant
The key thing to remember about GDPR is that if your site processes visitor data in any way, you are required by the regulations to put data protection procedures in place to ensure that visitor privacy is maintained. AMJ UK has put together some helpful guidelines that should make it easier for you to ensure that your site is GDPR compliant.
Key Principles of GDPR
If a business collect personal data, then it will need to implement data protection procedures to ensure customer privacy taking into account your website requirements and in line with the following principles:
- Collect the minimum level of personal data necessary
- Be clear about what data you collect and why you need it
- Ensure that you seek active and explicit consent from visitors
- Ensure that the right to access, rectify, erase, restrict processing and to request data portability can be applied to an individual enquiry.
- If you are adding forms to your site, ensure that your form only asks for essential information.
- Visitors to your site must be informed of any potential data collection and given the chance to opt into or out of data collection, such as by agreeing to terms and conditions.
- If the visitor accepts an opt-in, the details must be recorded by the site Data Administrator.
- Under every form that includes an opt-in, you should include a clause containing relevant information on data collection, including details of the Data Administrator.
Active and Unbundled Opt-In
- Every instance of data collection should be flagged up to visitors and they will need to give explicit permission via an opt-in box describing what the data will be used for.
- Separate opt-ins, such as terms and conditions and signing up to a newsletter can’t be dealt with at the same time and must be covered with two checkboxes.
- Checkboxes must not be pre-checked.
If the data being gathered will subsequently be passed to a third-party for analysis or marketing, the visitor must be informed and their permission sought separately for each type of processing.
Right to Opt-out
Everyone who uses your site should be given the right to withdraw their consent at any time, and must also have the option of being able to access their data records and amend them at any time. It is important to note that under GDPR, you will have to satisfy such a request within 30 days.
Right to be forgotten
Any user of your site can demand that you remove all data you hold on them. This includes registration data, forum posts, comments and any other data relating to the user. It is the responsibility of the Data Administrator to ensure that all this data is removed.
It is also important to note that the key word is ‘removed’. It is not enough to deactivate or hide a user’s profile. All data relating to that user must be deleted. GDPR also obliges you to ensure that data you have passed to a third-party is deleted.
- Who you are and the identity of the data administrator
- What type of information is collected and how you use it
- Why it is necessary for your site to collect this data
- How the data is stored and protected
- Who the data is shared with
- How long you will retain the data
An easy way to do this is through a cookie banner, which is usually displayed when a user visits your site for the first time. It is important that the cookie banner is not passive but includes agreement options covering each group of cookies used on the site.
One way to do this is to divide your cookies into separate groups and give each group its own agreement checkbox. Cookies can be separated into those which are necessary to use the site, statistics gathering cookies or marketing cookies. By providing separate opportunities for users to agree to each cookie type, you will be helping users to make an informed choice.
A good way to approach this is to group cookies for example as necessary, preferences, statistics and marketing as it allows users to make an informed decision about what they are willing to allow.
Many sites are set up to use Google Analytics to gather user data. The basic configuration of Google Analytics does not allow for the collection of personal data and so does not come into conflict with GDPR. But you will need to obtain explicit user consent if you set up Google Analytics to employ the user ID, demographic reports or remarketing functions
For more information please have a look at our Google Compliance information
Any e-Commerce web company is likely to be using a payment gateway to carry out financial transactions, your site may well be gathering personal data before sending details to the payment gateway. If this is the case, you will need to alter your site processes to ensure the removal of personal data after a reasonable period of time.
A vital part of GDPR compliance is ensuring that your web data is completely secure. Adding new layers of security such as SSL will help to keep sensitive information secure as it passes through the internet. SSL is also an essential protection for your website since it provides security and data integrity for your data and the data of your users. And don’t forget that backing up your site and carrying out regular security updates is an important part of keeping your site secure.
If you use a live chat service on your website, you will need to make sure the third party service offered is compliant with GDPR policy as very often such services offer a transcript of the chat to be emailed to both parties once completed.
The guide above covers the most common issues that are likely to arise with most websites under GDPR. But there are other ways in which you can prepare for May 25:
- Set up a registry for personal data processing.
- Authorise and train employees who will have access to data.
- Creating a record of any breach personal data processing regulations
- Drawing up a risk analysis of your data processing procedures.
Although this may all seem daunting, compliance with GDPR is vital if you are serious about having a continuous web presence, your users are likely to appreciate the efforts you make to keep their data safe.
AMJ IT is a specialist IT Company providing IT support London and IT Support Kent. We have experts in every IT field including web services and we can help you to make your website compliant. Get in touch today and find out how AMJ IT can help you to prepare your website for GDPR.
The Information Commissioners Office (ICO) have also compiled a comprehensive document on twelve major steps for businesses to take in line with GDPR, available here as GDPR ICO 12 STEPS.
Please note that the above information provided in not an exhaustive review of all the elements of the regulation and what you need to look at depends on your organisation’s particular circumstances. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for legal advice. You should consult your own legal advisors where required.