On May 25th 2018, the EU’s General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998. The advent of GDPR will update data protection for the digital age. GDPR aims to give people more control over how organisations collect and process their data. GDPR applies to all businesses regardless of size or sector. Failure to comply with the requirements can result in large fines from the ICO and/or fines from individuals who suffer data breaches.
The items below represent what you should be looking to implement for your website in order to meet with GDPR requirements. For other GDPR requirements with the remainder of your business, we suggest that you consult with a GDPR expert to help you with implementing this.
1. Secure your website (SSL)
If your website has forms on it (personally identifiable data), it will need to have an SSL certificate (https). SSL certificates should really be implemented as good practice anyway for two reasons. Firstly, major browsers are now informing users that sites without one are ‘unsecure’ which will put off website visitors. Secondly, having an SSL certificate is a search engine ranking factor and not having one will negatively impact your website rankings.
Action: Implement an SSL certificate on your website.
2. Opt-in forms
It will no longer be acceptable to provide pre-checked ‘opt in to marketing’ (or unchecked ‘opt out’) tick boxes on your website forms. Your website visitors need to explicitly opt in to receiving future marketing communications from you. In addition, it is no longer acceptable to bundle a number of things within one sign-up, e.g. a website visitor gives personal details for a download but is then also added to a newsletter list. You also need to explain how to withdraw consent, e.g. all emails contain an unsubscribe link. Finally, if you have ‘partners’ that you wish to share data with, each of these should be listed with its own check box. You need to be specific and transparent, using clear and plain language (and link to your Privacy Information Notice).
An opt-in only approach will likely slow the growth of your mailing list in terms of pure numbers; however, there are some positives. Those who do subscribe to your list should have a genuine interest in what you have to offer. Having a larger proportion of ‘engaged’ users will mean a higher open rate and less chance of emails going into junk. Moreover, because CRM pricing is usually structured by number of contacts, you will be paying less for the same number of ‘engaged’ users.
Action: Update your forms with an empty checkbox and a corresponding invitation to tick it in order to receive your newsletter, or anything else in your marketing arsenal.
Note: You can have multiple checkboxes for different lists.
3. Contacts Database
Consent to receive your updates needs to be recorded in such a way that you are able to demonstrate how and when it was obtained. If you can’t prove consent for all or some of your list, then you need to reach out to them to obtain their consent and record this.
Action: If you use a CRM tool, ensure that it is set up to do this. Reach out to existing contacts and obtain and record consent.
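As an added illustration (not code from this blog or any CRM product), a small Python consent log that implements points 2 and 3 together: one checkbox per list or partner, consent stored only for boxes the visitor actually ticked, and each record keeping the how and when (form, notice version, timestamp, source address) needed to demonstrate consent later. The purpose names, form ids and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed purpose list: one checkbox per list or partner, never bundled.
PURPOSES = ("newsletter", "partner_acme", "partner_globex")

@dataclass
class ConsentRecord:
    email: str
    purpose: str
    given_at: str            # ISO-8601 UTC timestamp: the "when"
    form_id: str             # which form collected it: the "how"
    notice_version: str      # version of the Privacy Information Notice linked
    source_ip: str
    withdrawn_at: Optional[str] = None

class ConsentLog:
    def __init__(self):
        self.records = []

    def record_submission(self, email, fields, form_id, notice_version, source_ip, now=None):
        """Store one record per purpose whose box was actually ticked.
        A browser posts "on" only for a ticked checkbox; an absent key is an
        unticked box and grants nothing, so a download form adds nobody to a list."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        given = []
        for purpose in PURPOSES:
            if fields.get(purpose) == "on":
                self.records.append(ConsentRecord(email, purpose, stamp, form_id, notice_version, source_ip))
                given.append(purpose)
        return given

    def withdraw(self, email, purpose, now=None):
        """Honour an unsubscribe link: mark every live record for that purpose withdrawn."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        hits = [r for r in self.records
                if r.email == email and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = stamp
        return len(hits)

    def evidence(self, email, purpose):
        """Return the live consent record, or None if consent cannot be demonstrated."""
        for r in self.records:
            if r.email == email and r.purpose == purpose and r.withdrawn_at is None:
                return r
        return None
```

Before sending to a list, call evidence() for that purpose and send only when a record exists; anything that returns None is a contact you must re-consent, as point 3 describes.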
4. Privacy Information Notice
A Privacy Information Notice (PIN) should be made available when data is collected direct from a data subject (e.g. website visitor filling in a contact form). Website visitors should be provided with a concise and transparent information notice which outlines what and how their personal data is being used, by whom and for how long.
Action: Create a Privacy Information Notice and ensure it is easily accessible on your website, especially where users submit their data.
Get in Touch
If you are looking for help with getting your website ready for GDPR, we would be happy to help. Please do get in touch on firstname.lastname@example.org or call us on 0131 258 0307.
The contents of this blog are given in relation to the GDPR Fundamentals Standard and we cannot guarantee that following them would meet GDPR requirements. This can only be tested in court at a later date, on a case-by-case basis, by the ICO over the coming months and years.