Key changes are coming into place with reference to the EU General Data Protection Regulation (GDPR). The GDPR takes over from the Data Protection Act 1998 on 25th May 2018. Are you aware of the changes you need to make to your website in order to be compliant?
The key changes in the new policy are that you must obtain consent from website users, delete any data that is not being used for its intended purpose, and make revoking consent as easy as giving consent.
How do you prepare your website for these changes?
- Determine how your organisation gains consent and allows customers to control what they consent to; this could be through contact forms and sign-up forms.
- How can customers withdraw consent?
- How secure is the data held on your website?
- Do you need consent for marketing or sensitive data processing?
- Who do you share data with?
GDPR ensures that there is fair, lawful and transparent processing of data:
- Data collected and processed online through the sales process may be kept on record, i.e. stored in the website's database, but purely to enable the organisation holding the data to defend itself against potential future litigation. Data is not to be used for any other purpose, i.e. marketing, without the customer's consent; a checkbox giving consent on the customer checkout form is considered acceptable.
- Checkout forms and contact-us forms on your website should be relevant and limited to what is necessary, and data should, where possible, be kept up to date. Forms shouldn't have any unnecessary fields collecting data just in case it becomes useful.
- Data security: all data stored within the website needs to be kept secure from hackers and data breaches. These can be prevented by installing security software such as Wordfence and anti-malware. Websites that use HTTPS send data over an encrypted connection, so you need to make sure your website has an SSL certificate. Your hosting provider should also address this, because if your database itself is unencrypted, your contacts will be left exposed in a breach.
Website users must be given clear opt-in procedures, and consent must be entirely voluntary and freely given.
Acceptable ways of obtaining consent:
- Ticking a box
- Choosing settings
- Downloading instructions
Unacceptable ways of obtaining consent:
- Pre-ticked options
- Unsubscribe options
- Failure to opt out
- Any other passive reaction
Terms & Conditions
Most websites will have their terms and conditions in the footer. Consent must not be buried in the T&Cs; it can be in the same document but should be clearly distinguishable. You'll need to update the terms and conditions on your website to reference GDPR terminology. In particular, you'll need to make it clear what you intend to do with the information once you've received it, and how long you'll retain this information both on your website and elsewhere.
Right to withdraw consent
Website users must be able to withdraw consent easily, via the same mechanism through which consent was granted.
Pre-existing consent needs to be re-applied for, i.e. organisations that use Mailchimp or a similar newsletter platform must send out a new sign-up form to pre-existing members on the list to get their consent to continue to market to them.
Key facts to ensure compliance on your website
- Ensure all forms on your site have check boxes asking for consent
- Sales data can still be stored within your website as long as it's not used for any marketing practices unless the customer has given consent.
- An SSL certificate should be installed on your site to encrypt the data.
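As an added illustration (not part of the original article, and not any particular project's code) of the consent rules above, this small Python model records a checkout-form opt-in, treats an absent or unticked box as no consent, withdraws consent through the same checkbox, and keeps the order record usable while blocking marketing use for anyone without a recorded opt-in, including legacy list members who must be re-consented. The names `ConsentRecord`, `consent_checkbox_html`, `apply_form` and `may_use` are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """Constructed example record; names are assumptions, not a real API."""
    email: str
    marketing: bool = False                  # only True after an explicit opt-in
    granted_at: Optional[datetime] = None    # None for legacy / pre-GDPR lists
    withdrawn_at: Optional[datetime] = None


def consent_checkbox_html(record: ConsentRecord) -> str:
    """Render the opt-in box. It reflects the stored choice but is never
    pre-ticked for a user who has not consented, and the same control is
    used both to grant and to withdraw consent."""
    checked = " checked" if record.marketing else ""
    return (f'<input type="checkbox" name="marketing_optin" value="yes"{checked}>'
            " Email me offers and news")


def apply_form(form: dict, record: ConsentRecord,
               now: Optional[datetime] = None) -> ConsentRecord:
    """Apply a submitted form. Browsers omit an unticked checkbox entirely, so
    an absent field means no consent (failure to opt out is not opt-in); an
    unticked box on a later submission withdraws previously given consent."""
    now = now or datetime.now(timezone.utc)
    ticked = form.get("marketing_optin") == "yes"
    if ticked:
        if not record.marketing or record.granted_at is None:
            record.marketing, record.granted_at, record.withdrawn_at = True, now, None
    elif record.marketing:
        record.marketing, record.withdrawn_at = False, now
    return record


def may_use(record: ConsentRecord, purpose: str) -> bool:
    """Sales data may be retained as the order record regardless; marketing
    use needs a current, recorded opt-in (a legacy record with no granted_at
    must be re-consented first)."""
    if purpose == "order_record":
        return True
    if purpose == "marketing":
        return record.marketing and record.granted_at is not None
    raise ValueError(f"unknown purpose: {purpose}")
```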
If you’d like support in making your website GDPR compliant, contact us at Next Phase Digital and one of our specialists will be in touch.