GDPR website compliance – General Data Protection Regulation
GDPR (2016/679) – General Data Protection Regulation – was agreed by the European Commission in January 2012 after 4 years of deliberations. It is the data privacy law which comes into effect on May 25th 2018 (or 9th January for financial firms) and it replaces the 1995 Data Protection Directive. Failure to comply will carry very large fines, imposed by the Data Protection Commissioner. It is all about personal rights, security and protecting any identifiable person's data, such as email address, name, address, postcode etc., to avoid spamming, abuse or much worse, such as illegal access to bank accounts. This ‘personal data’ is also referred to as ‘data subject’.
GDPR governing websites and mailing lists
GDPR website compliance – 15 recommendations to keep you compliant
GDPR website compliance – Here are 15 ways to help keep you compliant and avoid big fines:
1. Email opt-ins – Include a double opt-in, so that after signing up the person gets an email asking them to confirm that they did indeed opt in to receive your communications. It is useful protection for you, as it shows that you were asked to sign this person up. Mailchimp will do this for you if the settings are correctly set up. This will cover you going forward.
2. Lists – If you have a current list, do offer people the chance to opt out; this is evidence that you gave people the opportunity to opt out. Ideally, cleanse your ‘list’. Use it as a reason to reach out to that list and find out who cares. Remember that under GDPR people have the right to ‘be forgotten’. Platforms like Mailchimp have updated their platform to include GDPR opt-ins.
3. Unsubscribe – your get-out-of-jail card. Always include an ‘unsubscribe’ option in your emails and make it clearly visible. By all means add a message explaining why it would be a good idea to stay on the list rather than unsubscribe.
4. T’s & C’s – Include your terms and conditions on your website and ensure they refer to how you handle personally identifiable information. Are people signing up to a mailing list, or just to get a one-off FREE guide or something similar? Obtain informed consent for what you would like to do with that data.
5. Essentials – Only ask for the minimum amount of data. What do you really need? Name and email might do, so why ask for address or postcode? Keep it to a minimum. If you need postal addresses or dates of birth in order to ship goods, then ensure that you only hold these for real customers.
6. Pirating – Never buy or sell ‘lists’ – it is just wrong.
7. 3rd Party – Check third-party applications such as your CRM to ensure that they are GDPR compliant. By default they may ask for more information than you need. Your email programme needs to protect against misuse. Your website will have third-party plugins, and each needs to be checked to ensure that it is GDPR compliant, or replaced with a better option.
8. Clarity – Do not make it confusing when asking for information in opt-ins or asking people to opt in to something; be clear about what is being offered or asked. Be honest.
9. Security – Protect your list data and use some form of security, as you will be held responsible if your data is hacked. You need to show that you did apply some security. Ask your insurers if you can get some form of cover if you are worried that your data might be breached. Get your laptops encrypted.
10. Data retention – Consider how long you might hold data. If someone buys from you once, are they likely to buy again? Or if someone buys in 2017 but does not buy again within a set time, say one year or five years, can you decide to cleanse their information from your records? Decide on a best-before date for this sort of data.
11. Cookies – Cookies on a site can gather information, so check your settings or be up front about what you do with personally identifiable information (PII). In the Google Analytics settings, turn on the option to anonymise/mask IP data.
13. CTAs – Simple calls to action on your website may be set to gather information, so again make sure you state what you do with such information.
14. Platform – Your website is built on some platform, possibly WordPress, Drupal, Joomla, Wix or Squarespace. This platform itself needs to be GDPR compliant, so check that it is, to cover yourself. These platforms all have new GDPR plugins to make all this much easier.
15. Check boxes – Ensure that if you have check boxes when asking people to opt in, they are not pre-checked. The visitor must check the boxes themselves.
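Items 1, 3 and 10 together describe one consent flow: a sign-up that is only recorded once the person has confirmed it, an unsubscribe that removes them, and a best-before date after which data is purged. The following Python sketch is an added example, not code from this article or from Mailchimp; the ConsentStore class, the in-memory store, the placeholder confirmation URL and the 48-hour and one-year windows are all assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone


class ConsentStore:
    """Double opt-in sign-ups with a consent record kept as evidence.
    Hypothetical in-memory store for this example; a real site would persist it."""

    def __init__(self, clock=None):
        self.pending = {}    # token -> (email, requested_at, source form)
        self.confirmed = {}  # email -> consent record
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def request_signup(self, email, source):
        """Step 1: store the request and return an unguessable token for the
        confirmation link. Nothing is added to the mailing list yet."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = (email.strip().lower(), self.clock(), source)
        return token  # e.g. https://example.invalid/confirm?t=<token> (placeholder URL)

    def confirm(self, token, max_age=timedelta(hours=48)):
        """Step 2: the visitor clicks the link. Only now is consent recorded, with
        both timestamps and the form that asked, so you can show who asked for what."""
        entry = self.pending.pop(token, None)  # a token is single-use
        if entry is None:
            return False  # unknown or already used
        email, requested_at, source = entry
        if self.clock() - requested_at > max_age:
            return False  # stale link: ask them to sign up again
        self.confirmed[email] = {"email": email, "source": source,
                                 "requested_at": requested_at,
                                 "confirmed_at": self.clock()}
        return True

    def unsubscribe(self, email):
        """Unsubscribe / right to be forgotten: drop the record entirely."""
        return self.confirmed.pop(email.strip().lower(), None) is not None

    def purge_stale(self, retention=timedelta(days=365)):
        """Best-before date: remove consents older than the retention window and
        pending requests that were never confirmed. Returns how many were removed."""
        now = self.clock()
        old = [e for e, r in self.confirmed.items() if now - r["confirmed_at"] > retention]
        for e in old:
            del self.confirmed[e]
        stale = [t for t, (_, at, _) in self.pending.items() if now - at > timedelta(hours=48)]
        for t in stale:
            del self.pending[t]
        return len(old) + len(stale)
```

Run purge_stale from a scheduled job so that unconfirmed requests and out-of-date consents do not linger indefinitely.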
GDPR website compliance – Next steps for you
How do you ensure GDPR website compliance and manage your existing data, without it becoming available to the wrong people? Truth be told, we should not hold any data on people just for the sake of spamming them. We should only market to people who are likely to want to hear from us, or people in our industry who may have a legitimate interest in what we have to say. Now is a good time to delete any personal data held on people who are not current clients or very likely potential clients. Why chase after people who do not want what you have to offer, when you could be focusing on those who do?
If you need someone to ensure that your website is GDPR compliant, contact us and we can arrange an audit and any remedial work. We offer monthly website care plans that help ensure GDPR compliance.
Things that simply need to be done for every website include:
2. Do an audit of all your website plugins to see what data they are collecting via your website. Do you need them to collect this data? Can you change the settings or change the plugin? Note: it is your responsibility to ensure that any plugins used do not breach the GDPR.
3. Devise a simple way for visitors to request what data you hold on them, and give them the right to have it deleted or to be forgotten.
To book your GDPR website audit click here.
Useful GDPR links:
A & L Goodbody's website obligations guideline for online traders' websites is HERE.
Suzanne Dibble – The Small Business Law Expert has a wealth of useful information here.
And you can check out your personal rights here.
Facebook explains its GDPR policy here.
Whilst here is Google's statement.
And Mailchimp's.
In the UK, the Information Commissioner's Office (ICO) has a great Guide to the General Data Protection Regulation (GDPR). The ICO also has a good page on Key Definitions, as well as pages on the Principles of GDPR, one specifically on Consent covering the gathering of any personal data, one on Contracts around the use of personal data, and one on our legal obligations. It also has an explanation of personal data breaches and of GDPR in relation to children.
Data Controller versus Data Processor
There is a distinction between these: the data controller is the person who controls data such as payslips and health records, whilst the data processor is someone who sends out payslips or appointment notifications using that data. The Data Controller is always responsible for the data and for their data processors.
REMEMBER – Ignorance is not a defence in the eyes of the law. Putting in place some form of best practice for GDPR website compliance, and responding quickly and efficiently to any GDPR queries from visitors, will go a long way towards avoiding any fines.
Share this information.
Feel free to share this information. This is what we use when we do a GDPR website Audit for clients, but you are welcome to use it to help you stay compliant.
GDPR is a good thing; however, there are steps we all have to take in order to improve compliance, avoid penalties and avoid upsetting visitors.
To get started book your GDPR website audit here
To get Google's take on GDPR with regard to Google Analytics, see below their recent email titled Review your data retention settings before they take effect on May 25, 2018:
“Dear Google Analytics Customer,
We recently sent an email introducing new data retention controls that allow you to manage how long your user and event data are stored by Google Analytics. We would like to remind you that the new data retention settings will soon take effect – on May 25, 2018.
If you haven’t already done so, please review and confirm these settings (Property ➝ Tracking Info ➝ Data Retention) as Google Analytics will begin to delete data according to these settings starting May 25.
Impact of this setting as of May 25 is the following:
• Any user and event data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in Google Analytics.
• Deletion will affect the use of segmentation, some custom reports and secondary dimensions when applied in date ranges older than your retention setting.
• Reports based on aggregated data will not be affected.
Find out more
You can also learn more about these data retention settings or how Google Analytics is committed to safeguarding your data.
The Google Analytics Team