GDPR website compliance – General Data Protection Regulation
GDPR (Regulation (EU) 2016/679), the General Data Protection Regulation, was proposed by the European Commission in January 2012, adopted in April 2016 after four years of negotiation, and applies from 25 May 2018. It replaces the 1995 Data Protection Directive (95/46/EC). Failure to comply can carry very large fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher), imposed by the supervisory authority, which in Ireland is the Data Protection Commission. It is about the rights of individuals and the security of any data that identifies a person, such as an email address, name, address or postcode, to prevent spamming, abuse or much worse, such as unauthorised access to bank accounts. In GDPR terms this is ‘personal data’; the person it relates to is the ‘data subject’.
GDPR governing websites and mailing lists
GDPR website compliance – 14 recommendations to keep you compliant
GDPR website compliance – Here are 14 ways to help keep you compliant and avoid big fines
1. Email opt-ins – use double opt-in: after signing up, the person receives an email asking them to confirm that they really did opt in to your communications. That confirmation is your evidence that this person asked to be signed up. Mailchimp will do this for you if the list settings are configured correctly. This covers you going forward.
2. Lists – If you already hold a list, offer everyone on it the chance to opt out; that is evidence that they were given the opportunity. Ideally cleanse the list, and use the exercise as a reason to reach out and find out who still wants to hear from you. Remember that under GDPR people have the right to be forgotten (the right to erasure). Platforms such as Mailchimp have added GDPR consent fields to their sign-up forms.
3. Unsubscribe – your get-out-of-jail card. Always include a clearly visible ‘unsubscribe’ link in every email. By all means add a short message explaining why staying on the list is worthwhile, but unsubscribing must remain easy.
4. T’s & C’s – Publish your terms and conditions and a privacy notice on your website, and state how you handle personally identifiable information. Be explicit about what people are signing up to: a mailing list, or just a one-off free guide? Obtain informed consent for what you intend to do with the data.
5. Essentials – Only ask for the minimum data you need. Name and email address may be enough, so why ask for an address or postcode? If you need a postal address or date of birth in order to ship goods, collect it only from actual customers, at the point of purchase.
6. Pirating – Never buy or sell lists. People on a bought list never consented to hear from you.
7. Third parties – Check that third-party services such as your CRM are GDPR compliant; by default they may collect more information than you need. Your email platform needs to protect against misuse. Your website will use third-party plugins, and each needs to be checked for GDPR compliance or replaced with a better option. You remain the data controller for data these services process on your behalf, so make sure you have a data processing agreement with each of them.
8. Clarity – Do not make opt-in forms confusing. Be clear about what is being offered and what the person is agreeing to. Be honest.
9. Security – Protect your list data with appropriate security, because you will be held responsible if it is breached, and you need to be able to show that you applied it. Encrypt the laptops and phones that hold the data, restrict who can access the list, and turn on two-factor authentication for your email platform and website admin accounts. Ask your insurers whether you can get cover for a data breach. Remember that GDPR requires you to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
10. Data retention – Decide how long you will hold data. If someone bought once, are they likely to buy again? If someone bought in 2017 and does not buy again within a set period, say one year or five years, you can decide to purge their details from your records. Set a ‘best before’ date for each category of data and write it down.
11. Cookies – Cookies on a site can gather information, so check your settings or be up front about what you do with the personally identifiable information (PII) collected. In Google Analytics, turn on IP anonymisation (IP masking) so that full visitor IP addresses are not stored.
12. CTAs – Simple calls to action on your website may be set up to gather information, so again make sure you state what you do with it.
13. Platform – Your website is built on a platform, possibly WordPress, Drupal, Joomla, Wix or Squarespace. The platform itself needs to be GDPR compliant, so check that it is, to cover yourself. Each of these platforms has added GDPR plugins or settings to make this easier.
14. Check boxes – Ensure that opt-in check boxes are not pre-ticked. The visitor must tick the boxes themselves; a pre-ticked box does not count as consent under GDPR.
GDPR website compliance – Next steps for you
How do you ensure GDPR website compliance and manage your existing data without it becoming available to the wrong people? Truth be told, we should not hold data on people just for the sake of spamming them. We should only market to people who are likely to want to hear from us, or people in our industry who may have a legitimate interest in what we have to say. Now is a good time to delete any personal data held on people who are not current clients or very likely potential clients. Why chase people who do not want what you offer when you could be focusing on those who do?
If you need someone to ensure that your website is GDPR compliant, contact us and we can arrange an audit and any remedial work. We offer monthly website care plans that help ensure GDPR compliance.
Things that simply need to be done for every website include:
1. Audit all your website plugins to see what data they collect via your website. Do you need them to collect it? Can you change the settings or change the plugin? Note: it is your responsibility to ensure that no plugin you use breaches GDPR.
2. Provide a simple way for visitors to request what data you hold on them and to have it deleted (the right to erasure, or ‘right to be forgotten’). Under GDPR you must respond to such a request within one month.
To book your GDPR website audit click here.
A & L Goodbody’s guideline on website obligations for online traders is HERE.
Suzanne Dibble, the Small Business Law Expert, has a wealth of useful information here.
And you can check out your personal rights here.
Facebook explains its GDPR policy here.
Whilst here is Google’s statement.
And Mailchimp’s.
In the UK, the Information Commissioner’s Office (ICO) has a great Guide to the General Data Protection Regulation (GDPR). The ICO also has a good page on Key Definitions, as well as pages on the Principles of GDPR, on Consent covering the gathering of any personal data, on Contracts around the use of personal data, and on our Legal obligations. It also explains Personal Data Breaches and GDPR in relation to Children.
Data Controller versus Data Processor
The distinction is this: the data controller decides why and how personal data is processed (for example, an employer holding payslips or a clinic holding health records), whilst a data processor processes that data on the controller’s behalf (for example, a payroll bureau that sends out the payslips, or a service that sends appointment notifications). The controller is always responsible for the data and for its data processors, and must have a written contract with each processor.
REMEMBER – Ignorance is not a defence in the eyes of the law. Putting in place some form of best practice for GDPR website compliance, and responding quickly and efficiently to any GDPR queries from visitors, will go a long way towards avoiding fines. We are not solicitors, so we are not qualified to give legal advice.
Share this information.
Feel free to share this information. This is what we use when we do a GDPR website Audit for clients, but you are welcome to use it to help you stay compliant.
GDPR is a good thing, but there are steps we all have to take in order to improve compliance, avoid penalties and avoid upsetting visitors.
To get started book your GDPR website audit here
To get Google’s take on GDPR with regard to Google Analytics, see below their recent email titled ‘Review your data retention settings before they take effect on May 25, 2018’:
“Dear Google Analytics Customer,
We recently sent an email introducing new data retention controls that allow you to manage how long your user and event data are stored by Google Analytics. We would like to remind you that the new data retention settings will soon take effect – on May 25, 2018.
If you haven’t already done so, please review and confirm these settings (Property ➝ Tracking Info ➝ Data Retention) as Google Analytics will begin to delete data according to these settings starting May 25.
Impact of this setting as of May 25 is the following:
• Any user and event data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in Google Analytics.
• Deletion will affect the use of segmentation, some custom reports and secondary dimensions when applied in date ranges older than your retention setting.
• Reports based on aggregated data will not be affected.
Find out more
You can also learn more about these data retention settings or how Google Analytics is committed to safeguarding your data.
The Google Analytics Team”
Opt-out options – some tips
Do not opt in to things if you can avoid it. Avoid buying personal items online, or even in-store using a loyalty or credit card, where you can. Handing over data that tells data collectors what your preferences are will lead to your details being sold on, or worse. If you do not opt in, you will not have to opt out.
When sites like Facebook or Linkedin ask you to share your Contacts or Address book with them, click NO.
You can go to https://simpleoptout.com/ and find links to opt out from all of these companies, one at a time:
1stdibs • 23andMe • AAA • Adobe • Ancestry.com • Amazon.com • American Express • Apple • AT&T • Bank of America • BeenVerified • Biden 2020 Campaign • CapitalOne 360 • Carnival Cruises • CB2 • CenturyLink • Chase • Choice Hotels • Comcast Xfinity • Condé Nast • Costco • CoreLogic • Crate & Barrel • Disqus • Facebook • Frontier Communications • Google • Guitar Center • HBO • Hearst • Home Depot • Hulu • Instant Checkmate • InterContinental Hotels • Kustomer • LendingClub • Lexis-Nexis • LG • LinkedIn • Marriott Hotels • Mastercard • Meredith/Time Inc. • MetLife • Microsoft • National Geographic • Nature Conservancy • Netflix • NYTimes • OptOutPrescreen.com • PayPal • PeekYou • People Search Now • PictureFrames.com • Pinterest • Reddit • Retail Equation • Riskified • Rockler • Roku • Roomba (iRobot) • Samsung • Saatchi Art • Seattle Art Museum • Seattle Times • Slashdot Media • Southwest Airlines • Spokeo • Sprint • Taunton Press • T-Mobile • TruePeopleSearch • Trump 2020 Campaign • Tuft & Needle • Twitter • United Airlines • US Postal Service • Verizon • Visa • Vizio • Wells Fargo • Whitepages.com • Williams-Sonoma • Woodcraft • Yahoo/Oath • Yelp • YouTube • Zeta Global
What about cookies and GDPR in 2022?
Many users now block unwanted cookies in their browser settings or with extensions. Website developers can add a general cookie notice with a page listing the actual cookies in use on the website. The website should only set cookies that are necessary to operate it, such as the session cookie used to log in to an account and edit content, plus an analytics cookie that records usage without personally identifiable data (for example Google Analytics with IP anonymisation turned on). Note that analytics cookies are not ‘strictly necessary’ in the ePrivacy sense, so they still need consent before they are set. This should be referred to your IT department or whoever is responsible for security; it is not something to leave to your web design agency.