At last! A practical guide to getting your website GDPR compliant! Next month new GDPR regulations come into force, requiring significant changes to the way that you store and process personal data on your website. So what do you need to do to get your website GDPR compliant? It's not as difficult as you may fear. We've done all the hard work of researching what needs to be done for our own websites and are happy to share our practical, actionable steps to help you get your website compliant. If you need any help with GDPR implementation, contact us today.
Before we assess what you need to get your website GDPR compliant, let's just remind ourselves what GDPR is all about...
GDPR doesn't just affect large companies. If you have a website or hold any personally identifiable information (including names, email addresses, phone numbers, etc.) for your clients, suppliers, partners and/or employees, you have to be compliant. GDPR does not apply to non-personal or commercial data, e.g. sales@ email addresses.
In a nutshell it means you have an obligation to:
- Be clear about the legal basis upon which you are storing or processing the personal data and only use it for the purpose that the consent was given. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest).
- If you don't have a lawful basis upon which to store and process personal data you will no longer have the right to use it after the 25th May 2018 and the data should be erased
- Ensure you get (or, in the case of older data, have) agreement, in a GDPR compliant format, from the individual for you to store the data, and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, remediate or erase the data.
- If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, audit-able process for recording (and storing) the date and method of consent.
- Only hold the data you actually need and only store it for as long as you need it
- Keep the information secure and, in the event of a serious data breach, notify the ICO within 72 hours
- If you process the data of under-18s, have systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity involving individuals under the digital age of consent (in the UK the digital age of consent is 13, so children aged 13 and over can give their own consent).
For the purpose of this article we have focused on the implications of GDPR for your website. Please be aware that you probably also store and process personal data in places other than your website, such as your email marketing software, CRM software, accounting software, payroll software, in offline printed formats and more. We strongly recommend that you familiarise yourself with your obligations under GDPR for data held elsewhere.
Let's get started!
What does your website need to include to be GDPR (and PECR) compliant?
When it comes to collecting data, your website is often the first port of call. There are seven main areas that you need to focus on to ensure that your website is GDPR compliant:
- Contact form design
- Marketing 'opt-in' forms design
- Privacy notices (often referred to as Privacy policies)
- Website security
- Cookie consent
- Data breaches and your obligations
- Processing data of under 18's
GDPR COMPLIANT FORM DESIGN
1. Contact us forms & GDPR compliance
- It is OK to make the consent field mandatory.
- Include, within the page, other ways that individuals can contact you, including phone, email, social media and online chat
- Consent fields should never be pre-filled - consent or opt-in should be given freely
- Adding help text to the form aids completion
GDPR implications for more complex, information type forms
If your website includes more complex forms, such as registration or application forms, or is an e-commerce website, you will capture even more data.
Ask yourself the following:
- Are you making clear the purpose of the form and the lawful basis upon which the data is being collected? Under GDPR there are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest). A typical contact form would fall under 'consent', whereas a registration form might fall under 'contract'.
- Are you only collecting the data you need? If you ask for 'job role', ask yourself why do you need this information?
- Are you collecting data from children under 18 years old? If you are relying on consent as your lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child, unless the online service you offer is a preventive or counselling service.
- Are you collecting confidential data, i.e. information that, in the wrong hands, is likely to result in damage to a person’s reputation, financial loss, loss of confidentiality, or a major financial or social disadvantage? There are hefty penalties to pay in the event of a data breach. If a security incident has affected the confidentiality, integrity or availability of personal data and results in a risk to people’s rights and freedoms, you have an obligation to notify the ICO within 72 hours of becoming aware of it. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2 per cent of your global turnover, with even larger fines possible where the breach is considered serious enough.
- Are you collecting sensitive data (race, health, religious or political beliefs, sexual orientation)? Please note: there are special conditions about collecting such information under GDPR, some of which relate to UK law. We strongly recommend that you seek legal advice about collecting such data on your website.
- Do you make it clear what rights the individual has about the collection and use of their private data? Your policies and procedures for this should be documented in your privacy notice / policy.
- Is the data captured in the contact form being stored in the content management system for your website? If so, where, and how secure is the data? How will you know if there is a breach of the data?
If you have any web forms that are collecting data of a confidential or sensitive nature we recommend:
- That the form is located on a page secured with an SSL certificate (actually, we recommend that all websites / pages are secured over SSL). The SSL certificate establishes an encrypted link between your web server and your visitor’s web browser to ensure that all data passed between the two remains private and secure.
- That you do not store any confidential or sensitive data within your website's content management system. Instead, you should have a policy of regularly deleting such data and storing it securely offline. We recommend that you run a risk assessment on the data you hold, document a clear process for handling and retaining the data, and regularly audit compliance.
- Don't forget, that in addition to your website, you may also be storing personal data within other online services such as your accounting or CRM system, as well as in offline formats. You should review these as well as your website.
- Note: In the event that you are collecting sensitive data we strongly recommend that you seek legal advice about your obligations.
GDPR COMPLIANT MARKETING 'OPT-IN' FORMS
2. GDPR implications for Marketing opt-in forms.
There are many advantages to having dedicated 'opt-in' forms to gain consent for sending marketing communications, such as mailing lists or white-paper downloads, including:
- The purpose of the form is clear to individuals, as is the lawful basis upon which you are asking for the personal data (consent)
- You can use your email marketing software's forms (embedded in your website), so that subscribers are automatically added to your email marketing or other mailing list
- You can segment subscribers according to the form they use to subscribe and their specific interests
- You can use the forms liberally across your website using 'call-to-action' graphics and exit intent pop-ups to encourage subscription
- You can attract subscribers using lead magnets and 'opt-in' focused dedicated landing pages
- You can redirect opt-ins to dedicated 'thank-you' pages that can be used to track conversions and offer up-sell
- You can trigger automated email sequences / marketing automation series based upon the opt-in
You will need to decide whether the subscription process requires a single opt-in or double opt-in for subscribers. There is no specific requirement under GDPR to use double opt-in, but it is good practice and it also helps you cleanse your lists of malformed email addresses.
As with all marketing opt-in forms you should ensure:
- That opt-in is given freely and consent fields are not pre-filled or mandatory. Pre-ticked opt-in boxes are invalid.
- That you 'unbundle' consent requests by including separate opt-in statements for each permission request. If, for example, subscribing to a newsletter is required in order to download a white-paper, then consent to the newsletter is not freely given as it is conditional on the white-paper. This is not GDPR compliant.
- You should provide granular options of consent for different types of processing/communication wherever appropriate, e.g. separate tick boxes enabling individuals to determine their communication preferences, such as receiving news by SMS, email or post.
- You should store the date and method of opt-in consent (so you have an audit trail) including who gave the consent, what they were told at the time of consenting and whether they have withdrawn consent. Your email marketing software should also enable this. If not, you need to develop a process for handling this.
- Preferably the opt-in should also be confirmed by email (double opt-in), although this isn't a specific requirement of GDPR
- Consent should be easy to withdraw. For example a promotional email should include a link to unsubscribe or to update communication preferences.
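The audit trail described in the list above (who consented, to which single purpose, when, how and what they were told, plus double opt-in confirmation and withdrawal) and the pre-ticked / mandatory checkbox rule, as an added Python example. This is not code from the original article; the field names, event actions and form-field layout are assumptions chosen for illustration.

```python
# Consent audit trail for marketing opt-ins. Added example, not code from the
# original article; field names, event actions and the form-field layout are
# assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentEvent:
    subject: str    # who gave or withdrew consent (here an email address)
    purpose: str    # one unbundled purpose, e.g. "news_email" or "news_sms"
    action: str     # "granted", "confirmed" (double opt-in) or "withdrawn"
    method: str     # how, e.g. "web_form:/subscribe" or "email_link"
    statement: str  # exact wording the individual saw at the time
    at: datetime    # when (timezone-aware, parsed from an ISO-8601 string)


class ConsentLedger:
    """Append-only: events are added, never edited or deleted."""

    def __init__(self, require_confirmation=True):
        self._events = []
        self.require_confirmation = require_confirmation  # enforce double opt-in

    def record(self, subject, purpose, action, method, statement, at):
        self._events.append(ConsentEvent(subject, purpose, action, method,
                                         statement, datetime.fromisoformat(at)))

    def history(self, subject, purpose):
        return sorted((e for e in self._events
                       if e.subject == subject and e.purpose == purpose),
                      key=lambda e: e.at)

    def has_consent(self, subject, purpose):
        """True only if the latest state is granted (and confirmed, if required)."""
        granted = confirmed = False
        for e in self.history(subject, purpose):
            if e.action == "granted":
                granted, confirmed = True, False  # a new grant needs a new confirmation
            elif e.action == "confirmed":
                confirmed = granted               # confirmation without a grant is ignored
            elif e.action == "withdrawn":
                granted = confirmed = False
        return granted and (confirmed or not self.require_confirmation)


def optin_form_problems(fields):
    """Flag consent checkboxes that are pre-ticked or mandatory: neither is freely given."""
    problems = []
    for f in fields:
        if f.get("type") != "consent":
            continue
        if f.get("checked"):
            problems.append(f"{f['name']}: pre-ticked")
        if f.get("required"):
            problems.append(f"{f['name']}: mandatory")
    return problems
```

Because consent is keyed per purpose, an email opt-in never implies SMS consent, and the full history for any subject can be produced on request.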
For email marketing please also be aware that the requirements of GDPR are in addition to The Privacy and Electronic Communications (EC Directive) Regulations. Find out more about how these regulations work in conjunction with your permission-based email marketing.
Examples of good marketing opt-in forms...
- Use a dedicated form for the purpose of gaining consent for individuals to join your mailing list
- Generate subscription forms from within your email marketing software to ensure subscribers are automatically added to your mailing list with an audit-able record of when the subscription occurred
- Include a clear compelling description (title) of what the individual is signing up to.
- Avoid being boring! Do you really want to say 'Join our Mailing List'? Get creative and give people a reason to subscribe to your mailing list by providing a clear reason / benefit.
- Only keep the data for as long as you need it and regularly review (annually) the data to determine if you still need it
- If your retention policy says that you will retain the data until such time as you decide you no longer need it, or until the individual unsubscribes or requests erasure, you don't need to re-seek permission annually to keep in contact, provided you obtained a GDPR compliant opt-in initially
- Add social proof / links to your marketing opt-in forms linking to your social media platforms encouraging individuals to connect with you in multiple ways
What about your existing mailing lists?
If you have existing databases that you use for marketing purposes you need to audit them and determine whether consent was provided in a GDPR compliant way. If it was, or if you don't need to get consent, you can continue to send marketing communications. If consent wasn't obtained, or if you are not sure, you will need to seek re-permission to continue to send marketing communications. Take a look at our latest blog article with tips and ideas for auditing your pre-GDPR lists and for running re-permission campaigns.
3. Privacy notices (often referred to on websites as privacy policies) and how to make your website GDPR compliant
The following questions should be considered when writing a privacy notice:
- Who is collecting the information?
- What information is being collected?
- How will it be used?
- Who will it be shared with?
- How will it be used for marketing purposes?
- Where will the data be stored?
- What security measures are in place to protect the data?
- How does an individual request access to see, or request deletion of, the data you hold about them?
- How to contact you
4. Website security and the GDPR implications for your website
Whilst there is no specific requirement under GDPR to install an SSL certificate on your website (it displays as a green padlock in your browser address bar - see below), it is good practice to do so. Installing an SSL certificate on your website ensures that the browser no longer displays a 'this website is not secure' message, and any data submitted into a web form is encrypted as it is sent to the server, protecting the individual's personal data during transmission. Under GDPR you have an obligation to store the individual's personal data securely, and the way in which the data is submitted is the first step in this process. So, whilst GDPR doesn't expressly require you to install an SSL certificate, we strongly recommend that you do.
Just in case you need another reason, there is also increasing evidence that Google and other search engines are ranking websites with SSL certificates above those without them. So there is a marginal SEO benefit in having an SSL certificate.
5. Website cookies and the GDPR implications for getting your website compliant
- Explain what the cookies are doing and why
- Get the person’s consent to store a cookie on their device
- There are several third-party software apps available that you can use to achieve this. We use UK cookie consent.
6. GDPR implications for Data breaches - your obligations
Under GDPR you have an obligation to keep data secure and, if the breach is likely to result in damage to a person’s reputation, financial loss, loss of confidentiality, or major financial or social disadvantage, you should notify the ICO within 72 hours of you becoming aware of a breach. Check with your hosting provider to see what monitoring / software is in place to track and detect any attempts to hack your website, inject malware or to detect any potential compromise of the data and ensure you have a plan in place with the actions you will take in the event of a breach.
- Appoint a data controller - someone who has overall responsibility for the data you process and store
- Perform an audit to identify any data that you process or store that has the potential, in the event of compromise, to be considered a serious breach
- Determine whether you have a lawful basis to continue to store this data
- Where you have no lawful basis you must delete this data and update your online forms accordingly
- Where you have a lawful basis, run a risk assessment to determine where and how the data is stored.
- If your website currently stores sensitive or confidential data (or documents) we do not recommend that it is stored within the content management system of your website. Instead you should investigate with your web developer how such forms and documents can be automatically purged after they have been received / downloaded.
- Decide where (and for how long) you are going to store confidential or sensitive data going forward. To minimise the risk of a data breach this should be offline or in a secure place designed for such a purpose.
- In the event of you becoming aware of a serious data breach ensure you have a clear procedure for notifying the ICO within 72 hours
7. GDPR implications when processing data for under-18s
If you collect data from children under 18 years old there are specific rules under GDPR. Under the GDPR, you must have a legal basis to process all data, including a child’s personal data. While consent is a basis, due to the inherent vulnerability of children, it’s harder to prove whether this consent is freely given and it’s advisable in some circumstances to rely on another legal basis.
If you are relying on consent as your lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child, unless the online service you offer is a preventive or counselling service.
Click here to read more about your obligations when processing personal data for under-18s. Please bear in mind the following:
- Audit your existing website / service. Even if your service is not overtly or exclusively aimed at children under the age of 18, it may be designed to be intentionally attractive to children and incorporate various factors which demonstrate this, for example children’s cartoon characters or child celebrities.
- Run a risk assessment to determine:
  - Whether the offering is intentionally made to be attractive to children;
  - Whether children have been attracted to the website / service or similar services in the past; and
  - Whether the registration process for the service reflects an assumption that the users are above the age of digital consent
- Consider whether you can offer the services of your website without collecting or processing data which is identifying or makes the user identifiable, e.g. a free online game that does not require user registration or the input or collection of any personal data to use the service.
- In low-risk situations, it may be appropriate to require an individual to disclose their year of birth or to fill out a form stating they are (not) a minor, e.g. "I confirm that I am over the age of 13."
- If doubts arise you should review your age verification mechanisms and consider whether alternative checks are required. Any data collected by organisations to this effect, and which is not required for evidential purposes and has no other function, should be immediately deleted following verification, to ensure compliance with the principle of data minimisation.
- Audit any data that you currently hold to determine the lawful basis on which you are holding it. If you have no lawful basis you must delete it.
8. Getting your website GDPR compliant checklist
In summary, these are the key steps you need to take to get your website GDPR compliant:
Read all about GDPR here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Rules about marketing: https://ico.org.uk/for-organisations/marketing/
DISCLAIMER: This article does not constitute legal advice in relation to EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how LOYALTYNATTERS has addressed some important legal points. This legal information is not the same as legal advice, where a solicitor applies the law to your specific circumstances, so we advise that you consult a solicitor if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this blog post as legal advice, or as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.