Practical guide to GDPR

A practical guide, how to get your website GDPR compliant

By lmadmin, in Digital Marketing, Website Design

At last! A practical guide on how to get your website GDPR compliant! Next month the new GDPR regulations come into force, requiring significant changes to the way that you store and process personal data on your website. So what do you need to do to get your website GDPR compliant? It's not as difficult as you may fear. We've done all the hard work of researching what needs to be done for our own websites and are happy to share our practical, actionable steps to help you get your website compliant. If you need any help with GDPR implementation contact us today.

Before we assess what you need to get your website GDPR compliant, let's just remind ourselves what GDPR is all about...

The EU's General Data Protection Regulation (GDPR) is designed to give people more control over how organisations use their data. The regulations overlap with The Privacy and Electronic Communications Regulations (PECR), which cover the use of cookies and electronic marketing communications (eg email). In the UK, GDPR will replace the Data Protection Act 1998 and will be enforced by the Information Commissioner's Office (ICO), which has powers to impose hefty penalties of up to €20 million or 4% of annual worldwide turnover (whichever is higher) on organisations that fail to comply with the rules. The fines also extend to organisations that suffer serious data breaches.

GDPR doesn't just affect large companies. If you have a website or hold any personally identifiable information (including name, email address, phone numbers etc) for your clients, suppliers, partners and / or employees you have to be compliant. GDPR does not apply to non-personal or commercial data eg sales@ email addresses.

In a nutshell it means you have an obligation to:

  • Be clear about the legal basis upon which you are storing or processing the personal data and only use it for the purpose for which it was collected. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest).
  • If you don't have a lawful basis upon which to store and process personal data you will no longer have the right to use it after the 25th May 2018 and the data should be erased
  • Ensure you get (or, in the case of older data, have) agreement, in a GDPR compliant format, from the individual for you to store the data, and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, rectify or erase the data.
  • If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, audit-able process for recording (and storing) the date and method of consent.
  • Only hold the data you actually need and only store it for as long as you need it
  • Keep the information secure and, in the event of a serious data breach, notify the ICO within 72 hours
  • If you process the data of under 18s, have systems in place to verify individuals' ages and obtain parental or guardian consent for any data processing activity involving individuals under the digital age of consent (in the UK the digital age of consent is 13).

For the purpose of this article we have focused on the implications of GDPR for your website. Please be aware that you probably also store and process personal data in places other than your website, such as your email marketing software, CRM software, accounting software, payroll software, in offline printed formats and more. We strongly recommend that you familiarise yourself with your obligations under GDPR for data held elsewhere.

Lets get started!

What does your website need to include to be GDPR (and PECR) compliant?

When it comes to collating data, your website is often the first port of call. There are seven main areas that you need to focus on, to ensure that your website is GDPR compliant:

  1. Contact form design
  2. Marketing 'opt-in' forms design
  3. Privacy notices (often referred to as Privacy policies)
  4. Website security
  5. Cookie consent
  6. Data breaches and your obligations
  7. Processing data of under 18s

GDPR COMPLIANT FORM DESIGN

1. Contact us forms & GDPR compliance

Most websites include a simple 'contact us' form, which typically captures a user's name, email address, IP address and a message. This is still personal data: you need a lawful basis to process it (for a contact form that is usually consent, see below) and you must make clear to the individual what rights they have to access, rectify or even request erasure of the information. In most instances adding a tick box to your contact form, which requires the individual to confirm that they have read and agree to your terms and privacy policy (with links to these pages), is sufficient to make the form compliant.

Our recommendation

  • Add a tick-box to your contact us form, requiring the individual to confirm they have read and agree to your terms and privacy policy. The wording can be as simple as: I confirm that I have read and agree to COMPANY NAME terms and privacy policy.

     
  • Ensure the consent statement includes clickable links to your terms page and your privacy policy page (tip: it's a good idea for these to open in a new window so the original contact us page remains open).
  • Your privacy statement (or policy) should clearly set out how you process personal data and the rights of the individual (see privacy policy section below).
  • It is ok to make this acknowledgement field mandatory, because it only confirms that the person has read your policies; a marketing opt-in, by contrast, must remain optional (see the marketing section below).
  • Include, within the page, other ways that individuals can contact you, including phone, email, social media and online chat
  • Avoid bundling multiple consent types into one form. If you do decide, for example, to include a marketing opt-in within your contact form, the consent for this should be separate from the confirmation of consent to your terms and privacy policy - see the Sainsbury's example below
  • Consent fields should never be pre-filled - consent or opt-in should be given freely
  • Adding help text to the form aids completion

    (Image: Sainsbury's example of separate, unbundled consent statements)

GDPR implications for more complex, information type forms

If your website includes more complex forms, such as registration or application forms or is an e-commerce website, you will capture even more data. 

Ask yourself the following:

  • Are you making the purpose of the form clear and the lawful basis upon which the data is being collected? Under GDPR there are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest). A typical contact form would fall under 'consent'. Whereas a registration form might fall under 'contract'.
  • Are you only collecting the data you need?  If you ask for 'job role', ask yourself why do you need this information?
  • Are you collecting data from children under 18 years old? If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service.
  • Are you collecting confidential data that, in the wrong hands, is likely to result in damage to a person's reputation, financial loss, loss of confidentiality, or a major financial or social disadvantage? There are hefty penalties to pay in the event of a breach of data. If a security incident has affected the confidentiality, integrity or availability of personal data and results in a risk to people's rights and freedoms, you have an obligation to notify the ICO within 72 hours of becoming aware of it. Failing to notify a breach when required to do so can result in a fine of up to 10 million euros or 2 per cent of your global turnover, with even larger fines possible where the underlying breach is serious enough.
  • Are you collecting sensitive data (what GDPR calls 'special category' data: racial or ethnic origin, health, religious or political beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation)? Please note: there are special conditions about collecting such information under GDPR, some of which relate to UK law. We strongly recommend that you seek legal advice about collecting such data on your website.
  • Do you make it clear what rights the individual has about the collection and use of their private data? Your policies and procedures for this should be documented in your privacy notice / policy.
  • Do you make clear the purposes for processing the individuals personal data, your retention periods for that personal data, and who it will be shared with? You should develop policies for any personal data that you process and store and include the details within your privacy policy. When you no longer need the data, unless you have a legal obligation to do so, it should be erased.
  • Is the data, captured in the contact form, being stored in the content management system for your website? If so, where and how secure is the data? How will you know if there is a breach of the data? 

Our recommendation

If you have any web forms that are collecting data of a confidential or sensitive nature we recommend:

  • That the form is served over HTTPS, i.e. on a page secured with an SSL/TLS certificate (actually, we recommend that all websites / pages are served over HTTPS, with plain HTTP requests redirected to HTTPS so that a form is never submitted unencrypted). The certificate lets the visitor's browser establish an encrypted link to your web server, so data passed between the two is protected from eavesdropping and tampering in transit. Note that this only protects the data while it is being sent; once it reaches your server it is only as secure as wherever you store it.
  • That you do not store any confidential or sensitive data within your website's content management system. Instead, you should have a policy of regularly deleting such data and store securely offline. We recommend that you run a risk assessment on the data you hold, document a clear process for handling and retaining the data and regularly audit compliance.
  • Don't forget, that in addition to your website, you may also be storing personal data within other online services such as your accounting or CRM system, as well as in offline formats. You should review these as well as your website.
  • Note: In the event that you are collecting sensitive data we strongly recommend that you seek legal advice about your obligations. 
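To show how the form recommendations above translate into a form handler, here is an added example in Python (written for this editing pass, not code from this article or from any CMS). It assumes the form posts fields called name, email, message, privacy_ack and marketing_opt_in, a 90-day retention period and a policy version label; all of these are assumptions. It rejects a submission without the privacy acknowledgement, treats the marketing opt-in as a separate box that counts as "no" unless ticked, drops fields the enquiry doesn't need, records the date, method and wording of each consent, and purges enquiries once the retention period has passed.

```python
"""Contact form handling: mandatory privacy acknowledgement, separate and
optional marketing opt-in, data minimisation and a retention purge.
Added example, not the page's code; field names, the 90-day retention
period and the policy version label are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Exact wording shown beside each tick box, kept so the consent record can
# say what the person was told at the time (assumed policy version label).
PRIVACY_STATEMENT = ("I confirm that I have read and agree to COMPANY NAME "
                     "terms and privacy policy.")
MARKETING_STATEMENT = "Yes, send me COMPANY NAME news by email."
POLICY_VERSION = "2018-05"

# Only the fields the enquiry needs are stored; anything else the browser
# posts (job role, hidden tracking fields, the IP address) is dropped.
STORED_FIELDS = ("name", "email", "message")
RETENTION_DAYS = 90


class FormError(ValueError):
    """Raised when a submission cannot be accepted."""


@dataclass
class ConsentRecord:
    subject: str            # who gave it (the email address)
    purpose: str            # what they agreed to
    statement: str          # the words they saw at the time
    policy_version: str
    method: str             # how it was given
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Submission:
    data: Dict[str, str]
    consents: List[ConsentRecord]
    received_at: datetime


def _ticked(value: Optional[str]) -> bool:
    # Browsers send "on" for a ticked checkbox and omit the field otherwise.
    return value is not None and value.lower() in ("on", "true", "1", "yes")


def handle_contact_form(posted: Dict[str, str], now: datetime) -> Submission:
    """Validate a posted contact form and return only what may be stored."""
    for name in STORED_FIELDS:
        if not posted.get(name, "").strip():
            raise FormError(f"{name} is required")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", posted["email"]):
        raise FormError("email address is not valid")

    # The privacy acknowledgement is mandatory for this form...
    if not _ticked(posted.get("privacy_ack")):
        raise FormError("you must confirm you have read the privacy policy")
    consents = [ConsentRecord(posted["email"], "contact enquiry", PRIVACY_STATEMENT,
                              POLICY_VERSION, "web form tick box", now)]
    # ...but the marketing opt-in is a separate, optional box: absent means no.
    if _ticked(posted.get("marketing_opt_in")):
        consents.append(ConsentRecord(posted["email"], "marketing email",
                                      MARKETING_STATEMENT, POLICY_VERSION,
                                      "web form tick box (unticked by default)", now))

    data = {name: posted[name].strip() for name in STORED_FIELDS}
    return Submission(data, consents, now)


def withdraw(record: ConsentRecord, now: datetime) -> ConsentRecord:
    """Keep the record but mark the consent as withdrawn (audit trail)."""
    record.withdrawn_at = now
    return record


def purge_expired(submissions: List[Submission], now: datetime,
                  retention_days: int = RETENTION_DAYS) -> List[Submission]:
    """Return only the submissions still inside the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [s for s in submissions if s.received_at >= cutoff]


if __name__ == "__main__":
    # Constructed sample: a visitor ticked both boxes; "job_role" is not stored.
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    sub = handle_contact_form({"name": "A. Person", "email": "a@example.com",
                               "message": "Hello", "job_role": "CTO",
                               "privacy_ack": "on", "marketing_opt_in": "on"}, now)
    print(sub.data, [c.purpose for c in sub.consents])
    print(len(purge_expired([sub], now + timedelta(days=100))))
```

The consent record keeps the exact statement text and a policy version so that, if the wording changes later, you can still show what each person agreed to. Withdrawal marks the record rather than deleting it, which is what an audit trail needs; the enquiry itself is what the retention purge removes.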

GDPR COMPLIANT MARKETING 'OPT-IN' FORMS

2. GDPR implications for Marketing opt-in forms.

There are many advantages to having dedicated 'opt-in' forms to gain consent for sending marketing communications, such as mailing lists, download white-papers etc, including:  

  • The purpose of the form is clear to individuals, as is the lawful basis upon which you are asking for the personal data (consent)
  • You can use your email marketing software forms (embedded in your website), so that subscribers are automatically added to your (email marketing) or other mailing list
  • You can segment subscribers according to the form they use to subscribe and their specific interests
  • You can use the forms liberally across your website using 'call-to-action' graphics and exit intent pop-ups to encourage subscription
  • You can attract subscribers using lead magnets and 'opt-in' focused dedicated landing pages 
  • You can redirect opt-ins to dedicated 'thank-you' pages that can be used to track conversions and offer up-sell
  • You can trigger automated email sequences / marketing automation series based upon the opt-in

You will need to decide whether the subscription process requires a single opt-in or a double opt-in (the subscriber confirms by clicking a link in an email sent to the address they gave). There is no specific requirement under GDPR to use double opt-in, but it is good practice: it proves the address belongs to the person who signed up, and it also helps you cleanse your lists of mistyped or fake email addresses.

As with all marketing opt-in forms you should ensure:

  • That opt-in is given freely and consent fields are not pre-filled or mandatory. Pre-ticked opt-in boxes are invalid. 
  • That you 'unbundle' consent requests by including separate opt-in statements for each permission request. If, for example, subscribing to a newsletter is required in order to download a white-paper, then consent to the newsletter is not freely given as it is conditional on the white-paper.  This is not GDPR compliant.
  • You should provide granular options of consent for different types of processing/communication wherever appropriate eg separate tick boxes enabling individuals to determine their communication preferences such as receiving news by SMS or email or by post. For example:

    (Image: example of granular subscription options)

  • You should store the date and method of opt-in consent (so you have an audit trail) including who gave the consent, what they were told at the time of consenting and whether they have withdrawn consent. Your email marketing software should also enable this. If not, you need to develop a process for handling this.
  • Preferably the opt-in should also be confirmed by email (double opt-in), although this isn't a specific requirement of GDPR
  • Consent should be easy to withdraw. For example a promotional email should include a link to unsubscribe or to update communication preferences.
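As an added example of the double opt-in and audit trail described above (not code from this article or from any email marketing product), here is a small Python mailing-list class. The secret key, the 48-hour token lifetime, the statement wording and the method names are assumptions. A sign-up only creates a pending entry and a signed, expiring confirmation token to put in the confirmation email; the address joins the list only when that token comes back, and every step (request, confirmation, withdrawal) is appended to a per-subscriber history.

```python
"""Double opt-in mailing list with a per-subscriber audit trail.
Added example, not from any real email marketing tool; SECRET_KEY, the
48-hour token lifetime and the statement wording are assumptions."""
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

OPT_IN_STATEMENT = "Yes, email me COMPANY NAME news and offers."   # words shown by the box
POLICY_VERSION = "2018-05"                                         # assumed label
TOKEN_LIFETIME = timedelta(hours=48)
# Assumption: in production this is loaded from configuration, not generated
# per process, or tokens in emails already sent would stop verifying.
SECRET_KEY = secrets.token_bytes(32)
MAC_LEN = hashlib.sha256().digest_size


@dataclass
class Subscriber:
    email: str
    status: str                                        # pending / confirmed / withdrawn
    events: List[dict] = field(default_factory=list)   # the audit trail


class MailingList:
    def __init__(self, secret: bytes = SECRET_KEY):
        self._secret = secret
        self._subs: Dict[str, Subscriber] = {}

    def _sign(self, payload: bytes) -> str:
        """payload || HMAC-SHA256(payload), URL-safe base64 without padding."""
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        return urlsafe_b64encode(payload + mac).decode().rstrip("=")

    def subscribe(self, email: str, box_ticked: bool, now: datetime,
                  source: str) -> Optional[str]:
        """Record the opt-in request; returns the token for the confirmation email."""
        if not box_ticked:
            # An unticked box is not consent: nothing is created at all.
            raise ValueError("opt-in box not ticked")
        sub = self._subs.setdefault(email, Subscriber(email, "pending"))
        if sub.status == "confirmed":
            return None                                # already on the list
        sub.status = "pending"
        sub.events.append({"at": now, "event": "opt-in requested", "method": source,
                           "statement": OPT_IN_STATEMENT, "policy_version": POLICY_VERSION})
        expires = int((now + TOKEN_LIFETIME).timestamp())
        return self._sign(f"{email}|{expires}".encode())

    def confirm(self, token: str, now: datetime) -> bool:
        """Verify the token from the emailed link; only then is the address live."""
        try:
            raw = urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            return False
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):      # forged or altered link
            return False
        email, expires = payload.decode().rsplit("|", 1)
        if now.timestamp() > int(expires):              # link clicked too late
            return False
        sub = self._subs.get(email)
        if sub is None or sub.status != "pending":      # unknown, or already used
            return False
        sub.status = "confirmed"
        sub.events.append({"at": now, "event": "confirmed by email link"})
        return True

    def withdraw(self, email: str, now: datetime) -> bool:
        """Unsubscribe: keep the history, stop sending."""
        sub = self._subs.get(email)
        if sub is None:
            return False
        sub.status = "withdrawn"
        sub.events.append({"at": now, "event": "unsubscribed"})
        return True

    def recipients(self) -> List[str]:
        """Only confirmed addresses ever receive a campaign."""
        return sorted(e for e, s in self._subs.items() if s.status == "confirmed")

    def history(self, email: str) -> List[dict]:
        return list(self._subs[email].events)


if __name__ == "__main__":
    # Constructed walk-through: sign up, confirm an hour later, unsubscribe.
    ml = MailingList()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    token = ml.subscribe("a@example.com", True, t0, "website footer form")
    print("pending, recipients:", ml.recipients())
    print("confirmed:", ml.confirm(token, t0 + timedelta(hours=1)), ml.recipients())
    ml.withdraw("a@example.com", t0 + timedelta(days=30))
    print([e["event"] for e in ml.history("a@example.com")])
```

The token is an HMAC over the address and expiry time, so a guessed or altered link fails verification and a link clicked after 48 hours is refused, while the server holds no per-token state. The history answers the questions in the bullet above: who consented, when, by what method, what they were told, and whether they have since withdrawn.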

For email marketing please also be aware that the requirements of GDPR are in addition to The Privacy and Electronic Communications (EC Directive) Regulations. Find out more about how these regulations work in conjunction with your permission based email marketing.

Examples of good marketing opt-in forms...

(Image: example of a GDPR compliant subscription form)

Our recommendation

  • Use a dedicated form for the purpose of gaining consent for individuals to join your mailing list
  • Generate subscription forms from within your email marketing software to ensure subscribers are automatically added to your mailing list with an audit-able record of when the subscription occurred
  • Include a clear compelling description (title) of what the individual is signing up to.
  • Avoid being boring! Do you really want to say 'Join our Mailing List'? Get creative and give people a reason to subscribe to your mailing list by providing a clear reason / benefit.
  • Include a tick-box (not pre-ticked!) with a consent statement: eg I consent to COMPANY NAME collecting my name and email address  OR I agree to COMPANY NAME privacy policy and terms
  • Ensure your privacy policy clearly sets out how you will process and store the data along with details about your retention policy
  • Only keep the data for as long as you need it and regularly review (annually) the data to determine if you still need it
  • If your retention policy says that you will retain the data until such time as you decide you no longer need it, or until the individual unsubscribes or requests erasure, you don't need to annually re-seek permission to keep in contact, provided you had a GDPR compliant opt-in initially
  • Add social proof / links to your marketing opt-in forms linking to your social media platforms encouraging individuals to connect with you in multiple ways

Here are a couple of good examples:

  (Image: creative subscription form)


What about your existing mailing lists?

If you have existing databases that you use for marketing purposes you need to audit them and determine if consent was provided in a GDPR compliant way. If it was, or if you don't need to get consent, you can continue to send marketing communications. If consent wasn't obtained, or if you are not sure, you will need to seek re-permission to continue to send marketing communications.  Take a look at our latest blog article with tips and ideas for auditing your pre GDPR lists and ideas for running re-permission campaigns.

3. Privacy notices (often referred to on websites as privacy policies) and how to make your website GDPR compliant

The following questions should be considered when writing a privacy notice:

  • Who is collecting the information?
  • What information is being collected?
  • How will it be used?
  • Who will it be shared with?
  • How will it be used for marketing purposes?
  • Where will the data be stored?
  • What security measures are in place to protect the data?
  • How does an individual request access to see, or request deletion of, the data you hold about them?
  • How does your website use cookies?
  • How can an individual contact you?

Your privacy policy should be written to reflect the specific policies of your organisation. If you would like to see an example take a look at our own privacy & cookie policy which has been updated to be GDPR compliant. You are welcome to copy and use this on your own website, although please be aware that it may need modification to meet your own policies with regards to the processing of personal data and please be aware that we are not solicitors; the use of our privacy policy for your own purposes is at your own risk!  

4. Website security and the GDPR implications for your website 

Whilst GDPR does not expressly require an SSL/TLS certificate (HTTPS, displayed as a padlock in your browser address bar - see below), Article 32 does require 'appropriate technical and organisational measures' to keep personal data secure, and it names encryption as one such measure, so serving your site over HTTPS is the obvious starting point. An SSL/TLS certificate also ensures that the browser no longer displays a 'this website is not secure' message, and any data submitted into a web form is encrypted as it is sent to the server, protecting the individual's personal data during transmission. Under GDPR you have an obligation to store the individual's personal data securely, and the way the data is submitted is the first step in this process. So, whilst GDPR doesn't name SSL, we strongly recommend that you install a certificate.

(Image: SSL certificate padlock in the browser address bar)

Just in case you need another reason, there is also increasing evidence that Google and other search engines are ranking websites with SSL certificates above those that don't have them. So there is a marginal SEO benefit in having an SSL.

5. Website cookies and the GDPR implications for getting your website compliant

The Privacy and Electronic Communications Regulations (PECR) are designed to give people specific privacy rights in relation to electronic communications, and they overlap with GDPR when it comes to cookies and email marketing. A cookie is a small text file that is downloaded onto 'terminal equipment' (eg a computer or smartphone) when the user accesses a website; it allows the website to recognise that user's device and store information about the user's preferences or past actions. Most websites use cookies. If your website has Google Analytics, social media pixels or tracking code installed, then you are using cookies. Under the GDPR and PECR regulations you must:

  • tell people that your website uses cookies
  • explain what the cookies are doing and why
  • get the person’s consent to store a cookie on their device.

Our recommendation

  • Make it clear to visitors that your website uses cookies. Typically this is done with a small text notice positioned either as a strip across the top or bottom of your website or, as in the example below, a floating message bottom left. The message displays until the visitor dismisses it and doesn't display again on subsequent visits, unless they clear their cookies. Bear in mind that the rules require consent, not just notice: the safest approach is to hold back non-essential cookies (analytics, social media pixels, advertising) until the visitor has accepted, and to remember that choice in a cookie of its own.
  • There are several third party software apps available that you can use to achieve this. We use UK cookie consent
  • Make sure that your website includes a cookie policy either as a separate page on your website or on a combined privacy and cookies policy page. Take a look at our own privacy & cookie policy page by way of example.
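Here is an added example (not code from this article or from the UK cookie consent plugin it mentions) of the server-side half of a consent mechanism, in Python. The cookie name, the two categories, the version number and the placeholder tag snippets are all assumptions. The page only includes the analytics or social-pixel tags if the visitor's consent cookie says they agreed to that category; the banner is shown again when no valid choice is stored, or when the choice was made under an older version of your cookie policy; and the choice is saved in a cookie with Secure and SameSite attributes.

```python
"""Server-side cookie consent gate. Added example; the cookie name, the
categories, the policy version and the tag snippets are assumptions, not
taken from any real consent plugin."""
from typing import Dict, List, Optional

CONSENT_COOKIE = "cookie_consent"
COOKIE_POLICY_VERSION = 2                   # bump this whenever the policy changes
CATEGORIES = ("analytics", "marketing")     # non-essential cookie categories

# Placeholder snippets standing in for the real tags that set non-essential cookies.
TRACKING_TAGS = {
    "analytics": '<script async src="https://www.googletagmanager.com/gtag/js"></script>',
    "marketing": '<script>/* social media pixel goes here */</script>',
}


def parse_consent(cookie_header: str) -> Optional[Dict[str, bool]]:
    """Read the visitor's stored choices from the Cookie request header.

    Returns None when no choice is stored, or when it was made under an older
    policy version (in which case the banner must be shown again).
    Stored format: cookie_consent=v2:analytics=1,marketing=0
    """
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name != CONSENT_COOKIE:
            continue
        version, _, choices = value.partition(":")
        if version != f"v{COOKIE_POLICY_VERSION}":
            return None
        result = {category: False for category in CATEGORIES}
        for item in choices.split(","):
            category, _, flag = item.partition("=")
            if category in result:
                result[category] = flag == "1"     # anything else counts as "no"
        return result
    return None


def consent_set_cookie(choices: Dict[str, bool], max_age_days: int = 365) -> str:
    """Build the Set-Cookie header value that records the visitor's choices."""
    payload = ",".join(f"{c}={int(bool(choices.get(c)))}" for c in CATEGORIES)
    return (f"{CONSENT_COOKIE}=v{COOKIE_POLICY_VERSION}:{payload}; "
            f"Max-Age={max_age_days * 86400}; Path=/; Secure; SameSite=Lax")


def render_page(cookie_header: str) -> Dict[str, object]:
    """Decide, for one request, whether to show the banner and which tags to emit."""
    consent = parse_consent(cookie_header)
    tags: List[str] = [TRACKING_TAGS[c] for c in CATEGORIES if consent and consent[c]]
    return {"show_banner": consent is None, "tracking_tags": tags}


if __name__ == "__main__":
    # Constructed request headers: a first visit, then a return visit after
    # accepting analytics but declining marketing cookies.
    print(render_page(""))
    print(render_page("session=abc123; cookie_consent=v2:analytics=1,marketing=0"))
    print(consent_set_cookie({"analytics": True, "marketing": False}))
```

The consent cookie itself stores no personal data and exists only to honour the visitor's choice, so it is generally treated as strictly necessary. Bumping COOKIE_POLICY_VERSION when you add a new tracking tool makes every visitor confirm again rather than silently stretching old consent to cover a new purpose.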

(Image: cookie consent notice)

6. GDPR implications for Data breaches - your obligations

Under GDPR you have an obligation to keep data secure and, if a breach is likely to result in a risk to people's rights and freedoms (for example damage to a person's reputation, financial loss, loss of confidentiality, or major financial or social disadvantage), you must notify the ICO within 72 hours of becoming aware of it. Check with your hosting provider what monitoring / software is in place to detect attempts to hack your website or inject malware, and to detect any potential compromise of the data, and ensure you have a plan in place with the actions you will take in the event of a breach.

Our recommendation:

  • Nominate someone with overall responsibility for the data you process and store (a data protection lead, or a formal Data Protection Officer where GDPR requires one). Note that the 'data controller' under GDPR is your organisation itself, not an individual.
  • Perform an audit to identify any data that you process or store that has the potential, in the event of compromise, to be considered a serious breach
  • Determine whether you have a lawful basis to continue to store this data
  • Where you have no lawful basis you must delete this data and update your online forms accordingly
  • Where you have a lawful basis, run a risk assessment to determine where and how the data is stored. 
  • If your website currently stores sensitive or confidential data (or documents) we do not recommend that it is stored within the content management system of your website. Instead you should investigate with your web developer how such forms and documents can be automatically purged after they have been received / downloaded. 
  • Decide where (and for how long) you are going to store confidential or sensitive data going forward. To minimise the risk of a data breach this should be offline or in a secure place designed for such a purpose.
  • Document how you are going to process, store and retain data going forward (add, where applicable, to your privacy policy) and ensure you regularly audit the process for compliance going forward
  • In the event of you becoming aware of a serious data breach ensure you have a clear procedure for notifying the ICO within 72 hours

Tip: To minimise the risk of data breaches from your website, regularly purge data and documents stored within the content management system of your website.

7. GDPR implications when processing data for under 18s

If you collect data from children under 18 years old there are specific rules under GDPR. Under the GDPR, you must have a lawful basis to process all data, including a child's personal data. While consent is one basis, because of the inherent vulnerability of children it is harder to show that consent was freely given, and in some circumstances it is advisable to rely on another lawful basis.

If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service.

Click here to read more about your obligations when processing personal data for under 18's. Please bear in mind that 

Our recommendation:

  • Audit your existing website / service. Even if your service is not overtly, or exclusively aimed at children under the age of 18 it may be designed to be intentionally attractive to children and incorporate various factors which demonstrates this. For example, children’s cartoon characters or child celebrities. 
  • Run a risk assessment to determine:
    • Whether the offering is intentionally made to be attractive to children;
    • Whether children have been attracted to the website / service or similar services in the past; and
    • Whether the registration process for the service reflects an assumption that the users are above the age of digital consent
  • Consider whether you can offer the services of your website without collecting or processing data which is identifying or makes the user identifiable, e.g. a free online game that does not require user registration or the input or collection of any personal data to use the service.
  • In low-risk situations, it may be appropriate to require an individual to disclose their year of birth or to fill out a form stating they are (not) a minor eg: I confirm that I am over the age of 13.
  • If doubts arise you should review your age verification mechanisms and consider whether alternative checks are required. Any data collected by organisations to this effect, and which is not required for evidential purposes and has no other function, should be immediately deleted following verification, to ensure compliance with the principle of data minimisation.
  • Audit any data that you currently hold to determine the lawful basis on which you are holding it. If you have no lawful basis you must delete it.

8. Getting your website GDPR compliant checklist

In summary, these are the key steps you need to take to get your website GDPR compliant:

  • Be clear about the lawful basis upon which you are collecting data and only collect the data you need. Especially when the data is of a confidential or sensitive nature.
  • Add a tick-box to your contact us form(s), requiring the individual to confirm they have read and agree to your terms and privacy policy with clickable links to each page.
  • Unbundle consent fields and ensure they are not pre-filled – so that consent or opt-in is given freely.
  • Add separate marketing opt-in forms for your mailing list and other opt-ins with a tick box consent to confirm they have read and agree to your privacy policy or (as a minimum) a link to it.
  • Update your privacy and cookie policy page to include specific information about how you process and store personal data and the rights of the individual with regards to access, remediation and deletion of their data.
  • Serve your website over HTTPS by installing an SSL/TLS certificate.
  • Include a mechanism which makes it clear to visitors that you use cookies.
  • Ensure that your website does not store any confidential or sensitive data within the content management system and that you only keep data for as long as you need it or have a legal obligation to keep it.
  • Be aware of your obligations if marketing to under 18s. Avoid collecting or processing data where possible and include a method for age verification if not.
  • Nominate a person responsible for data protection and establish a clear policy and process in the event of a serious breach.
  • Don’t forget, that in addition to your website, you may also be storing personal data within other online services such as your accounting or CRM system, as well as in offline formats. You should review these as well as your website.

Further reading

Is your marketing list GDPR compliant?

How to run a re-permission campaign

Read all about GDPR here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Rules about marketing: https://ico.org.uk/for-organisations/marketing/

DISCLAIMER: This article does not constitute legal advice in relation to EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how LOYALTYNATTERS has addressed some important legal points. This legal information is not the same as legal advice, where a solicitor applies the law to your specific circumstances, so we advise that you consult a solicitor if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this blog post as legal advice, or as a recommendation of any particular legal understanding.  The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.
