GDPR has significant ramifications for organisations around the world. Although businesses are primarily focused on what happens “behind the scenes”, such as data storage and processing, organisations should be aware that they may also need to adjust their websites to be fully compliant with the new regulation. Below we outline some of the first steps organisations should consider when making their websites GDPR compliant.
GDPR stipulates that organisations must be transparent with their consumers regarding the use of their data. In their privacy policies, organisations should include information about data collection practices, cookie usage, and data privacy rules regarding if and when user data may be shared. Furthermore, consumers should be informed about any plugins that the website uses which may collect user data.
Mailing lists have attracted a great deal of attention since the introduction of GDPR. Websites must obtain explicit consent from consumers before adding them to mailing lists. Before GDPR, websites often placed “add me to your mailing list” in the same section in which consumers agreed to the Terms and Conditions, so a consumer who wished to use a service and accept the T&Cs also had to sign up to the mailing list. This method is no longer permitted: consumers must give their consent in a separate question, and websites cannot use pre-checked tick boxes.
Businesses may find themselves needing to prove that every user on their mailing list gave consent to be included. This may involve sending new emails asking users to reconfirm their consent. Using double opt-in emails, while not required by GDPR, is a good way of ensuring that consumers consent to subscribe. Double opt-in means that after the user provides their email address, the website sends an email containing a confirmation link that the user must click to finalise the subscription. It is also recommended that an unsubscribe link is included in every email communication.
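The double opt-in flow described above, as an added example that is not part of the original article: a sign-up creates a pending entry and a confirmation link carrying a random token; the click handler checks the token and only then stores a consent record (request time, confirmation time, source address and the exact consent wording), which is the evidence a business would need to show that a subscriber opted in. The secret key, base URL, consent text and sample addresses are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example only: the HMAC key would come from the
# application's secret configuration, and the base URL is a placeholder.
SECRET_KEY = b"replace-with-a-real-secret-from-configuration"
CONFIRM_BASE_URL = "https://example.test/newsletter/confirm"
TOKEN_TTL_SECONDS = 24 * 60 * 60
CONSENT_TEXT = "Yes, send me the monthly newsletter."  # exact wording shown to the user


def _hash_token(token: str) -> str:
    # Only a keyed hash of the token is stored, so a leaked table of pending
    # sign-ups cannot be used to forge confirmations.
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()


@dataclass
class PendingSignup:
    email: str
    token_hash: str
    requested_at: float
    source_ip: str


@dataclass
class ConsentRecord:
    """Evidence kept per subscriber: when they asked, when they confirmed,
    from which address, and the exact consent wording they agreed to."""
    email: str
    requested_at: float
    confirmed_at: float
    source_ip: str
    consent_text: str


class MailingList:
    def __init__(self) -> None:
        self.pending: Dict[str, PendingSignup] = {}
        self.subscribers: Dict[str, ConsentRecord] = {}

    def request_signup(self, email: str, source_ip: str, now: Optional[float] = None) -> str:
        """Step 1: record an unconfirmed sign-up and return the link to e-mail."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.pending[email] = PendingSignup(email, _hash_token(token), now, source_ip)
        return CONFIRM_BASE_URL + "?" + urlencode({"email": email, "token": token})

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Step 2: called when the user clicks the link. True only for a fresh,
        correct token; wrong tokens are rejected and expired sign-ups discarded."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        pending = self.pending.get(email)
        if pending is None:
            return False
        if now - pending.requested_at > TOKEN_TTL_SECONDS:
            del self.pending[email]  # stale link: the user must sign up again
            return False
        if not hmac.compare_digest(pending.token_hash, _hash_token(token)):
            return False  # constant-time comparison of the keyed hashes
        del self.pending[email]
        self.subscribers[email] = ConsentRecord(
            email, pending.requested_at, now, pending.source_ip, CONSENT_TEXT
        )
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.subscribers

    def unsubscribe(self, email: str) -> bool:
        """Honour an unsubscribe link: remove the address and its consent record."""
        return self.subscribers.pop(email.strip().lower(), None) is not None


def parse_confirmation_link(link: str) -> Tuple[str, str]:
    """Extract (email, token) from a confirmation link, as the click handler would."""
    params = parse_qs(urlparse(link).query)
    return params["email"][0], params["token"][0]


if __name__ == "__main__":
    ml = MailingList()
    link = ml.request_signup("Alice@Example.com", "203.0.113.5")  # constructed sample
    print("would e-mail:", link)
    email, token = parse_confirmation_link(link)
    print("confirmed:", ml.confirm(email, token), "subscribed:", ml.is_subscribed(email))
```

The raw token is sent only in the e-mail and never stored; the server keeps a keyed hash, compares it in constant time and discards pending entries after 24 hours, so an old or guessed link cannot subscribe an address on someone else's behalf.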
GDPR grants consumers the ‘right to be forgotten’. Users must be able to have their personal data deleted from a website. As this is tedious if done manually each time a user asks to be ‘forgotten’, implementing an automated deletion process is recommended.
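One shape such an automated process can take, as an added example rather than the article's own code: a single function that removes the person's data from every store the site holds, writes an erasure log that contains only a keyed hash of the address, and keeps that hash on a suppression list so the address is not silently re-added by a later import. The three stores, the sample records, the secret key and the choice to keep order rows with the address pseudonymised (as a business might for accounting records) are all assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Set

# Assumed for this example: one secret used to pseudonymise erased addresses.
SUPPRESSION_KEY = b"replace-with-a-real-secret-from-configuration"

# Constructed sample data: three stores that each hold something about "alice".
accounts: Dict[str, dict] = {
    "alice@example.com": {"name": "Alice", "signed_up": "2018-05-01"},
    "bob@example.com": {"name": "Bob", "signed_up": "2018-05-02"},
}
newsletter: Set[str] = {"alice@example.com", "bob@example.com"}
orders: List[dict] = [
    {"id": 1, "email": "alice@example.com", "total": 12.50},
    {"id": 2, "email": "bob@example.com", "total": 3.99},
]
# Suppression list: keyed hashes of erased addresses. The address itself is not
# retained, but a later re-import (e.g. from an old export) can still be screened.
suppressed: Set[str] = set()
erasure_log: List[dict] = []


def _pseudonym(email: str) -> str:
    return hmac.new(SUPPRESSION_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def erase_user(email: str, now: Optional[float] = None) -> dict:
    """Remove personal data for `email` from every store and record what was done.
    Order rows are kept (assumed accounting need) with the address pseudonymised."""
    email = email.strip().lower()
    now = time.time() if now is None else now
    report = {"email_hash": _pseudonym(email), "removed": {}, "at": now}

    report["removed"]["accounts"] = int(accounts.pop(email, None) is not None)
    report["removed"]["newsletter"] = int(email in newsletter)
    newsletter.discard(email)

    anonymised = 0
    for order in orders:
        if order.get("email") == email:
            order["email"] = "erased:" + _pseudonym(email)
            anonymised += 1
    report["removed"]["orders_anonymised"] = anonymised

    suppressed.add(_pseudonym(email))
    erasure_log.append(report)  # the log holds only the pseudonym, never the address
    return report


def is_suppressed(email: str) -> bool:
    """Check an address before (re)adding it, e.g. when importing a list."""
    return _pseudonym(email) in suppressed


def import_addresses(addresses: List[str]) -> List[str]:
    """Add addresses to the newsletter, skipping any that were erased earlier."""
    accepted = []
    for address in addresses:
        address = address.strip().lower()
        if not is_suppressed(address):
            newsletter.add(address)
            accepted.append(address)
    return accepted


if __name__ == "__main__":
    print(erase_user("Alice@Example.com"))
    print("re-import accepted:", import_addresses(["alice@example.com", "carol@example.com"]))
```

Returning a per-store report from `erase_user` gives the operator something to file against the request, and because the suppression list and log hold only the HMAC of the address, the erasure process itself does not become a new place where the person's data is kept.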
All businesses must carefully consider what types of data they wish to collect through their website. Under GDPR, businesses may collect only the minimum information necessary for the processing. GDPR also requires all personal data to be secured, so data encryption should be considered.