How to make your website GDPR compliant
GDPR has significant ramifications on organisations around the world. Although businesses are primarily focused on what happens “behind the scenes”, such as data storage and processing issues, organisations should be aware that they may need to make adjustments to their websites to ensure that they are fully compliant with the new regulations. Below we outline some of the first steps organisations should consider while making their websites GDPR compliant.
Privacy Policies
GDPR stipulates that organisations must be transparent with their consumers regarding the use of their data. In their privacy policies, organisations should include information about data collection practices, cookie usage, and data privacy rules regarding if and when user data may be shared. Furthermore, consumers should be informed about any plugins that the website uses which may collect user data.
Organisations should not just copy a generic privacy policy for use on their website. Consumers must be informed about that organisation’s specific business practices. Businesses should use simple, clear language while writing their privacy policies to convey as much information as possible to ensure that GDPR’s ‘transparency’ stipulation is met.
Cookies
Cookies are often used by organisations to record a user’s browsing activity. Under GDPR, cookies are considered items of personal data, as they can be used to identify an individual. Businesses must obtain explicit consent from consumers to collect cookies. The most straightforward way of achieving this is by implementing a popup when a user first visits the website. The popup must be transparent in its request, and merely ask users if they grant the website permission to use cookies. GDPR requires users to give their consent; therefore the popup cannot use a pre-checked box stating ‘accept’. If the user does not give their consent, businesses are forbidden from using cookies. Websites must not bar users for rejecting cookies.
Plugins
Businesses may use plugins on their websites that utilise user data. Businesses should perform an audit on their website’s plugins to ensure that their use is compliant with GDPR. For example, many plugins may use cookies, which, as stated above, GDPR considers as personal information. Businesses should list the plugins they use in their privacy policy. As with cookies, consumers must grant their consent for the use of specific plugins on websites. Websites using plugin submission forms should configure the plugins such that the “do not store form-data” is selected.
Email Communications
Mailing lists have attracted a great deal of attention surrounding the introduction of GDPR. Websites must obtain explicit consent from consumers to be added to mailing lists. Before GDPR, websites often included “add me to your mailing list” in the same section in which
consumers agreed to Terms and Conditions. Therefore, if a consumer wished to use a service and agree to T&Cs, they must also sign up to a mailing list. This method is no longer permitted; consumers must give their consent in a different question, and websites cannot use pre-checked tick boxes.
Businesses may find themselves needing to prove that all the users on their mailing lists gave their consent to be featured. This may involve sending new emails asking users to reconfirm their consent. Using double opt-in emails, while not required by GDPR, is a good way of ensuring consumers consent to subscribe. Double opt-in means that after the user provides their email, the website sends an email containing a confirmation link that the user must click on to finalise their subscription. It is also recommended that unsubscribe links are included in any email communication.
User Information
GDPR grants consumers the ‘right to be forgotten’. Users must be able to delete their information from a website. As this can be tedious if done manually each time a user wishes to be ‘forgotten’, implementing an automatic solution is recommended.
All businesses must carefully consider what types of data they wish to collect for their website. Under GDPR, businesses can only collect the minimum necessary information needed for processing. GDPR also requires all personal data to be secured, so data encryption should be considered.