It’s 2018, meaning the countdown to GDPR enforcement is well underway - and we all need to make sure our websites are in order before 25 May.
The way you collect data through your website isn’t the only thing you’ll need to think about ahead of the May deadline, but if you haven't already, it’s a good place to start.
Before we begin, if you’re thinking “What’s all this about?”, read our summary of GDPR and why you need to take action first. Otherwise, here are some of the things you might need to take a look at:
Wherever you capture personal data on your website, be sure to include the following:
- Privacy notices. Summarise why you’re collecting the data, and how it will be used. Check out our previous blog post for more information on how to write a privacy notice.
- Active opt-ins. If you want to use personal data for any processing that requires consent (such as direct marketing), you need to make sure your website users are actively opting in. This means no more pre-filled ticked boxes or withholding services if users don’t agree to marketing.
- Granular opt-ins. Make sure your opt-ins are granular. For example, if you use different forms of direct marketing, have different tick boxes for email, SMS, post etc. so users can choose which ones they agree to.
- Clear consent requests. While we’re on the topic of consent, be sure to keep requests for data processing consent separate from other T&Cs. Different opt-ins need to be provided for each.
But GDPR doesn’t just apply to new data you collect - it will apply to any existing / historic data you control too. You will need to carry out an audit of all the data you have to make sure you are using it compliantly.
Take your email marketing subscribers, for example. If you can’t demonstrate that you have consent to send marketing emails to someone, they will need to be removed from your database. It would also be best practice to remove any subscribers who are consistently inactive (e.g. if they haven’t engaged with an email in 6 - 9 months), for two reasons:
- You’ll be paying to send to these subscribers via your email marketing software. Removing people that have consistently shown they’re unlikely to engage could save you money.
- From a branding and perception point of view, you could be damaging your business by appearing in an inbox time and time again without any indication that the recipient is interested in your products or services.
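To make the opt-in rules above and the subscriber audit concrete, here is an added example (not code from the original post): a check on a consent form's default state, plus an audit that splits a mailing list into people with no demonstrable email consent, people who are consented but inactive beyond the post's 9-month upper bound, and people to keep. The field names, the 270-day cut-off and the subscriber data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

CHANNELS = ("email", "sms", "post")        # one tick box per channel, never pre-ticked
INACTIVITY_LIMIT = timedelta(days=270)     # assumed cut-off: about 9 months, the top of the 6-9 month window

@dataclass
class Subscriber:
    email: str
    consented_channels: Set[str]           # channels the person actively ticked
    consent_given_on: Optional[date]       # None = no evidence of consent on file
    last_engaged_on: Optional[date]        # last open/click on a marketing email; None = never

def check_form_defaults(fields: Dict[str, dict]) -> List[str]:
    """Flag a form that breaks the rules: pre-ticked box, missing per-channel box, T&Cs doubling as consent."""
    problems = []
    for ch in CHANNELS:
        box = fields.get(f"marketing_{ch}")
        if box is None:
            problems.append(f"no separate opt-in box for {ch}")
        elif box.get("checked"):
            problems.append(f"marketing_{ch} is pre-ticked")
    if fields.get("accept_terms", {}).get("grants_marketing"):
        problems.append("T&Cs box also grants marketing consent")
    return problems

def audit_email_list(subs: List[Subscriber], today: date) -> Tuple[List[str], List[str], List[str]]:
    """Return (no demonstrable email consent: must remove, inactive beyond limit: should remove, keep)."""
    no_consent, inactive, keep = [], [], []
    for s in subs:
        if s.consent_given_on is None or "email" not in s.consented_channels:
            no_consent.append(s.email)
            continue
        last_activity = s.last_engaged_on or s.consent_given_on   # never engaged: count from consent date
        if today - last_activity > INACTIVITY_LIMIT:
            inactive.append(s.email)
        else:
            keep.append(s.email)
    return no_consent, inactive, keep

# Constructed sample data, not real subscribers.
SAMPLE = [
    Subscriber("a@example.com", {"email", "sms"}, date(2017, 11, 1), date(2018, 1, 20)),
    Subscriber("b@example.com", {"sms"}, date(2017, 11, 1), date(2018, 1, 5)),     # never ticked email
    Subscriber("c@example.com", {"email"}, None, date(2018, 1, 5)),                # consent not evidenced
    Subscriber("d@example.com", {"email"}, date(2017, 3, 1), date(2017, 4, 2)),    # inactive about 10 months
]
```

Running `audit_email_list(SAMPLE, date(2018, 2, 1))` removes b and c for lack of email consent, flags d as inactive, and keeps a.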
- Data controller’s contact details. Identify your organisation as the data controller and state your contact details.
- Data Protection Officer’s contact details (where applicable). If your organisation is a public authority, you carry out large scale monitoring of individuals (e.g. online behaviour tracking), or you carry out large scale processing of sensitive data (such as criminal convictions / offences), you will be required to appoint a dedicated Data Protection Officer under the GDPR.
- Purposes and legal basis of processing. Outline what data you collect, how you use it and why.
- Legitimate interests. If you process data on the basis of legitimate interests (e.g. fraud prevention), state what these are.
- Who will have access to or use the personal data. Include any other organisation you share personal data with (name them!) and explain what they do with it.
- Transfers to non-EU countries. State any intended transfers and what your legal basis for this transfer is.
- How long you will store the data for.
- Data subject rights. Outline what your users/customers’ legal rights are as a personal data subject.
- Withdrawing consent. Make it clear that (if consent is the basis for processing) data subjects can withdraw consent at any time and explain how they can do so.
- Automated decision-making. If you conduct any automated decision-making, explain why, and what impact this will have on website users.
Of course this isn’t an exhaustive list by any means. Making your data collection GDPR compliant is just one of the steps you can take to improve the security of your visitors’ / customers’ data.
There are other methods you can also implement, such as SSL certificates and fraud prevention tools (which are particularly relevant for eCommerce sites) that can help improve the security and integrity of your website.
More information on the GDPR can be found here: