The General Data Protection Regulation (GDPR) is fast approaching and comes into force on 25 May 2018. GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity like email marketing, social media, and eCommerce activities.
After 25 May, any data you gather on your website must be processed lawfully, transparently and for a specific purpose. This could include obvious data such as names, addresses and contact numbers but also less obvious data that you may not be aware of such as cookies and IP addresses.
There are a number of steps that you can take to achieve GDPR compliance with your website data processing.
Understand Consent Guidelines
If you plan to send email marketing to anyone who submits your web forms, GDPR requires that you get their explicit consent to do so. This means active opt-in from the user through unchecked boxes on web forms.
Consent must be granular so you need to feature separate check boxes for different types of processing. For example, if you plan to use the data for post, email or telephone communication, or pass user details onto a third party, then you must feature a separate, unchecked box detailing each data processing purpose.
GDPR also states that consent must be easily withdrawn if an individual no longer wants to provide their data.
Encrypt Your Data With An SSL Certificate
A Single Socket Layer or SSL certificate is a small file that digitally binds a cryptographic key to organisations details. When you have one as part of your website, it activates the ‘padlock’ symbol that you see in web browsers. It provides you with that https:// in your address bar – making all of your content secure between servers, it increases your Google search engine optimization (SEO) rankings which is a bonus and builds/enhances customer trust, resulting in improved conversion rates – especially within e-commerce websites.
Forms on your website must no longer include pre-ticked boxes. This is considered implied consent and not freely given. Users should be able to provide separate consent for different types of processing. For example, an option to be contacted by post, email, or telephone as three separate tick boxes.
If you are asking for permission to past details onto a third party – again, you need another tick box. If you are collecting data through one website on behalf of several third-parties, then you need to clearly give an opt-in option for each party. Offering them something like a whitepaper if they sign up to something is a great way of getting more user signup’s, but you still need to provide an opt in tick box, otherwise consent has still not been given freely.
If you are an eCommerce business, you are likely to be using a payment gateway for financial transactions – PayPal or any other.
Your own website may be collecting personal data before passing these details onto the payment gateway. If this is the case, you will most certainly require an SSL certificate to make sure this information is properly encrypted.
The GDPR legislation is not explicit about the number of days, it is your own judgment as to what can be defended as reasonable and necessary. You simply need to be prepared to provide the details you have to an individual who asks for it and, remove the data if an individual asks you to.