Unless you’ve been in hiding from tech talk, the chances are that you will have heard the acronym GDPR being bandied about in hushed tones, almost certainly accompanied by anxious looks from website owners. Yet the chances are equally high that you are none the wiser as to what GDPR actually is and how it will affect your website, never mind how best to adapt your website to GDPR, which comes into force on 25th May 2018.
The lowdown on GDPR
GDPR stands for General Data Protection Regulation and is an EU privacy law that comes into effect in all EU and EEA member states (yes, this includes the UK) on May 25th 2018. It replaces the current patchwork of differing national laws and regulations. In essence, the crux of the new legislation is that it gives everyone better control over the data about them that others can capture and use. Any person you hold information on will have the right to request that you erase their data. You’ve probably seen the early rumblings of this in relation to Mr Zuckerberg’s Facebook.
What is the point, because…Brexit?
Unfortunately (or fortunately, depending on your point of view), despite the likelihood of Brexit, this is one law that is set to remain in force when Brexit happens. The UK plans to bring GDPR into UK law and, if anything, make it stricter. The penalties for not adhering to the regulation are extremely severe. To give you an idea of the severity of the punishment, those caught in breach of GDPR rules will be liable to pay a fine of up to 4% of their company’s global turnover or €20 million, whichever is higher.
Getting your website ready in 7 easy steps
- Make your forms active opt-in. The forms on your site that invite users to subscribe to newsletters must default to ‘no’ once GDPR comes in. Any check box involving data gathering must default to ‘no’ or be left blank.
- Make calls to action and opt-ins clear. Optional contact and subscription boxes must be kept separate from the terms and conditions and written in unambiguous, plain language.
- You must offer granular opt-in. This means that different types of communication need their own consent boxes, so that a user can, for example, opt out of postal mail but into email communications.
- Easy withdrawal. Withdrawing consent for communications and other permissions must be at least as easy as granting it.
- There must be no unnamed parties lumped in under the consent banner. Your web forms must indicate exactly which parties users are giving their consent to be contacted by. You also need to make it clear in your terms and conditions exactly how you are collecting data and what you are planning to do with it.
- Check existing data. If it was obtained before the GDPR laws came in and not in compliance with them, you should err on the side of caution.
- Update your online payment system. If your website stores personal details after the information is passed on to a payment gateway, you will need to modify your web processes so that any personal information is deleted after what is termed ‘a reasonable period’.
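The seven steps above describe how a consent form and its back end should behave; the following is an added example of what that looks like in server-side code. It is not code from this article or from any real product: the module name ConsentStore, the parseConsentForm function, the three communication purposes, the party names and the sample form submission are all constructed for illustration. It shows consent treated as opt-in only (a missing or non-"yes" field is never read as consent, and the terms-and-conditions field is ignored for consent purposes), one consent record per purpose with the contacting party named, withdrawal as a single call, and a retention sweep that strips personal details from old payment records while keeping the order itself.

```javascript
// Constructed example of GDPR-style consent handling (not the article's code).
// Names (ConsentStore, parseConsentForm, PURPOSES, the party names) are assumptions.

// Steps 3 and 5: each communication channel is its own purpose, and each
// purpose names the party that will actually do the contacting.
const PURPOSES = {
  email_newsletter: { party: "Example Shop Ltd (hypothetical)" },
  postal_mail:      { party: "Example Shop Ltd (hypothetical)" },
  partner_offers:   { party: "Example Partner Co (hypothetical)" },
};

// Steps 1 and 2: only the explicit value "yes" (the value attribute on the
// rendered checkbox) counts as consent. A missing field, an empty string or
// any other value means no consent. The accept_terms field is never looked
// at here, so agreeing to the terms can never be taken as marketing consent.
function parseConsentForm(fields) {
  const consent = {};
  for (const purpose of Object.keys(PURPOSES)) {
    consent[purpose] = fields[`consent_${purpose}`] === "yes";
  }
  return consent;
}

class ConsentStore {
  constructor() {
    this.records = new Map();  // userId -> { purpose -> { granted, party, at } }
    this.payments = new Map(); // orderId -> { userId, amount, paidAt, personal }
  }

  // Write every purpose, refusals included, so the record shows what the
  // user was asked and what they answered, and to whom the consent relates.
  recordConsent(userId, consent, at) {
    const entry = {};
    for (const [purpose, { party }] of Object.entries(PURPOSES)) {
      entry[purpose] = { granted: consent[purpose] === true, party, at };
    }
    this.records.set(userId, entry);
  }

  // Step 4: withdrawal is a single call with no extra hurdle, i.e. no
  // harder than the single checkbox that granted it. Returns false when
  // there is nothing to withdraw.
  withdraw(userId, purpose, at) {
    const entry = this.records.get(userId);
    if (!entry || !(purpose in entry)) return false;
    entry[purpose] = { ...entry[purpose], granted: false, at };
    return true;
  }

  // True only when an explicit, still-current grant exists for that purpose.
  mayContact(userId, purpose) {
    const entry = this.records.get(userId);
    return Boolean(entry && entry[purpose] && entry[purpose].granted);
  }

  // Step 7: keep the business record (order id, amount, date) but hold the
  // personal details only for the retention period.
  recordPayment(orderId, userId, amount, personal, paidAt) {
    this.payments.set(orderId, { userId, amount, paidAt, personal: { ...personal } });
  }

  // Strip personal details from every payment older than retentionMs.
  // Returns how many records were purged by this call.
  purgePersonalData(now, retentionMs) {
    let purged = 0;
    for (const order of this.payments.values()) {
      if (order.personal !== null && now - order.paidAt > retentionMs) {
        order.personal = null;
        purged += 1;
      }
    }
    return purged;
  }
}

// Constructed sample POST body: the user accepted the terms and ticked only
// the newsletter box; the postal-mail box was rendered but left unticked and
// the partner-offers box was not submitted at all.
const SAMPLE_FORM = {
  accept_terms: "yes",
  consent_email_newsletter: "yes",
  consent_postal_mail: "",
};

// Small walkthrough of the API; returns a summary so it can be checked.
function demo() {
  const store = new ConsentStore();
  store.recordConsent("user-1", parseConsentForm(SAMPLE_FORM), 1000);
  const beforeWithdrawal = store.mayContact("user-1", "email_newsletter");
  store.withdraw("user-1", "email_newsletter", 2000);
  store.recordPayment("order-1", "user-1", 1999, { name: "A. Person" }, 0);
  const purged = store.purgePersonalData(10000, 5000);
  return { beforeWithdrawal, afterWithdrawal: store.mayContact("user-1", "email_newsletter"), purged };
}

console.log(demo());
```

The design choice worth noting is that refusals are stored alongside grants: a missing record and an explicit "no" are distinguishable, which is what you need when asked to show what a user was offered and what they chose.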