The General Data Protection Regulation
All companies processing the personal data of residents of the EU are required to be GDPR compliant. This means that explicit consent is given freely, specific and informed and for a certain period of time for the use of personal data.
The impact on website design is in gaining consent for cookies, marketing and that consent is not simply implied, but it is actively given.
The GDPR covers the whole business, but for this article I will list the specifics of GDPR on website design to ensure all current and future websites are GDPR compliant. The consequences of not being compliant are fines and potential compensation claims listed at the end of this article.
For WordPress users there are a couple of GDPR compliant plugins designed to assist the Website Managers but further research is required.
How to make your website GDPR compliant
1- Forms must request opt-in
The website must not contain forms that automatically register people or opt in without their active approval.
Note: No auto enrolments, consent must be asked and actively given.
2 – Do not hide consent in a bundle
Consent must be clear and not contained in a bundle i.e. terms and conditions.
Note: consent must be specific and clear.
3 – Easy to opt-out of consent on the website
Visitors must have the ability to opt-out of any given consent easily and at any time on the website.
Note: Somewhere on the website to withdraw consent.
4 – Name business for giving consent
If you have more than one business be clear as to what business the consent relates to.
Note: Name business giving consent to.
5 – Privacy and Terms
The Information Commissions Office (ICO) has provided a sample privacy notice to be used on websites.
Terms and conditions also need the correct terminology and be transparent about what you will do with the information and how long you will retain the information.
Note: Terminology needs to correct and applications specified.
6 – Online payments
If you website is collecting data before sending to the payment provider then your website is storing personal data. If this is the case, the website must remove this data after a reasonable time i.e. 60 days.
Note: personal data from online transactions can not be stored indefinitely.
7 – Tracking software
Some websites use third party marketing software to track activity and these applications must be compliant.
Marketing software companies are making their applications compliant but as a holder of personal data the website owner must take responsibility for this and check compliance.
Note: Review contract with third party suppliers.
8 – Google
Most websites use Google Analytics so how GDPR compliant is Google?
Google Analytics does not use personal data so the GDPR rules may not apply, it is simply tracking activity.
Note: Have a contract with third party data processors to protect both interests.
9 – It is not just the website that needs to be GDPR compliant
In this article I have covered the website GDPR compliant rules that come into affect on 25th May 2018 but every business will need to carryout a a thorough review of.
Review the business process and where and how personal data is stored.
- What personal data do you have stored?
- Do you have written consent?
- when was consent given and do you need to request fresh consent?
- What is your policy on how long your store personal data?
- Is the personal data stored securely?
- Is your business process GDPR compliant?
Implications for not being GDPR compliant
Fines of up to €20 million or 4% global turnover and compensation claims for damages suffered and damage to reputation and loss of consumer trust – see ITGovernance.
SOURCE: Hallam Internet