The GDPR is a set of new regulations designed to give EU citizens more control over how their personal data is stored and used. The GDPR will become law in all member states on May 25th 2018 and must be adhered to by any business that offers goods or services to, or monitors the behavior of, people living in the European Union. This is regardless of whether or not payment is involved, and regardless of where a business is located. Many of the ideas and terms used in this article are described in more detail in our Introduction To The GDPR For Website Owners.
A wide range of aspects of website management and online marketing are affected by the GDPR, and even the most well-managed website will require thorough checking and at least some changes to become fully compliant. Here are 4 steps to follow to help you on your way to compliance:
Review Your Data-Handling
The primary focus of the GDPR is personal data and how it is stored, used and protected. Here are some suggested steps to take for making your organization's data-handling GDPR compliant:
- If your website collects any information from users:
- Your website should be secured using HTTPS
- Ask your web developer if this data is stored and where it is stored.
- You should only ever ask for information that you actually need. If you website forms ask additions questions these should be removed and any previously collected data removed.
- If your organization collects sensitive information (for example medical records, sexuality or religious beliefs) from anyone and has lawful grounds to do so, you should consider:
- Storing all of your data in an encrypted form that requires a separately-stored key to un-encrypt.
- Pseudonymizing all of your data so that sensitive information and personally identifiable information are stored separately.
- Delete any data from your website database and/or offline databases that:
- Does not conform to the new regulations (i.e. you have no lawful justification for collecting, storing or using). For example, you should delete mailing list subscribers if you cannot prove that consent was given under the same conditions as the new regulation, or request consent from them again under GDPR conditions before it becomes law, as many companies have been doing.
- You either never needed or no longer need. Introduce a policy of always deleting data that is no longer needed after a certain period of time, and consider making this an automatic part of your website or other systems.
- Prepare to respond to GDPR-related data requests by having a written plan for confirming the identity of someone making a request and making sure you are able to fulfill requests to promptly access, update, move or completely delete a person's data. It is also recommended that you log any such requests and when they were acted upon.
- Create a plan for reacting to data breaches of different levels of severity. Under the GDPR, you are required to notify someone within 72 hours if data your business holds about them has been stored, processed or disseminated by you or a third party in a way that they have not given consent for.
Review Your Consent Mechanisms
The GDPR's philosophy is that you should only collect data that you have a specific plan for, and that plan must be legally justified. For example, a doctor has a legitimate reason to store data about your health, but anyone else would need to attain your explicit consent before doing so. The GDPR spells out exactly how your organization needs to attain consent and for what:
- Consent must be given for each specific use of data. For example, you would need to have two separate checkboxes on a website registration form if you want consent for both sharing the user's data with third parties as well as using the data yourself.
- Consent cannot be "bundled". For example, you cannot make it compulsory for a user to give their consent to sell their data in order that they be able to sign-up to use your service.
- If your website display third-party adverts, you should gain consent from your website visitors if you want to display personalized ads to them, or you could choose to serve only non-personalized ads to all users in the European Union.
- Implied consent (whereby consent is considered to have been given if the user continues to use your website after receiving fair notice) is possibly still only appropriate if none of your website's cookies contain any personally identifiable information or pseudonymous data.
- If any of your website's cookies contain pseudonymous data, you may wish to consider requesting explicit consent from your website visitors before sending these cookies to their browser, particularly if they persist for longer than the user remains on your website, in order to be completely sure that your website is GDPR compliant. At this time, it is not completely clear whether implicit or explicit consent is required for cookies that contain pseudonymous data which exist for only as long as the user remains on your website (or for a "limited" persistent duration),or for those that are strictly necessary for functionality.
- If any of your website's cookies contain any personally identifiable information, you must have a legitimate, specific reason for using them, and if not, you must stop using them. If you have a legitimate reason, you must get explicit consent from your website users before sending these cookies to their browser. There is some debate about which cookies should be included in this category, with some experts even including cookies associated with Google Analytics.
- In all cases, you should record the date you attain consent from someone and exactly what that consent is for.
Review Your Third-Party Service Providers
Very few websites exist in a vacuum, and most use multiple third-party services such as Mailchimp, Google Analytics, Hubspot and PayPal. Think about all of the online services you use for email marketing, web analytics, contact forms, web hosting, file hosting, payment processing and advertising exchanges/servers and make sure that they are either GDPR compliant or have a reasonable plan to become compliant (US-based data processors should be "Privacy Shield" compliant). Some third-party services may require you to change your implementation of their service or update certain settings for them to become compliant, as is the case with Google Analytics. For advertising exchanges/servers, part of being GDPR-compliant requires them to have an option to serve non-personalized ads.
You should also review the third-party providers such as web developers and marketing agencies that previously or currently have access to your IT systems, website(s) and data. Any third-parties that have access to your data should be GDPR compliant and need to inform you how they secure your data, who they share your data with (for example, do they outsource your work) and how long they retain it for. If you suspect that they have retained more data than they need then you should demand that they delete it. There are also strict new rules about providing access to personal data to people who reside in countries that do not meet relevant standards for privacy.
If you decide you need to change a third-party service provider because they do not intend to become GDPR compliant, you should insist that they securely delete your data from all of their digital systems.
Update Your Website Policies
- What data you collect from your visitors.
- How you collect data.
- Why you collect data.
- Where the data is stored.
- How long you intend to retain data for.
- Information as to how individuals can exercise their rights with respect to the data you hold about them. For example, if someone would like to know what data you hold about them, you may want them to provide a link to a specific form or your contact form.
- What cookies your website uses
- The purpose of the cookies your website uses (for example to identify users or collect traffic information) and confirmation that the cookie will only be used for the purpose stated.
- Whether the cookies are essential to make your website function or used only to enhance the performance of your website
- Whether the cookies expire after the visitor leaves your website or persist for longer (you should make sure that none of your cookies persist for longer than one year after being set).
- Whether the cookies are first- or third-party and the identity of any third parties
- If you request explicit consent from your website visitors to use any cookies, you should also include details of how they can withdraw this consent.
The GDPR emphasizes the need for written policies and audit trails, so it is a good idea to have written evidence of all of the steps you have worked through in your attempt to become GDPR-compliant and what plans you have for dealing with GDPR-related data requests and potential data breaches. That way, in the unlikely event that your business is the subject of a complaint you will be able to demonstrate that you made serious attempts to comply with the new regulations.