
A lot has happened since the GDPR (General Data Protection Regulation) was introduced back in 2018, so you could be forgiven for having other things on your mind. But data breaches are still happening every day, and companies of all sizes are still finding themselves being fined for failing to look after their customers’ personal information. The sum total of GDPR fines made in Q3 2021 reached over €1 billion – that’s 20 times more than those levied in Q1 and Q2 combined. So, if you’ve found yourself getting a little distracted by everything that’s been going on in the world recently, now’s a good time to do some housekeeping.
We’ve written this short guide to help you make sure your website is compliant with data protection laws, so you’ve got one less thing to worry about.

What is a GDPR Compliant Website?
The GDPR is focused on being clear and open about how you use people’s data. That means all websites must make it easy for users to understand how their information is stored and how they will be communicated with during and after visits.
Users must be able to select and update their preferences with ease, and the language you use must be accessible, open and jargon-free. Here’s how you achieve a GDPR compliant website:
1) Opt-In, Not Opt-Out
Until the new laws came into play, it was standard for opt-in boxes to be pre-checked, on the assumption that website visitors were happy to receive future communications. Now the emphasis is on customer choice, which means you have to give people the opportunity to tick that box for themselves.
Even if you’re using a third party to handle your email communications and marketing, the ultimate responsibility for obtaining clear user consent lies with you. This means making sure your signup forms always contain clear statements about the information you collect, how you use it, and how potential customers can opt in or out.
A lot of organisations are now choosing to use double opt-in forms to confirm that individuals really do want to be added to mailing lists. When someone provides their email address, they receive a follow-up message asking them to confirm they want to sign up to things like newsletters and special offers, so you can be absolutely sure they’re happy. There are tools to help with this: if you use services like MailChimp, you can set your profile to always use double opt-in for all email signups.
2) Keep Everything Clear and Concise
The GDPR is all about transparency, which means you have to be totally clear about how your organisation uses personal data. It’s important to keep your terms and conditions separate from your opt-in features, and to provide a clear explanation of the kind of communications the user would be opting into.
You also have to make sure you never transfer consent between different types of communication, e.g., if someone signs up to receive special offers you can’t assume they will also want to receive marketing emails, brochures or phone calls. Be very clear about the different types of communication you use, and give people the opportunity to select each type individually.
3) Let People Know How You Will Communicate with Them
Businesses communicate with customers in lots of ways now, including text messages, emails, phone calls and good old fashioned paper mailing lists. While someone might be happy receiving a special offer via email, they might absolutely hate being called on the phone, so it’s imperative to give them the option to opt in or out of each type of communication.
4) Make it Easy to Unsubscribe
We all change our minds about things from time to time, so it’s important to give people the option to stop receiving marketing information from your organisation. Don’t take it personally – because your products and services were relevant to someone once it doesn’t automatically follow that they’ll always want to hear from you.
Always provide a clear unsubscribe option at the end of your emails, and one day they might come back. It’s also worth noting that the unsubscribe button doesn’t necessarily mean goodbye – you can give people the opportunity to stop receiving weekly marketing emails but still hear about special offers, for example.

5) Be Clear About Third Parties
If you have an e-commerce website, you’ll be more likely to be working with third parties, which means you have to be very clear about how those organisations use personal data too.
Even before the GDPR came into play it was good practice to have a privacy policy on company websites. Now it’s essential, particularly if you have something like Google Analytics installed.
Draw up a clear privacy policy and be totally transparent with people about how you collect, review and share customer information with others. Personal data should only be kept for a certain period of time, and it’s up to you to decide how long that is. What’s really important is that you’re honest about how long you keep that information and what you do with it, and that you give people the right to have their details removed.
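The consent handling described in points 1 to 5 can be modelled as a small consent ledger: boxes start unticked and a channel is only granted after the double opt-in confirmation token is returned, consent is held per channel and never transferred between channels, unsubscribing withdraws one channel only, and a send is refused once the retention period has passed. This is an added illustration, not code from the original guide or from any mailing service; the channel names and the two-year retention window are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed values for the example: the channel names and the retention window
# are choices the site owner makes, not anything the GDPR prescribes.
CHANNELS = {"newsletter", "special_offers", "phone", "post"}
RETENTION_SECONDS = 2 * 365 * 24 * 3600

@dataclass
class Consent:
    email: str
    pending: dict = field(default_factory=dict)  # channel -> unconfirmed token
    granted: dict = field(default_factory=dict)  # channel -> time consent was confirmed

def request_opt_in(store: dict, email: str, channels: set) -> dict:
    """Step 1 of double opt-in: the user ticked boxes (never pre-ticked) for these
    channels. Nothing is granted yet; the returned tokens go into the confirmation email."""
    unknown = channels - CHANNELS
    if unknown:
        raise ValueError(f"unknown channels: {sorted(unknown)}")
    rec = store.setdefault(email, Consent(email))
    tokens = {ch: secrets.token_urlsafe(32) for ch in channels}  # unguessable, one per channel
    rec.pending.update(tokens)
    return tokens

def confirm(store: dict, email: str, channel: str, token: str, now: float) -> bool:
    """Step 2: the confirmation link is clicked. Consent is granted only for the
    channel the token was issued for; it is never transferred to another channel."""
    rec = store.get(email)
    if rec is None or channel not in rec.pending:
        return False
    if not secrets.compare_digest(rec.pending[channel], token):
        return False
    del rec.pending[channel]
    rec.granted[channel] = now
    return True

def unsubscribe(store: dict, email: str, channel: str) -> None:
    """Withdraw one channel only; other confirmed channels stay as they are."""
    rec = store.get(email)
    if rec is not None:
        rec.granted.pop(channel, None)
        rec.pending.pop(channel, None)

def may_contact(store: dict, email: str, channel: str, now: float) -> bool:
    """A send is allowed only on confirmed consent that is inside the retention window."""
    rec = store.get(email)
    ts = rec.granted.get(channel) if rec is not None else None
    return ts is not None and now - ts < RETENTION_SECONDS
```

A real deployment would persist the store and record when and how each consent was given, since the GDPR expects you to be able to evidence it.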
6) Undertake Regular Audits
Particularly when you’re busy, it’s easy to just assume everything’s working smoothly and get on with other pressing tasks. When it comes to data protection though, you can’t afford to take your eye off the ball, so it’s important to organise regular website audits to make sure everything’s still under control.
Book in some time once a year to review your privacy policy and check that any third parties you’re working with are still collecting data in a safe and compliant way. Ensure you have a contract with all third parties that outlines their data responsibilities, and review your own policies regularly too.
Don't Forget...
Your obligations don't end there.
In the UK you are legally obliged to provide registered information relating to the identity of your business, including:
- Company name and Registered number
- Place of company registration
- Company Registered Office Address
- Contact details to include email address
- How to contact the business by non-electronic ways
- VAT Number if applicable
- Details of any trade body or regulatory registration, such as the ICO
If you have a Google+ icon and link on your webpage, you should know that Google shut that service down in April 2019.
Summary
Your website is your main mechanism for communicating with, and collecting data about, your customers. Because the GDPR is evidence based, it’s essential that you’re always totally clear about how you use people’s personal information and can demonstrate your commitment to data protection. Have clear policies in place, review them regularly, and make sure people know (and can easily choose) what they’re signing up to.
It may all sound like just more red tape to deal with, but in truth being transparent with customers can only be a good thing. By getting your permissions right from the outset and having active opt-in options, you’ll know that the people you’re contacting actually want to hear from you – which means higher response rates, more successful campaigns and happier customers.
To find out more about how to keep your data safe, contact our friendly team today.