GDPR is a Buzzword right now and it is going to affect a lot of Website owners, Email marketers, Re marketers; the whole internet, in short. Making your website GDPR Complian is a big fact! Let me explain,
As a smart website owner in 2018, the most important change you need to bring to your website is to make it GDPR compliant, otherwise, you’re looking at a potential fine of £20M or 4% of your turnover!
Table of Contents
GDPR – What actually is it?
The full form of is GDPR is General Data Protection Regulation. It mainly means to bring a change in the way that data is captured, used and managed, for all individuals in the EU.
The reason EU brought about this legislation is they want to provide individuals empowerment to have control over the data is captured, the way it is captured, and later used.
That said, if you think only those websites in EU need to bring about changes to comply with the regulation, it’s not. The Internet is an open place and even if you don’t target EU included countries, you might here and there get a visitor from EU countries.
And, if you capture even 1 EU person’s data without following GDPR, you’re in risk to get doomed!
So you better follow the GDPR, even if you don’t target EU countries!
The Main Aspects That GDPR Will Affect:
- The privacy policy – the things it needs to cover and the way it needs to be written.
- The way you use the cookies in activities like remarketing, you need to be transparent about it.
- Opting in into anything, the way you imply it.
- Journalisation of how you got a particular data, where from you got it, and how long you’re storing it for as well.
Who Are Most Likely To Get Affected?
As I said earlier, the internet is an open place, so it’s likely to affect everyone. But to be specific, any organization or website that collects, holds and uses users’ data for their marketing purpose or digital communication, are most likely to get affected by it.
What are the Fines and When will it come into Force?
In the worst case, if you don’t comply with the regulation, you will face a fine of up to €20 million or 4% of your global turnover, whichever is greater.
25th of May is the final deadline to make your website GDPR compliant and there won’t be any transitional or grace period after this.
What are the things you need to do to make your website GDPR compliant?
Before I explain things and steps, I’d point out a particular aspect ‘consent’, which is a very strong phenomenon in GDPR.
GDPR desperately wants to make sure that users have their consent with your every action regarding data collection or use.
Most of the steps I ‘ll suggest, have consent into the center of it.
Lets’ see.
1.”Active” Opt-In to Forms
Users need to ‘actively’ do something (maybe ‘yes’ a ‘no’, or tick a blank box) to opt-in a subscription to newsletters or vice versa.
The forms that invite users to subscribe must be set to ‘No’, or the box that users have to tick to opt-in, must be set to blank by default.
If a user really wants to subscribe, he/she has to consciously choose to do that by ticking the box. They can’t just ‘not-notice’ and get subscribed to something.
Take a look at the example of a bad practice of getting users into subscription list. The pre-ticked the box which is against the GDPR and needs to be changed. You should avoid this practice.
2.Unbundled Opt-In
The consents that you are asking for should not be bundled. They need to be set out separately for accepting terms and conditions, and the consent of getting contacted. Look at the example below, where the permission seeker clearly set out the acceptance of terms and conditions, and asked for the permission to contact them separately.
They did not blend in the contact permission with acceptance of terms of conditions, meaning you automatically allow them to contact you through different channels if you accept their terms and conditions.
3.Granular Opt-In
Users should have the options to select specific channel(s) they want to get contacted through.
One may not mind getting emails, but there’s a possibility that he/she won’t like getting calls for contact purpose.
So the website should let the user know which the channels they have to contact the user are and which channel(s) the user would prefer.
Also, if the website has to pass the data to a third party user to serve the purpose better that the user is willing to receive, they have to ask permission for that as well.
The example will clear things out.
4.Easy to Opt-Out or Withdraw Consent
The website owners have to make the consent withdrawal process as easy as it was accepting it.
Many websites ask for our topics of interest by compiling a list of topics that they can offer us, and can easily tick the topics we’d like.
But in case of unsubscribing, when we get the email, we see a very little unsubscribe button at the very bottom most often. Even if we find them after a thorough search, we often get automatically subscribed from only that topic the email was about.
Ideal practice is, we should land in a similar page consisting of the list when we subscribed, and have the option to uncheck the topics that we won’t like to get emails about ahead. Like the one below.
Another good practice is shown in the opt-out form below. It offers to change the frequency of emails, or even completely not get any email whatsoever from them.
5.Named Third Parties
Remember I told that the user needs to allow you to provide data to third parties, but the term ‘third parties’ ain’t enough. The example I showed when I was talking about that, had mentioned the third party name which they would like to provide the data to.
That was a good practice, and that’s the practice you should follow too. If you need to provide users’ data to multiple third parties, or different categories or section of a third party, you need to point that out.
Look at the example below where John Lewis differentiated permissions for John Lewis, Waitrose, and John Lewis financial services. Though it’s an opt-out form, you can apply that in an opt-in form too.
6.Privacy Policy and Terms & Condition
You’ll need to update your privacy policy page too to comply with GDPR.
You need to mention why and how you are collecting data, what purpose you’re going to use that data for, and if you’re going to pass that data to any third party user.
If you’re using any applications to collect data, mention that as well.
These, you have to do in every opt-in form as well, as I mentioned, but those may be customized as per the situation. But these basic and core questions have to be answered in a privacy policy page.
Information Commissioner’s Office (ICO) was very kind to provide a sample privacy notice that is to the point, straightforward and easily accessible. You may consider using that in your website.
7.Online Payments
If your website is an e-commerce one, you’re likely to be connected to a payment gateway to take care of financial transactions. But does your own website collect data before it passes the details onto the payment gateway?
If so, you will have to bring changes in your data passing process to remove any personal information after a reasonable period of time, maybe 60 days or so.
There’s no out and out mention of number of days this “reasonable” period, so it’s your own call to judge which can be defended as reasonable.
8.Third Party Tracking Software
Things start to get a little tricky when you use third-party software to collect data. If your software is not collecting data in a GDPR compliant way, you’re in risk to get sued for using that software, along with that software itself.
You, as a website owner, have to make sure that the software you’re using it is GDPR compliant. Do a little research and check something out by yourself.
If they’re using cookie, make sure that they’re displaying a cookie banner that let users’ know that their activities are being tracked.
Check out other processes it obtains to do things and make sure they’re okay in terms of GDPR compliance, and do some research.
A Little Summary and Wrap Up:
You might be understanding by yourself that the core message of this whole thing, is you need to apply the good practice of letting users know each and everything about the way their data is collected, used, hold and passed on.
Everything related to users’ data has to be very transparent. The points I mentioned are the common ones, but you might need to bring additional changes depending on the process you website operates.
Just run an audit, and point out the operations that relate to user personal data and bring changes to make them GDPR compliant.
Hope this helps. If you’ve any additional questions, ask me in the comment section below. I’ll be happy to help further.