Ways to Make Your Website GDPR Compliant

March 13, 2018

This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. If you are concerned about complying with the GDPR, we recommend that you consult an attorney familiar with the new laws.

Please note: This post borrows heavily from a similar article created by Susan Hallam, which can be found here. We appreciate her insight and original research into this matter.

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.

In this article, we will cover the narrow area of how to make your website GDPR compliant with specific recommendations for changes you will need to make.

The thread that ties together all of these recommendations is that under the GDPR, the concept of specific informed consent being given freely is being strengthened with new rules, which means businesses need to provide more transparency on their website when collecting or processing personal data.

Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to "no" or be blank (or be single-purpose - e.g., a self-contained newsletter signup form like the one we have on this page).

You will need to check your forms to ensure this is the case.

As an example, the current LL Bean registration form pre-ticks the join our newsletter box, forcing the user to actively opt-out. This must be changed to be opt-in by May.

Unbundled Opt-In

The consent you are asking for should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data.

In this example, Sainsbury's separates the acceptance of their terms and conditions from their active opt-in contact permissions, though they could have been more granular in terms of communication opt-in preferences (email, SMS, etc.).

Granular Opt-In

Users should be able to provide separate consent for different types of processing.

In this example, ABC Awards is asking for specific permission for each type of processing (post, email, telephone) and also asking permission to past details onto a third party.

Easy to Withdraw Permission or Opt-Out

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication:

Or easily change the frequency of communication, or stop all communications entirely:

Named Parties

Your web forms must clearly identify each party for which the consent is being granted. It isn't enough to say specifically defined categories of third-party organizations. They need to be named.

In this example, Waitrose reveals that they will be using the information as well as their affiliates John Lewis and John Lewis Financial Services -- and provides named permissions for each.

Though to be compliant, they must be opt-in rather than opt-out and the language should then change to more proactive: I would like to receive updates from Waitrose.

Privacy Notice and Terms and Conditions

The Information Commissioner's Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.

You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you've received it, and how long you will retain this information both on your website and also by your office systems.

You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgment as to what can be defended as reasonable and necessary.

Third Party Tracking Software

Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking applications like HubSpot, Lead Forensics, Leadfeeder or CANDDI. Or they could be call tracking applications like Infinity Call Tracking or Ruler Analytics.

The use of these tracking applications raise interesting questions in terms of GDPR compliance and remains a grey area. At first glance, these applications track users in ways they would not expect and for which they have not granted consent. For example, it is tracking my behavior each time I return to your website or view a specific page on your site.

However, the suppliers of these applications assure us they are GDPR compliant, assuming there is proper notification.

Because they are collecting personal data the suppliers like CANNDI are advising that banners stating clearly and unambiguously that cookies are being used.

And, they argue that the use of cookie tracking technology is in the legitimate interest of your business as a data controller, and specifically Recital 47 allowing for “processing for direct marketing purposes or preventing fraud.”

CANNDI advises:

Legitimate Interest - If using the legitimate interest principle within your website tracking it is advisable to have on record during your GDPR preparation that this is the case. This should include the grounds on which you are using this.

Though they seem confident that they are GDPR compliant, if 3rd party software is doing something illegal, it is still your business's responsibility as the Data Controller.

The real question is to identify the GDPR compliance risks in using this kind of software and to mitigate your risks as a business owner. As a result, you need to review your contract with software providers that clearly store and track personal data carefully -- or discontinue their use.

What About Google Analytics and Google Tag Manager?

If you are interested in Google's commitment to GDPR then a good place to start is this website: How Google complies with data protection laws

Many websites are configured to use Google Analytics to track traffic behavior. Google Analytics has always been an anonymous tracking system. There is no "personal data" being collected (unless it's been modified to do so, which is against Google's Terms of Service), so GDPR does not have an impact on using Google Analytics.

With regards to Google Tag Manager; it's a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services.

The issue for businesses with regards to Tag Manager is to ensure you have a contract in place with the individuals that have access to your Tag Manager (which may well be your web designer or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as a data controller.

So, the underlying issue with the new GDPR is to identify and have in place contracts with your third-party data processors to protect both your own interests.

One last thing...

The changes being introduced with GDPR will permeate your entire business, and in this article, we are focusing purely on your digital marketing.

As you confront the detail of your website, you will uncover other parts of your business that use this data. You will need to consider what happens after data leaves the website and enters your internal ecosystem.

The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key questions to be considering now as we approach the May deadline:

You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
Do you need to either gain or refresh consent for the data you hold?
Do you have a defined (written) policy for how long you retain personal data, so you don't retain it unnecessarily, and ensure it's kept up to date?
Is your data being held securely, keeping in mind both technology and the human factors in data security?
Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?