Easy to implement steps for website GDPR compliance
On 25 May 2018, the General Data Protection Regulation, the EU data protection directive, will come into effect. It’s quite confusing, even for experienced marketers like us, so we’ve put together this small guide to help your site move towards overall GDPR compliance.
GDPR compliance in five steps
- Write your own user policy.
- Get explicit consent for cookies.
- Got a WordPress site? What about plugins?
- Cut down the data you collect and store using your website forms.
- Clean up your mailing list.
1) Write your own user policy
It’s really not a good idea to cut-and-paste someone else’s user policy, as it’s probably not going to contain the proper information relating specifically to your site. You may also need to include statements like:
- We do not sell data.
- We do not share data unless compelled to by the law.
- We will only ask for your personal information if it is needed to provide some sort of service to you.
Then it’s likely you should follow this up with details about the type of data you collect, how you use it, and what you do to protect it.
2) Get explicit consent for cookies
The new GDPR compliance rules state that cookies definitely constitute ‘personal data’, mainly because what they collect can be used to identify an individual. It is best practice to obtain clear and very specific consent from users before placing cookies and tracking them. This can be achieved by a pop-up shown to the user on their first visit, allowing them to consent to or decline overall cookie use. However, be aware that to fully comply you must not pre-select a default answer such as “decline”: the pop-up must make them overtly select an option. You can’t place cookies on their browser if the user doesn’t explicitly give you permission.
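The server-side half of that rule is easy to get wrong: a missing consent cookie must mean "not asked yet", never "accepted" or "declined". The following is an added example (not code from the article or from any CMS or plug-in) that gates a non-essential cookie behind an explicit choice. The cookie names `cookie_consent` and `site_analytics_id`, the six-month re-ask period and the visitor id value are assumptions made for the example.

```python
"""Server-side consent gate for non-essential cookies.

Added example, not code from the original article. It models the rule from
the text: no cookie is placed until the visitor explicitly chooses, and the
absence of a choice is not treated as either "accept" or "decline".
"""
from http.cookies import SimpleCookie
from typing import Optional

CONSENT_COOKIE = "cookie_consent"        # assumed name for the consent record
ANALYTICS_COOKIE = "site_analytics_id"   # assumed name for a non-essential cookie
VALID_CHOICES = {"accept", "decline"}
RE_ASK_AFTER = 180 * 24 * 3600           # assumed: ask again after ~6 months


def read_consent(cookie_header: str) -> Optional[str]:
    """Return 'accept', 'decline', or None when the visitor has not chosen yet.

    Anything other than the two explicit values is treated as 'no choice',
    so a tampered or stale cookie never counts as permission.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None or morsel.value not in VALID_CHOICES:
        return None
    return morsel.value


def record_choice(choice: str) -> str:
    """Build the Set-Cookie header for a choice made on the consent banner.

    Raises on anything else, so there is no way to submit a default answer.
    """
    if choice not in VALID_CHOICES:
        raise ValueError("consent must be an explicit 'accept' or 'decline'")
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = choice
    jar[CONSENT_COOKIE]["path"] = "/"
    jar[CONSENT_COOKIE]["max-age"] = RE_ASK_AFTER
    jar[CONSENT_COOKIE]["samesite"] = "Lax"
    return jar[CONSENT_COOKIE].OutputString()


def build_response(cookie_header: str) -> dict:
    """Decide what a page response may do given the visitor's current cookies.

    Returns whether the banner must be shown and which Set-Cookie headers,
    if any, the page is allowed to emit.
    """
    consent = read_consent(cookie_header)
    response = {"show_banner": consent is None, "set_cookie": []}
    if consent == "accept":
        jar = SimpleCookie()
        jar[ANALYTICS_COOKIE] = "visitor-id-placeholder"   # constructed value
        jar[ANALYTICS_COOKIE]["path"] = "/"
        jar[ANALYTICS_COOKIE]["samesite"] = "Lax"
        response["set_cookie"].append(jar[ANALYTICS_COOKIE].OutputString())
    # 'decline' and None both fall through: no non-essential cookie is set.
    return response


if __name__ == "__main__":
    # First visit: no consent cookie, so the banner shows and nothing is set.
    print(build_response(""))
    # After an explicit "accept" the analytics cookie may be placed.
    print(build_response("cookie_consent=accept"))
    # A value the banner can never produce is treated as "not asked yet".
    print(build_response("cookie_consent=yes"))
```

The essential point is in `read_consent`: the check is an allow-list of the two values the banner can produce, so a missing, malformed or manipulated cookie falls back to showing the banner again rather than to silently tracking.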
3) WordPress and Joomla! plug-ins and GDPR compliance
Both WordPress and Joomla! site owners should keep a close watch, as many of the plug-ins currently installed on both platforms are definitely not compliant. Developers on both platforms are frantically working on these issues, so it’s probably a good idea to follow the social media channels of any plug-ins you currently use to stay abreast of their latest updates.
Basically, it’s your responsibility to make sure any plug-ins used on your website can export, provide and delete the user data they collect.
To meet the GDPR compliance rules, in some cases it might be necessary to change to a different plugin altogether.
4) Cut down on data you collect and store using website forms
As marketers, we always advocate collecting the least amount of data possible on any web form. This has always been because the fewer form fields a potential client has to complete, the higher the likelihood of them converting into an actual lead.
Best practice for conversion rate optimisation (CRO) is to use landing pages when running pay-per-click or Facebook advertising campaigns, and a common thread is to keep the forms as simple as possible to ensure maximum conversions. In fact, only 3% of users will fill out four fields on a contact page form. To stay on the right side of GDPR compliance, collect data only from fields actually needed for processing. Also be aware that many form plug-ins, such as “Contact Form 7” or “Ninja Forms”, store user data in a separate database within your CMS.
5) Lastly you definitely need to clean up your mailing list
Does your website and marketing already incorporate an email list? Best practice has always been to use double opt-in for your list. In case you didn’t know, double opt-in basically means that after the user provides an email address, you automatically send a message containing a ‘confirmation link’ that they need to click to finalise their subscription.
For some reason, up until now, there was a prevailing panic amongst British businesses that you needed double opt-in for GDPR; you don’t. Double opt-in is definitely something you can use, as it is an excellent way of proving that you obtained proper consent, but it’s not actually required.
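What makes double opt-in useful as proof of consent is the record it leaves: a single-use confirmation token, a time limit on it, and a note of when and where the address was confirmed. The following is an added example, not code from the article or from any mailing-list product; the in-memory store, the 48-hour token lifetime, the `source`/`purpose` fields of the consent record and the e-mail addresses are all assumptions or constructed values.

```python
"""Double opt-in with a consent record.

Added example, not code from the original article. The store, the token
lifetime and the shape of the consent record are assumptions; a real site
would persist these and send the token inside the confirmation e-mail link.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)   # assumed: unconfirmed sign-ups lapse after two days
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed reference time


def _digest(token: str) -> str:
    """Only a hash of the token is stored, so a leaked table cannot be used
    to confirm subscriptions on someone else's behalf."""
    return hashlib.sha256(token.encode()).hexdigest()


class MailingList:
    def __init__(self):
        self.pending = {}      # sha256(token) -> {"email", "expires"}
        self.confirmed = {}    # email -> consent record (the proof of consent)

    def subscribe(self, email: str, now: datetime) -> str:
        """Record a pending sign-up and return the token for the confirmation link."""
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = {
            "email": email.strip().lower(),
            "expires": now + TOKEN_TTL,
        }
        return token

    def confirm(self, token: str, now: datetime, source: str) -> bool:
        """Complete the subscription if the token is known, unused and not expired.

        The entry is popped either way, so a token can only be tried once.
        """
        entry = self.pending.pop(_digest(token), None)
        if entry is None or now > entry["expires"]:
            return False
        self.confirmed[entry["email"]] = {
            "confirmed_at": now.isoformat(),
            "source": source,              # which form or page collected the address
            "purpose": "marketing newsletter",
        }
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.confirmed

    def consent_record(self, email: str) -> dict:
        """What you would show if asked to prove consent for this address."""
        return dict(self.confirmed.get(email.strip().lower(), {}))

    def purge_expired(self, now: datetime) -> int:
        """Drop pending sign-ups that were never confirmed (data minimisation)."""
        stale = [k for k, v in self.pending.items() if now > v["expires"]]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def unsubscribe(self, email: str) -> bool:
        """Honour an opt-out; returns False if the address was not subscribed."""
        return self.confirmed.pop(email.strip().lower(), None) is not None


if __name__ == "__main__":
    ml = MailingList()
    token = ml.subscribe("Reader@Example.com", T0)      # constructed address
    print("subscribed before confirming:", ml.is_subscribed("reader@example.com"))
    print("confirmed:", ml.confirm(token, T0 + timedelta(hours=2), "contact form"))
    print("consent record:", ml.consent_record("reader@example.com"))
```

Note that nothing is added to the live list until `confirm` succeeds, and the expired branch still consumes the token, so a link that arrives late cannot be replayed after a later sign-up with the same address.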
Lastly, if you ever purchased a mailing list from a third party you should stop using it now and definitely delete it forever.
Individual rights: key provisions of GDPR
The GDPR provides the following rights for individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
The full list can be found on their individual rights page, but here we’ve included the things that we feel most concern ourselves and our customers:
Access rights and data portability
If you use a CMS (such as WordPress or Joomla!) it’s not that difficult to implement a system for exporting user data to a standard CSV file or another easy format. Often this will be accomplished through a fairly simple plug-in of some sort; if you don’t use one of the common CMS platforms, this may be something you need to have hard-coded yourself.
The right to erasure
The GDPR rules introduce the right for individuals to have personal data erased (also known as the right to be forgotten). Website owners need to implement a system that deals with any request for data erasure, whether it is made verbally or in writing. There are some exceptions that allow you to keep data, but otherwise if the user asks you to erase their data you must. This can include content created by the users themselves, such as forum comments, blog posts and form submissions.
Remember you have only one month to respond to any request of this nature.
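For a site without a plug-in that does this, the export described under "Access rights and data portability" above and the erasure described in this section are two queries over the same set of tables, plus a deadline calculation. The following is an added example, not code from the article or from any CMS: the schema (`users`, `form_submissions`, `comments`, `invoices`), the sample rows and the treatment of invoices as a retained-but-unlinked record (standing in for the "exceptions that allow you to keep data") are all constructed for the example.

```python
"""Subject access export and erasure over a small site database.

Added example, not code from the original article or from any CMS plug-in.
The schema, the retention exception for invoices and the sample rows are
constructed; an in-memory SQLite database stands in for the CMS tables.
"""
import csv
import io
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT);
CREATE TABLE form_submissions (id INTEGER PRIMARY KEY, user_id INTEGER, message TEXT, submitted TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL, issued TEXT);
"""

# Tables whose rows belong to the person and are deleted on request. Invoices
# are kept (assumed legal retention exception) but unlinked from the account.
# These names come from a fixed tuple, never from request input, so they are
# safe to interpolate into the SQL below.
PERSONAL_TABLES = ("form_submissions", "comments")
RETAINED_TABLES = ("invoices",)


def open_demo_db() -> sqlite3.Connection:
    """Create the constructed sample database used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "Alice"), (2, "bob@example.com", "Bob")])
    conn.executemany("INSERT INTO form_submissions VALUES (?, ?, ?, ?)",
                     [(1, 1, "Please call me", "2018-04-02"),
                      (2, 2, "Quote request", "2018-04-03")])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                     [(1, 1, "Great post"), (2, 1, "Follow-up"), (3, 2, "Thanks")])
    conn.execute("INSERT INTO invoices VALUES (1, 1, 99.0, '2018-03-01')")
    conn.commit()
    return conn


def export_user_data(conn: sqlite3.Connection, email: str) -> str:
    """Return everything held about one person as CSV (access and portability)."""
    row = conn.execute("SELECT id, name FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return ""
    user_id, name = row
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["table", "field", "value"])
    writer.writerow(["users", "email", email])
    writer.writerow(["users", "name", name])
    for table in PERSONAL_TABLES + RETAINED_TABLES:
        cur = conn.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user_id,))
        columns = [d[0] for d in cur.description]
        for record in cur.fetchall():
            for column, value in zip(columns, record):
                if column != "user_id":          # internal key, not personal data
                    writer.writerow([table, column, value])
    return out.getvalue()


def erase_user(conn: sqlite3.Connection, email: str) -> dict:
    """Delete the person's account and their content; unlink retained records.

    Returns a count of rows removed per table, which is what you would keep
    in the log of how the request was handled.
    """
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return {}
    user_id = row[0]
    removed = {}
    for table in PERSONAL_TABLES:
        removed[table] = conn.execute(f"DELETE FROM {table} WHERE user_id = ?",
                                      (user_id,)).rowcount
    for table in RETAINED_TABLES:
        conn.execute(f"UPDATE {table} SET user_id = NULL WHERE user_id = ?", (user_id,))
    removed["users"] = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    conn.commit()
    return removed


def response_deadline(received_iso: str) -> str:
    """One month from the date the request was received (the article's deadline).

    Same day next month, clamped to the last day when that month is shorter.
    """
    received = date.fromisoformat(received_iso)
    month = received.month % 12 + 1
    year = received.year + (1 if received.month == 12 else 0)
    next_month_start = date(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(received.day, last_day)).isoformat()


if __name__ == "__main__":
    db = open_demo_db()
    print(export_user_data(db, "alice@example.com"))
    print("erased:", erase_user(db, "alice@example.com"))
    print("respond by:", response_deadline("2018-05-25"))
```

The export walks the same table list that the erasure walks, so a table added to one but not the other shows up immediately as a discrepancy; keeping both behind one constant is the simplest way to stop user-generated content (the comments and form submissions the text mentions) from being overlooked.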
Privacy from the ground up
Basically, you need to ensure that you have adequate safeguards both to restrict data sharing and to protect the data itself. You should only collect data that is completely necessary, restrict any forms to fewer than four fields and get rid of any data that is no longer relevant. You should also ensure that the minimum number of staff members at your organisation have access to this data, rather than everybody who works there.
Lastly, it is very much worth considering moving your website to HTTPS, which encrypts all communications between your users’ browsers and the website itself.
It also has the added benefit of improving your search engine optimisation, as Google now takes HTTPS seriously as part of its algorithm.
While website GDPR compliance isn’t simple, by taking the necessary steps you will be substantially more compliant than you were before. If you’re using any sort of CMS, you should definitely watch for changes to any plug-ins you use as well as to the core version of the platform itself (WordPress has recently put out a version that is significantly more compliant).