GDPR Compliance Checklist: Is Your Website Compliant?
With Halloween upon us, let us help you avoid a website GDPR nightmare.
General Data Protection Regulation (GDPR) was introduced by the EU on the 25th of May 2018.
Individuals were given the right to access their data, decide how it is used and when it is deleted.
But we’re leaving the EU, right?
That doesn’t mean we can ignore GDPR.
If you want to trade with the EU your website will have to comply with GDPR.
If you have a data breach and haven’t attempted to comply with GDPR you can be fined 4% of your annual turnover.
While we always advise that you seek legal advice to ensure that you meet all GDPR regulations, hopefully this checklist will help you get started on making your website GDPR compliant.
To comply with GDPR there are two fairly straightforward rules to follow:
- Be 100% transparent
- Make it user-friendly
All of this must be explained in clear, jargon-free, plain English. You’ll need to:
- Explain how and why you are collecting data
- Define all personal data you collect, process or store (this includes IP addresses)
- Outline all specific data uses
- State how long you will keep the data
A cookies notice should be given if you or any third-party software uses them on your site. Make sure:
- You clearly state what information the cookies collect and every way you use it
If your website collects any personal information you need to ensure that it is secure. Consider:
- Has the data been stored in a safe manner (encryption/anonymisation)?
- Has the data been held longer than stated in the terms and conditions?
All uses of data need to be clearly defined and opted into individually. This includes historical data, so ask yourself:
- Do you have appropriate consent to keep the data?
  - e.g. Email addresses collected before an opt-in/out scheme do not have appropriate consent.
- If the use of the data has changed, the original consent no longer applies.
  - e.g. Email addresses collected for a newsletter cannot be used for offers and promotions!
Subscriptions and Forms
All forms should be clear and simple. Think about:
- Active Opt-in: Opt-out or pre-filled tick boxes are not acceptable. The user must freely make the decision. Defaults should be either blank or ‘disagree’.
- Separate Opt-in: For each method (SMS, email, post) and type (newsletter, offers & promotions) a separate consent box should be provided.
- Third Party Sharing: Any third parties sharing the data need to be clearly named.
- Easy Opt-out: It should be clear that consent can be withdrawn. If your website has a login area, opt-outs should be made easily accessible.
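As an added example (not code from the original post), here are the four form rules above expressed as a small JavaScript consent model: an audit that rejects missing or pre-ticked consent boxes, a record that only counts an explicit tick, a check that consent for one channel and purpose never carries over to another, and a withdrawal path that keeps the history. The channel names, purpose names and the `consent_<channel>_<purpose>` field-naming scheme are assumptions chosen for illustration.

```javascript
// Added example, not from the original post. It models the checklist's consent
// rules: separate, unticked opt-in per channel and purpose, plus withdrawal.
// Channel and purpose names below are assumed for illustration.
const CHANNELS = ["email", "sms", "post"];
const PURPOSES = ["newsletter", "offers"];

// Name of the checkbox for a channel/purpose pair, e.g. "consent_email_newsletter".
function consentFieldName(channel, purpose) {
  return `consent_${channel}_${purpose}`;
}

// Audit a form definition (array of { name, type, checked }) against the
// "active opt-in" and "separate opt-in" rules: every channel/purpose pair needs
// its own checkbox and it must default to unchecked. Returns a list of problems;
// an empty list means the form passes.
function auditConsentForm(fields) {
  const problems = [];
  const byName = new Map(fields.map((f) => [f.name, f]));
  for (const channel of CHANNELS) {
    for (const purpose of PURPOSES) {
      const name = consentFieldName(channel, purpose);
      const field = byName.get(name);
      if (!field) {
        problems.push(`${name}: missing separate consent box`);
      } else if (field.type !== "checkbox") {
        problems.push(`${name}: must be a checkbox, not ${field.type}`);
      } else if (field.checked) {
        problems.push(`${name}: pre-ticked by default (must be blank)`);
      }
    }
  }
  return problems;
}

// Build a consent record from submitted form values. Only an explicit "on"
// (the value a ticked HTML checkbox submits) counts; absence or any other value
// is treated as no consent. The privacy-notice version is stored as evidence.
function buildConsentRecord(submitted, noticeVersion, now = new Date()) {
  const consents = [];
  for (const channel of CHANNELS) {
    for (const purpose of PURPOSES) {
      if (submitted[consentFieldName(channel, purpose)] === "on") {
        consents.push({ channel, purpose, grantedAt: now.toISOString(), withdrawnAt: null });
      }
    }
  }
  return { noticeVersion, consents };
}

// Is there live consent for exactly this channel and purpose? Consent for one
// purpose never carries over to another (newsletter consent is not offers consent).
function hasConsent(record, channel, purpose) {
  return record.consents.some(
    (c) => c.channel === channel && c.purpose === purpose && c.withdrawnAt === null
  );
}

// Withdraw consent for one channel/purpose pair, keeping the entry so both the
// original grant and the withdrawal can be evidenced later.
function withdrawConsent(record, channel, purpose, now = new Date()) {
  for (const c of record.consents) {
    if (c.channel === channel && c.purpose === purpose && c.withdrawnAt === null) {
      c.withdrawnAt = now.toISOString();
    }
  }
  return record;
}

// Constructed sample data: a form whose email/offers box is pre-ticked, and a
// submission in which only the email newsletter box was ticked.
const sampleForm = CHANNELS.flatMap((ch) =>
  PURPOSES.map((p) => ({ name: consentFieldName(ch, p), type: "checkbox", checked: false }))
);
sampleForm.find((f) => f.name === "consent_email_offers").checked = true;
const sampleSubmission = { email: "alice@example.com", consent_email_newsletter: "on" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditConsentForm(sampleForm));
  const rec = buildConsentRecord(sampleSubmission, "privacy-notice-v3");
  console.log(hasConsent(rec, "email", "newsletter"), hasConsent(rec, "email", "offers"));
}
```

Running the audit against the sample form flags the pre-ticked offers box, and the sample submission yields consent for the email newsletter only; asking whether the same address may receive offers returns false until the user ticks that box separately.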
It’s not just your website that needs to be GDPR compliant.
All personal data that you hold on customers, staff members, vendors and prospects needs to comply with GDPR.
That means performing a data protection assessment.
For more information and official guidance on data protection impact assessments take a look at the ICO’s official page.