GDPR has been around now since 2018, yet it is still a hot topic for website owners who risk massive fines for not being GDPR compliant in handling their customer's and website visitors' data. Much of the GDPR is the same as the UK's predecessor, the Data Protection Act; however, there are some new rules and information that you need to be aware of, so we're providing this guide to help you make sure your website is GDPR compliant.
GDPR stands for General Data Protection Regulation and was introduced and adopted by EU members in 2018. The UK still has this regulation in place post-Brexit. It applies to anyone who collects or processes personal data and governs how it is collected, processed and stored.
Compliance with GDRP is paramount for all website owners. The fines that can be dished out can be catastrophic, not to mention a PR disaster.
Ignorance is not a defence when it comes to GDPR and being compliant. Some small business owners have fallen foul of the regulations by not realising what data is collected on their websites. Three examples of this can be:
Website Analytics: Google Analytics is a free tool used by website owners worldwide. Did you know if you know website visitors have to opt-in to data being collected? And no data can be collected before getting their express permission?
Contact Forms: Contact forms must have a tickbox or way of the sender agreeing that their data can be used according to a privacy policy. The policy must clarify how their data will be stored and used for the user to agree to it.
Facebook & Instagram eCommerce: If you own an eCommerce store and sync your store with Facebook and Instagram, you could inadvertently disclose customer data without knowing. This is more an issue if you use WooCommerce and the Facebook plugin for WordPress. It automatically adds a tracking cookie to your website. If you do not have a system to allow website visitors to opt-in and out of this cookie data collection, you are breaching GDPR.
Those are just three simple ways a website can fall short of the GDPR regulations without realising it. There are many more ways besides these examples.
Every website is different and will need different systems and processes to comply with GDPR regulations. However, you need to implement a few fundamental aspects of your website to ensure that the basics are covered.
Ensure that your website has up to date policies for both Privacy and Cookies. These policies should contain how data is collected and processed and how long it is stored. It should also outline why it is collected, such as to be able to provide goods and services or just for marketing and website analytics.
Cookie policies need to outline every cookie used on your website and the why, how long and how they are stored. You also, for both policies, need to make it clear where the data is stored, as GDPR dictates that the information, unless you have prior permission, cannot be stored or transported in any format outside the EU. This includes servers and data storage for all aspects of your website. Which is a big problem for the users of Google Analytics as all data is stored in the USA.
A tick box or dropdown needs to be added to allow users to agree to their data being processed according to your website's privacy policy. Ideally, the contact form should link to your policies so that the user can find them and read them with ease.
Your website should not collect any data in any shape or form until a user has opted in. This falls under PECR, which is part of GDPR. If your website has a simple "we collect data" pop up linking to a Privacy Policy - it is not GDPR compliant. There are many off-the-shelf solutions to this, such as CookieBot and CookieYes , which can help your website comply with GDPR, but they are costly in most cases. You also need to provide an option for users to opt out even after they have opted in.
Ensuring that your website is as secure as possible and that your entire website is protected with an SSL certificate is paramount. You could still be held responsible if data being transferred between your site and the customers' device is intercepted if you are not taking adequate steps to prevent it.
Most small business owners will use third-party apps such as email marketing tools, payment providers etc. As the website owner, it is your responsibility to ensure that the apps you use are also GDPR compliant and their details form part of your privacy policy.
GDPR is such a complex issue for business owners that it is too big to fit into a tiny blog post. You can do many things to help ensure compliance with the regulations. For instance, here at E2E Studios, we have a self-hosted version of Matomo Analytics hosted on our private servers. It is fully GDPR compliant and replaces Google Analytics; we use it both for our own website and for clients who wish to use it for theirs.
The critical thing to remember is not to be an ostrich and burying your head in the sand. GDPR is here to stay. You need to ensure your website and business comply with it to avoid fines and bad publicity!
There are lots of resources for website owners and website designers/developers alike from websites like:
If you need any assistance in ensuring that your website is GDPR compliant or interested in discussing our in house website analytics system for your site, get in touch, and we can help you out!
352A Buxton Road Stockport SK2 7BY