The General Data Protection Regulation (GDPR) was introduced across the EU, coming into effect on May 25th. The purpose of GDPR is to ensure that European citizens have greater control over the way that their personal data is used. It also aims to prevent a repeat of the recent Facebook – Cambridge Analytica scandal.
All websites that want to operate in the EU must now make sure that they are compliant with these new regulations. Already, they have had a significant impact on how businesses approach website design.
Here’s a check-list of the most important elements of a GDPR-compliant website.
Most of us have had a flurry of e-mails recently, all from concerned websites wanting to inform us of updates to their privacy policies. You will need to update your own terms and conditions to reflect GDPR compliance. In particular, you must be completely transparent about how you intend to use any information you collect.
Active Opt-In Forms
Under GDPR, any forms on your website that subscribe visitors to newsletters or other content must use an active opt-in system. This means that you cannot assume consent, nor can you have the relevant checkboxes automatically ticked on any forms. Instead, the user must freely and explicitly give their consent for any data collection.
Don’t Bundle Your Opt-Ins
From now on, when you ask for the user’s consent, you must separate the consent to your business’s terms and conditions from the consent to use their data. This is important, because your own terms and conditions are decided and enforced by you. By contrast, the GDPR is a piece of international legislation which sets out the legal obligations faced by organizations that collect personal data.
It is also important that you obtain clear consent from your customers for each way in which you wish to use their data. You should not try to obtain several consent agreements at once. This approach, where you seek agreements one by one, is referred to as granular consent.
Easy to Withdraw
As well as setting out a list of requirements for businesses to follow prior to gathering any data, the GDPR also sets out requirements for making it easy for customers to withdraw their consent. Customers must be able to easily opt out of any data collecting schemes you have, and it must be easy for them to find out how to do so.
Any web forms on your website must now clearly identify each party to whom the consent pertains. Each party must be listed clearly and individually. You cannot list a group as a party, no matter how well defined that group is. You can list organizations, but you should treat these as individuals.
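The following is an added example, not code from the original article, showing how the opt-in, unbundling, granular-consent, withdrawal and named-party points above can be carried into a sign-up form's consent handling. The purpose names, the controllers "Example Ltd" and "Partner Co", and the function names are illustrative assumptions.

```javascript
// Added example (not from the original article); names are illustrative.
// Each data-use purpose is asked for separately (granular), and every record
// names the individual party (controller) the consent pertains to.
const CONSENT_PURPOSES = {
  newsletter: { controller: "Example Ltd", description: "Monthly newsletter" },
  partnerOffers: { controller: "Partner Co", description: "Offers from Partner Co" },
};

// Initial form state: acceptance of the terms is a separate field from any
// data-use consent (not bundled), and every consent checkbox starts unticked.
function initialFormState() {
  const state = { termsAccepted: false, consents: {} };
  for (const purpose of Object.keys(CONSENT_PURPOSES)) state.consents[purpose] = false;
  return state;
}

// Build consent records from a submitted form. Only purposes the user actively
// ticked (strictly true, never a default) are recorded; accepting the terms is
// required to proceed but is never treated as consent to use data.
function recordConsents(submitted, now = new Date()) {
  if (submitted.termsAccepted !== true) throw new Error("terms must be explicitly accepted");
  const records = [];
  for (const [purpose, meta] of Object.entries(CONSENT_PURPOSES)) {
    if (submitted.consents[purpose] === true) {
      records.push({ purpose, controller: meta.controller,
                     grantedAt: now.toISOString(), withdrawnAt: null });
    }
  }
  return records;
}

// Withdrawal is as easy as granting: one call marks a single purpose as
// withdrawn and leaves every other consent untouched.
function withdrawConsent(records, purpose, now = new Date()) {
  return records.map((r) =>
    r.purpose === purpose && r.withdrawnAt === null
      ? { ...r, withdrawnAt: now.toISOString() }
      : r);
}

// Purposes for which data may currently be used.
function activeConsents(records) {
  return records.filter((r) => r.withdrawnAt === null).map((r) => r.purpose);
}
```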
Ensuring compliance with GDPR is very important. Many webmasters have been worrying recently about what they will need to do to ensure compliance. As long as you are being transparent about how you use data, and obtaining clear consent to collect it, you should be fine with GDPR.