In case you’ve had your head in the sand, you may have missed all of the buzz about Facebook’s breach of customer data by Cambridge Analytica. Because of compromised personal information by Facebook and others, the demand for data privacy protection by governments everywhere is now on the rise.
Make no mistake, things have changed for organizations that have a website. Especially if they’re capturing data on the website such as:
- | an email address
- | visitor information from an embedded form
- | click behavior
- | page tracking
Today, the question that you need to answer is “Do you have a GDPR compliant website?” If not, you’re putting your organization at risk of fines, legal liability and more.
What’s GDRP and why should you care?
The General Data Protection Regulation or GDPR is a recent European Union law that became effective on May 25, 2018.
GDPR requires all website owners who store or use data on website visitors to give the user control of their personal data. This includes whether or not you can save or use their name and email address.
Even if you have very few—or any— European site visitors or users, GRDP has very specific expectations that website managers now have to meet.
How to make a GDPR compliant website
In order to ensure that your website’s GDPR compliant, you need to take the following 6 action steps ASAP.
1 | Publish a Privacy Policy
First, you need to inform website visitors about your intentions to collect their information.
This can be achieved through the addition of a detailed Privacy Policy page which should disclose the type of data that you’ll collect, how you’ll use it, and why you’ll use it. In your disclosure, you’ll also have to share the length of time that data you’re collecting will be held by you or your organization.
2 | Disclose what you’re collecting
Next, you’ll need to list all of the types of data being collected by your website and if you’re allowing third-party access to this data. This includes everything from email address capture forms, social media sharing tools, marketing automation tools, blog commenting tools, and custom form generation tools.
Your disclosure should indicate if you will sell, rent, or otherwise share personal data with anyone outside of your organization. Exceptions can be made to provide a requested service (such as providing a downloadable asset) or to fulfill legal obligations in the interest of the safety of your site visitors.
If you’re collecting technical and navigational information, such as computer browser type, IP address, number of pages visited, and average time spent on a site, you may be using a robust marketing automation platform or Google Analytics to get this data.
Most tools like this capture data and other information through the use of cookies on a website. A cookie is a small data text file that a website server writes to your hard-drive when you visit a website. A cookie assigns a unique identification to your computer and may be used for a number of functions including:
- | Providing security
- | Facilitating transactions
- | Personalizing a site or content
- | Gathering visitor information
Sharing a simplified explanation of cookie collection in your GDRP compliant Privacy Policy is a good idea because it explicitly tells your visitors how you’re collecting their information.
3 | Secure your server with SSL
Data security is a top priority for Google. And it should be for you too. Google now gives an HTTPS/SSL secure website a slight boost for search results page rank. And if you care about getting found in search queries, who doesn’t need that?
Simply implementing security enhancements like HTTPS/SSL will never replace consistent publishing and distribution of great content for improving page rank.
However, Google is encouraging website managers to switch to HTTPS/SSL to keep website visitors—and their data—safe. An SSL certificate is the minimal website requirement needed today to protect the stored data on your website server.
4 | Make consent explicit + consistent
If you use any form generation tool on your site like a marketing automation platform, 3 party site, or CMS plugin like Wufoo, all of the forms on your site now need to include a CHECKBOX that specifically asks your website visitors if they would like to receive relevant updates from you.
By leaving this CHECKBOX unchecked, users must take a recordable action of checking the box to opt-in and thereby confirm that they are permitting capture of their data on your site.
5 | Make it easy to opt-out + delete a data record
GDRP requirements include providing an easy access method so that your website visitors can make inquiries related to their personal data being stored in a database. Today, users all have the right to delete their details from your site. This meets their ‘Right to be Forgotten’ regulation in the GDRP law.
As a result, you’ll have to have both a plan and a mechanism in place to remove those visitors who make this request from you. Whether manual or automated, you need to be able to delete individual site visitors from your data capture methods and database/s.
6 | Have a plan if things go south
GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”.
The Guidelines include incidents that result in personal data being only temporarily lost or unavailable.
Under GDPR, you are now required to communicate with all individuals that have had their data compromised. This communication should include all of the following:
- Contact details of a Data Protection Officer or primary contact
person - Description of the nature of the breach
- Likely consequences of the breach
- Measures your organization will take to address the breach
- Advice your users/visitors can take to protect themselves
Notifications to individuals whose data has been compromised need to be written in plain language. They also need to be delivered in dedicated messages through a means that maximizes the opportunity for the information to be delivered to all affected parties. This may require several communication methods including both digital and analog.
If a breach of data does occur on your website, you need to take action including:
- Promptly notifying website visitors
- Notification to DPA’s (Data Protection Authorities) within 72 hours of becoming aware of a breach
Failure to notify visitors of a data breach can have severe consequences including monetary damages, reputation loss, and economic disadvantage. In fact, the EU has published specific formulas to assess how much exposure you may incur.
Denial or delay won’t reduce your exposure
If it’s not obvious, one of the most important assets for any organization—their website—just got more complicated with technical and data requirements that simply can’t be avoided.
GDRP has now mandated compliance with regulations that are intended to protect both your organization and its customers. Therefore, it’s now time to recognize that the GDRP compliance deadline has passed and you’re either:
- A | Compliant
- B | At Risk
Simply claiming that you were unaware of this new online requirement is not an option. Your exposure and potential liability will not disappear.
Are you ready to make the necessary upgrades to your site? Let us know when you want to get started.
As president and creative director of TeamworksCom, Paul develops brand strategy, engineers content to express customer value and creates integrated online and content marketing solutions to help businesses succeed. Connect with Paul, send an Email, or just call 415.789.5830.