Now that GDPR is in force, website owners will be obliged to make changes to the way they operate their sites. You may have already beefed up your security and rewritten your privacy policy in order to make your site more compliant but there is a raft of other things you’ll need to do differently. Here’s an overview of some of the important ones.
- Things to do when collecting informationWhen you provide a form for collecting data, for example, when asking for a newsletter subscription or taking a message on a contact form, you’ll need to state the reason you need the information and how it will be used. You can do this in a number of ways: putting the information on the form, having it appear in a popup, redirecting the user to a different page or sending an email.
In addition to explaining why you need the data, you also need to get the explicit consent of the user to use it. When registering subscribers, the easiest way to do this is to use a double opt-in procedure where, after a user has filled in the subscribe box, they are sent an email asking for them to confirm their subscription. The email should explicitly state that, by confirming, the user gives their consent for their data to be handled in the way you describe.
If you are a WordPress user, you may have noticed that version 4.9.6 has now got a comment consent box for users who are not logged in. It gives the option for them to have their name, email address and website URL saved in case they want to make future comments. - Sending emails and newsletters
If you send emails, make sure they explain to the user why they are receiving it and how you got their information. For example, you could add the text below to the bottom of your mail.
Why are you receiving this email?
You are receiving this email because you or someone using your email address has signed up to receive our newsletter.
Unsubscribe links have been a required feature on emails for years, however, under GDPR the user can also ask for their data to be erased. As many email plugins and tools retain user details even after they have unsubscribed from a specific mailing list, you need to provide the user with an option to be forgotten. Anyone who asks for this can then have their data permanently erased. The easiest ways to achieve these things is to use a mailing tool that is already set up to be GDPR compliant. - Sharing data
There are two types of data you can collect on your website, explicit and implicit. Explicit data is that which is directly given to you by the user when filling in forms. Implicit data is collected by the website software when analysing user interactions. Although you probably won’t be sharing explicit data, there is a chance you will be sharing implicit data, even if you aren’t aware.
In many cases, this data is collected by third-party plugins and these will use that data on your behalf. For example, if you use an analytics plugin, you will be collecting and sharing data that can show user behaviour, such as session duration and pages visited, it can record the device being used and the user’s location.
If you share data in any way, you’ll need to get the users consent, such as through a cookie law plugin or user consent form. You must also make sure your privacy policy gives details of the data you process and store, what you do with it and whether you share it. You also need to let them know how to access their data and have it deleted. - Selling online
If you sell things via your website, you’ll be collecting data, such as names, addresses, email addresses and banking details. Obviously, this is information that needs to be handled responsibly and requires you to make some adjustments in how you operate. One way you can make things easier for yourself is to use a payment gateway that processes the payment on its own site, not on yours, such as PayPal.
If you collect customers’ email addresses during the sales process, the only reason for doing so should be to communicate with them regarding the sale, i.e., sending invoices or dispatch notifications. If you want to use those email addresses for marketing purposes, you must first get their specific consent to keep their address and use it in such a way.
For compliance purposes, it is best to use e-commerce software that is itself, GDPR-compliant.
Conclusion
While most people already understand what GDPR is and the protections and rights it gives to EU citizens, it’s only now that website owners are beginning to see the many small but significant changes they need to make to their websites. Hopefully, this post will help you with your compliance.
If you are looking for a web host that can provide you with the security features you need to keep your users’ data secure, visit our homepage to see our range of web hosting packages.
