• Johanne

How to make sure your website is GDPR compliant

There are three steps you need to take to make sure your website is GDPR compliant:

1) Review your website

2) Inform people about what you are doing and get consent

3) Create separate cookies and privacy policies


GDPR has been in force since May 2018, but you might be surprised at how many businesses still don't have a compliant website. It is the legal responsibility of website owners and operators to make sure any personal data collected on their website is collected and processed lawfully.


Here are some more details around what you need to do to make sure your website is GDPR compliant.


1) Review your website

a) Review your website for personal data collection

Take a look through all the pages on your website and make a list of the places you collect personal data, e.g. names, addresses, email addresses, dates of birth. Remember that under GDPR online identifiers such as IP addresses and cookie IDs also count as personal data. Typical collection points are newsletter sign-up forms, contact us forms, checkout and account sign-up areas.


b) Review the analytics tools you use on the website

Make a list of all the tools and integrations you use for analytics and to track user behaviour on the site. Check that each company you use is GDPR compliant (you will find their policies on their websites), note where they process the data, and make sure you have a data processing agreement with each one that handles personal data on your behalf.


c) Review the cookies you have on your website

Cookies are small pieces of data (a name and a value) that a website or a script running on it asks the browser to store, and that the browser sends back on later requests, so they can be used to recognise a visitor and track what they do. Cookies do useful things like remembering what language a user has chosen for your site, keeping them logged in, or recording whether or not they have consented to cookies. These are called necessary (or strictly necessary) cookies.


Cookies are also used for marketing purposes, such as showing relevant ads to website visitors, or for analytics, so businesses can build a picture of who their customers are. Sometimes this data is anonymised, but often it can be traced back to an individual, for example through their IP address or a unique identifier stored in the cookie. These types of cookies are not necessary and need consent.


You can see what cookies are being used on a site by clicking on the padlock in the URL bar and selecting cookies (or, in the browser's developer tools, the Application or Storage tab). Alternatively, you can run a cookie scan using a free tool such as Legal Monster, CookieYes or Termly. Remember to browse several pages, including checkout or logged-in areas, since many cookies are only set there.




2) Inform people about what you are doing on your website and get consent

a) Cookie consent

Most websites have a cookie consent banner or pop-up to let users know what cookies are being used on the website and let them choose if they would like to accept them.


To be fully GDPR compliant, your cookie pop-up needs to gain explicit consent from the user through a clear, affirmative action. Pop-ups that say things like 'if you click yes, we'll assume you're ok with this' or 'by using our website you consent to cookies' are not GDPR compliant, because continuing to browse is not consent.

You need to allow users to choose which cookies they want to allow and give them a choice to reject all but necessary cookies.


Some European regulators set additional requirements; Ireland's Data Protection Commission, for example, expects a Reject All option that is as easy to use as Accept.


Cookie consent does not last indefinitely and must be asked for again periodically. Once a year is a common ceiling in regulators' guidance, and some national regulators expect it sooner than that, so check the guidance for the countries you operate in.


b) Keep a consent log


You must also keep a consent log that is securely stored and treated as a legal document, so that you can prove who consented, when, to which categories of cookies, and which version of your cookie policy they saw. A lot of cookie consent providers offer this as part of their package.


c) Block cookies scripts from running before consent is given

Some cookie consent tools do this automatically, but many don't. Before a user gives their consent, the scripts that set non-essential cookies (analytics tags, ad pixels, embedded widgets) must not run on your site at all; simply showing the banner while the scripts load in the background is not enough. In practice this means loading those scripts only after the user has accepted the relevant category, and keeping them blocked if the user rejects or ignores the banner.
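The following is an added example (not code from the original post or from any consent provider) showing how the blocking in 2c and the consent log in 2b fit together. It assumes a markup convention in which every non-essential script is written as a placeholder the browser will not execute, for example `<script type="text/plain" data-consent="analytics" src="...">`, and it assumes a 365-day renewal period and a `policyVersion` string; both of those are illustrative values you should set from your own regulator's guidance and cookie policy.

```javascript
// Added example: a minimal consent gate for non-essential scripts.
// Assumed convention: non-essential scripts are placeholders like
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/tag.js"></script>
// so the browser never executes them until activateScripts() turns them into real scripts.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_TTL_DAYS = 365; // assumed renewal period; check your regulator's guidance

// State before the visitor has chosen anything: only necessary cookies, nothing implied.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Turn the choices from the banner into a consent state.
// Only an explicit boolean true counts (no pre-ticked or implied consent);
// unknown categories are rejected rather than silently ignored.
function buildConsent(choices) {
  const consent = defaultConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error('unknown consent category: ' + category);
    }
    if (category !== 'necessary') consent[category] = value === true;
  }
  return consent;
}

// Decide which gated scripts may run. A script with no category, or an unknown
// category, stays blocked (fail closed) instead of being treated as necessary.
function allowedScripts(consent, scripts) {
  return scripts.filter((s) => s.category !== undefined && consent[s.category] === true);
}

// One consent log entry: what was agreed, when, under which policy version and how.
// Store these server-side (or in your consent tool) so you can evidence consent later.
function consentRecord(consent, policyVersion, now, method) {
  const grantedAt = new Date(now);
  const expiresAt = new Date(grantedAt.getTime() + CONSENT_TTL_DAYS * 86400000);
  return {
    grantedAt: grantedAt.toISOString(),
    expiresAt: expiresAt.toISOString(),
    policyVersion,
    method, // e.g. 'banner-accept-all', 'banner-custom', 'banner-reject-all'
    choices: { ...consent },
  };
}

// A stored record is only usable while it has not expired and the policy it
// refers to is still the current one; otherwise the banner must be shown again.
function consentStillValid(record, policyVersion, now) {
  return record.policyVersion === policyVersion && new Date(now) < new Date(record.expiresAt);
}

// Browser side: replace placeholders with executable scripts, but only for
// categories the visitor has consented to. Returns how many were activated.
function activateScripts(consent, doc) {
  const placeholders = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  let activated = 0;
  for (const placeholder of placeholders) {
    if (consent[placeholder.getAttribute('data-consent')] !== true) continue;
    const live = doc.createElement('script');
    const src = placeholder.getAttribute('src');
    if (src) live.src = src; else live.textContent = placeholder.textContent;
    placeholder.replaceWith(live);
    activated++;
  }
  return activated;
}

// Page wiring (only runs in a browser). POLICY_VERSION is an assumed value:
// bump it whenever the cookie policy changes so old consent stops being reused.
if (typeof document !== 'undefined') {
  const POLICY_VERSION = '2024-01';
  const stored = JSON.parse(localStorage.getItem('consentRecord') || 'null');
  if (stored && consentStillValid(stored, POLICY_VERSION, Date.now())) {
    activateScripts(stored.choices, document);
  }
  // Otherwise: show the banner with nothing pre-ticked; when the visitor submits,
  // call buildConsent(choices), store consentRecord(...) as JSON in localStorage and
  // in your server-side log, then call activateScripts(consent, document).
}
```

The important properties are that the default state runs nothing non-essential, that an untagged or unrecognised script is blocked rather than allowed, and that the same record you use to decide what to run is the one you keep as evidence, so the log and the site's behaviour cannot drift apart.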




3) Create separate cookies and privacy policies

US-based website builders often only include a privacy policy in their set-up. Unfortunately for businesses in Europe, that is not enough: you also need a cookies policy, kept separate from the privacy policy.

There are lots of free and low-cost options online to create cookies and privacy policies for your website. You may want to seek legal guidance though, to make sure your site is compliant.


a) Privacy Policy


To make sure you are accessing the most up-to-date information, you should visit the Information Commissioner’s Office website, or the equivalent for the country your business operates in.


Check out this easy reference guide to privacy policies on the ICO website.


b) Cookies Policy

Unfortunately there isn’t an easy reference guide for cookies policies from the ICO. Here’s their guide to using cookies and how to stay compliant.


Other things to consider

✔⁠ Only collect information that is absolutely necessary.


✔⁠ Have a plan/policy on how long you store data for and a process for deleting data that is no longer required.


✔⁠ Store data securely, and limit access to the people who actually need it. Keeping a list of your customers in an unencrypted spreadsheet that anyone can open is neither safe nor compliant with GDPR.


✔⁠ Do not send marketing emails/messages without consent. When someone gives you their email address at the checkout, you are only allowed to send transactional emails unless they explicitly give their consent otherwise. (In the UK, PECR's 'soft opt-in' for existing customers is the narrow exception, and even then you must offer an easy opt-out when you collect the address and in every message.)


✔⁠ Do not pre-check consent boxes on your website.


✔⁠ Always have an unsubscribe option in your communications.





Disclaimer: These steps are not legal advice, they are suggestions based on the information provided on reputable websites like the ICO. GDPR compliance is the responsibility of each business owner and Iyvhill Digital takes no responsibility for GDPR compliance for any other business.


