The General Data Protection Regulation (GDPR) requirements came into force on May 25, 2018. Designed to protect the personal data of EU residents, it gives individuals control over how their personal data is stored and used by your company. It’s vital that you understand GDPR requirements for websites to avoid being in breach of the regulations.
What is GDPR and why is it relevant?
GDPR places strict rules on how businesses acquire, store and use personal data. It applies to businesses of all sizes, although there are some exceptions for SMEs. GDPR requires businesses to have legitimate grounds to collect personal information and to use it only for a specific, stated purpose.
If you have a business website, it’s likely you’re collecting data about the people who visit and interact with your website. Therefore, it’s important to know the GDPR requirements for websites to ensure that yours is GDPR compliant. The penalty for non-compliance is high – it can carry a steep fine of up to 4% of the turnover of your business or €20m – whichever is higher.
What are the GDPR requirements for websites?
1. Review your website
It’s essential to check that your website is GDPR compliant. This involves assessing your website and any third-party tools you use for running your website, such as email list services, cookies that your website uses, and analytics such as Google Analytics.
Start by examining all the ways your website collects data, from online forms and user accounts to email signups. Make a list of what personal data your website asks for, and where and how it is stored. Personal data includes any information that identifies someone such as name, email, postal address or even computer IP address. Check what cookies your website is using.
Ensure your website includes a page listing all the cookies that it uses. This list needs to cover everything from functional cookies – such as account log-in cookies – to tracking cookies from third parties such as advertising platforms and analytics tools. Free tools such as GDPR Cookies Scan can examine your website and provide a list of all the cookies in use.
As part of GDPR requirements for websites, you will also need to provide a cookie pop-up notification giving visitors a link to the cookie listing page, as well as the option to decline all cookies. You cannot limit access to your website to only those willing to accept cookies.
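The following is an added example, not code from the original article, showing how a site can implement the behaviour described above: a consent cookie that defaults to "declined" for every non-essential category, tracking scripts that are only injected after an explicit opt-in, and a banner that offers "decline all" without blocking the page. The cookie name, the category names and the analytics script path are assumptions made for the example.

```javascript
// Added example (not from the original article): a minimal cookie-consent gate.
// Non-essential cookies/scripts are enabled only after an explicit opt-in; the
// default is "declined" and the page stays fully usable either way.
// CONSENT_COOKIE, CATEGORIES and the script path are assumed names for this example.

const CONSENT_COOKIE = 'site_consent';                // assumed cookie name
const CATEGORIES = ['functional', 'analytics', 'advertising'];
const ESSENTIAL = new Set(['functional']);            // needed for log-in; no consent required
const ANALYTICS_SCRIPT = '/assets/analytics.js';      // assumed path to a tracking script

// Parse a raw Cookie header / document.cookie string into a consent object.
// A missing, malformed or tampered cookie yields "no consent" for every
// non-essential category, so the failure mode is the privacy-preserving one.
function parseConsent(cookieHeader) {
  const defaults = {};
  for (const c of CATEGORIES) defaults[c] = ESSENTIAL.has(c);
  if (!cookieHeader) return defaults;
  const pair = cookieHeader
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return defaults;
  let parsed;
  try {
    parsed = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
  } catch (e) {
    return defaults;
  }
  if (!parsed || typeof parsed !== 'object') return defaults;
  const consent = { ...defaults };
  for (const c of CATEGORIES) {
    // Only a literal boolean true counts as consent; anything else stays declined.
    if (!ESSENTIAL.has(c) && parsed[c] === true) consent[c] = true;
  }
  return consent;
}

// Build the cookie value that records the visitor's choice.
// Essential categories are always on; everything else must be explicitly true.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const record = {};
  for (const c of CATEGORIES) record[c] = ESSENTIAL.has(c) || choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Decide whether a script/cookie of the given category may be activated.
function shouldLoad(category, consent) {
  return consent[category] === true;
}

// Browser-only part: inject the tracking script only once consent exists and
// render a banner with symmetric "accept all" / "decline all" choices.
if (typeof document !== 'undefined') {
  const consent = parseConsent(document.cookie);
  if (shouldLoad('analytics', consent)) {
    const s = document.createElement('script');
    s.src = ANALYTICS_SCRIPT;
    document.head.appendChild(s);
  }
  const decided = document.cookie.split(';').some((s) => s.trim().startsWith(CONSENT_COOKIE + '='));
  if (!decided) {
    const banner = document.createElement('div');
    banner.innerHTML =
      '<p>This site uses cookies. <a href="/cookies">See the full list.</a></p>' +
      '<button id="consent-accept">Accept all</button>' +
      '<button id="consent-decline">Decline all</button>';
    document.body.appendChild(banner);
    const record = (choices) => {
      document.cookie = buildConsentCookie(choices);
      banner.remove();
      if (choices.analytics) location.reload(); // picks up the script on next load
    };
    banner.querySelector('#consent-accept').onclick = () =>
      record({ analytics: true, advertising: true });
    banner.querySelector('#consent-decline').onclick = () => record({});
  }
}

module.exports = { parseConsent, buildConsentCookie, shouldLoad, CATEGORIES };
```

The important design choice is that the parser never trusts the cookie beyond the literal `true` values it contains and treats any parse failure as "declined", so a stale or corrupted cookie can never silently enable tracking. The same `parseConsent` can run server-side on the `Cookie` header to decide whether to emit tracking tags at all.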
4. Secure Sockets Layer (SSL) certificates
SSL (in practice its successor TLS, which is still commonly called SSL) is a vital website component that encrypts traffic between a visitor's browser and your website, so personal information, from credit card numbers to phone numbers, cannot be read in transit. Browsers also show a padlock symbol in the address bar so visitors can see that the connection is encrypted. Free SSL certificates are available from the Let’s Encrypt initiative and can be installed on your web server.
5. Newsletters and contact forms
As part of GDPR requirements for websites, if you invite visitors to sign up for email newsletters or downloads, or to fill in a contact form, you must be clear about what you will use the information for. You need to provide explicit opt-in tick boxes (unticked by default) if you plan on sending the visitor marketing information or sharing their details with third parties. You cannot send any marketing without separate permission for each channel, such as email, telephone and SMS.
Email service providers such as MailChimp, MizMoz and Communigator should be GDPR compliant, but check your email mailing list provider. Each email must include a clear unsubscribe link.
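As an added example (not code from the original article or from any of the email providers named), here is how the server side of a newsletter or contact form can record the per-channel opt-in described above, so that an untouched tick box never becomes consent and so that the record can later be used to honour an unsubscribe. The form field names, the record shape and the sample submission are assumptions constructed for this example.

```javascript
// Added example (not from the original article): server-side handling of the
// explicit, per-channel marketing opt-in. Field names (consent_email, ...) and the
// consent-record shape are assumptions for this example.

const CHANNELS = ['email', 'telephone', 'sms'];

// Turn a submitted form into a consent record. An unticked checkbox is simply
// absent from the submission, so only an explicit 'on' / true counts as consent;
// there is no default-on channel. The purpose text and timestamp are stored so
// the site can later show what the visitor agreed to and when.
function marketingConsentFromForm(fields, purposeText, now = new Date()) {
  const channels = {};
  for (const ch of CHANNELS) {
    const v = fields['consent_' + ch];
    channels[ch] = v === 'on' || v === true;
  }
  return {
    email: String(fields.email || '').trim().toLowerCase(),
    channels,                      // one boolean per channel
    purpose: purposeText,          // what the visitor was told the data is for
    recordedAt: now.toISOString(), // evidence of when consent was given
  };
}

// Gate every send on the record: no channel flag, no message.
function canSend(record, channel) {
  return CHANNELS.includes(channel) && record.channels[channel] === true;
}

// Handle the unsubscribe link for one channel; returns a new record and leaves
// the original untouched so the history of what was consented to is preserved.
function withdraw(record, channel, now = new Date()) {
  if (!CHANNELS.includes(channel)) throw new Error('unknown channel: ' + channel);
  return {
    ...record,
    channels: { ...record.channels, [channel]: false },
    withdrawnAt: { ...(record.withdrawnAt || {}), [channel]: now.toISOString() },
  };
}

// Constructed sample submission: the visitor ticked the email box only.
const sampleSubmission = {
  email: ' Visitor@Example.com ',
  consent_email: 'on',
  message: 'Please send me the brochure.',
};

module.exports = { CHANNELS, marketingConsentFromForm, canSend, withdraw, sampleSubmission };
```

Storing the purpose text and timestamp alongside the flags is what lets you demonstrate consent later; the email providers the article mentions expose similar per-subscriber fields, but the gate in `canSend` should still live in your own code so that nothing is sent to a channel the visitor never ticked.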
6. How to make WordPress GDPR compliant
Many websites use the WordPress content management system – it’s free, popular and supported with a range of free plug-ins. While you can buy GDPR plug-ins for WordPress that help ensure compliance, there are plenty of free WordPress plug-ins available to get you started.
- Cookie Notice – With over 1m active users, this free plug-in provides a cookie pop-up that complies with EU cookie law in relation to GDPR.
- WP GDPR Compliance – This free, open-source plug-in adds permissions and consent controls for popular online forms including Contact Form 7, WordPress Comments, WooCommerce and Gravity Forms.
- GDPR – Provides a free suite of tools to help a Data Officer manage GDPR compliance for a website, including cookie consent and requests for data deletion.