Post Creative Blog


Introduction

If your website has a contact form, email marketing signup, membership or e-commerce functionality, or if it just uses tools to track website visitors, then there is a change in the law that you need to pay close attention to. Some of the ways you are collecting and storing personal data will no longer be allowed.

From 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. The new law is complex and extensive. It isn’t limited to the information you gather from your website but covers all the personal data (meaning any information relating to an identifiable person, someone who can be directly or indirectly identified) your business stores. This guide only covers your website. We’d recommend you visit the ICO website to read their guide to GDPR so that you can understand your wider responsibilities.

Here are some of the basic principles and responsibilities you have:

Transparency

People have a right to know what information is being collected and stored about them and what that information will be used for. There are a number of ways we can do this. The first place to start is an up-to-date Privacy Policy.

Your privacy policy should be in easy-to-read, non-technical language and it should cover the following:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • The steps you are taking to keep their information secure
  • How they can contact you if they have an information request
  • A promise to inform them if their information is ever breached

The ICO have a document providing examples of good and bad policies to help guide you in the right direction. Check it out.

An additional way to provide transparency is by adding a small intro to the forms you use on your site to collect information. Tell your visitors why you need to ask the questions on the form and detail how they will be used and shared.

In addition, all websites will need a cookie notice to tell visitors about the cookies the site uses.

Collect what is necessary and no more

It’s time to go back to your forms and any tracking software you use and detail exactly what you are collecting and ask yourself if there is any information that isn’t helping you do what you need to do.

One of the ways you might give your visitors more control over the information they share is to reduce the number of required fields on your forms.

Have a think about the obvious ways you are gathering information, like contact forms and registration forms, and the less obvious ways, such as tracking visitors on your site. If there is any information you don’t need, it’s time to cut that out of the process.

Get consent

Up until GDPR it was acceptable to use soft or passive opt-ins, but that won’t fly under GDPR. For example, you may have pre-checked the newsletter opt-in during your checkout or registration process, or you may have employed a cookie notice or a privacy policy that said something along the lines of “By continuing to use our site you agree to our policy”.

GDPR requires active agreement. How do we put this into practice? Well, when it comes to forms like email signup, registration, checkout and contact forms, we can provide an unchecked box asking people to confirm that they understand what you are collecting and why. In addition, we should provide a process by which people can opt out again at any point, such as unsubscribing from a newsletter or deleting their account.

When it comes to observed information collected via cookies (such as Google Analytics), we should also give people an explicit choice to opt in to being tracked or, if they prefer, to opt out. Opting out would stop tracking cookies being set during their time on the website, allowing them to use your site without being tracked.
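The two consent mechanisms described in this section, an unchecked consent box on forms and an explicit opt-in before any tracking cookies are set, are shown below as an added example; it is not code from the original post. It assumes an in-memory cookie jar standing in for the browser’s document.cookie so it can run in Node, a hypothetical analytics loader that writes the `_ga` and `_gid` cookies Google Analytics commonly uses, and a constructed signup submission.

```javascript
// Added example, not code from the original post: a consent gate for tracking
// cookies plus a server-side check that a form carried an explicit consent tick.
// The cookie jar below is an in-memory stand-in for the browser's document.cookie
// so the example runs in Node; in a real page you would read and write cookies
// (and call your analytics loader) at the same points.

// Constructed stand-in for the browser cookie store.
function createCookieJar() {
  const jar = new Map();
  return {
    set(name, value) { jar.set(name, value); },
    remove(name) { jar.delete(name); },
    has(name) { return jar.has(name); },
    names() { return [...jar.keys()].sort(); },
  };
}

// Cookies the hypothetical tracking script writes; _ga and _gid are the names
// Google Analytics commonly uses, listed here so opting out knows what to delete.
const TRACKING_COOKIES = ['_ga', '_gid'];

// Consent starts as "not given": nothing is pre-ticked or assumed from continued
// browsing. Tracking can only start after optIn(), and optOut() removes any
// tracking cookies set in the meantime while keeping a record of the choice so
// the visitor is not asked again on every page.
function createConsentManager(cookies, now = () => new Date().toISOString()) {
  let consent = { analytics: false, recordedAt: null };

  return {
    hasAnalyticsConsent() { return consent.analytics; },
    // Copy of the consent record, useful for evidencing when consent was given.
    record() { return { ...consent }; },
    optIn() {
      consent = { analytics: true, recordedAt: now() };
      cookies.set('consent_analytics', 'granted');
    },
    optOut() {
      consent = { analytics: false, recordedAt: now() };
      cookies.set('consent_analytics', 'denied');
      for (const name of TRACKING_COOKIES) cookies.remove(name);
    },
    // Gate in front of the analytics loader: returns false and writes nothing
    // unless the visitor has actively opted in.
    loadAnalytics() {
      if (!consent.analytics) return false;
      for (const name of TRACKING_COOKIES) cookies.set(name, 'constructed-visitor-id');
      return true;
    },
  };
}

// Server-side validation for a signup or contact form. A browser omits an
// unticked checkbox from the submission entirely, so a missing field means
// "no consent". A default or pre-ticked value is never treated as agreement;
// the checkbox markup must not carry the `checked` attribute.
function validateSignup(fields) {
  const errors = [];
  if (typeof fields.email !== 'string' || !fields.email.includes('@')) {
    errors.push('a valid email address is required');
  }
  if (fields.consent !== 'on') {
    errors.push('explicit consent is required');
  }
  return { ok: errors.length === 0, errors };
}

// Demonstration run on constructed inputs.
function demo() {
  const cookies = createCookieJar();
  const consentManager = createConsentManager(cookies, () => '2018-05-25T00:00:00Z');

  const before = consentManager.loadAnalytics();   // false: no consent yet
  consentManager.optIn();
  const after = consentManager.loadAnalytics();    // true: tracking cookies now set
  const cookiesWhileTracked = cookies.names();     // ['_ga', '_gid', 'consent_analytics']
  consentManager.optOut();
  const cookiesAfterOptOut = cookies.names();      // ['consent_analytics']

  const unticked = validateSignup({ email: 'visitor@example.com' });
  const ticked = validateSignup({ email: 'visitor@example.com', consent: 'on' });

  return { before, after, cookiesWhileTracked, cookiesAfterOptOut, unticked, ticked };
}
```

The important property is that `loadAnalytics()` is the only path that writes tracking cookies and it refuses to run until `optIn()` has been called, so a visitor who ignores the cookie notice is never tracked; the `consent_analytics` cookie survives an opt-out so the stored choice itself is not lost.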

Security

So, we’ve asked our website visitors to share some information with us about themselves, information we can use to better understand our customers and provide better, more profitable products and services. The least we can do is make sure that information is secure.

In 2017 Google changed its algorithm to favour sites that have an SSL security certificate. This certificate encrypts the data travelling between your visitors’ browsers and your website. In addition, you might have noticed if you use the Chrome browser that Google has labelled all sites without an SSL certificate ‘Insecure’; you can see this in the website address bar. It’s time for all sites to have an SSL certificate and offer their visitors the added peace of mind that they are taking the necessary steps to secure their information.

There are two main types of SSL certificates, simple SSL and SSL with a warranty which pays out should your information be hacked. Unless you are storing confidential information such as credit card details or medical information, a simple SSL will sufficiently provide the additional security you need to give your visitors peace of mind.

Storing information

If you are sending the information you collect to any other services, you have to check that those services are complying with GDPR. Examples of these might be:

  • A website backup service
  • An email marketing provider like Mailchimp
  • A visitor statistics provider like Google Analytics
  • A CRM which links to your contact form or online shop

Look out for our follow up posts on Google Analytics and Mailchimp.

Final thoughts

GDPR covers all the information you gather and keep about individuals; it includes paper records as well as digital records. If you haven’t already done so, I recommend visiting the ICO website to understand how it affects your business as a whole.

We have a few months before the new laws come into force, so there is no need to panic. If you are unsure about how you can make your website GDPR compliant, we’d be happy to have a chat with you and help you identify the changes you need to make.