
How do you make your website GDPR compliant and what is the General Data Protection Act?

Feb 26th 2018

If you take advantage of email marketing to engage with your customers, you need to be aware of the changes coming into place as of the 25th of May 2018 from the GDPR. Don't panic, there's still time to prepare! This blog post has everything you need to be aware of.

Anyone who collects and processes personal data (defined by the GDPR as a Data Controller) will be required to comply with the new regulations to a certain degree.

As well as organisations who run websites or apps, this also includes any organisations who use internal databases, CRMs or even just plain old email.


What’s happening?

In May 2018, the 1995 EU Data Protection Directive will be replaced by the GDPR (General Data Protection Regulation). The new legislation will enable consumers to better control their personal data. It is hoped that these modernized and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefiting from reinforced consumer trust.

The full GDPR is a massive document, but we have outlined some of the most pertinent points below, in as straightforward a way as we can.

Will this affect me?

Whilst the current 1995 EU Data Protection Directive applies to those within the EU, the scope of the new GDPR will also extend to non-EU businesses. It will apply to anyone who markets products to people in the EU or monitors the behaviour of people in the EU.

It will also affect your business if it:

  • Possesses or processes data pertaining to an identifiable person
  • Contacts those individuals via email, phone, SMS or post
  • Tracks engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual

Hubspot put together a great checklist that you can read here. See what areas could be applicable to you.

The digital Age Of Consent…

Provable consent must be explicitly given to the data processor by the data subject before their data can be processed. Additionally, the data must only be used for the purposes for which consent has been given. E.g., if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list.

Verifiable consent must be given by a minor’s parent or guardian before their data can be used. Consent must be able to be withdrawn by the data subject at any time.

One of the biggest impacts of the GDPR that will be instantly noticeable is that companies won’t be allowed to use pre-ticked boxes, so unwanted third-party companies will no longer get hold of data by default.

This also means that if someone on your mailing list unsubscribes, you won’t be allowed to contact them. If you use programmes such as MailChimp or iContact for your email marketing you must ensure that your recipients have opted in!

How can I ensure that my website contact forms will be compliant?

  • Checkboxes need to default to “no”, and users can’t be forced to opt out of pre-selected tick-boxes.
  • Different options and terms and conditions need to be clear and separated accordingly.
  • Users need to be able to provide separate consent for different methods of communication such as email, post, telephone etc.
  • Make sure it is as easy to withdraw consent as it is to sign up.
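
Here is an added example of how a contact form's back end could record consent in line with the checklist above; it is illustrative code written for this post, not something from the original, and the field names, channel list and record layout are all assumptions.

```javascript
// Added example (not from the original post): a minimal server-side consent
// record for a website contact form. Field names, channel names and the
// record layout are assumptions made for the illustration.

const CHANNELS = ["email", "post", "telephone"];

// Build a provable consent record from submitted form fields. A channel is
// only consented when its box was actually ticked ("on"); an absent field
// means NO consent, so a pre-ticked default can never opt someone in.
function buildConsentRecord(fields, meta) {
  const record = {
    subject: fields.email_address,
    enquiry: fields.message || "",
    consent: {},
    recordedAt: meta.now,        // when consent was captured
    source: meta.formId,         // which form (and version) captured it
    policyVersion: meta.policyVersion, // the wording the user agreed to
  };
  for (const ch of CHANNELS) {
    record.consent[ch] = fields[`consent_${ch}`] === "on"
      ? { given: true, at: meta.now, withdrawnAt: null }
      : { given: false, at: null, withdrawnAt: null };
  }
  return record;
}

// Purpose limitation: an enquiry on its own never authorises marketing on
// a channel; only an explicit, un-withdrawn consent for that channel does.
function mayContact(record, channel) {
  const c = record.consent[channel];
  return Boolean(c && c.given && c.withdrawnAt === null);
}

// Withdrawal is a single call, as easy as signing up was.
function withdrawConsent(record, channel, now) {
  const c = record.consent[channel];
  if (c && c.given && c.withdrawnAt === null) c.withdrawnAt = now;
  return record;
}

// Constructed sample submission: an enquiry with only the email box ticked.
const sample = buildConsentRecord(
  { email_address: "jane@example.com", message: "Price list please", consent_email: "on" },
  { now: "2018-05-25T09:00:00Z", formId: "contact-v2", policyVersion: "2018-05" }
);
```

Storing the timestamp, form id and policy version alongside each channel flag is what lets you later demonstrate that consent was given, for what, and under which wording.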

I don’t process any personal data, but my Google, MailChimp, SendGrid etc. system does…

The GDPR would call these systems third party data processors. They are processing the data controller’s data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so.

US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.

What if I don’t comply?

You could be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of your organization’s global turnover. It is a well-known fact that the ICO is increasing its staff numbers in preparation for the GDPR, so don’t assume they lack the resources. They stand to profit hugely from this.

If you want to know more about GDPR or are concerned about how it may affect your business, contact us today. Our team will be more than happy to help answer any questions that you may have.