5 Steps to Make Your Website GDPR Friendly

 

In this post, I outline five practical steps that businesses can take on their own website to make the right start towards GDPR compliance.

I have found that the key areas of the website alone are a good place to start. The practical steps below are ones that many business owners can put in place themselves; if not, they can ask an expert to help.

Please do bear in mind that web designers and developers are NOT legal experts and cannot give you GDPR-specific legal advice on becoming compliant. GDPR applies to the whole of a business, and the website is only a small part of that. However, a good web designer or developer will have a good grasp of GDPR and the knowledge to support you in implementing the technical aspects needed to bring your website in line with it.

 

*I am NOT providing legal advice. In all cases, proper legal advice should be sought from a lawyer to check that your website is compliant for the purposes of your business.

 

In this blog, I will outline some of the core essentials that a website should have in place, at a practical level, to begin complying with GDPR.

 

Step 1 – Website Policies

Every business website should have the following policies available on it:

Privacy Policy, Cookies Policy and Website Terms and Conditions.

To read more about what each policy is for, what it should contain and where to get help, see my blog The Quick and Easy Website Policy Guide to GDPR.

 

Step 2 – Website Contact Forms

For prospective clients to get in touch with you, most websites have a contact form. A prospect completing the name, email address and message fields and pressing the submit or send button is an act of "positive affirmation" that they are happy to provide that information to you.

Within the body of the contact form there should be a link to your Privacy Policy that they can click and read before sending their message. Their submission gives you their implied consent to have a two-way conversation about the query or question they submitted. What it does NOT give you is the right, or their permission, to add their email address to your mailing list and begin marketing to them. See the example below. Please note that each business needs to apply GDPR to suit its own circumstances; this is my own example.

 

Step 3 – Newsletter Sign Ups and Lead Magnet Opt-Ins

In order to comply with GDPR, there is no doubt that you need consent that is freely given through a positive, affirmative action before a data subject receives emails and marketing from you. Consent beyond any doubt is required for people opting into your newsletters and your lead magnets.

It is also a GDPR requirement that the consent you collect is granular. If someone opts in to receive your lead magnet (freebie download), you cannot bundle that consent so that all of your email marketing goes to them. The data subject has to give consent, purpose by purpose, to receive each type of email and marketing from you.

For example, I have a free guide available for download on this website, and this is how people can opt in to receive just that lead magnet. There is a clear reference to my Privacy Policy on the opt-in. In this example there is no need for a tick box, because a tick box is not the only way to obtain consent to GDPR standards: the affirmative act of the data subject completing the data fields and clicking the submit button to receive the lead magnet constitutes a "clear affirmative action" and is satisfactory for GDPR purposes.


When web visitors subscribe through this opt-in, all they receive is the download itself, followed by a series of emails that relate only to that download and its content. At the end of the email series they are given the option to opt in to the regular newsletter, where I write about news and promotions that I think will interest them. If they do not opt in to the general email marketing, I will not email them again, because they have not given the granular consent required for emails with a different purpose.

Alternatively, you can offer tick boxes at the very start of the opt-in so that subscribers choose what they wish to subscribe to, with one tick box per type of email. Personally, I take one focus at a time, deliver it to interested individuals, then give them the option to keep in touch at the end of the sequence. I will be publishing a further, more detailed blog about email marketing and GDPR best practice.
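To show how Steps 2 and 3 look when the consent is actually recorded rather than just collected, here is an added example in JavaScript. It is not code from the original post, nor from any plugin or email tool the post mentions. It keeps a small per-purpose consent ledger: each consent is stored against a single purpose together with the evidence you would need to demonstrate it (the form it came from, the timestamp and the privacy-policy version in force), and each send list is built from that purpose alone. The purpose names, form names and policy version are illustrative assumptions, as is the walk-through data at the end.

```javascript
// Added example, not the post's or any plugin's own code.
// Purpose names, form names and the policy version below are assumptions.

const PURPOSES = new Set(["lead_magnet", "lead_magnet_followup", "newsletter"]);
const POLICY_VERSION = "2018-05"; // assumed version of the linked Privacy Policy

function createLedger() {
  return new Map(); // email -> list of consent events, oldest first
}

// One event per purpose: granted or withdrawn, with the evidence kept alongside.
function recordEvent(ledger, email, purpose, granted, source, at) {
  if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const events = ledger.get(email) || [];
  events.push({ purpose, granted, source, policyVersion: POLICY_VERSION, at });
  ledger.set(email, events);
}

// The most recent event for a purpose decides; nothing recorded means no consent.
function hasConsent(ledger, email, purpose) {
  const events = ledger.get(email) || [];
  let latest = null;
  for (const e of events) {
    if (e.purpose === purpose && (latest === null || e.at >= latest.at)) latest = e;
  }
  return latest !== null && latest.granted;
}

function withdrawConsent(ledger, email, purpose, at) {
  recordEvent(ledger, email, purpose, false, "unsubscribe-link", at);
}

function validEmail(s) {
  return typeof s === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Step 2: a contact-form submission justifies replying to the enquiry, so it
// goes to an enquiry queue. It records no marketing consent of any kind.
function handleContactSubmit(ledger, enquiries, form, at) {
  if (!validEmail(form.email) || !form.message) throw new Error("incomplete enquiry");
  enquiries.push({ email: form.email, message: form.message, at });
  return hasConsent(ledger, form.email, "newsletter"); // remains false
}

// Step 3: submitting the lead-magnet form is the affirmative action, but it
// covers only the download and the follow-up emails about that download.
function handleLeadMagnetSubmit(ledger, form, at) {
  if (!validEmail(form.email)) throw new Error("invalid email");
  recordEvent(ledger, form.email, "lead_magnet", true, "lead-magnet-form", at);
  recordEvent(ledger, form.email, "lead_magnet_followup", true, "lead-magnet-form", at);
}

// End-of-sequence newsletter opt-in: only an explicitly ticked box counts.
// An absent or defaulted value records nothing, so the answer stays "no".
function handleNewsletterOptIn(ledger, form, at) {
  if (form.newsletter !== true) return false;
  recordEvent(ledger, form.email, "newsletter", true, "sequence-final-email", at);
  return true;
}

// Build the send list for one purpose from the ledger, never from "everyone we know".
function audienceFor(ledger, purpose) {
  return [...ledger.keys()].filter((email) => hasConsent(ledger, email, purpose)).sort();
}

// Constructed walk-through with made-up addresses; returns snapshots of each stage.
function demo() {
  const ledger = createLedger();
  const enquiries = [];
  handleContactSubmit(ledger, enquiries, { email: "bob@example.com", message: "Quote please" }, "2018-05-25T09:00:00Z");
  handleLeadMagnetSubmit(ledger, { email: "alice@example.com" }, "2018-05-25T10:00:00Z");
  const afterDownload = audienceFor(ledger, "newsletter");            // []
  const untickedCounted = handleNewsletterOptIn(ledger, { email: "alice@example.com" }, "2018-06-01T10:00:00Z"); // false
  handleNewsletterOptIn(ledger, { email: "alice@example.com", newsletter: true }, "2018-06-02T10:00:00Z");
  const afterOptIn = audienceFor(ledger, "newsletter");               // ["alice@example.com"]
  withdrawConsent(ledger, "alice@example.com", "newsletter", "2018-07-01T10:00:00Z");
  const afterWithdrawal = audienceFor(ledger, "newsletter");          // []
  const followup = audienceFor(ledger, "lead_magnet_followup");       // ["alice@example.com"]
  return { enquiries: enquiries.length, afterDownload, untickedCounted, afterOptIn, afterWithdrawal, followup };
}
```

The design point is that the send routine never asks "is this person on our list?" but "has this person consented to this purpose?", and that withdrawal is just another dated event, so the ledger doubles as the evidence trail GDPR expects you to be able to produce.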

 

 

Step 4 – Other Forms and Blog Comments

When web visitors complete other forms on your website, such as questionnaires or other data-capture exercises, the same principle applies: display a link to your Privacy Policy and obtain consent to the data being processed before the form is submitted.

Form plugins such as Gravity Forms and Contact Forms are well-known examples of data capture through forms. If you do not know how to add the tick box and declaration to these forms yourself, the plugin below will add the declarations for you.

The same applies to blog comments: the commenter's name, email address and website address are stored on the website, and the comment must be approved by the WordPress site owner.

This is how the plugin adds the tick box and declaration for you.


The plugin, WP GDPR Compliance by Van Ons, can be found in the WordPress plugin repository and is free to use.

 

Step 5 – Get Help!

This is a very simple look at some key aspects that businesses need to address on their websites. Each website is different and has different needs, and each business will implement its requirements in a slightly different way; what matters is that the result is GDPR compliant. If a business is unsure what it needs to do to be compliant, legal counsel must be sought. In the first instance, contact the ICO to discuss your individual requirements and questions.

The information above is based on my own interpretation and understanding of GDPR and is in no way a recommendation for other businesses and their needs.

If you are stuck, then get help. Don’t suffer in silence.

You can join Suzanne Dibble's excellent GDPR Facebook Group.

Watch her GDPR webinar and buy her legal pack.

Get help from a WordPress consultant like me, or get in touch with your own web designer or developer and ask them how they can help you.

 

Up Next

In my next blog, I will go into more detail about the practicalities of handling permissions for your email marketing, and about solutions to help you set up processes with the technology you use.

 

Do you have any questions or need any help?

If you have any questions, feel free to get in touch. If you need technical help to get any of these aspects up and running on your website, again, do get in touch. I would love to help!

 

Imogen Allen
