Making your website GDPR compliant (7 practical tips)

Ivo Valchev

25 February 2018

What is the GDPR? What about Brexit?

The GDPR (General Data Protection Regulation) is coming into effect on the 25th of May 2018 — in exactly three months time since this article was written, and will be applicable throughout the 28 EU member states — and yes, this includes the UK, at least for the duration of its membership until March 2019 and possibly after that too.

The GDPR strengthens personal data security and protection practices and has impact on many levels— but today I will focus on a few tips to help make your website GDPR compliant.

Making your website compliant tips

1. A contact us enquiry is not mailing list subscription

Consent for data processing in GDPR must be provable and obtained before the data is processed. Furthermore, consent is given for a specific purpose only and may not be used for other purposes. As an example, unless a user has opted in, you cannot add them to your mailing list.

2. Opt in, rather than opt out checkboxes

The user should proactively opt in to give consent, subscribe or agree to terms and conditions. You should replace your opt out checkboxes with unchecked opt ins that the user needs to consent explicitly. While doing so, also make sure to have:

3. Unambiguous, plain wording to obtain consent

In addition to using opt ins rather than opt outs, consent must be freely given, requested using unambiguous, plain language and purpose-specific only. Ironically, this is perhaps the most ambiguous part of the article, but as a rule of thumb I would refrain from using posh words or phrases with too broad of a meaning for the purposes of obtaining consent.

4. Unbundled, granular opt in.

The user should be able to provide separate consent for different types of processing — agreeing to the terms of conditions for registration, for instance, should be separate from a checkbox to “agree to hear about more offers from us” and, by extension, separate from “agree to share your data with third parties”.

5. Easy unsubscription and the right to be forgotten

Furthermore, the data subject must be able to, easily, withdraw consent at any time. This means if someone has agreed to be added to your weekly newsletter, you should provide them with readily accessible service to unsubscribe. But the right to be forgotten goes further: upon request by the relevant user, you must erase any and all data you hold about them permanently. Such request need to be “as easy” as the opt in consent options.

6. You need https!

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

A measure that facilitates security means, at the very least, having encrypted communication over the web. If you have ANY forms on your website, an SSL certificate is a must. The good news is, they tend to be inexpensive and even free.

As a side note, since Chrome v62 (October 2017) users area notified that websites using HTTP are not secure. Moreover, Google has announced that from July 2018 onwards all websites still using the HTTP protocol will be marked as “not secure”. So this should serve you as further motivation to switch to HTTPS, and probably also force it, if you have not already done so.

7. No, you shouldn’t worry about Google Analytics

Personal data is data which relate to a living individual. Google Analytics, however, provides anonymised information that does not classify as personal data. It is still advisable to read further on this on Google’s compliance page.

Important notice:

Please be advised that I am NOT a lawyer. In researching for this article, I have made the best attempt to cross check information from different and well-regarded sources and the information here is correct to the best of my knowledge. If you would like to suggest corrections or improvements, please let me know by emailing me at me@ivovalchev.com

Till next time. 😉