What's the General Data Protection Regulation and how do I make my website GDPR compliant?

By Andrew Swindell
20 December 2017 - Last Updated 31 January 2018

Tags: compliant web forms  GDPR  GDPR Audit  GDPR Consent  GDPR Privacy Policy  General Data Protection Regula  opt-in vs opt-out  website GDPR compliance 

Photo looking down the middle of a busy train with people sitting on both sides of aisle, some looking at their smartphones.

On 25 May 2018 the GDPR takes effect across the EU, including the UK, and the UK's data protection laws are being updated alongside it. If you collect personal information through your website, these changes apply to you.

Here's exactly what you need to know to ensure your website is playing ball.

The GDPR. What is it?

The General Data Protection Regulation (GDPR) is an EU regulation that supersedes the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) in regulating how personal data may be obtained, stored and used. Unlike a directive, a regulation applies directly in every member state without needing separate national legislation.

The purpose of the GDPR - An end to smoke and mirrors

Its purpose is to strengthen the position of the public in protecting their privacy online. It does so by ensuring information is secure, and only used for purposes agreed to.

It clamps down on questionable marketing practices and puts control back in the hands of the data subjects, the people the data is about.

Who must comply with the GDPR?

Anyone, anywhere in the world, who decides why and how personal data about people in the EU is collected and used is a 'Data Controller' and must comply. It applies whether or not you are established in the EU, if you offer goods or services to people in the EU or monitor their behaviour.

It also applies to anyone who processes data on behalf of a data controller ('Data Processors'), e.g. software providers like MailChimp, SalesForce, Xero and, in some cases, your website designers.

As a UK business it's mandatory (Brexit doesn't excuse you), and although this article focuses on just website compliance, GDPR extends to other areas of your business too. Any personal data you collect, regardless of how you collect it, needs to be handled in compliance with the GDPR.

From comments in a blog post, to names and contact details from a restaurant feedback card, the Data Controller is accountable for obtaining, securing and using it appropriately.

We're just covering compliance of your website, but the full text of the GDPR provides information on the wider policy landscape.

Image of ED-209, the out-of-control police robot from the film RoboCop. Its famous line, 'you have 20 seconds to comply', is used as a reference to the following section about GDPR compliance.

Web GDPR compliance - Key things you need to know

Be Transparent to Get Consent

It's simple. Clearly explain why you're collecting personal information and what you will do with it. Detail why it's necessary or beneficial in a way that's easy to understand, and there is more chance people will agree to it.

Ambiguity (deliberate or accidental) is bad for business. It will turn people away and it could land you in the mix with the 'GDPR rozzers'. Be open, be honest and be relevant.

If your audience includes children, you'll need the consent of a parent or guardian: for online services offered directly to a child, the GDPR sets the threshold at under 16, and lets member states lower it to as young as 13 (the age the UK has adopted).

And you have to make it simple for people to revoke their consent. It's got to be just as easy as giving it.

'Legitimate Interest pursued by a controller'

There may be circumstances where it's just not possible to obtain consent but the data you hold is essential to your business.

Maybe your website uses personal data to deliver a personalised experience to customers.

Maybe it relies on using data in a way that is expected.

If so, you may be able to rely on 'legitimate interests pursued by a controller' (Art. 6(1)(f)) as your lawful basis instead of consent.

It still has to be justified: you must identify the interest, show the processing is necessary for it, and balance it against the individual's rights and reasonable expectations, and you should document that assessment. There's such huge scope for interpretation that it isn't something we can cover now. We simply advise seeking legal advice if you think 'legitimate interests' fits your type of usage.

Black background with the Guy Fawkes mask associated with the hacker group Anonymous. On close inspection the face itself is made up of lots of tiny words - people's names. Heads the section on data security.

Securing the Data with HTTPS and Pseudonymisation

Serving your website over HTTPS (using a TLS certificate, still commonly called an 'SSL certificate') to encrypt traffic between the visitor and your server is the first step to protecting the data you collect. If you don't have one already, get one: it's already best practice and certificates are readily available, so speak to your web developer about it. Make sure every form that collects personal data submits to an https:// address and that plain http:// requests are redirected to HTTPS, otherwise the certificate protects nothing. Bear in mind that this only protects data in transit; the data you store still needs protecting separately.

If you collect and hold personal information in volume, or for any length of time, it's also worth considering 'pseudonymisation'.

In simple terms, it's a process of separating the parts of a record that identify a person (name, email address) from the rest, replacing them with a random token, and keeping the token-to-identity mapping in a separate, more tightly controlled location (Art. 4(5)).

It adds a layer of protection where, in the event of a security breach of the main store, the data obtained could not be attributed to individuals without the separately held mapping. Note that pseudonymised data is still personal data under the GDPR (Recital 26), because you can re-identify it, so it must still be protected and is still subject to data subjects' rights.

Making the data available

It's important to remember that as a Data Controller, you never own the data you hold. You're a custodian trusted to use it properly and keep it safe.

In the event of an investigation, the GDPR requires you to be able to demonstrate that consent was given (Art. 7(1)). That means proving something that is particularly hard to prove after the fact.

For example, an export from your customer database showing a tick in a 'GDPR Consent' column, doesn't prove how consent was obtained. A snapshot of your Privacy Policy at the time of consent, timestamped and saved to the user profile, would be more credible.

Like it or not, your business procedures need to change, both to protect yourself and to service the requests of your data subjects when they exercise their GDPR rights. They can ask to:

  • review the data you hold
  • obtain a copy of it
  • transfer it to another provider

And you get just one month to comply (extendable by a further two months for complex or numerous requests, provided you tell the person within the first month). You must also verify the identity of the person asking before handing anything over, or a subject access request becomes a data leak.

What can I no longer do under the GDPR?

I'll try to summarise in broad terms what the GDPR changes will mean to marketers:

  • You can't force people into sharing their data if they don't want to.
  • You can't use personal data for any type of marketing you wish - only for what you've clearly explained and agreed.
  • You can't trick people into consenting to marketing with confusing logic in your signup forms.
  • You can't use data you already have for marketing, unless you can prove the data subject has consented to that usage.
  • You can't get away with using personal data without a documented lawful basis for that use - legally 'covering your ass'.

No more using 'Opt-Out' - putting an end to confusion

'Opt-Out' clauses can sometimes lead to consent being granted accidentally, or without any meaningful or informed action taking place.

So an 'opt-out' box cannot deliver valid consent under the GDPR - plain and simple. If consent is your lawful basis for marketing, that box is worthless.

The GDPR's Conditions for Consent (Art. 7) require that consent be demonstrable, and Art. 4(11) requires it to be given by a 'clear affirmative action'. An unticked 'opt-in' tick box is the usual way to achieve this on a web form. Art. 7 states;

'the [data] controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data',

and 'Recital 32 - Conditions for Consent' states;

'Silence, pre-ticked boxes or inactivity should not therefore constitute consent'.

The message is pretty clear. Compliance means switching from opt-out to opt-in, for all applicable web forms.

A photo of some UK policemen lined up in the standard uniform and helmets. Heads the section about non-compliance penalties.

What happens if I don't comply

Infringements of the core provisions (the data protection principles, lawful basis, conditions for consent and data subjects' rights) carry a penalty of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to EUR 10 million or 2% applies to other obligations, such as security, breach notification and processor contracts (Art. 83).

Protect yourself at all times

Public authorities, and organisations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data (Art. 37), must appoint a Data Protection Officer (DPO) to oversee all aspects of data protection and act as a contact point for the supervisory authority and for data subjects.

It's an independent position which cannot be influenced by the data controller or data processor.

For smaller organisations, we think it's wise to appoint someone with GDPR knowledge to ensure you always remain compliant in the future.

Don't underestimate the power of the people!

The GDPR gives 'data subjects' the right to manage their data in various ways.

They can request corrections, a breakdown of the data you hold and how it is used, a copy of their data in a commonly used, machine-readable format (like a .CSV file), and exercise their 'right to erasure' (the 'right to be forgotten'). Erasure is not unconditional: it applies where the data is no longer needed, where consent is withdrawn and there is no other lawful basis, or where the processing was unlawful, and you may retain data you are legally obliged to keep (accounting records, for example). Where it does apply, you must erase the data in full, including copies held by your processors.

A step-by-step process to making your website GDPR compliant.

Photo of a book store where shelves and stacks of books are piled up everywhere. Heads the section about auditing your data.

Step 1 - Start with an audit

Becoming compliant depends entirely on what your website does, because that in turn will influence the data you collect. The more you collect or the more ways you want/need to use personal data, the more explaining you'll need to do.

Auditing your website can give you a detailed picture of the data you manage. It's something you can do yourself, or there are resources available that can help you.

In all cases, the key to it is transparency and a 'personal data audit' will give you a baseline position to work from.  

The audit should detail:

  • What data you collect
  • How and where you collect it
  • What happens to the data once you have it (e.g. Store it, Use it for monthly newsletters)
    • Who stores it  (You or a 3rd party?)
  • How long you keep it for

Check that the information is accurate and complete. Then you can analyse where there are weaknesses, in GDPR terms, that need addressing. We suggest the following:

Review your 3rd Party Data

Ensure that any 3rd party 'data processors' are GDPR compliant. If not, find out if they will be by the deadline (25th May 2018). Compliant providers will have all the necessary information about their GDPR compliance in their Privacy Policy, so you can reference their information from yours. Article 28 also requires a written contract (a data processing agreement) with each processor setting out what they may do with your data; most providers publish one for you to accept.

Remember: The data you collect is still YOUR liability, so it’s essential your 3rd parties are fully compliant.

If they have no intention of doing so (as ridiculous as that sounds), you'll need to:

  • Find a compliant provider to switch to
  • Obtain YOUR data from the old supplier
  • Request they permanently delete your data from their systems

Step 2 - Delete old data & plan a GDPR consent request campaign

If your audit uncovers old data that you no longer use or need, get rid of it permanently.

Any data you still want to use should be included in a 'consent request' campaign, to be run before the deadline. Be careful how you run it: in 2017 the ICO fined Flybe and Honda for emailing people who had previously opted out (or whose consent was unknown) to ask them to opt back in, because sending that email was itself unlawful marketing. Only contact people you are currently allowed to contact.

Step 3 - Update your privacy page

Once you have completed the audit, publish its findings on your website's Privacy Policy page: what you collect, why, how long you keep it and who processes it. Be transparent and clear about how people can request their personal data from you, or invoke their 'right to erasure'.

We suggest setting up a mailbox or email forwarder specifically for GDPR enquiries. Something like '[email protected]' that your Data Protection Officer can manage.

Step 4 - Check self-management processes are compliant

If your website enables customers to manage their own preferences for marketing contact, ensure the interface adheres to GDPR regulations for obtaining consent via web forms, and that applicable privacy statements are clear and obvious.

Step 5 - Modify your front-end web forms for GDPR compliance

A graphic example comparing a non-compliant web form on the left, and a GDPR compliant version on the right.

The ICO's downloadable document 'GDPR Consent Guidance' details five rules that compliant web forms must adhere to. They are:

  • Unbundled: Consent requests must be separate from other terms & conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately to different types of processing wherever appropriate.  
  • Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

There's also one more form related no-no.

  • No Logic Reversal: Don't ask people to tick a box to opt-out. It's the same as asking them to untick a box.

Step 6 - Optional

In larger websites, the GDPR can affect many areas of your website in different ways. If that applies to you, we suggest that each data collection point (web form) also contains an excerpt from your audit that relates directly to it.

Placing the relevant information 'front-and-centre' sends a clear statement that you take GDPR compliance seriously and that you're trustworthy.

Accompany it with a link to the Privacy Policy for more information.

Step 7 - Get it checked over by a GDPR specialist

Every business is different and there may be extra considerations applicable to yours, that go deeper than the points covered here. Even if this covers your needs entirely, I still recommend getting your audit and GDPR-ready website reviewed by a GDPR specialist.

Embracing the positives.

While the GDPR is an EU regulation, it's also a major contributor to online safety and security on a global scale.  It enforces a positive change for the good of the entire online landscape. The benefits to you and I as individuals are clear.

Even despite the upheaval involved in preparing and implementing it, over time GDPR stands to benefit businesses too.

How will the pain ever be worth the gain?

It may be away in the distance, but when the law changes many businesses will be forced into adopting a more ethical approach to personal data.

Many will see their marketing database shrink significantly as people withhold consent in the lead up to May 25th, and records without consent must be permanently deleted.

But this is really just an enforced spring clean!

Clearing out dead wood to make room for new prospects of a higher value will, over time, see the asset value of your marketing database increase, and so will the level of trust your customers place in you.  

The opt-in approach to consent will mean you only gain genuine prospects from now on. Anyone who might otherwise have consented mistakenly will be gone. Your marketing campaigns can be better targeted and you can expect your email open rates and click-throughs to improve, as you deliver more relevant material to a genuinely interested audience.

Your marketing database may grow more slowly, but filling it up with wastrels was never benefiting you anyway, so while there's no gain without pain, once it's done you'll end up better for it.

