How to make your website GDPR compliant
GDPR is an acronym for General Data Protection Regulation, the European Union's new data protection regulation. It applies from May 25, 2018, and it brings a dramatic change in how we do business online.
The internet has a significant impact on our day-to-day life. We all surf the web but more importantly we share emails, essential documents, pay bills, buy things online and we disclose our details without giving much thought to it.
Everything we do on the World Wide Web leaves a digital mark. Companies use this digital trace to help improve their services and to provide a better customer experience. But data breaches do happen. Information is lost, stolen or released for profit and used with malicious intent. And this includes addresses, banking info, ID numbers, your IP and other data stored online.
This is where privacy comes in. The EU has addressed it through regulation, and from May 2018 the way organizations collect, store and use online data changes permanently.
The GDPR was designed to protect the data privacy of everyone in the EU and to harmonize data protection law across Europe. It gives individuals control over their personal data: who may use it and for what purpose.
The implications of GDPR for your business
GDPR applies to any organization that stores or processes personal data of individuals in the EU, even if it has no business presence within the EU.
Any organization that sells goods, offers services or monitors the online behavior of people in the EU must comply with GDPR requirements. Fines for noncompliance can reach €20 million or 4% of the organization's total worldwide annual turnover, whichever is higher.
This is the upper tier of fines, reserved for the most serious violations, for example breaching the basic principles of processing (including the conditions for valid consent) or the rights of data subjects. A lower tier (€10 million or 2% of turnover) applies to other obligations, among them data protection by design and by default.
In the following paragraphs we highlight the changes needed to make your website GDPR compliant. Please keep in mind that to ensure full compliance you should do more in-depth research on this matter and seek legal advice.
What are the data protection rights according to GDPR?
The protected data includes information your website collects incidentally, such as location, IP address, cookie identifiers and RFID tags. Online companies must now protect this information to the same standard as a name, address or national identification number.
The data you collect deliberately for business purposes through contact forms, newsletter sign-ups and e-commerce transactions, such as name, address and ID numbers, is covered as well. GDPR gives special protection to sensitive categories of personal data: health, genetic and biometric data, ethnic or racial origin, sexual orientation and political opinions.
As a website owner, you need first to acknowledge the way your company gathers personal data. Under GDPR, organizations must also inform customers of their new rights. The interaction between users and your website must be as transparent as possible.
Websites must now state what information they collect and offer genuine choices for consent. You should also let users see the information you hold about them and give them a way to have it removed from your systems.
The regulation gives individuals (customers, contractors and employees) more control over their data and less latitude to the companies that gather and use it for monetary gain.
Under GDPR, website users have eight rights: the right to be informed, the right of access, the right to rectification (having information corrected), the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
1. Update your privacy policy
Your privacy policy should explain what personal data you collect, why, on what legal basis, for how long, and with whom it is shared. It should also include instructions on how users can view the information you have stored about them and how they can have their data removed from your systems, which covers the right to be forgotten.
Our WordPress themes come with a 'Terms & Conditions' page template and demo content that you only need to update with your own privacy terms.
2. Get an SSL certificate
An SSL certificate (SSL stands for Secure Sockets Layer; the protocol actually used today is its successor, TLS) is a small file, signed by a certificate authority, that ties your domain name to a public key. A visitor's browser uses it to check that it is really talking to your site and to set up an encrypted connection, so that data passing between the two cannot be read or tampered with in transit.
The certificate is not included in the website theme, and obtaining and installing it is the site owner's responsibility. Once installed on your web server it activates the 'padlock' symbol you see in web browsers and gives you the https:// in your address bar. Installing it is not enough on its own: configure the server to redirect every http:// request to https://, and check that scripts, images and form actions on your pages are loaded over https:// too, otherwise browsers warn about mixed content and a form may still submit in the clear.
For e-commerce websites this is also a good business strategy: HTTPS is a ranking signal for search engines and it builds customer trust. People will know that their information is protected in transit and will be more willing to do business with you (better conversion rates).
3. Add distinct website forms
This step means making a few changes to your website design. Forms must not include pre-ticked boxes: consent obtained that way is not freely given, is not a valid basis for processing, and relying on it can attract a large fine.
As pointed out above, under GDPR consent has to be specific to each purpose of processing. Create separate options for your website users, for example two distinct tick boxes for being contacted by email and for being contacted by telephone.
Permission to pass data on to third parties must be stated clearly and needs its own tick box. The same applies if you collect data through your website on behalf of third parties.
Our real estate site themes meet the new requirements and we have developed forms that do not include pre-ticked boxes.
4. Add opt-out solutions
Individuals need to know from the start of any communication that they have the right to withdraw consent and can opt out of anything they previously agreed to. Withdrawing consent must be as easy as giving it.
GDPR also grants the right to restrict processing, meaning the user's data may remain in place but must not be used. And the right to object lets users stop the processing of their data for direct marketing, with no exemptions to this rule.
Opt-out options are not included in our WordPress themes and it is the site owner’s responsibility to create them and notify users.
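The consent model that sections 3 and 4 describe (one unticked box per purpose, withdrawal at any time, restriction and an absolute objection to direct marketing) is easy to get wrong in code, so here is an added example of it in Python. It is not code from this article or from the theme vendor; the purpose names, the `consent_<purpose>` form field naming, the in-memory storage and the sample form data are assumptions. The last function is a lint for templates that flags any pre-ticked checkbox.

```python
"""Granular consent for website forms: one decision per purpose, never
pre-ticked, withdrawable at any time, with restriction and objection honoured.

Added example for sections 3 and 4 of this article. It is not code from the
article or from the theme vendor; the purpose names, the form field naming
scheme (consent_<purpose>) and the in-memory storage are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Assumed purposes. Each one gets its own tick box and its own consent record.
PURPOSES = ("contact_email", "contact_phone", "newsletter", "share_with_partners")
# Purposes that count as direct marketing: an objection to these is absolute.
DIRECT_MARKETING = {"newsletter"}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    evidence: str          # what the user saw, e.g. "contact form, policy v3"


@dataclass
class SubjectConsent:
    """Consent history for one data subject (the log is your proof of consent)."""
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)
    restricted: bool = False          # right to restrict: keep the data, do not use it
    objected_marketing: bool = False  # right to object to direct marketing

    def grant(self, purpose: str, evidence: str, at: Optional[datetime] = None) -> None:
        self._record(purpose, True, evidence, at)

    def withdraw(self, purpose: str, evidence: str, at: Optional[datetime] = None) -> None:
        self._record(purpose, False, evidence, at)

    def object_to_marketing(self) -> None:
        self.objected_marketing = True

    def restrict(self) -> None:
        self.restricted = True

    def allowed(self, purpose: str) -> bool:
        """May we process this subject's data for `purpose` right now?"""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if self.restricted:
            return False
        if purpose in DIRECT_MARKETING and self.objected_marketing:
            return False
        history = [e for e in self.events if e.purpose == purpose]
        # No record at all means no consent: silence or a missing box is never consent.
        return bool(history) and history[-1].granted

    def _record(self, purpose: str, granted: bool, evidence: str, at: Optional[datetime]) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.append(ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), evidence))


def consents_from_form(form: Dict[str, str]) -> Dict[str, bool]:
    """Read one checkbox per purpose. Browsers omit an unticked checkbox from the
    submission entirely, so a missing field is read as "not given", never as a default."""
    return {p: form.get(f"consent_{p}") == "on" for p in PURPOSES}


def record_submission(subject: SubjectConsent, form: Dict[str, str], evidence: str) -> List[str]:
    """Store a grant for every box the user ticked; return the purposes granted."""
    granted = [p for p, ok in consents_from_form(form).items() if ok]
    for p in granted:
        subject.grant(p, evidence)
    return granted


class _PretickedFinder(HTMLParser):
    """Finds <input type="checkbox" ... checked> in a template."""
    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare boolean attribute such as `checked` maps to None
        if tag == "input" and (a.get("type") or "text").lower() == "checkbox" and "checked" in a:
            self.found.append(a.get("name") or "<unnamed>")


def find_preticked_boxes(html: str) -> List[str]:
    """Lint a form template: returns the names of any pre-ticked checkboxes."""
    finder = _PretickedFinder()
    finder.feed(html)
    return finder.found


if __name__ == "__main__":
    # Constructed sample: a submission with one box ticked, then a withdrawal.
    user = SubjectConsent("visitor-42")
    print(record_submission(user, {"consent_newsletter": "on"}, "contact form, policy v3"))
    print(user.allowed("newsletter"), user.allowed("contact_phone"))
    user.withdraw("newsletter", "unsubscribe link")
    print(user.allowed("newsletter"))
    print(find_preticked_boxes('<input type="checkbox" name="consent_newsletter" checked>'))
```

Note that `allowed()` consults only the latest event for a purpose, so re-granting after a withdrawal works, while a restriction or a marketing objection overrides any grant. Run `find_preticked_boxes()` over your form templates in CI so a pre-ticked consent box cannot ship.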
5. Online Payments
As a real estate business you are likely to use an online payment service such as PayPal or Stripe for financial transactions. Before handing over to the payment gateway your website may collect personal data, and in that case you need the SSL/TLS certificate to protect that information in transit.
GDPR does not set a fixed number of days for deleting this data. Its storage limitation principle requires that personal data kept after the payment is completed be held no longer than necessary for the purpose it was collected for. Decide on a retention period you can justify (for example 90 days for the checkout details), write it down in your privacy policy, and delete the data when it expires. Records you are legally required to keep, such as invoices for accounting purposes, are kept under that legal obligation rather than under consent and are an exception. Until the data is deleted you must be able to provide it, and to remove it, if the user asks you to.
With our real estate themes, the requirements are fulfilled as we do not store personal data for monetary transactions.
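To make the retention point of section 5 concrete, and the access and erasure requests mentioned earlier in the article, here is an added Python example of a small store that keeps each record only for its purpose's retention period, purges on schedule, exports what it holds on a person, and erases on request while reporting what must be kept under a legal obligation. It is not code from this article or from the theme vendor; the record kinds, the retention periods, the legal-obligation category, the in-memory storage and the sample records are assumptions. GDPR itself sets no number of days; the periods in the example are a policy you would choose and document yourself.

```python
"""Retention and data-subject requests for personal data collected around a
payment: keep each record only as long as its purpose needs, purge on schedule,
and answer access (export) and erasure requests.

Added example for section 5 and for the access / right-to-be-forgotten points
made earlier in this article. It is not code from the article or the theme
vendor; the record kinds, the retention periods and the in-memory store are
assumptions. GDPR itself sets no number of days: the periods below are a
policy you choose and document.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed retention policy. Checkout details are kept briefly; invoices are
# kept because accounting law (a legal obligation, not consent) requires it.
RETENTION: Dict[str, timedelta] = {
    "checkout_form": timedelta(days=90),
    "invoice": timedelta(days=365 * 7),
}
LEGAL_OBLIGATION = {"invoice"}   # cannot be erased on request before expiry

# Fixed "now" for the constructed sample below (an assumption, not a real date).
DEMO_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)


@dataclass
class Record:
    id: str
    subject_id: str
    kind: str
    created_at: datetime
    data: Dict[str, str] = field(default_factory=dict)

    def expires_at(self) -> datetime:
        return self.created_at + RETENTION[self.kind]


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def add(self, rec: Record) -> None:
        # Refuse to store anything without a defined retention period.
        if rec.kind not in RETENTION:
            raise ValueError(f"no retention period defined for {rec.kind!r}")
        self._records[rec.id] = rec

    def sweep(self, now: datetime) -> List[str]:
        """Scheduled job: delete every record past its retention period."""
        expired = [r.id for r in self._records.values() if r.expires_at() <= now]
        for rid in expired:
            del self._records[rid]
        return expired

    def export(self, subject_id: str) -> List[Dict[str, object]]:
        """Right of access / portability: everything we hold on this subject."""
        return [
            {"id": r.id, "kind": r.kind, "created_at": r.created_at.isoformat(), "data": dict(r.data)}
            for r in self._records.values() if r.subject_id == subject_id
        ]

    def erase(self, subject_id: str) -> Tuple[List[str], List[str]]:
        """Right to be forgotten: delete what we can; report what we must keep and why."""
        erased: List[str] = []
        retained: List[str] = []
        for r in list(self._records.values()):
            if r.subject_id != subject_id:
                continue
            if r.kind in LEGAL_OBLIGATION:
                retained.append(f"{r.id}: kept until {r.expires_at().date()} (legal obligation)")
            else:
                del self._records[r.id]
                erased.append(r.id)
        return erased, retained

    def count(self) -> int:
        return len(self._records)


def sample_store(now: datetime = DEMO_NOW) -> PersonalDataStore:
    """Constructed sample data: two buyers, one old checkout form, one invoice."""
    store = PersonalDataStore()
    store.add(Record("chk-1", "buyer-7", "checkout_form", now - timedelta(days=100),
                     {"name": "A. Example", "phone": "+00 000 000"}))
    store.add(Record("inv-1", "buyer-7", "invoice", now - timedelta(days=100),
                     {"name": "A. Example", "amount": "1200.00"}))
    store.add(Record("chk-2", "buyer-8", "checkout_form", now - timedelta(days=5),
                     {"name": "B. Example"}))
    return store


if __name__ == "__main__":
    store = sample_store()
    print(store.sweep(DEMO_NOW))       # the 100-day-old checkout form is purged
    print(store.export("buyer-7"))     # only the invoice remains for buyer-7
    print(store.erase("buyer-7"))      # invoice retained, with the reason given
```

The `erase()` reply is what you would send back to the person: the list of what was deleted and, for anything kept, the legal reason and the date it will go. Run `sweep()` from a scheduled job so deletion does not depend on anyone remembering.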
6. Cookies and re-marketing
Even if you use third-party services such as Google Analytics or a re-marketing pixel to capture data, you still need to tell your users about it, including which cookies are set and for what purpose.
7. IP Tracking
Such tools embed a tracking code in your website that records identifying details about your visitors, including their location.
Almost every interaction between your website and its visitors is an opportunity to store their IP address in your database: subscribing to your newsletter or leaving a comment typically records the visitor's IP address (WordPress core itself stores the IP address of every commenter). An IP address is personal data under GDPR, so you must tell users about this in your privacy policy.
You need not worry when using our real estate themes as they do not include any IP detection tool.
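The simplest answer to section 7 is to store less: anonymize the address before it reaches the database, or, where you need to recognise a repeat visitor (comment spam limits, for instance), store a keyed hash instead of the address. Here is an added Python example of both; it is not code from this article or from the theme vendor. The truncation widths (/24 for IPv4, /48 for IPv6), the secret key, the comment record layout and the sample addresses are assumptions.

```python
"""Store less: anonymize or pseudonymize visitor IP addresses before they
reach the database.

Added example for section 7. Not code from the article or from the theme
vendor. The truncation widths (/24 for IPv4, /48 for IPv6) are a common
choice; the secret key and the comment record layout are assumptions.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict


def anonymize_ip(ip: str) -> str:
    """Zero the host part so the stored value no longer points at one connection.
    IPv4 keeps the first three octets; IPv6 keeps the first 48 bits."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the canonical address. Lets you recognise a
    repeat poster without storing the address itself.
    Caveat: this is pseudonymisation, not anonymisation. Whoever holds the key
    can still link records to a person, so the token is still personal data
    under GDPR; keep the key out of the database and rotate it."""
    canonical = str(ipaddress.ip_address(ip)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def comment_record(author: str, text: str, ip: str, key: bytes) -> Dict[str, str]:
    """What gets written for a blog comment: the raw IP address is never stored."""
    return {
        "author": author,
        "text": text,
        "ip_prefix": anonymize_ip(ip),        # coarse location / abuse triage
        "ip_token": pseudonymize_ip(ip, key),  # repeat-poster detection
    }


if __name__ == "__main__":
    KEY = b"assumed-secret-from-config"  # assumption: loaded from config, never hard-coded
    # Constructed sample addresses from the documentation ranges.
    print(anonymize_ip("203.0.113.77"))
    print(anonymize_ip("2001:db8:abcd:1234:5678::1"))
    print(comment_record("jane", "Nice listing!", "203.0.113.77", KEY))
```

Whichever you choose, the privacy policy still has to say that the address is processed at all; this example only shrinks what you keep and for how long it can identify someone.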
8. Data Breaches
Users have the right to know what happens to their personal data. If a data breach compromises personal data and is likely to result in a high risk to the individuals concerned, the website owner must inform those individuals without undue delay.
The GDPR also requires every organization to report a data breach to its supervisory authority (in the UK, the Information Commissioner's Office, the ICO) within 72 hours of first becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A serious data breach can lead to reputational damage, financial loss, loss of confidentiality or other significant harm to the people affected.
The requirement to inform about an eventual data breach is the site owner’s sole responsibility.
In this new world information is the most valuable asset. The GDPR rules might seem a difficult task for an online business, but they also create new opportunities. What is required now is that companies value their customer data and are transparent about how they use it. Yes, you will soon be asked to implement these secure ways of managing your visitor data, and the good news is that this will only build a more trusting relationship with your customers.