We've all got forms on our websites which invite our visitors to subscribe to newsletters or indicate their contact preferences. Now, the check-boxes attached to these invitations will need to be defaulted to "no" or be blank. You can't force your user to actively opt-out with pre-selected tick-boxes any more; that's classed as bad user experience, and definitely needs to be changed by May.
In addition to the above, you need to clearly set out the options separately and in plain English. For example, the acceptance of your terms and conditions needs to be clearly separated from your contact permissions. It needs to be totally unambiguous what action they're taking by selecting these options.
Your users need to be able to provide separate consent for different types of communication (post, email, SMS, telephone etc.) For example, they need to be able to tick email communications, but not post, if they want to.
It needs to be as easy to withdraw permissions as it was to grant them. Simple. So make sure your contact preferences page is really, really easy to find.
What exactly are they agreeing to? Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations, they now need to be named.
For example, John Lewis' forms ask for permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.
You'll also need to update your terms and conditions on your website to reference GDPR terminology. You'll particularly need to make it clear what you intend to do with the information once you’ve received it, and how long you'll retain this information both on your website and elsewhere. You'll also need to communicate how and why you're collecting data, so you should transparently detail any software or applications you're using to help facilitate that.
If you're an e-commerce businesses using a payment gateway for financial transactions, you need to also be aware of your own website collecting any personal data before passing the details onto the payment gateway.
If your website's storing these personal details after the information has been passed on, then you'll need to modify your web processes to remove any personal information after a reasonable period. The GDPR legislation is not actually explicit about the number of days, apparently, but it could be, say, 60 days after.
Now, here's where it gets a little tricky. A lot of businesses now use a third-party marketing automation software solution these days. These might be lead-tracking or call-tracking applications.
The use of these kinds of tracking applications is a bit of a grey area when it comes to GDPR, but it does raise some interesting questions. They seem to track users in ways they wouldn't expect, and as such, users have not granted consent.
For example, are you tracking your visitors each time they return to your website or view a specific page on your site?
Luckily, a lot of the suppliers of these applications assure us they're GDPR-compliant. CANNDi, for example, have a whole section on GDPR compliance, and advise their clients to display banners which state clearly and unambiguously that cookies are being used. However, it's always good to double check your supplier has got your back when it comes to GDPR, so make sure you review your contract with your software providers very carefully.
Loads of websites these days are configured to use Google Analytics to track user behaviour. Luckily, it's always been an anonymous tracking system — there's no "personal data" being collected. So it seems that GDPR might not have much of an impact on it's usage.
Nevertheless, Google has stated their commitment to complying with applicable data protection laws. They said they're working hard to prepare for the new changes and have placed keeping user information safe as one of their highest priorities. You can read all about it here.
You'll also need to check the data you have stored in various places around your business. Make sure you have a good understanding and documented record of the data you hold. Who has agreed to you storing their info? How have they consented? And when did they consent? All the answers to these questions need to be readily available. Essentially, unless you need to keep certain data, it could be a liability for your business and should probably be deleted.
Websites that use HTTPS send data over an encrypted connection, so you need to make sure your website has an SSL certificate. Your CMS provider should also address this, because if your database itself is unencrypted, your contacts will be left exposed in a breach.