In today’s digital world, websites are the primary channels through which we collect personal data and build relationships with customers. Therefore, the deadline for companies to comply with General Data Protection Regulation (GDPR) is fast approaching. Among many other measures you should take, it is important to ensure your website is GDPR-compliant.
By now, I am assuming you already know about GDPR if you offer services within the EU and/or EEA. If not, Start by getting to know the legislation and how it affects your business.
General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.
It means whatever personal data you handle via your website, you must do so in alignment with the following principles.
- fair and lawful processing;
- purpose limitation;
- data minimisation, data retention and data security
This is applicable to you as the controller and processor of data (1st party), as well as 3rd parties that process data on your behalf.
Your website and the web: Personal data, controller and the processor
Let’s take a look at the relationship between your website and some of the other players of the web. People come to your website for certain benefits. Whether you own an ecommerce store, a blog, a bank or a technology company, you are a publisher of value.
In the above illustration, you are a publisher of information. However, before customers arrive to your website, there’s a high chance they came from a search engine such as Google or a social networking platform such as Facebook.
If you would like to know which of these channels work best at bringing customers to your website, you would install Facebook pixel or Google analytics to keep an eye on events. And since good business is built on good relationships, you want to keep users coming back with a good user experience each time they visit.
This is where tools like Mailchimp – for getting users’ emails and addresses or Hotjar for getting users’ feedback come into the picture. These forms and tracking tools require you to install cookies in the form of code snippet on users’ browsers. These are then stored temporarily or permanently on their local hard drive.
There are 1st party data which you collect and process without transferring to 3rd parties. And there are data you need to send to 3rd party tools such as the ones mentioned above. This is very similar to giving a professional accounting firm access to your financial data.
In today’s digital world, collecting data is inevitable. So is GDPR and all other data privacy policies that accompany it. Therefore, the repercussion of violating GDPR – 20M € or 4% of your revenue, whichever is higher – will be unbearable for most businesses. In essence, most companies that can’t find a way out of a potential lawsuit will close shop. So get ready for action.
So how should you rethink your website redesign for GDPR?
While you need to consult your lawyers for the most accurate interpretation of the legislation, you equally need to do business and technology assessments. This will not only help you make the best of the consultation with your legal adviser but also help identify business opportunities that GDPR may present.
Here are some practical steps we are taking to ensure websites are GDPR compliant at The F Company:
1) Start with the mindset
Ensure your company and everyone working with your website understand GDPR, the implications of not doing things right, and the opportunities it presents for your business. Why everyone? In a digital world, customer data is most likely spread across your organization. You want to ensure everyone understands how to use it and keep it secure
2) Analyse what kind of data you collect via your website
Gather a cross-functional team – from product to support, and including IT – from your company and map out the tools and software that are associated with your website. Then categorize the personal data you collect via each tool. Below is a 5-column template we are using at The F Company to conduct similar mapping:
3) Cluster your users by similarities: Whose data are you collecting
Some users will be visiting your website for the first time while some will be returning visitors whom you have already built relationships with. Cluster them by such similarities in order to identify how to use their data. Baekdal in this article, offered a brilliant approach to how publishers can categorise their website users by the level of relationship. Any brand with a website will find it useful.
4) Get the right consent and declare how you use personal data
This is one of the most critical steps in making your website compliant. GDPR wants you to have a purpose for collecting data, state clearly what data you collect, and obtain consent from a customer visiting your website.
There are many ways you collect data from visitors to your website. Let’s discuss the most common ones.
Going forward, no one is allowed to do this anymore from the 25th May. For each category of data you collect, you are obliged to inform and let users tell what data they will like to share. There are a couple of leading brands who have already implemented this. Let’s look at how IBM’s approach.
In the image below, IBM grouped cookies into 3 different categories: Required, functional and advertising. Note that they have opted for a slider rather than check boxes. Whatever approach you choose, give users the freedom to choose what they want to share.
In the following image, I limit the power of cookies to required and functional only.
Whereas in the image below, I am stating that IBM can share my data with 3rd party partners and even show me personalised advertising based on my browsing history.
Show users what you do and let them decide if they allow you to collect tracking data.
The standard today is to embed 3rd party forms to collect data from users on your website. Let’s say you run an ecommerce business built with Shopify. By default, your user account and order details are supplied and stored in Shopify. On a different note, if you send marketing updates to your customers using Hubspot or Mailchimp, you most likely use embedded forms from these providers to collect data on your website. Make sure you include consent boxes alongside your website forms. Most of the popular 3rd party services have created the tools needed to obtain the right consent for each category of data you collect.
For example, Mailchimp has created a guideline for obtaining consent when you use their forms on your website. Head over to the website of your 3rd party tools and implement their GDPR compliant forms.
5) Handle data you collect and process via your website appropriately
If a user is visiting your website for the first time, or returning to your website after requesting deletion of her personal data, be sure to request consent before loading your cookies. On another hand, if a user has subscribed only to a certain part of your marketing updates and not all, don’t enrol them in all your marketing lists. The bottom line is to ensure you get the consent for every category of data we spoke about in point 3 above.
Obviously when a user has given you the full permission to her data, you are free to use them to the serve the user and capture value in return as long as it is within the scope of the purpose which you initially stated to the user.
Sign Data Processing Agreement (DPA) with 3rd parties
Remember in the illustration we started with above, you are not the only player on the web. There are other organisations who would have access to your customers’ data. In most cases, they will be processors while you remain the controller of that data. Therefore, ensure you have a data processing agreement in place with each of the service providers.
Once gain, most of these providers have already taken steps to be GDPR-compliant. Thus making it easier for you to act. For instance, Mailchimp has an online Data Processing Agreement (DPA) that you can sign digitally. Hotjar, the website that monitors what section of your website is interesting for users, also has a public DPA form you can fill and sign online. Whatever tool you use with your website, ensure you sign a DPA with each of them.
Finally, remember to sign Data Processing Agreement with subcontractors such as your website partner. Request that your lawyer drafts a simple Data Processing Agreement for you. The purpose is to obtain the commitment of subcontractors to appropriate use and security of your customer data. This way, when shit happens, you won’t be liable for violations from 3rd parties.
Ensure security of collected data
By default, if you use 3rd party forms from reliable providers for payment processing or for processing your contact lists, they must have taken their data security measures such as encryption etc. Nevertheless, remember to review their security measures when you sign a DPA. This is especially important if they have servers outside the EU or the EEA.
Website data can also be intercepted in between browsers and destination servers. Make sure you have SSL in place to initiate secure user sessions with visitor browsers.
6) Make personal data accessible to users
Even though users had given you their consent to collect personal data when visiting your website, GDPR expects they maintain rights over such data. Therefore, ensure that
1) you and 3rd parties have stored data such that it could be made accessible to the user
2) when a user wishes to see all the data she has consented to, you can easily provide access in a human readable format.
An example of access measure by a 3rd party is Hotjar, which has implemented Visitor Lookup (see image below) allowing visitors to see what data is associated with them.
Therefore for data you collect and process internally, and for all the data you collect on behalf of 3rd party processors: ensure you make it easy for subject rights to access, modify, request deletion or even send them to other 3rd party tools where technologically possible.
GDPR is an opportunity to redesign your website
GDPR seems like a bunch of dos and don’ts right? But if you think deeply, it’s an opportunity to build meaningful relationships with customers who want to engage or keep hearing from you. GDPR enables open conversations with customers by telling them records of them you wish to collect. It is also an opportunity to improve the quality of your business data. When trust precedes persuasion, we can get better results.
Though GDPR affects your entire organization, your website is the gateway to data collection. Therefore, GDPR is an opportunity to redesign your website for growth.