10 Steps to GDPR Compliant Web Design
If you are marketing to countries in the European Union (EU), your website must be GDPR compliant. Now, everyone has heard of GDPR (General Data Protection Regulation). But do you understand what it means for your website?
Table of Contents
- What is GDPR?
- Does GDPR Apply to Sites Outside the EU?
- What Are the Penalties for Non-Compliance?
- How Do You Make a Website GDPR Compliant?
What is GDPR?
GDPR is a set of data privacy laws that apply to the collection of personal data of people who live in the EU. GDPR mandates that visitors to a site must give explicit consent before their personal data is collected. However, the scope of GDPR is broader than most people realize. It is not limited to information like IP address and location; the law also applies to data such as racial or ethnic origin, political opinions, and sexual orientation.
Does GDPR Apply to Sites Outside the EU?
Any website that collects the personal data of European Union citizens is required to comply with GDPR. So, in theory, even a personal blog maintained in the US must explicitly ask visitors’ permission before collecting any personal data. Indeed, the first company fined under GDPR was a Canadian company. And the Washington Post also received a warning about cookie consent.
What Are the Penalties for Non-Compliance?
The penalties for failing to comply with GDPR can be considerable. Indeed, the size of the fines has led some big US-based websites to block EU visitors from using their sites altogether. The fines levied for non-compliance can be as high as 20 million euros or 4% of a company’s total annual turnover.
How Do You Make a Website GDPR Compliant?
Full GDPR compliance means more than adding a cookie consent pop-up to a website. To be 100% sure that a site complies with the regulations, several steps must be taken. Here’s a rundown of the steps to take to ensure that a site does not fall foul of GDPR.
1. Identify Your Data and Publish a Privacy Statement
The first step to GDPR compliance is to identify the relevant data you will be collecting. Then you need to develop and publish a privacy statement that lists that data. The privacy statement needs to be clear about what information is stored, how long it will be held, and who can view it. It must also explain how people can ask for the information held about them to be removed.
2. Active Opt-Ins Only
Any forms that invite users to share information must actively require opt-in. In other words, users must tick the boxes; the options must not be preselected. This active opt-in rule applies to cookie consent and subscriptions to mailing lists or notifications.
3. Unbundled Opt-Ins
Consent to store personal information must not be bundled with other options. So, you cannot bundle a user’s acceptance of your terms and conditions together with their consent for you to hold their data. This provision relates to the need for a user’s consent to be freely given: if a user cannot accept your terms without also agreeing to their data being held, they are not free to choose.
4. Granular Opt-Ins
Separate tick boxes must be provided for different types of consent as well. So, suppose you want permission to contact a user by phone and/or email. In that case, each communication method requires a separate confirmation. And, if you will be passing data to third parties, each of those parties must be listed for separate consent.
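As an added example (not code from the original article), the following JavaScript models steps 2 to 4 in one place: the form renders every consent box unchecked, the terms-and-conditions box is separate from any data-processing consent, and each purpose and third-party recipient gets its own explicit yes/no entry in the stored consent record. The purpose list, the field names, and the `/signup` endpoint are constructed assumptions for illustration.

```javascript
// Constructed purpose list: one entry per channel and per third-party recipient (step 4).
const CONSENT_PURPOSES = [
  { id: "contact_email", label: "Contact me by email" },
  { id: "contact_phone", label: "Contact me by phone" },
  { id: "share_with_example_analytics", label: "Share my data with Example Analytics (third party)" },
];

// Render one unchecked checkbox per purpose (step 2: nothing preselected) plus a
// separate terms checkbox (step 3: terms are not bundled with data consent).
// Labels are fixed constants above, so no user-controlled text reaches the HTML.
function renderConsentForm(purposes = CONSENT_PURPOSES) {
  const boxes = purposes.map(
    (p) => `<label><input type="checkbox" name="${p.id}" value="yes"> ${p.label}</label>`
  );
  boxes.push(
    `<label><input type="checkbox" name="accept_terms" value="yes"> I accept the terms and conditions</label>`
  );
  return `<form method="post" action="/signup">\n${boxes.join("\n")}\n</form>`;
}

// Build a consent record from submitted form fields (assumed to be a plain object
// of field name -> value). Only an explicit "yes" counts as consent; an absent or
// altered field is treated as "no" (step 2). Accepting the terms is required to
// sign up but never implies consent to any data purpose (step 3). Every purpose
// is recorded individually together with the privacy statement version the user
// saw (step 1), so later processing can be checked against what was agreed.
function buildConsentRecord(fields, policyVersion, now = new Date(), purposes = CONSENT_PURPOSES) {
  if (fields.accept_terms !== "yes") {
    return { ok: false, error: "terms not accepted" };
  }
  const consents = {};
  for (const p of purposes) {
    consents[p.id] = fields[p.id] === "yes";
  }
  return { ok: true, termsAccepted: true, consents, policyVersion, recordedAt: now.toISOString() };
}

// Gate every use of personal data on the stored record, never on a default:
// an unknown purpose or a failed record yields false.
function hasConsent(record, purposeId) {
  return record.ok === true && record.consents[purposeId] === true;
}
```

Cookie consent (step 6) can reuse the same record shape by adding a purpose per cookie category.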
5. Easy to Opt-Out
6. Cookie Consent
7. IP Tracking
8. SSL Certificate
GDPR does not explicitly require an SSL (Secure Sockets Layer) certificate. However, GDPR does state that websites should take appropriate technical measures to ensure the security of personal data. So, the broader security requirements of the legislation will be met by implementing an SSL certificate.
9. Data Recorded for Online Payments
10. Named Parties
To sum up, GDPR is all about transparency, security, and choice. Users must know what personal data of theirs is being stored, what it is used for, and how long the information will be held. And they must be allowed to explicitly allow or deny the collection and use of that data. These steps might sound like a big ask for a relatively small site that may or may not be visited by EU citizens. But GDPR compliance is not as onerous as it may first appear if it is designed into the website from the outset. And GDPR compliance is a good practice that will help to inspire trust in a site.