10 steps to making a website GDPR compliant from a web designer's point of view
In this post, I want to cover the narrow area of how to make your website GDPR compliant, and make recommendations for the specific changes you will need to make.
There has been a flurry of activity in the run-up to 25th May 2018 as businesses interpret their new obligations, and it is useful to see how some of the major players have changed their policies recently as they grapple with the concept.
GDPR will have an impact on website design, which will have a ripple effect on how your website integrates with your other digital activity like email marketing, social media, and e-commerce activities.
It's the back-of-house work that represents the real challenge: keeping records of all processing and of all consent granted by users, letting users take their data to another provider, and so on. And it is ironic that the consent mechanism itself usually sets a cookie to remember the visitor's choice, and that cookie then has to be recorded too.
The golden thread that ties all of these recommendations together is that the GDPR strengthens the requirement that consent be freely given, specific and informed, with new rules which mean businesses need to provide more transparency.
I'm going to be examining company websites, looking for the following five aspects of consent in the GDPR which the ICO highlights as key changes, and which are pertinent to marketers.
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: Give granular options to consent separately for different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
There is another important change that should be on the marketer's agenda: brands need to maintain records of the consents they hold, i.e. what users were told and how they gave consent.
If a company is asked to show that a particular user on a particular device clicked a particular way, how is it meant to do that? With a database, perhaps: one that stores, against each consent, the version of the wording the user was shown, the time, and the form it came from.
For those who don’t have their website with us, here are 10 steps you will want to review for your website, and discuss necessary changes with your web development team.
Let’s start with the straightforward changes that you will need to be making, and then move on to the more complex areas.
1 Forms: Active Opt-In
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to "no" or be left blank. Earlier this year, Boots' registration forms had pre-ticked opt-in boxes, forcing the user to actively opt out. From May 2018 this is a no-no.
The ICO's guidance is pretty clear – "Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent."
Having reviewed this, Boots revised their form with a simple change, and then added further explanatory text to make the choice clear to the viewer.
2 Unbundled Opt-In
Taking a look at Sainsbury's version, they have gone for a very clear and transparent layout.
The consent they ask for is set out separately: one section for accepting the terms and conditions, another for consent to other uses of the data.
Look how the white content blocks separate the clearly headlined 'Terms and conditions' and 'Contact permission' sections. The contact permission section requires users to select a radio button, either 'yes please' or 'no thanks', with the two options given equal prominence. This is clear as day, and what the consumer likes to see when registering for an e-commerce account.
Not everything is hunky-dory here, as permission for email, post, SMS and telephone is all lumped together into the same choice, but as far as unbundled consent is concerned (separate from the T&Cs), Sainsbury's hits the mark.
3 Granular Opt-In
As hinted above, users should be able to give separate consent for different types of processing or marketing. Age UK splits marketing consent (when filling in an online form to make a donation) into checkboxes for email, telephone, text message and post. What's also good is that each channel apart from post requires an active opt-in, though arguably consent for direct mail should be opt-in too.
4 Easy to Withdraw Permission or Opt-Out
It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.
In terms of your web user experience, this means unsubscribing can consist of selectively withdrawing consent from specific streams of communication, rather than a single all-or-nothing switch.
The Guardian shows how those who have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may affect things such as the adverts a user sees.
It is also possible to change the frequency of communication, which some people may find more palatable than stopping all communications entirely.
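The points in steps 1 to 4, and the "a database, perhaps" question about evidencing consent earlier in the post, come together in one small piece of code. The following is an added example written for this article, not code from the original post or from any of the companies mentioned: a consent ledger that reads a submitted form with active opt-in only, records each purpose separately together with the exact notice text and version the user saw, and treats withdrawal as a further event rather than a deletion, so the history can be shown later. The purposes, field names, record shape and sample submission are hypothetical; a real site would write the events to a database rather than an in-memory array.

```javascript
// Added example, not from the original post: a consent ledger that records
// each consent as its own event, tied to the exact notice the user saw.
// The purposes, field names and record shape are hypothetical; a real site
// would persist the events to a database rather than an in-memory array.

// Purposes are consented to separately (granular) and never bundled with
// acceptance of the terms and conditions.
const PURPOSES = ['email', 'post', 'sms', 'telephone'];

// Interpret a submitted form. A purpose counts as consented only if its
// field carries the explicit value 'yes'; an absent field, a 'no', or any
// other default is treated as no consent (active opt-in, never opt-out).
function parseConsentForm(fields) {
  const choices = {};
  for (const purpose of PURPOSES) {
    choices[purpose] = fields[`consent_${purpose}`] === 'yes';
  }
  return choices;
}

class ConsentLedger {
  constructor() {
    this.events = []; // append-only: withdrawal adds an event, nothing is deleted
  }

  // Record each positive choice with the wording and version of the notice
  // shown and where the consent came from, so it can be evidenced later.
  // Timestamps are ISO 8601 UTC strings, which compare correctly as text.
  grant({ userId, choices, noticeText, noticeVersion, source, at }) {
    if (!noticeText || !noticeVersion) {
      throw new Error('a consent must be tied to the notice text the user was shown');
    }
    for (const purpose of PURPOSES) {
      if (choices[purpose] !== true) continue; // a "no" is not recorded as a consent
      this.events.push({ userId, purpose, event: 'granted', noticeText, noticeVersion, source, at });
    }
  }

  // Withdrawal is a single call per purpose: as easy as granting was.
  withdraw({ userId, purpose, source, at }) {
    this.events.push({ userId, purpose, event: 'withdrawn', source, at });
  }

  // Events for one user and purpose, oldest first.
  history(userId, purpose) {
    return this.events
      .filter(e => e.userId === userId && e.purpose === purpose)
      .sort((a, b) => (a.at < b.at ? -1 : a.at > b.at ? 1 : 0));
  }

  // Was consent in force at time `at`? The latest event at or before `at`
  // decides; no event at all means no consent was ever given.
  isInForce(userId, purpose, at) {
    const relevant = this.history(userId, purpose).filter(e => e.at <= at);
    return relevant.length > 0 && relevant[relevant.length - 1].event === 'granted';
  }

  // The record to produce if asked to show what the user agreed to and when.
  evidence(userId, purpose) {
    const grants = this.history(userId, purpose).filter(e => e.event === 'granted');
    return grants.length ? grants[grants.length - 1] : null;
  }
}

// Constructed walk-through: a registration form where only e-mail was ticked.
const ledger = new ConsentLedger();
const submitted = { terms: 'yes', consent_email: 'yes', consent_post: 'no' }; // constructed input
ledger.grant({
  userId: 'user-1001',
  choices: parseConsentForm(submitted),
  noticeText: 'We will contact you about offers only by the channels you tick. You can change your mind at any time in account settings.',
  noticeVersion: '2018-05-v1',
  source: 'registration form',
  at: '2018-05-25T09:00:00Z',
});
ledger.withdraw({ userId: 'user-1001', purpose: 'email', source: 'account settings', at: '2018-07-01T12:00:00Z' });
console.log(ledger.isInForce('user-1001', 'email', '2018-06-01T00:00:00Z')); // true
console.log(ledger.isInForce('user-1001', 'email', '2018-07-02T00:00:00Z')); // false
console.log(ledger.evidence('user-1001', 'email').noticeVersion);           // 2018-05-v1
```

Two design choices matter here. Only positive choices are ever written, so there is no way for a missing or pre-filled field to turn into a recorded consent; and because withdrawal is appended rather than overwriting, you can still answer "was this user opted in when we sent that e-mail on 15 June?" after they have unsubscribed.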
5 Named Parties
Your web forms must clearly identify each party or business for which consent is being granted. It isn't enough to describe categories of third-party organisations, however precisely; they need to be named. Here's an example which I think is very much in line with the clarity that the GDPR is seeking to provide for users. Age UK sets out clearly in what circumstances users (making a donation) may be contacted, that their data will never be sold, and that users can change their mind about consent.
Crucially, there's also a line that states clearly which organisations "we" refers to.
6 Privacy Notice and Terms and Conditions
The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.
You will also need to update the terms and conditions on your website to reflect GDPR terminology. In particular, you will need to make transparent what you will do with the information once you have received it, and how long you will retain it, both on your website and in your office systems.
You will also need to communicate how and why you are collecting data. Your privacy policy will need to name the applications you use to track user interaction, and the third parties they send data to.
7 Online Payments
If you are an e-commerce business, you are likely to be using a payment gateway for financial transactions. Card details should be entered on and held by the gateway, never stored on your own server, but your website may still be collecting personal data (names, addresses, e-mail) before it passes the customer on to the gateway.
If so, and your website keeps those personal details after the order has gone through, you will need to modify your web processes to remove them after a reasonable period, for example 60 days. The GDPR is not explicit about the number of days; it is your own judgement what period can be defended as reasonable and necessary, and that period should be written down in your retention policy so that the deletion job and the policy say the same thing.
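What "remove personal information after a reasonable period" looks like as a scheduled job, as an added example for this article rather than anything from the original post: personal fields are stripped from order records once the retention period has passed, the non-personal part of the order (reference, date, total) is kept, and a tombstone records that redaction happened so the job is idempotent and can run nightly. The field names, order shape, sample data and 60-day figure are hypothetical; the post uses 60 days only as an illustration, and card numbers never appear because the gateway, not the site, holds them.

```javascript
// Added example, not from the original post: a retention purge for order
// records. Field names, the order shape and the 60-day period are
// hypothetical; the post uses 60 days only as an illustration. Card numbers
// never appear here because the payment gateway, not this site, holds them.

const RETENTION_DAYS = 60;
const DAY_MS = 24 * 60 * 60 * 1000;
// Fields that identify the customer and are no longer needed once the order
// has been fulfilled and the returns/dispute window has passed.
const PERSONAL_FIELDS = ['customerName', 'email', 'phone', 'billingAddress', 'shippingAddress'];

// Returns a new list of orders with personal fields removed from every order
// older than the retention period, plus a count of what was redacted. Orders
// already redacted are left alone, so the job can run nightly and is idempotent.
// The input array and its objects are never mutated.
function purgeExpiredPersonalData(orders, now, retentionDays = RETENTION_DAYS) {
  const cutoff = new Date(now).getTime() - retentionDays * DAY_MS;
  let redacted = 0;
  const result = orders.map(order => {
    const placedAt = new Date(order.placedAt).getTime();
    if (order.redactedAt || placedAt > cutoff) return order; // already done, or still within retention
    const copy = { ...order };
    for (const field of PERSONAL_FIELDS) delete copy[field];
    copy.redactedAt = new Date(now).toISOString(); // tombstone: the fact of deletion is kept
    redacted += 1;
    return copy;
  });
  return { orders: result, redacted };
}

// Constructed sample, run as at 1 August 2018: one order past retention, one
// inside it, one redacted on an earlier run.
const SAMPLE_ORDERS = [
  { orderId: 'A100', placedAt: '2018-05-01T10:00:00Z', total: 24.99,
    customerName: 'Example Customer', email: 'customer@example.com', shippingAddress: '1 Example Street' },
  { orderId: 'A101', placedAt: '2018-07-15T10:00:00Z', total: 9.50,
    customerName: 'Another Customer', email: 'another@example.com' },
  { orderId: 'A099', placedAt: '2018-04-01T10:00:00Z', total: 100.00, redactedAt: '2018-06-02T01:00:00Z' },
];
const nightly = purgeExpiredPersonalData(SAMPLE_ORDERS, '2018-08-01T00:00:00Z');
console.log(nightly.redacted);   // 1
console.log(nightly.orders[0]);  // A100 with total kept, personal fields gone, redactedAt set
```

An order placed exactly 60 days before the run is treated as expired, so the boundary is "at least the retention period old", which is the conservative direction for a deletion job.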
8 Third Party Tracking Software
Things now start to get tricky when it comes to third-party tracking software.
Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking applications like Google DoubleClick, Facebook or YouTube. You know this to be true because of the ability to recall a particular YouTube video in your Google history at a later date. Fascinating or scary, YouTube logs that you viewed it through a particular website and has added it to your account history just in case you need to recall it later.
The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and in my opinion this remains a grey area. At first glance, these applications track users in ways they would not expect and for which they have not granted consent: for example, recording each time a visitor returns to your website or views a specific page on your site.
Many clients embed YouTube videos in their websites, and this is perfectly normal. But the GDPR's transparency requirements mean you should make clear that, as soon as they press play, visitors are handed over to YouTube and its privacy policy. Cover this in your own privacy policy, and bear in mind that a single "accept cookies" click is neither specific nor granular in the sense set out at the top of this post, so the safer pattern is to load the player only once the visitor has actively chosen to.
The software suppliers, for their part, argue that cookie-based tracking is in the legitimate interest of your business as the data controller, and they are confident that their products are GDPR compliant. But if the software does something unlawful on your site, the responsibility is yours as data controller. The real task is to identify the compliance risks in using this kind of software and to mitigate them as a business owner, which means reviewing your contracts with these providers carefully.
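One way to implement the YouTube point above, as an added example for this article and not code from the original post: the page first shows a placeholder that tells the visitor what pressing play will do, and the real player (the part that lets YouTube set its cookies) is only inserted after that click, or straight away if the visitor has already opted in to a "media" cookie category. The CSS class names, the `consentedToMedia` flag and the sample video id are hypothetical; the `youtube-nocookie.com` embed host is YouTube's reduced-tracking embed domain and its use here is the editor's choice, not something the post prescribes. The id check is there because an embed id taken from a CMS field or a query string is attacker-influenced input being written into markup.

```javascript
// Added example, not from the original post: a "click to load" YouTube
// embed. The placeholder tells the visitor what will happen; the player is
// only inserted after a click, or at once if the visitor has already
// consented to a hypothetical 'media' cookie category. Class names and the
// consent flag are assumptions; youtube-nocookie.com is YouTube's
// reduced-tracking embed host (editor's choice, not the post's).

// YouTube video ids are 11 characters from this alphabet. Validating the id
// means a value taken from a CMS field or query string cannot inject
// attributes or markup into the page.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

// Markup for one video. Without consent, a placeholder that names the
// third party and links its policy; with consent, the real player.
function embedMarkup(videoId, consented) {
  if (!YOUTUBE_ID.test(videoId)) {
    throw new Error('not a well-formed YouTube video id');
  }
  if (!consented) {
    return (
      `<div class="yt-placeholder" data-video-id="${videoId}">` +
      '<p>Playing this video loads content from YouTube. YouTube will set cookies ' +
      'and process your data under <a href="https://policies.google.com/privacy">' +
      "Google's privacy policy</a>.</p>" +
      '<button type="button" class="yt-load">Load video</button></div>'
    );
  }
  return (
    `<iframe src="https://www.youtube-nocookie.com/embed/${videoId}" ` +
    'width="560" height="315" title="YouTube video" allowfullscreen ' +
    'referrerpolicy="strict-origin-when-cross-origin"></iframe>'
  );
}

// Browser side only: swap each placeholder for the player on click, or at
// once when the visitor has already opted in to media cookies. Nothing
// touches YouTube until one of those two things happens.
function mountEmbeds(root, consentedToMedia) {
  root.querySelectorAll('.yt-placeholder').forEach(el => {
    const load = () => { el.outerHTML = embedMarkup(el.dataset.videoId, true); };
    if (consentedToMedia) load();
    else el.querySelector('.yt-load').addEventListener('click', load);
  });
}

// Server-side (or build-time) rendering of a constructed page fragment.
const SAMPLE_VIDEO_ID = 'abcDEF12345'; // constructed, not a real video
console.log(embedMarkup(SAMPLE_VIDEO_ID, false).includes('<iframe'));                                 // false
console.log(embedMarkup(SAMPLE_VIDEO_ID, true).includes('youtube-nocookie.com/embed/abcDEF12345'));   // true
```

In the browser you would call `mountEmbeds(document, consentedToMedia)` after your cookie banner has stored the visitor's choice; the same `embedMarkup` function renders the placeholder on the server so the page never ships the iframe to a visitor who has not opted in.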
9 What About Google Analytics and Google Tag Manager?
If you are interested in Google’s commitment to GDPR then a good place to start is this website: How Google complies with data protection laws
Many websites are configured to use Google Analytics to track user behaviour, and it is often described as anonymous because it collects no names or e-mail addresses. It does, however, set a client-ID cookie on each visitor and receives their IP address, and under the GDPR online identifiers like these can count as personal data. It is safer to treat Analytics as in scope: turn on its IP anonymisation setting, name it in your privacy notice and cookie policy alongside your other tracking tools, and make sure Google's data processing terms are in place for your account (the link above covers this).
With regards to Google Tag Manager: it's a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with Tag Manager is twofold. Whoever can publish tags (which may well be your web designer or digital marketing agency) can add new data flows to your site without a code deployment, so you need a contract that makes their responsibilities as a data processor on your behalf clear, and you need to review which tags are actually live so that your privacy notice matches them.
So the underlying issue with the GDPR is to identify your third-party data processors and have contracts in place with them to protect your own interests.
10 And Finally… It Isn’t Only Your Website That Needs to Be GDPR Compliant
The changes being introduced with GDPR will permeate your entire business, but in this post we are focusing purely on your digital marketing.
As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider. The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key questions to be considering now as we approach the May deadline:
- You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
- Do you need to either gain or refresh consent for the data you hold?
- Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
- Is your data being held securely, keeping in mind both technology and the human factors in data security?
- Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
Summary
Companies should be moving towards compliance with the GDPR before 25th May 2018; the most visible part of this compliance, the UX of obtaining consent and letting users know what they're in for, should be a priority now.
Where does the Web designer fit into all this?
A web designer fulfils a brief to design an engaging site to a client's requirements. They are experts in design, technology and user experience. Web companies are not legal experts and do not commit to creating policies for their clients. However, they do know what components go into a website, and they should be able to answer the questions that inform those legal experts.
However, it seems that web designers aren't usually asked by legal experts what goes on in their websites, and yet privacy policies and cookie policies are churned out regardless. Who does the business turn to when a complaint is made to the ICO: the legal expert who compiled the policy, or the website designer who added the form, YouTube link or Twitter icon? Something to ponder.
There is a size of company at which, suddenly, everything steps up a notch and matters are dealt with correctly. The proportion of companies with this resource is surprisingly small. Most small or medium businesses do not have the means to reach out to highly paid professionals.