The new GDPR legislation came into effect in May 2018. It’s designed to ensure that only relevant data is collected, that data is processed fairly and securely, and that data is not kept longer than necessary. GDPR laws cover everyone about whom you keep personal data, including clients, members, customers, donors and staff. Much of the GDPR is the same as the UK’s previous Data Protection Act, but there are some new elements and enhancements, so we’re providing this guide to help you make sure your website is GDPR compliant.
What is the GDPR and why is it important?
GDPR stands for General Data Protection Regulation, a European Union-wide law concerning the way data is collected, used and stored. It is applicable to anyone who collects or processes personal data. Breaches of the law not only incur fines of up to €20m but could also seriously damage your company’s reputation.
How can you make your website GDPR compliant?
- Update your privacy notice: Ensure there’s an up-to-date privacy notice on your website that tells people when their data is collected, for what purpose it is collected, who the data will be shared with, and how long it will be kept for. You also need to mention that people can contact the Information Commissioner’s Office if there’s a problem or they have a complaint. Your privacy notice should be concise, transparent and easy to understand.
- Check cookie policies: Under the GDPR, cookies are considered to be personal data. Therefore, if your website sets cookies, you need to inform all site visitors, explain how their data is used, and gain and record their consent.
- Be clear on contact forms: Make sure you have a tick box for users to agree to their data being processed, which either includes or links to your privacy notice. The tick box must be unticked by default. You need separate tick boxes if you want users to consent to you sending further marketing communications.
- Enable individual updates and opt-outs: Make sure you have procedures in place to keep data accurate and remove any information when no longer needed. Users need to be able to change their information, withdraw consent, or see their data at any time.
- Maximise security: Serve your site over HTTPS so that data is encrypted in transit. You should also check you have adequate virus protection and other security systems in place to keep data safe.
- Check other systems, platforms and apps: Whether you use email marketing software, databases, Google tools, or have a mobile app, you need to ensure GDPR compliance with these too, as they are also processing your data.
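The contact-form, consent-recording and opt-out points above translate into a small amount of code on the site. The following is an added example written for this guide, not code from the original page or from any named product: it shows a contact form whose consent boxes are unticked by default, server-side validation that treats a missing or unticked box as no consent, a consent record that captures when and under which privacy-notice version consent was given, and the withdraw and export operations a user is entitled to. The field names, the notice version label and the sample submissions are constructed assumptions for illustration; a real site would persist the consent log in a database rather than in memory.

```javascript
// Added example (not from the original guide). Field names, the notice
// version and the sample submissions below are constructed assumptions.
const PRIVACY_NOTICE_VERSION = "2018-05"; // assumed label for the current notice

// The form markup: neither checkbox carries a `checked` attribute, so both
// are unticked by default and marketing consent is a separate, optional box.
const contactFormHtml = `
<form method="post" action="/contact">
  <input type="email" name="email" required>
  <textarea name="message"></textarea>
  <label><input type="checkbox" name="dataConsent" value="on">
    I agree to my data being processed as described in the
    <a href="/privacy">privacy notice</a></label>
  <label><input type="checkbox" name="marketingConsent" value="on">
    Send me marketing emails</label>
  <button type="submit">Send</button>
</form>`;

// In-memory consent log keyed by email (a database table in a real site).
const consentLog = new Map();

// Validate a submitted form. Browsers only send a checkbox field when it is
// ticked, so an absent field means "no consent"; nothing is assumed by default.
function validateSubmission(form) {
  const errors = [];
  if (!form.email || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(form.email)) {
    errors.push("email");
  }
  if (form.dataConsent !== "on") {
    errors.push("dataConsent"); // processing consent is mandatory
  }
  return {
    ok: errors.length === 0,
    errors,
    marketingConsent: form.marketingConsent === "on", // optional, separate
  };
}

// Record what the user agreed to and when, so the site can later show
// consent was obtained and can honour a withdrawal.
function recordConsent(email, marketingConsent, now = new Date()) {
  const record = {
    email,
    noticeVersion: PRIVACY_NOTICE_VERSION,
    dataProcessing: true,
    marketing: marketingConsent,
    grantedAt: now.toISOString(),
    withdrawnAt: null,
  };
  consentLog.set(email, record);
  return record;
}

// Withdrawal: keep the record (as evidence of what happened) but mark it
// withdrawn and stop any marketing immediately.
function withdrawConsent(email, now = new Date()) {
  const record = consentLog.get(email);
  if (!record) return null;
  record.withdrawnAt = now.toISOString();
  record.marketing = false;
  return record;
}

// Access request: return a copy of everything held about this email.
function exportData(email) {
  const record = consentLog.get(email);
  return record ? { ...record } : null;
}

// Request handler glue: reject without consent, otherwise record it.
function handleSubmission(form) {
  const result = validateSubmission(form);
  if (!result.ok) return { status: 400, errors: result.errors };
  const record = recordConsent(form.email, result.marketingConsent);
  return { status: 200, record };
}

// Constructed sample submissions (not real users).
const okForm = { email: "alice@example.org", message: "hi", dataConsent: "on" };
const noConsentForm = { email: "bob@example.org", message: "hi" };

console.log(handleSubmission(okForm).status);        // 200
console.log(handleSubmission(noConsentForm).status); // 400
console.log(withdrawConsent("alice@example.org").marketing); // false
```

The point of keeping `dataConsent` and `marketingConsent` as two independent fields is that a user can agree to the enquiry being handled without agreeing to marketing; the validator never infers one from the other, and `withdrawConsent` leaves the original grant visible so the site can still show it was obtained.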
Where can you find more information?
For more information about data protection, visit the Information Commissioner’s Office (ICO) website. Some other useful resources are the ICO’s 12 steps to prepare for the GDPR, the NCVO’s preparation guide for charities and not-for-profits and the main EU GDPR website.