Chances are you’ve heard of the General Data Protection Regulation (GDPR), even if you don’t know the details yet. It’s a set of regulations enforced by the European Union with the aim of protecting European citizens’ data online. Consequently, every organization whose operations reach audiences in the European region must make its digital information management systems as robust and transparent as GDPR requires.
GDPR, which took effect on 25 May 2018, is arguably the most momentous regulation in the Internet universe to date. It is also the starting point for all major regulatory bodies in the world to devise and implement similar regulation. In fact, parts of the United States have followed suit, most notably with California’s Consumer Privacy Act. Whether you’re a webmaster or an e-commerce store owner, GDPR has an impact on your web operations. Even if you don’t have any European user base, it makes sense to start adapting your data management practices to the GDPR framework. Here’s a guide to help.
The Key Responsibilities of Webmasters to Ensure GDPR Compliance
Under GDPR, the key responsibilities of a webmaster are centered on:
- Explaining your identity
- Declaring which data you store and the duration for which you store it
- Getting explicit consent from users before recording and storing their data
- Providing mechanisms for users to access and download their data
- Allowing users to request deletion of their data
- Communicating news of data privacy breaches within a maximum of 72 hours of detecting the breach
Action Items for Webmasters to Make Websites GDPR Compliant
Now that you understand the core responsibilities of a webmaster in the GDPR context, let us cover the major action items for you.
Complying With GDPR’s Opt-In Clause
GDPR requires websites to let users explicitly say ‘yes’ to letting you collect and store their data. Don’t confuse it with an ‘opt-out’. In more specific terms, this means that users should get an option to specifically say yes, and not merely have an option to say no.
A very basic example of this is how several e-commerce websites automatically subscribe users to partner offers and promotional updates. That’s non-compliant from GDPR’s perspective. Instead of keeping the subscribe checkbox ticked by default, you need to let the user explicitly tick it in order to be GDPR compliant.
The same rule applies to all kinds of user contact that were traditionally auto-initiated (such as automatic subscription to new offers, automatic updates for new comments on posts they visited, etc.).
Making Opt-In Unbundled and Granular
GDPR’s guidelines are very clear and unambiguous. Don’t take anything by default. Seek explicit permission. As a webmaster, you’d do well not to look for sneaky workarounds for this.
For starters, GDPR calls for unbundled opt-ins, which essentially means that you need explicit consent for the user’s general agreement to your terms and conditions, and separate consent for using their data for promotional contact.
Next, GDPR requires webmasters to seek explicit permission for different types of data processing in a granular manner. This essentially means you cannot seek a blanket acceptance for all the data processing activities you intend to carry out on the user’s information. So, you ask for newsletter subscription permission separately, and telemarketing permission separately.
Ask For Only The Absolutely Essential Information
Thriftiness with information is a massive component of GDPR compliance for websites. Traditionally, users are required to provide a lot of personal information when signing up to a website, or when signing up for premium memberships within a website. The general marketing view is: get the info even if you don’t need it for a specific purpose, just in case. This approach doesn’t work with GDPR in action.
GDPR requires webmasters to explain clearly:
- Why a specific piece of information is being asked for
- For how long it will be stored
- Who receives the information and is authorized to use it
Webmasters can achieve this by:
- Explaining the purpose of the information they are seeking, via notes on contact forms.
- Citing examples, such as ‘we ask for your birthday to credit 250 points to your account as a birthday bonus on that date’
- Using disclaimers on all pages where a user has to enter any information (sign-up forms, checkout pages, contact forms, comment sections, etc.)
- Developing a specific explanatory webpage hosted on the website, and placing its URL as an ‘additional reading’ or ‘more info’ hyperlink within all your disclaimers
Enable Easy Opt-Out
Just as GDPR requires webmasters to provide explicit, granular, and unbundled opt-ins, it also requires you to provide an easy opt-out facility to users. Each user must have known and easy-to-use mechanisms to ask the website/web business to:
- Unsubscribe them from all communications
- Reduce the frequency of communications, for example, from daily to weekly
- Prune the communication stream to specific channels, such as only email and not telephone
- Reduce the scope of communication to specific areas of interest from the larger scope initially agreed to
To achieve this, webmasters need to deliberate and decide on mechanisms to:
- Give users the opportunity to unsubscribe or reduce the scope of communication
- Immediately act on such requests, when received from users
- Clearly communicate that the opt-out requests have been served, highlighting the paths the user can take to opt back in
Name All Parties
Using ambiguous and blanket terms like ‘our third party vendors’ and ‘our promotional partners’ could get you in trouble with GDPR in action. The regulations call for websites to explicitly name all the parties on contact forms, when consent is being sought for any data processing request, or when the user needs to opt out of specific channels. This ties closely to the idea of ‘granular’ control in the user’s hands, helping them decide how often they want to be contacted and by which media, by whom.
Allow Users to Access, Download, and Delete The Data You Collect About Them
With the utmost focus on transparency, GDPR requires webmasters to ensure that website users can access all the data they’ve explicitly shared with you, and the data they created in due course of using the website.
For example, if a new subscriber to your online magazine visits all relationship articles, you need to let them access the history of their website use. However, if you use analytics to predict the next articles you will suggest they read, you are not bound to share that data, because it is not something that the user shared or generated.
Apart from the option to access this data, your website also needs to allow users to download this data, and to delete it if needed. Most website-development platforms, such as WordPress, have already upgraded their backend to support all these functions.
Here are some points your published privacy information should cover, as a matter of best practice:
- How a user can access and download any of their data records that you possess
- How a user can delete their entire data from your database (excepting the records you’re legally required to keep, such as recent invoices)
- How you will inform the users about any data breaches that impact them
- Details of your identity, the need for the data you want from the user, how long you’ll store it, and how it will be used
- Details of the third-party tools you use to manage business functions such as email marketing, cyber security, etc.
- Details of the kind of analytics carried out on collected data
- Contact information of the Data Protection Officer of your company/web business
Apart from all the action points covered above, you will also need to make sure that all the third-party tools, themes, and plugins that you use with your website are themselves GDPR compliant. This helps reduce your website’s exposure to the risk of GDPR non-compliance penalties.
We are officially in the post-GDPR era now. However, websites are still finding their feet and trying to cover all bases in terms of GDPR compliance. Webmasters need to be at the top of their game in order to ensure that their websites are fully compliant with the GDPR framework.