In less than two weeks (May 25, 2018), the most significant change in data privacy and protection regulation in 20 years goes into full effect. The EU’s General Data Protection Regulation (GDPR) is aimed at protecting the personal and sensitive information of all EU residents, regardless of where an organization is based. Under GDPR, individuals are given greater control over the personal information they share with organizations.
GDPR is built around the idea that organizations make good data governance a high priority. Even if your organization is not required to comply with the new regulation, ensuring that your site and processes embrace the spirit of data protection and privacy will gain and keep the trust of your users. Once your organization has completed a comprehensive data governance review (if you haven’t, check out our blog post on how to do this!), take these five steps to ensure your website matches your organization’s stance on privacy by design.
1. Make sure your site is secure.
An SSL certificate is a small file installed on your web server that lets the server prove its identity and create an encrypted connection between a user’s web browser and your website. Having SSL on your website is like sealing your message in an envelope that only your recipient can open and read. Having an SSL certificate signals to your users that your organization values the security of any personal information they share with you.
There are other benefits to having an SSL certificate installed on your site. If you collect payment information, your site must use SSL to meet the security standards set by the Payment Card Industry (PCI). In addition, major browsers such as Google Chrome and Mozilla Firefox have started to show a warning for every site that is not secure.
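Installing the certificate is only half the job: visitors who type your address without `https://` still arrive over plain HTTP, so the server has to send them to the secure version and tell browsers to keep using it. The following is an added example, not code from the original post: a small WSGI middleware in Python that redirects HTTP requests to a configured canonical HTTPS host and adds a `Strict-Transport-Security` header to HTTPS responses. The application `site_app`, the host `www.example.org`, and the request dictionaries at the bottom are constructed for illustration.

```python
"""Enforce HTTPS in front of a WSGI application (added example)."""
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, in seconds; use a short value while testing


def site_app(environ, start_response):
    """Stand-in for the real site: returns a plain page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def is_https(environ, trust_proxy=False):
    """Decide whether the request arrived over HTTPS.

    X-Forwarded-Proto is honoured only when trust_proxy is True, i.e. the app
    sits behind a proxy you control that terminates TLS. Otherwise any client
    could send the header and skip the redirect."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https":
        return True
    return False


def https_redirect_url(environ, canonical_host):
    """Build the HTTPS URL for the same path and query on the canonical host.

    The Host header is deliberately ignored so that a crafted Host value
    cannot turn the redirect into a redirect to a third-party site."""
    path = quote(environ.get("PATH_INFO", "/") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{canonical_host}{path}" + (f"?{query}" if query else "")


def enforce_https(app, canonical_host, trust_proxy=False):
    """Wrap `app`: redirect plain HTTP with a 301, add HSTS to HTTPS replies."""
    def middleware(environ, start_response):
        if not is_https(environ, trust_proxy):
            start_response("301 Moved Permanently",
                           [("Location", https_redirect_url(environ, canonical_host)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security",
                 f"max-age={HSTS_MAX_AGE}; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return middleware


def call(app, environ):
    """Helper: run a WSGI app once and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = enforce_https(site_app, "www.example.org")
    # Constructed requests, not real traffic.
    print(call(app, {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.org",
                     "PATH_INFO": "/signup", "QUERY_STRING": "ref=newsletter"}))
    print(call(app, {"wsgi.url_scheme": "https", "HTTP_HOST": "www.example.org",
                     "PATH_INFO": "/signup", "QUERY_STRING": ""}))
```

Keep `trust_proxy` off unless a load balancer or CDN in front of the server is the only thing that can reach it, and start with a small `HSTS_MAX_AGE` until you are sure every subdomain serves HTTPS, because browsers will refuse plain HTTP for the whole period once they have seen the header.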
2. Review your newsletter, registration, and other email subscription forms.
When it comes to GDPR, one of the major areas of change facing website administrators and digital marketers is how to collect and store email subscription consent. To maintain compliance, organizations must collect affirmative consent that is “freely given, specific, informed, and unambiguous.”
At a minimum, your email subscription forms must:
- Be separate from other terms and conditions: Signing up to receive marketing communications must not be a requirement for registering for a service.
- Contain a clear affirmative action: For consent to be valid under GDPR, users must actively confirm their consent, such as by checking an empty opt-in checkbox. Pre-checked boxes or inactivity do not constitute consent under GDPR.
- Describe who will be using the information and how: Each form must state the name of your organization and any other third-party services that process the information in the submitted form. You will also need to state why and how the user’s information will be processed.
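The three requirements above translate directly into how the form is built and how the submission is handled. The following is an added example, not code from the original post: a Python handler for a registration form with a separate, unchecked newsletter opt-in. Registration succeeds whether or not the box is ticked, only the explicit value sent by a ticked box counts as consent, and each consent record names the controller, the processors, and the version of the notice the user saw. The organization name, processor name, notice text, and form fields are placeholders.

```python
"""Separate, affirmative, informed newsletter consent (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Placeholder values; a real deployment fills these from its data governance review.
CONTROLLER = "Example Org (placeholder)"
PROCESSORS = ["ExampleMailer (placeholder email service)"]
NOTICE_VERSION = "2018-05-v1"
NOTICE_TEXT = (
    f"{CONTROLLER} will use your email address to send you our monthly "
    f"newsletter. It is processed on our behalf by {', '.join(PROCESSORS)}. "
    "You can unsubscribe at any time."
)

# The checkbox starts empty (no `checked` attribute) and sends this value only
# when the user ticks it. An unticked box is simply absent from the submission.
AFFIRMATIVE_VALUES = {"yes"}

REGISTRATION_FORM_HTML = f"""
<form method="post" action="/register">
  <label>Email <input type="email" name="email" required></label>
  <label><input type="checkbox" name="newsletter_consent" value="yes">
    {NOTICE_TEXT}</label>
  <input type="hidden" name="notice_version" value="{NOTICE_VERSION}">
  <button type="submit">Create account</button>
</form>
"""


@dataclass
class ConsentRecord:
    """What to store as evidence of consent: who, for what, under which notice, when."""
    email: str
    purpose: str
    controller: str
    processors: list
    notice_version: str
    given_at: str  # ISO 8601, UTC


@dataclass
class RegistrationResult:
    email: str
    marketing_consent: Optional[ConsentRecord]
    errors: list = field(default_factory=list)    # block registration
    warnings: list = field(default_factory=list)  # registration proceeds


def process_registration(form: dict, now: Optional[datetime] = None) -> RegistrationResult:
    """Register the account; record newsletter consent only if explicitly given.

    `form` is the parsed POST body (field name -> value)."""
    now = now or datetime.now(timezone.utc)
    email = (form.get("email") or "").strip()
    result = RegistrationResult(email=email, marketing_consent=None)
    if "@" not in email:
        result.errors.append("A valid email address is required to register.")
        return result

    raw = (form.get("newsletter_consent") or "").strip().lower()
    if raw in AFFIRMATIVE_VALUES:
        # Consent is tied to the exact notice the user saw. If the notice has
        # changed since the page was rendered, ask again rather than record it.
        if form.get("notice_version") != NOTICE_VERSION:
            result.warnings.append("Consent notice has changed; please re-confirm.")
        else:
            result.marketing_consent = ConsentRecord(
                email=email, purpose="newsletter", controller=CONTROLLER,
                processors=list(PROCESSORS), notice_version=NOTICE_VERSION,
                given_at=now.isoformat())
    # Any other value (absent, empty, "no") is not affirmative consent, and
    # the account is still created: subscribing is never a condition of signing up.
    return result


if __name__ == "__main__":
    # Constructed submissions, not real user data.
    print(process_registration({"email": "ada@example.org"}))
    print(process_registration({"email": "ada@example.org",
                                "newsletter_consent": "yes",
                                "notice_version": NOTICE_VERSION}))
```

Store the `ConsentRecord` alongside the subscription itself; being able to show which notice text a subscriber agreed to, and when, is what lets you answer a later request to see or withdraw that consent.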