GDPR is getting everyone into something of a frenzy of nerves. We’ve seen Wetherspoons delete their entire mailing list, and the Sun declare, “builders, cleaners and gardeners could face huge fines just for sending an email to drum up business thanks to draconian EU laws on data protection.” Whilst GDPR can seem a little daunting, and, if we are completely honest, there is still a lot of uncertainty surrounding this acronym, we at Nimbus have teamed up with one of our fantastic clients, Aubergine, to give agencies the inside scoop on how best to prepare a website for GDPR.
Agencies are quite possibly among the businesses most deeply impacted by GDPR, so to help smooth the way into this new utopian era we have split the blog into two halves: internal and external action points.
So firstly our internal checklist:
- Do a data assessment: If this sounds a little dry, it’s probably because it is. Essentially, you will need to review all the places your organisation captures, handles and processes data.
- Arrange regular GDPR meetings: These should be seen as invaluable opportunities to decide on next steps. To help make them more palatable we recommend tea and biscuits.
- Register with the Information Commissioner’s Office (the ICO).
- You may need to nominate a Data Protection Officer (a DPO).
- Provide training for all your staff.
- Create agreements between yourself and third parties that share data.
Now for our external checklist. Given that most agencies run quite a few websites, it is tremendously important that you make sure both you and your clients are compliant. So here is our simple roundup on all things websites and GDPR:
- Websites must have SSL certificates, so that any personal data a visitor types into a form travels over HTTPS rather than in the clear (this is something we have already blogged about, so if you want any further information feel free to check out the link here).
- We would recommend that all forms on the website have a CAPTCHA.
- Here’s the biggie: all forms on the website must have a clear opt-in tick box for each different method of possible contact (such as phone, SMS, direct mail or email).
- Any user data gathered through a website form must be recorded along with the date, time and reason for capture.
- An obvious and clear statement that cookies are used on the site, along with a table of which cookies are used and their purpose.
- For any sites that have user accounts there needs to be an obvious page that allows a user to request deletion. This is due to a rather exciting clause in GDPR known as ‘the Right of Erasure’ or the ‘Right to be Forgotten’.
- It’s advisable not to store contact form submission data in the admin or backend database; instead submissions should be sent by email to a secure email address. If you do store it, it must be encrypted and pseudonymised.
- Make sure everything, and yes we mean everything, from newsletter signups to gated content has an opt-in tick box, not an opt-out. We really can’t stress this enough. Even better, use a system that sends an opt-in confirmation email once a user has signed up, to avoid users’ addresses being entered without their permission.
- Anonymise Google Analytics and any other analytics programmes.
If you have any further questions regarding GDPR we recommend you speak to a lawyer, because frankly that is about the extent of our knowledge. However, if you have any questions regarding hosting for your site, feel free to contact us at [email protected] or give us a call on 0203 005 9181. And, of course, if you would like to take a look at our website, feel free to follow the link here.