How Do You Make Your Website GDPR Compliant?

You’ve probably heard all the talk recently about the GDPR changes which will come into force in May next year. We wrote a blog post on this very subject a few months back, which focused on best practices for businesses in regard to how they store and use personal data. (Have a read if you haven’t done so already!)

Following on from this blog, we thought it would be helpful to highlight the main aspects of the new GDPR regulations (as suggested by the Information Commissioner’s Office), as well as share some examples of businesses who are already making changes to the way they collect data on their websites to comply with GDPR.

So what are the main aspects?

Unbundled consent

Many businesses currently have a single terms and conditions tick box, covering everything, when someone signs up to something on their website.

However, once GDPR comes into effect, you may need to include a tick box – separate from the T&Cs tick box – which asks for active and explicitly given consent e.g. so people can opt in to receiving marketing communications. This tick box can’t be a precondition of signing up to a service or part of the standard terms and conditions.

An example of this can be seen below, where Sainsbury’s have two separate boxes: one for T&Cs, and the other for contact permissions. This makes it crystal clear what people are signing up for, or choosing to decline. You can also see that Sainsbury’s have left all of the tick boxes unticked by default.

This is another aspect of GDPR to understand:

When someone is signing up to a service, you can’t use pre-ticked boxes because that assumes consent. Someone may not read the text properly or may ignore it entirely e.g. if they’re in a hurry and just want to hit the “send” button. They have to actively and knowingly tick the consent box.

One question we have with regard to the way in which Sainsbury’s have implemented their request for consent below is that they are forcing people to choose yes or no, i.e. to actively opt in or opt out. But this isn’t a requirement under GDPR.

People are not obliged to tell you if they want to opt out before they’ve even opted in. Being opted out is the default. If people don’t actively opt in, then you shouldn’t be forcing them to tell you that they want to opt out as a pre-condition of registration. Not ticking the opt in box is enough.

Sainsbury’s separate permissions

(Image credit – Andy Favell – https://www.econsultancy.com/blog/69172-10-supermarkets-with-10-very-different-email-opt-in-opt-out-strategies)

Key take-away: Have a separate tick box for T&Cs and one for gaining consent (both unticked by default).

Granular consent

If you’re unsure what this is (don’t worry, you won’t be alone), it means giving users the option to consent to each contact method separately. A good example of what to do, and what not to do, can be seen in the graphics above and below.

Sainsbury’s (above) have bundled all their methods of contact together. This means you either accept them all, or none. This isn’t really in the spirit of giving people granular control over how they are contacted: if you do agree to be contacted, you are forced to accept that it could be by any of the means listed. Granted, you could simply not tick the box at all.

In contrast, Woolworths have separated the contact methods into three different checkboxes (SMS, email, and post). This is better because it gives people much more control and much more opportunity to express their preferences, and that is in the spirit of the law.

Woolworths Granular consent

(Image credit – Andy Favell – https://www.econsultancy.com/blog/69172-10-supermarkets-with-10-very-different-email-opt-in-opt-out-strategies)

Key take-away: Separate the contact methods on your consent forms and make it clear what they will receive by each method.

Whom you share customer data with

If you share the customer data you receive with other organisations, by May next year you will need to make your users aware of whom you share it with, and why. A good example of an organisation which does this is Age UK.

As you can see from the example below, they clearly state under what circumstances users may be contacted, and which organisations have access to their data.

In preparation for GDPR, this is something which we looked at ourselves when re-evaluating our own privacy policy recently.

We take protecting your personal data seriously. You can find out more about how we protect and process your personal data on our privacy page. Please do have a read and let us know if you have any questions. We want you to be confident we’re doing the right thing.

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

They also give the user an opportunity to change their mind. Copy this set-up, and you can’t go far wrong.

Granular consent Age UK

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

Key take-away: Make it clear to your users who you share their data with and why.

Easy to withdraw

One of the aims of GDPR is to make it as easy for people to withdraw their consent as it is to give it. So, if your site doesn’t already allow this, it’s vital that you make it possible.

If you’re wondering how to go about doing this, The Guardian are a great example (see below). They have made it very easy for their users to change permissions, by making them accessible through account settings.

Users can see the permissions they originally granted when they signed up, and have the option to untick, or tick any permissions anytime they see fit.

The Guardian (Opting out example)

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

And as if this wasn’t good enough, they also allow users to fully delete their account, and provide lots of clear information about what will happen if they do. This is something worth considering if you have a subscription-based website.

The Guardian opting out

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

Key take-away: Make it easy for your users to withdraw consent, and to delete their email address or account on your website. This doesn’t necessarily mean you have to delete all their information from your systems, though. You may need to keep their email address on record, for instance, to ensure it isn’t used again in your communications, i.e. you use it as a way of screening them out of future sends.
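The four consent points above (a T&Cs box kept separate from marketing consent, per-channel boxes that are all unticked by default, withdrawal that is as easy as opting in, and an address kept only for screening after deletion) can be modelled in a few dozen lines. The following is an added example written for this post; it is not code from the original article or from any of the sites it cites. The channel names, the form field names (`terms`, `consent_email` and so on) and the choice to keep a SHA-256 hash of a deleted address rather than the address itself are all assumptions made for the example.

```python
"""Consent model for a website sign-up form (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Contact methods offered as separate tick boxes (assumed list; mirrors the
# SMS / email / post split shown in the Woolworths screenshot).
CHANNELS = ("email", "sms", "post")


def _now():
    return datetime.now(timezone.utc)


def _normalise(email):
    return email.strip().lower()


@dataclass
class ConsentRecord:
    """One person's consent state. Marketing consent is held separately from
    T&C acceptance, and every channel starts opted OUT (no pre-ticked boxes)."""
    email: str
    terms_accepted_at: datetime
    channels: dict = field(default_factory=lambda: {c: False for c in CHANNELS})
    history: list = field(default_factory=list)  # audit trail: (when, channel, granted)

    def set_channel(self, channel, granted, when=None):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.channels[channel] = bool(granted)
        self.history.append((when or _now(), channel, bool(granted)))

    def withdraw_all(self, when=None):
        """Withdrawing must be as easy as giving: one call clears every channel."""
        for c in CHANNELS:
            self.set_channel(c, False, when)


def validate_signup(form):
    """Check a submitted form (checkbox fields arrive as 'on' or are absent).
    Only the email and the T&C box are mandatory; marketing boxes are optional,
    and an unticked box simply means 'not opted in' (no forced yes/no choice)."""
    errors = []
    if not form.get("email"):
        errors.append("email")
    if form.get("terms") != "on":
        errors.append("terms")
    return (not errors, errors)


def register(form, when=None):
    """Build a ConsentRecord from a valid form. Marketing consent is read only
    from the separate per-channel boxes, never inferred from the T&C box."""
    ok, errors = validate_signup(form)
    if not ok:
        raise ValueError(f"missing required fields: {errors}")
    when = when or _now()
    rec = ConsentRecord(email=_normalise(form["email"]), terms_accepted_at=when)
    for c in CHANNELS:
        if form.get(f"consent_{c}") == "on":
            rec.set_channel(c, True, when)
    return rec


def suppression_key(email):
    """After deletion keep only a hash: enough to screen the address out of
    future sends without retaining the address itself (assumed design)."""
    return hashlib.sha256(_normalise(email).encode()).hexdigest()


class ConsentStore:
    def __init__(self):
        self.records = {}        # normalised email -> ConsentRecord
        self.suppressed = set()  # hashes of deleted addresses

    def add(self, rec):
        self.records[rec.email] = rec

    def delete_account(self, email):
        """Remove the personal record but remember the address in hashed form."""
        key = _normalise(email)
        self.records.pop(key, None)
        self.suppressed.add(suppression_key(key))

    def may_contact(self, email, channel):
        """True only with a live record, an explicit opt-in for that channel,
        and no suppression entry. Checked before every send."""
        key = _normalise(email)
        if suppression_key(key) in self.suppressed:
            return False
        rec = self.records.get(key)
        return bool(rec and rec.channels.get(channel, False))
```

The point worth noticing is that `validate_signup` never reports a missing marketing box as an error: the T&Cs are the only precondition of registration, and silence on marketing is recorded as "not opted in". Every change of mind lands in `history`, which is what you would show back to the user in an account-settings page like The Guardian's, and `may_contact` is the single check a mailing job should run per address.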

Other ideas

Speaking of subscription-based websites, a nice idea which Channel 4 have come up with (see below) is to place a short video next to the sign-up box, informing users how the information they give will be used.

Channel 4 used Alan Carr as the face for their video, but if you can’t get a hold of him don’t worry, the director or manager of the business will be just as effective. But Alan Carr would be a bonus.

Channel 4 video on how information is used

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

Key take-away: Why not create a video which explains how you use the information your users give you?

Staying with Channel 4, another thing they do is give users the option to see an example of their newsletter before they choose to sign up to it. This is a simple but effective way of letting users know what they can expect.

Channel 4 example newsletter

(Image credit – Ben Revell – https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent)

Key take-away: Why not give your users an idea of what your newsletter looks like before they sign up to it?

Neither this newsletter preview nor the video above will be essential under the new GDPR regulations. However, both establish transparency between the user and the business, which helps to build trust, making them well worth considering.

What to do now?

If after reading all this you’re unsure whether your website is GDPR ready, don’t worry. A good way of finding out is to look at this marketing checklist created by the ICO, which lists a series of tick-box criteria your business will need to meet in order to abide by the law. Alternatively, if you’re simply looking for more information on GDPR, this useful guide from the Data Protection Network is well worth a read.

If you’d like some help with getting your website ready for the GDPR regulations, get in touch with us today. We’ll be more than happy to help.

Some examples of how we could help you:

  1. Review your current website forms and permission-based offers and suggest amendments;
  2. Review your current terms and conditions or cookies and privacy policy and suggest amendments;
  3. Something else? You tell us!

Want to know more about out how we can help you to achieve successful, tangible results through our strategic, digital and creative approach to marketing? Send us a message via the form, or give us a call on 01603 964564.

Alternatively, drop in for a coffee and a chat at our office in The Union Building, 51-59 Rose Lane, Norwich, NR1 1BY.
