The GDPR hangover: tips for making a website GDPR compliant

So, 25th May has been and gone, and we are now officially living in the age of GDPR.

While businesses have scrambled to meet GDPR demands by the deadline, it’s likely that not everyone will have managed to achieve full compliance in time. 

Indeed, the Federation of Small Businesses (FSB) recently raised its concerns that many of the UK’s 5.7 million SMEs are still unlikely to be fully GDPR-ready. This in turn has led to panicked questions from businesses, asking when, and how, they are likely to feel the consequences of this. 

Because there is no enforcement precedent under GDPR yet, it’s difficult to predict how regulators will apply the law over the coming weeks. However, it is far more effort for the Information Commissioner’s Office (ICO) to fine a business than to help it become compliant, so organisations that can demonstrate that they are taking accountability for the personal data they hold, and making GDPR-readiness a business priority, will have far less to worry about.

With this in mind, let’s take a closer look at some quick-fire tips businesses can employ to demonstrate to the ICO that they’re making every effort to be GDPR-ready.

Design for trust

Informed consent is a key tenet of both GDPR and overall customer trust. In particular, trust is now more important than ever considering the need for customers to opt into businesses using their data for commercial purposes.

Businesses should make clear to their users exactly why they are asking for any of their personal data, as well as what this data will be used for. For instance, when asking for an email address on signup, the microcopy next to the field should state the purpose of the data in brackets – e.g. “Email address (so we can send you your confirmation email)”.

Design for transparency

To process and use data post-GDPR, user consent must be explicit, informed and freely given. Businesses must therefore ensure that no areas on their site assume customer consent in any way. To achieve this, brands should remove any pre-ticked opt-in boxes across the site, or any other areas which assume consent through inactivity. 

Arguably as important as explicit opt-ins are clear opt-outs – never hidden away on a separate screen – for any users who wish to exercise their “right to be forgotten” and have their personal data removed. An added benefit of this is that it provides further assurance to customers who may be on the fence about sharing their information. If consumers see that they can easily withdraw their data whenever they like, they are likely to feel more secure in sharing it with businesses in the first place.

Finally, organisations should ensure their online privacy policy and associated notices are up to date and fully transparent. For businesses that struggle with this, the ICO has published some useful guidelines.  

Take a full data audit

Businesses should take stock of all personal data currently held – meaning any information that could be used to identify an individual – and ensure that none of this data is unnecessary or is being used in a non-compliant way.

This should not be viewed as an obstacle, but rather a chance for brands to streamline the data they currently hold, and thus review which data can be used to inform future marketing strategies.

Of course, it’s once again imperative for organisations to ensure that consent is obtained for all marketing activity involving personal data. This does not just apply to email marketing – the obvious candidate – but also to any paid search and paid social retargeting.

It's a marathon, not a sprint

Overall, compliance with GDPR should be an ongoing process, and the priority now is showing proactivity. 

To ensure accountability, businesses should create an action plan to address the compliance areas which still require attention post-GDPR, and document the steps taken to get there with a full timeline detailing past and future actions.  

Simply put, 25th May was by no means the end of GDPR compliance, but rather the beginning of a much longer journey. 

Lindsey Roberts is GDPR project manager at e-commerce digital marketing agency, Visualsoft.