Is Your Website GDPR Ready? Follow this 7-step Checklist


– In this video I’m gonna show you how to get your website GDPR ready in just seven simple steps. (upbeat digital music) (dings) Hi, I’m Ed Leake from AdEvolver and today I don’t want to talk to you about the 100 page guide to the General Data Protection Regulations. No, instead, I wanna boil it down to seven simple steps for you so you can avoid that potential 20 million euro fine. Quick disclaimer, I’m not a legal professional so if you’re unsure about GDPR, please seek professional legal advice.

The GDPR regulations come in this year on the 25th of May and if you think it only applies to EU businesses, then think again, if you serve your website to anyone in the EU, including UK, then you are fallible to the GDPR regulations. So, I’m afraid, unless you intend on denying access to all EU and UK citizens, then it does apply to you.

Before we get into the seven steps to make your website ready and if you aren’t 100% sure what GDPR is, I just wanna run through in a nutshell the key points and because I wanna make sure that this is accurate, I have brought notes here. So this GDPR is written to protect EU citizens from privacy and data breaches, which is fair enough. The legislation specifies what personal data is, regulates what can be done with personal data, i.e. your email, your name, phone number, that sort of thing. Defines the role and responsibilities of controllers and processors, AKA the businesses that have the data. It answers the question of what is considered consent, i.e. have you got someone’s data and do they know about it? And, finally, a cookie should be treated as personal data. Now, there’s a bit of a grey area, that not every cookie is, however, to be safe let’s assume that cookies are personal data. With all that said, the golden rule when it comes to your website is: think opt-in not opt-out. To get people to opt-in to your privacy policy, not opt themselves out. Okay, so let’s go through the seven point checklist to get your website GDPR ready.

Number one is your cookie notification and opt-in. You may have these on the internet that slide up or a bar at the top or base of the website. The change here is though that before you could imply that people were opted in if they just ignored it or closed it, however, any new person that visits your website now should click to opt-in so they acknowledge that you have a cookie policy and they are happy with that, you know, “Okay, I accept, no problem.” Whatever that button may say. But also on that notification make sure that you do link to your cookie policy and that’s point number two.

Have a specific cookie policy on your website. So that should specify what you collect and why but also if you use third party applications such as Google Analytics, that has a cookie policy of its own so you should either at the very least link to Analytics’ policy or take the specifics from their policy and say these are the cookies that Analytics uses, so you’ve got a fully fledged cookie policy.

And number three’s to ensure that your privacy policy’s up to date and more filled out than the cookie policy. So the privacy policy will expand on the cookie policy, easy for me to say, by explaining to people what you do with data, how you collect it, store it, also how someone can get in touch with you, which is really important if they want to know what data you have on file and, perhaps, just as important they must be able to contact you to be able to delete all that information, free of charge, so an email address, someone’s name, or specific phone number to call.

Number four, SSL, secure socket layer. So essentially the green padlock in the top of your browser, or some browsers. If you use Firefox now or someone visiting your website uses Firefox, if you don’t have an SSL that actually tells them now that your website is unsecure. I put it in air quotes but to be fair that is true. So essentially SSL’s good practice, Google likes them, for organic rankings, and it secures, encrypts, the data that goes from your website to the end user’s computer and back again, even if you don’t take payments, it’s still best practice to have an SSL certificate.

And number five is going to impact pretty much everyone, if you’ve got an inquiry or contact form, there are a few key points here, the SSL supports this by the way, don’t store the data unless you really have to and if you do store the data, encrypt it. You also need to make sure your email service provider also has a GDPR policy. So if you use Gmail, Outlook 365, so on and so forth. You’ve gotta make sure they’re covering you as well because your website’s gonna get covered by your policies and work but then someone sends you an email and you’ve gotta be covered there too. Now if you print out your inquiries and your leads like their information’s on a bit of paper, then you need to make sure that you shred that information as quickly as possible and don’t store it and certainly don’t just chuck it in the bin. If you’ve got any forms, no pre-ticked boxes. So if you’ve got Ts and Cs, don’t automatically tick it. The person on your website who submits the form has to tick the box, they have to opt in to whatever it is, and don’t bundle, which is a term for having multiple boxes ticked at once. You have to enable or allow the user to tick individual boxes, so for example, one might be accept these Ts and Cs, the other one might say, “I opt into marketing.” You cannot have these ticked by default now and if you break down your marketing into telephone, email, whatever, break those down too so they have to opt in each one, not opt out, that’s really critical. So that was number five.

Number six is payment gateways. If you take any kind of payment on your website, be it Stripe, PayPal, whatever it may be, one of the major payment gateways, again, make sure that their privacy policy covers GDPR and in your privacy policy you link through to theirs to reference how they’ve covered you in their obligation.

And finally number seven is chat. Now chat’s major, big adoption of chat which is on websites now and, again, these systems often store the data and people put their names in there, their email addresses, so on and so forth, so you’ve got to be sure that your chat provider also has coverage of GDPR in their policy and in your policy, you reference it, again, it’s just, it’s covering all bases. So it’s just dotting your Is and crossing the Ts.

And, finally, that was the seven points but there is a little bit of a bonus here. If you’re not sure at any point, just delete the data. If you’ve got an old email list or whatever it might be, if you’re not sure and you’re not using it, you don’t think you’re gonna use it, delete it, it’s the safest option, and that’s it. Seven steps to get your website GDPR ready. I hope you found this useful. If you did, please, stick a like on it or if you didn’t, thumb it down. Any questions in the comments below and, yeah, if you enjoyed it, maybe subscribe. (upbeat digital music)
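The opt-in rule from steps one and five, as an added worked example that is not from the video or from AdEvolver: a small JavaScript consent model in which ignoring, scrolling past or closing the banner leaves every non-essential cookie blocked, an analytics script may only load after an explicit accept for that purpose, a submitted form treats an unticked box as "no", a bundled accept-all field is rejected, and a checker flags pre-ticked checkboxes in form HTML. The purpose names, the form field names and the sample form markup are assumptions constructed for illustration.

```javascript
// Added example (not from the video or AdEvolver): "opt-in, not opt-out" for
// cookies and form checkboxes. Purpose and field names are assumptions.

// Assumed purposes: "necessary" stands for cookies the site cannot work
// without; everything else needs an affirmative action from the visitor.
const PURPOSES = ["necessary", "analytics", "marketing_email", "marketing_phone"];

// Fresh visitor: only strictly necessary cookies are allowed.
function createConsentState() {
  const state = {};
  for (const p of PURPOSES) state[p] = p === "necessary";
  return state;
}

// Events the cookie banner may report. Only an explicit "accept" click with a
// list of purposes grants anything; "scroll", "close" and "ignore" fall through
// unchanged, because implied consent no longer counts.
function applyBannerEvent(state, event) {
  const next = { ...state };
  if (event.type === "accept" && Array.isArray(event.purposes)) {
    for (const p of event.purposes) {
      if (PURPOSES.includes(p) && p !== "necessary") next[p] = true;
    }
  } else if (event.type === "reject") {
    for (const p of PURPOSES) if (p !== "necessary") next[p] = false;
  }
  return next;
}

// Gate for a third-party script such as an analytics tag: load it only once
// the visitor has opted in to that purpose.
function mayLoadAnalytics(state) {
  return state.analytics === true;
}

// Server-side check of a submitted form. Browsers omit unticked checkboxes
// from the submission, so absence means "no". Terms must be accepted to
// proceed; each marketing channel is recorded separately; a bundled
// "accept_all" field is refused outright.
function validateFormConsent(fields) {
  const errors = [];
  if (fields.accept_terms !== "on") errors.push("terms_not_accepted");
  if ("accept_all" in fields) errors.push("bundled_consent_not_allowed");
  const consent = {
    marketing_email: fields.marketing_email === "on",
    marketing_phone: fields.marketing_phone === "on",
  };
  return { ok: errors.length === 0, errors, consent };
}

// Scan rendered form HTML (e.g. in a build step or test) and return the names
// of checkboxes that carry a "checked" attribute, i.e. pre-ticked boxes.
function findPreTickedBoxes(html) {
  const inputRe = /<input[^>]*type=["']checkbox["'][^>]*>/gi;
  const bad = [];
  for (const tag of html.match(inputRe) || []) {
    if (/\schecked(\s|=|>|\/)/i.test(tag)) {
      const name = (tag.match(/name=["']([^"']+)["']/i) || [])[1] || "(unnamed)";
      bad.push(name);
    }
  }
  return bad;
}

// Constructed sample form: the email-marketing box is wrongly pre-ticked.
const SAMPLE_FORM_HTML = `
<form method="post">
  <input type="checkbox" name="accept_terms"> I accept the Ts and Cs
  <input type="checkbox" name="marketing_email" checked> I opt into email marketing
  <input type="checkbox" name="marketing_phone"> I opt into phone marketing
</form>`;

// Walk through the scenarios and return the results so they can be checked.
function demo() {
  const fresh = createConsentState();
  const afterScroll = applyBannerEvent(fresh, { type: "scroll" });
  const afterAccept = applyBannerEvent(fresh, { type: "accept", purposes: ["analytics"] });
  return {
    analyticsBeforeConsent: mayLoadAnalytics(afterScroll),   // false
    analyticsAfterAccept: mayLoadAnalytics(afterAccept),     // true
    emailStillOff: afterAccept.marketing_email,              // false
    termsOnly: validateFormConsent({ accept_terms: "on" }),  // ok, no marketing
    bundled: validateFormConsent({ accept_all: "on" }),      // rejected
    preTicked: findPreTickedBoxes(SAMPLE_FORM_HTML),         // ["marketing_email"]
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Keeping the consent record per purpose, rather than as one yes/no flag, is what lets a site later show or delete exactly what a person agreed to, which is the same per-channel split the video asks for.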



19 thoughts on “Is Your Website GDPR Ready? Follow this 7-step Checklist”

  1. I believe people don't necessarily need to tick a box for cookie consent. The regulator states that implied consent is also possible, as long as the individual has taken an action. For example, you could say in the cookie banner that if people keep browsing they consent to the use of cookies. If not, they can change the setting. There is a great option for webmasters called OneTrust. I think it's the best script to use for cookies. It will block all cookies and accept them if people scroll down to a certain percentage of the page. It also allows people to change cookie settings, activate or delete cookies. If people need to click a button so that websites use cookies, then the internet will never be the same.

  2. Can these checkboxes be required? So that if you don't allow us to email you, you can't complete the registration? Also how about backups? If someone wants to be forgotten, it's very hard to erase his data from the aggregated backups

  3. Also, without this explicit consent, we can't send him any email? Not even if he forgot the password and wants to restore it?

  4. A last question, since it seems you know a lot 🙂 What if I issued invoices to him? I must delete the invoices? I think that's against the law… 🙂

  5. So do we not need to be "GDPR" compliant if we are just gathering info from local customers (in texas)???

  6. It seems people in EU who made GDPR didn't think another legal aspect of this however: If you DON'T keep past communications, or if someone asks to Remove his/her data (which may be an email correspondence), then how can you PROVE in writing, that something did or did not take place with this person?

  7. If we cover these 7 steps correctly then are we all good & legal? There's so many snake oil salesmen out there asking for £250 to be GDPR compliant and filling out 100 page forms etc!!?

  8. As an American, I will not recognize gdpr or European law as my servers are not located outside the EU. But I do find some of the ideas nice.

  9. All I want to know is do I click yes or no! I’m very very new to this and I’m signing up with jvzoo and don’t know whether to say yes or no. Is your use of the JVZoo service regulated by GDPR?

  10. The EU should just stop using the internet for ultimate privacy. The people will need to search your bins to get your personal data, how safe would that be?
