Practical Steps for GDPR Compliance

Even if your business isn’t located in Europe, your website users might be. Therefore, all businesses, no matter their location, need to be GDPR-compliant websites. So whether you collect email addresses to generate leads or credit card information to process sales, your website should be compliant.

What is General Data Protection Regulation (GDPR)?

GDPR-compliant websites will follow the GDPR framework to protect European citizen data, with the rules going into effect in 2018. Basic guidelines of GDPR require that websites store data in protected documents and software and that data must be given to the business by customers with expressed permission. Additionally, companies must provide a description of how their information will be used and give customers a way to unsubscribe or change their consent to have all data associated with them permanently erased.

U.S.-based businesses must have GDPR-compliant websites if they collect any information from EU citizens, including for newsletter signups, phone calls, or to sign up for email marketing for deals. So even if your business doesn’t target European customers, your website must be compliant if there’s the opportunity for them to sign up for something or send you their data. There are eight consumer rights of General Data Protection Compliance, including:

1. Access: The right to access requires businesses to allow individuals to request access to their data, including information about how that data is used and stored. Businesses must provide a free copy of the data upon request and give customers an easy way to request the data.
2. Be informed: Website users must be informed about what their data will be used for and how you collect data. They must give consent before you can gather their data. Consent cannot be implied. Therefore, if your business is at a tradeshow collecting email addresses, you must state the purpose of the email address collection, how the data will be used, and keep the original forms in case consent is ever called into question.
3. Data portability: Customers may choose to transfer data from one place to another, depending on the nature of the business. If there is a transfer, it must be processed in a readable format.
4. Be forgotten: Website users may choose to ask businesses to delete their data by withdrawing consent. Once consent is withdrawn, businesses can no longer use the customer’s data for anything, including marketing.
5. Objection: Website visitors can object to the use of their data and request you to stop. For example, they can unsubscribe from email lists or call your business to object to further communications. As soon as a user objects to your use of their data, you must stop using it.
6. Restrict processing: Visitors can ask you to stop processing their data, allowing you to use existing data but not tracking the user across your website.
7. Notification: Customers who have given you their information have the right to be notified of data breaches within 72 hours. Customers should be informed of these breaches even if they don’t involve their credit card numbers because they may need to change passwords or be aware of criminal activity on any of their accounts.
8. Rectification: Customers can ask your business to update or correct personal data.

Learn more about GDPR.

GDPR might sound like a headache for small-to-medium-sized businesses, but it comes with many benefits. GDPR forces businesses of all kinds to consider the ways in which they store and use customer data, leading to increased trust and credibility. Since trust is so important among consumers, you want to ensure the people you’re doing business with can trust you and feel like your business will deliver on its promises. Unfortunately, even though GDPR compliance is the law, far too many businesses aren’t compliant, leading to distrust among customers, no matter where they are in the world.

At the very least, GDPR forces businesses to practice better data management to protect their customers, which may lead them to better business strategies. For example, your small business might be researching how to make your website GDPR compliant, leading you to find CRMs that show you different ways to use customer data for better marketing strategies.

How to make my website GDPR compliant

Now that you understand that GDPR website compliance is a necessity for every business, you might wonder how you can make your website GDPR compliant. Luckily, the process is quite simple, and anyone, no matter their technical skills, can take steps to improve their compliance and manage customer data better. Here are GDPR-compliant website examples you can use today.

Cookie policies

You must always have consent when tracking your customers online, even when you’re not collecting their personal data through forms. If you track customer behavior on your website, you must ask for consent to be a GDPR-compliant website. Every website should have a popup that allows visitors to accept or decline consent of being tracked by third-party cookies upon their first visit to the website. This popup should also include a link to the privacy policy that details how cookies are used and what your website tracks.

Secure data storage

GDPR requires businesses to protect their customer data by keeping it secure through encryption. Encryption will ensure the data can’t be read by hackers, ultimately reducing your risk exposure if your company is hacked.

Comply with data requests

According to the GDPR framework, businesses must give users access to their information upon request. To be compliant, you must offer a process of how your users can request their saved data and how you’ll provide that data. If your business process for providing data takes too long or frustrates customers, they can report you, leading to a review of your compliance.

Penetration testing

Penetration testing is another important aspect of GDPR compliance for websites that require businesses to secure IT systems. Businesses can ensure the security of their systems by performing a penetration test to determine their level of risk and find ways to improve their security. Then, if there’s a breach, it can be reported to authorities and customers, informing them of the types of data that have been compromised and allowing them to take action before cyber criminals.

Privacy policy

Every website should have a privacy policy that notifies website users about why and how you use their data. It’s an important feature for any website. However, it should be updated to include critical information about the different ways your website collects and uses information. Your new policy should detail the types of ways you’ll use your customer’s data. For example, if you collect email addresses for marketing purposes, your privacy policy should state the types of correspondence users can expect from your business, whether it’s through email or phone.

What types of personal data need to be compliant with GDPR policies?

All types of personal data should be compliant with GDPR policies, as these requirements govern every piece of information your business can collect online, including email addresses, device information, user behavior, IP address, credit card information, and contact details. In addition, every piece of data you can have on customers should be compliant.

Ensure your website complies with GDPR with Mailchimp

Protecting your customer’s data is not only important for them, but it’s essential for your business. Not only can taking the right steps to ensure GDPR compliance help you build trust with consumers, but it can also improve your brand reputation by showing the world that you care about your customer and have done everything you can to protect them. All businesses should aim for GDPR website compliance to protect themselves and their customers, whether or not they operate in Europe.

Mailchimp makes it easy to ensure GDPR compliance when requesting data from customers. With our marketing tools, you can start a GDPR-compliant email list for email campaigns and create forms that are GDPR-compliant, covering everything from consent to how you’ll use their information. We also add the option to unsubscribe from email marketing communications, automatically removing customers from email lists when they withdraw consent.

With Mailchimp, you can clean up your existing mailing list to ensure your marketing efforts are GDPR compliant, offering you the opportunity to use double opt-in to validate consent when you collect emails offline.