In my previous post, Are You GDPR Ready?, I suggested seven steps you should take to get ready for GDPR. In this post I’ll address numbers two and three: how to publish a privacy policy on your site to gain your users’ consent, and how to implement an opt-in policy.
Publish Your Privacy Policy
Step 1: Write Your Privacy Policy
Yes, the first thing to do, if you don’t already have one, is to write the policy. The new regulations advise businesses to use ordinary language, so the best way to do this is to write it yourself. Take a look at the one on this site and also at others, ideally for businesses similar to your own. Assuming you’ve done your audit already, you should understand exactly what data you hold, how and why you use it, and where and how it is stored. All of that information needs to go into your policy document.
Step 2: Publish the Privacy Policy
To publish this to your site, create a new page for your website or blog and copy the policy text there.
It’s good practice to make this easy to find, so add a link to it from your website’s menu or somewhere out of the way but not hidden, like the page footer.
Step 3: Share Your Privacy Policy with Visitors to Your Site
If you have a website built on one of the many content management system (CMS) platforms – Joomla, WordPress, SquareSpace, or Wix – the developers are ahead of the game, and there are a number of plugins that will make your work easier.
This site, based on WordPress, uses the plugin called GDPR by TrewKnowledge. It’s easy to set up: you link it to your privacy policy page and add some text for the cookie consent popups. It has a bunch of other advanced features that you can use if you need to.
Search Google and you can easily find similar tools for the other platforms listed above. If you’re not sure what any of this means, ask your web developer for help but don’t ignore the issue! It’s a necessary step in ensuring your site (and therefore your business) is compliant.
If you’ve got a static website, the simplest way to do this is to make your new privacy policy page the landing page for your site. That way you know anyone who visits your site will have read it. Put the link to your main site at the end of the policy page, and make the link text state clearly that by clicking through to the site the visitor accepts the policy.
The downside of this approach is that it’s fairly unsophisticated: anyone visiting the site again will be taken to the same policy page and required to consent on each repeat visit.
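One way to keep the landing-page gate but avoid asking returning visitors every time is to remember the consent in the browser and only re-prompt when the policy itself changes. The script below is an added example, not code from the original post or from any plugin it mentions; it assumes the policy lives at the path /privacy-policy/, that the accept link on that page has the id accept-policy, and that POLICY_VERSION is a placeholder you bump whenever the policy text changes. The decision logic is kept in plain functions so it can be tested outside a browser.

```javascript
// Added example (not from the original post): consent-gate state for a static site.
// Assumed: consent is stored in localStorage under CONSENT_KEY, and POLICY_VERSION is
// a constructed placeholder that is changed whenever the policy text changes.
const CONSENT_KEY = "privacy-policy-consent";
const POLICY_VERSION = "2018-05-25"; // constructed placeholder, not a value from the post

// Build the record stored once the visitor clicks the "I accept" link.
function recordConsent(policyVersion, now = new Date()) {
  return JSON.stringify({ policyVersion, consentedAt: now.toISOString() });
}

// Decide whether the policy page must be shown. Returns true when nothing is stored,
// the stored value is malformed, or consent was given for a different policy version.
function needsConsentPrompt(storedValue, currentVersion) {
  if (typeof storedValue !== "string" || storedValue === "") return true;
  let record;
  try {
    record = JSON.parse(storedValue);
  } catch (_) {
    return true; // corrupted or edited storage: ask again rather than assume consent
  }
  if (!record || typeof record !== "object") return true;
  if (record.policyVersion !== currentVersion) return true;
  if (Number.isNaN(Date.parse(record.consentedAt))) return true;
  return false;
}

// Browser wiring: runs only when loaded in a page. On the policy page the accept link
// stores consent; on any other page a missing or outdated record sends the visitor back
// to the policy page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const policyPath = "/privacy-policy/"; // assumed location of the policy page
  const onPolicyPage = window.location.pathname === policyPath;
  const stored = window.localStorage.getItem(CONSENT_KEY);
  if (onPolicyPage) {
    const acceptLink = document.getElementById("accept-policy"); // assumed link id
    if (acceptLink) {
      acceptLink.addEventListener("click", () => {
        window.localStorage.setItem(CONSENT_KEY, recordConsent(POLICY_VERSION));
      });
    }
  } else if (needsConsentPrompt(stored, POLICY_VERSION)) {
    window.location.replace(policyPath);
  }
}
```

Include the script on every page of the site. Because the check treats anything unexpected in storage as "not consented", a visitor who clears their browser data, or whose stored record no longer matches the current policy version, is simply shown the policy again.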
Implement an Opt-In Policy
If you collect email addresses for a mailing list or use forms, you need to ensure that users opt-in to any use of or storage of their data.
Opt-In to Mailing Lists
Most mailing list forms require the user to enter their name and email address before clicking a button to submit the form. Make sure that your text explicitly states how this information will be used (e.g., “in order to send you the weekly newsletter”), whether or not it will be shared with or used by third parties, and anything else relevant to the person signing up, so that they can consent to it. You then need to ensure that any emails sent to the list, including any welcome message, make it clear how the person who has signed up can unsubscribe. That’s pretty standard stuff these days, but it’s worth checking that you have your house in order.
Opt-In for Forms
For contact forms, you must add a check box alongside a statement requiring consent for the data provided to be used and stored. It’s also worth putting a link to your privacy policy, but that alone is not good enough: you need to spell it out to the user there and then, so that they can consent. An example is: “By submitting this form you consent to [company name] using and storing your information in order to respond to your inquiry.”
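The check box only does its job if the server refuses submissions where it was not ticked, and if you keep a record that shows what the person agreed to. The handler below is an added example, not code from the original post or from any form plugin; it assumes the check box is rendered as <input type="checkbox" name="consent" value="yes"> (so an unticked box is simply absent from the submitted fields, and a ticked one arrives as the string "yes"), that the company name is passed in by the caller, and that POLICY_VERSION is a placeholder matching the policy page currently published.

```javascript
// Added example (not from the original post): server-side consent check for a contact form.
// Assumed: the consent checkbox is <input type="checkbox" name="consent" value="yes">,
// and POLICY_VERSION is a constructed placeholder identifying the published policy text.
const POLICY_VERSION = "2018-05-25"; // constructed placeholder

// The statement displayed beside the check box, built from the wording in the post.
function consentStatement(companyName) {
  return `By submitting this form you consent to ${companyName} using and storing ` +
    "your information in order to respond to your inquiry.";
}

// Minimal email shape check: something@something.something with no whitespace.
function looksLikeEmail(value) {
  return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// Validate one submission. Returns { ok: true, consentRecord } or { ok: false, errors }.
// The consent record keeps the statement text and policy version so you can later show
// exactly what the person agreed to and when.
function validateContactSubmission(fields, companyName, now = new Date()) {
  const errors = [];
  const name = typeof fields.name === "string" ? fields.name.trim() : "";
  const message = typeof fields.message === "string" ? fields.message.trim() : "";
  if (name === "") errors.push("name is required");
  if (!looksLikeEmail(fields.email)) errors.push("a valid email address is required");
  if (message === "") errors.push("message is required");
  // Consent must be an explicit, affirmative tick. A pre-ticked box, a default value,
  // or an absent field does not count, so anything other than "yes" is rejected.
  if (fields.consent !== "yes") errors.push("consent checkbox must be ticked");
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    consentRecord: {
      email: fields.email.trim(),
      purpose: "respond to inquiry",
      statement: consentStatement(companyName),
      policyVersion: POLICY_VERSION,
      consentedAt: now.toISOString(),
    },
  };
}

// Constructed sample submissions, shaped the way a web framework hands form fields to a handler.
const SAMPLE_OK = { name: "A. Visitor", email: "visitor@example.com", message: "Hello", consent: "yes" };
const SAMPLE_NO_CONSENT = { name: "A. Visitor", email: "visitor@example.com", message: "Hello" };
const SAMPLE_BAD_EMAIL = { name: "A. Visitor", email: "not-an-address", message: "Hello", consent: "yes" };
```

Store the consent record alongside the inquiry itself, not in a separate place that could be cleaned up independently; it is the evidence that consent was given for that specific use.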
As with anything, there is more you can do, but for small businesses and organisations it is unlikely to be necessary.
Disclaimer: This information is intended as guidance only. It is not a substitute for legal advice and is based on personal research conducted by the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.
Now read part 3 in this series.
In the next post, find out how to make sure the files you create and store, on your laptop or other device, are secure.
Image credit: iStock.com/oatawa
Do you need help? Contact me now to arrange a personalised tech support or training session.