Your website must comply with the new GDPR legislation which takes effect from 25th May 2018.
You need to be transparent about how you collect data, how you store it, what it is used for and how long you will keep it on file. You have a responsibility to ensure you protect the privacy of your website users. If you are found to be non-compliant, you could be fined up to 4% of your annual turnover, so it is strongly advised that you take action now to ensure your website complies with the new legislation.
• If you have data forms on your website, these must show a clear Opt-In consent option for use and storage of this data, along with a declaration that the user can unsubscribe at any time. If you use Mailchimp there are GDPR compliant forms now available.
• You must have a Website User T&Cs policy that complies with the new GDPR.
If you do not think you can write your own policies, there are templates you can customise available through the Legal Hub at The Federation of Small Businesses, but you need to be a member to access these.
You must check your Google Analytics Data Retention Settings. These will be changed by Google automatically on 25th May 2018 to only hold user data for 26 months. You have the option to modify these settings to 14 months, 38 months, 50 months or have no expiry date (not recommended for UK companies who need to comply with GDPR). Shortening the length of time you hold data may be necessary depending on how ‘high risk’ your business is. You will also find that as from 25th May, some data will no longer be available, such as user location and other demographics.
You won’t need to gain consent from users to use Google Analytics tracking if you are only collecting data to analyse the performance of your website. If you share your data with other third party analytic platforms such as Ad Tech or Mar Tech, use remarketing pixels, tracking codes and customise the website content based on user behaviour, then you will need to gain consent.
Cookie Opt-In Boxes
You need to remove your current Cookie opt-in box if it doesn’t give the user the option of selecting the types of data they are happy to share. If you are not just using cookies for Google Analytics to track the performance of your website, then you will need to have a GDPR Cookie Opt-In Consent Box and display it to every user who visits your site for the first time. Simply showing a banner that states ‘by using this site you accept Cookies’ will no longer be compliant.
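One way to implement the per-category consent described above, as an added example that is not code from the original page or from any consent vendor: the script records the user's choice per cookie category in a consent cookie, and non-essential scripts (analytics, marketing) are only loaded once that category has been granted. The category names, the cookie name `cookie_consent`, the 180-day re-consent period and the script URLs in the registry are assumptions made for illustration.

```javascript
// Added example (not from the original page): a minimal cookie-consent model
// that stores per-category choices and gates non-essential scripts until the
// user has opted in. Category names, cookie name, expiry and script URLs are
// illustrative assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";          // assumed cookie name
const CONSENT_VERSION = 1;                        // bump when the policy text changes
const CONSENT_MAX_AGE_S = 180 * 24 * 3600;        // assumed re-consent period

// Build the consent record from the user's checkbox choices. "necessary"
// (strictly necessary cookies) is always granted; everything else defaults
// to false so that an unticked box never counts as consent.
function buildConsent(choices, now = Date.now()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  return { v: CONSENT_VERSION, ts: now, granted };
}

// Parse a stored consent value; returns null if absent, malformed, from an
// older policy version, or older than the re-consent period (ask again).
function parseConsent(raw, now = Date.now(), maxAgeMs = CONSENT_MAX_AGE_S * 1000) {
  if (!raw) return null;
  let obj;
  try { obj = JSON.parse(decodeURIComponent(raw)); } catch { return null; }
  if (!obj || obj.v !== CONSENT_VERSION || typeof obj.ts !== "number") return null;
  if (now - obj.ts > maxAgeMs) return null;
  if (!obj.granted || obj.granted.necessary !== true) return null;
  return obj;
}

// Decide which scripts may load. With no valid record only "necessary"
// scripts run, so a first-time visitor gets no tracking before choosing.
function scriptsToLoad(consent, registry) {
  const granted = consent ? consent.granted : { necessary: true };
  return registry.filter(s => granted[s.category] === true).map(s => s.src);
}

// Serialise the record for document.cookie with sensible attributes.
function consentCookieString(consent, maxAgeSeconds = CONSENT_MAX_AGE_S) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Extract the raw consent value from a cookie header / document.cookie string.
function readConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return rest.join("=");
  }
  return null;
}

// Constructed registry of tag scripts; URLs are placeholders, not real endpoints.
const SCRIPT_REGISTRY = [
  { src: "/js/site.js",                     category: "necessary" },
  { src: "https://analytics.example/ga.js", category: "analytics" },
  { src: "https://ads.example/pixel.js",    category: "marketing" },
];

// Browser glue: only runs where a DOM exists, so the module also loads in Node.
if (typeof document !== "undefined") {
  const consent = parseConsent(readConsentCookie(document.cookie));
  for (const src of scriptsToLoad(consent, SCRIPT_REGISTRY)) {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  if (!consent) {
    // Show the consent box here; on submit, persist the choice with
    // document.cookie = consentCookieString(buildConsent(choices)) and reload.
  }
}
```

The design point is that the default state is "not granted": an absent, expired or tampered consent cookie yields only the strictly necessary scripts, and the version field forces a fresh choice whenever the cookie policy changes. The consent record itself (timestamp and choices) is what you would keep as evidence that consent was obtained.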
Guide to GDPR from ICO
How to Comply Checklist from ICO
GDPR and Marketing
Registration Self-Assessment – check if you need to register with ICO
Privacy Notices from ICO
Personal Information Online Checklist for SMEs