Here's an email I sent to all our website management clients. I decided to publish it here in the hope that it will be of use and value to a wider audience.

Do comment below if you would like to give feedback, or get in touch directly. I'll continue to add and update as the GDPR compliance journey continues to evolve.

GDPR compliant website and marketing - a useful guide

Dear valued client,

I know, I know, this is probably the umpteenth email you've had about the GDPR in recent months! It's all over the business news and many seminars, trainings, workshops and talks have been happening across the country. You've probably been to at least one.

This isn't another email to add to the confusion, it's a very important update we're sending to our clients, specifically regarding your website and GDPR compliance. Please take the time to read all the way through, as there are actions you need to take soon.

(But be warned - it's a whopping great long email, so you might want to make a cup of coffee first... You can also read the same content here on our blog, where I'll keep adding more useful information and links as the topic evolves.)

I hope you'll find this useful, and if you have any questions just hit reply and I'll be glad to help.

What is the GDPR?

First off, if you don't know what GDPR is, I'd advise reading this first (or the start of it at least) to get up to speed. Then come back to this email and you'll have the background facts to make sense of everything below.

If you don't have time for that, here's the short version:

  • It's a piece of EU law called the General Data Protection Legislation.
  • It comes into full effect in just over 1 month on 25th May 2018.
  • It requires any organisation which handles data which could identify a living human being who lives in any EU country ("personal data") to comply with new rules.
  • It comes into force in the UK regardless of Brexit.
  • The body responsible for making sure the rules are followed in the UK (and handing out fines for non-compliance) is the Information Commissioner's Office (the ICO).

It's really important to know that, as a brand new law, the GDPR is yet to be tested in the real world. Lawyers don't yet know what judgement calls will be made when interpreting the legislation. All we can do at this stage is get the core, common sense parts in place. Do the obvious things, and make a good attempt at the less obvious ones.

At the end of the day, this is about protecting people's right to their own personal data and treating it as you would want your own to be treated. If you're already doing that, there are probably just some technical details to sort out and you're all good.

What do I need to do?

Probably several things. But first, a disclaimer:

I'm not a lawyer, and as such I cannot and do not give legal advice. The GDPR is a law, and so all I can do is give you suggestions and information which I believe will be helpful. I can't tell you what to do, you will need to decide that for yourself. The legislation is untested at the moment and there are lots of areas where a judgement call is needed. No-one is yet sure about all the details of how it will be enforced (not even lawyers). If you'd like to be 100% sure you're doing everything to the letter of the law, get some formal legal advice.

Ok, disclaimer over, on with the show!

There is an excellent guidance document available free from the ICO which gives you 12 steps to follow to prepare for the GDPR.

The top highlights are:

  • You need to audit and document what personal data you handle, where it is stored, how it is kept secure, and what the legal basis is for you having and handling it.
  • You need to communicate your privacy policies clearly.
  • You need processes and documentation in place for handling current and future personal data, and for dealing with data breaches, data loss, and requests from people who want to know what data you hold about them.

As a digital marketing company, we aren't involved with much of this. We can however highly recommend Clark Integrated Technologies if you are looking for a thorough GDPR compliance service. They can take you through getting certification to ensure you're up to the right standards and can work with businesses anywhere in the UK.

(They are a client of ours, and also my former employer, but I get nothing from recommending them - I do so simply because I know the honesty and quality of the service they provide).

Having said that, we're figuring all of this out for Groweb as a business, so if you fancy a chat to compare notes and plans I'd love to hear from you. A problem shared is a problem halved and all that!

(A top tip that isn't mentioned very much is to use this tool to check if you need to register with the ICO).

What about my website and digital marketing?

Ah, glad you asked! ;-) This is where we do come in. As you are one of our clients, we have something of a shared duty to ensure the online activities of your business which we are both involved in are compliant with the GDPR.

It's important to note that it's almost certain to be your legal responsibility to ensure this stuff is all sorted, even if we're handling aspects for you. That's not to say we're avoiding our side of the responsibility, just that if the ICO comes knocking because something has gone wrong, you won't be able to ignore it and just pass them on to us - legally the buck would stop with you for anything which is in your name. Groweb will be a data processor in most cases (and therefore still legally responsible for GDPR compliance within the scope of what we're doing for you), but as the website and organisation owner, you are the data controller. We're in this together!

We don't expect or want to get on the wrong side of the ICO, of course, so here's some useful information for how we get everything fully GDPR compliant before 25th May.

First, your website.

A GDPR compliant website

Here's an excerpt from a talk I gave recently on GDPR and marketing (you can see the full slide deck here).

These are the steps you must take to ensure your website is legally compliant before 25th May.

Here's how we can help.

Opt-in forms and contact forms

  • It may be appropriate to simply remove a form from your website to simplify things. If you don't give users the option to submit personal data, you have fewer concerns when it comes to consent and privacy notices.
  • If you are using forms which collect personal data, you'll need consent in the form of a tick-box and clear statement about what the data is to be used for.
  • We can implement these changes in consultation with you, see details below.
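As an added illustration of the tick-box requirement (example code written for this post, not Groweb's own), here is how a website's backend can refuse a contact form submission that lacks an explicit, affirmative tick, and keep a record of exactly which wording the person agreed to. It assumes a Node.js handler that receives the parsed form body as a plain object; the field names and consent wording are hypothetical.

```javascript
// Wording shown beside each tick-box. Bump the version whenever it changes so a
// stored record always points at the exact text the person agreed to.
const CONSENT_VERSION = '2018-05-01'; // constructed value
const CONSENT_STATEMENTS = {
  reply: 'We will use your name and email address only to reply to this enquiry.',
  newsletter: 'We will email you occasional news. You can unsubscribe at any time.',
};

// A browser omits an unticked checkbox from the submission entirely, so only the
// literal value of a ticked box counts. A missing field, the string "true", or
// "on" from a box we did not define is treated as no consent.
function consentGiven(value) {
  return value === 'yes';
}

function validateSubmission(body) {
  const errors = [];
  const name = String(body.name || '').trim();
  const email = String(body.email || '').trim();
  if (!name) errors.push('name is required');
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('a valid email address is required');

  // Each purpose has its own box; ticking one never implies the other.
  const purposes = Object.keys(CONSENT_STATEMENTS)
    .filter((p) => consentGiven(body[`consent_${p}`]));
  if (!purposes.includes('reply')) errors.push('consent to reply is required');
  if (errors.length > 0) return { ok: false, errors };

  // Keep the evidence: who agreed, to which wording, and when. This is what a
  // data controller needs in order to demonstrate consent if the ICO asks.
  return {
    ok: true,
    record: {
      name,
      email,
      purposes,
      statementVersion: CONSENT_VERSION,
      statements: purposes.map((p) => CONSENT_STATEMENTS[p]),
      consentedAt: new Date().toISOString(),
    },
  };
}

// The matching form fields: boxes start unticked (no `checked` attribute) and
// the statement sits beside the box rather than buried in the privacy notice.
function renderConsentFields() {
  return Object.entries(CONSENT_STATEMENTS)
    .map(([p, text]) => `<label><input type="checkbox" name="consent_${p}" value="yes"> ${text}</label>`)
    .join('\n');
}
```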

Privacy notice

  • You've got options here. First, the best chance of full compliance, but highest cost: You can pay for a lawyer to draw you up a privacy policy/notice for your website, or you can use a service like LawBite to get a set of documents including a privacy notice for a fixed price, with a bit of legal advice on using them included.
  • A much lower cost option (well under £100) which is also quick is to use the service from TermsFeed to generate a privacy policy specific to your requirements. (That's an affiliate link, but I recommend them as they're the only one I have found which does this well - I've used them for our own policy documents more than once).
  • The lowest cost of all is to write your own policy, which is probably fine for smaller websites - you're still demonstrating that you're aware of the need to take personal data seriously. There's some helpful guidance out there, here's a good starting point.
  • Once you have the notice, you'll need to add it to your website and add a link from the footer on every page. We can implement these changes in consultation with you, see details below.

Tracking software

  • You'll need to include information about any software used on your website which can track and identify an individual in your privacy notice.
  • On every website we build we install Google Analytics as standard (it's also used by over 60% of all websites online right now globally). This allows you to analyse the visitors to your site and where they come from, and determine how effective the website is being, along with spotting new opportunities to make it better. In its standard form, Google Analytics is GDPR friendly, but there are some finer points that might need to be checked out if you want to be 100% sure your website doesn't need any changes made. We can do this analysis in consultation with you, see details below.
  • If you have any form of paid advertising (e.g. Facebook Ads, Google AdWords) you'll need to be tracking results on your website (e.g. using Facebook Pixels, Google Tag Manager). The way this is being used makes a difference, but you'll almost certainly need to specifically declare it in your privacy notice, and you may need to provide a way for users to opt out. We can do this analysis in consultation with you, see details below.
  • Cookies! The requirement to notify users that a website uses cookies is changing with the new EU ePrivacy Regulation. It was meant to be ready at the same time as GDPR but is now due to come into force probably later this year. The good news is "no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors." But the potentially bad news is there will be even more changes to provide more control to website users and make online advertising less straightforward. If your website does more than simply provide information, you will need to analyse what you are currently doing which might be affected by this regulation. A tool which helps with this is Cookiebot, which is free for a single website with fewer than 100 pages. We can assist with this analysis in consultation with you, see details below.
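To show what the tracking and cookie points above look like in practice, here is an added example (written for this post, not Groweb's or Google's code) that loads Google Analytics only after a visitor has opted in, and with IP anonymisation switched on so the full IP address is never stored. It assumes the analytics.js `ga()` command queue; the consent cookie format and the tracking id are constructed placeholders.

```javascript
const ANALYTICS_ID = 'UA-00000000-0'; // placeholder, not a real property id

// Consent is stored in a first-party cookie, e.g. "consent=analytics,marketing"
// (constructed format). Returns the set of categories the visitor ticked; an
// absent cookie means no consent, never a default yes.
function parseConsentCookie(cookieHeader) {
  const allowed = new Set();
  for (const part of String(cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== 'consent') continue;
    for (const cat of decodeURIComponent(rest.join('=')).split(',')) {
      if (cat.trim()) allowed.add(cat.trim());
    }
  }
  return allowed;
}

// The analytics.js commands to queue. anonymizeIp makes Google drop the last
// octet of an IPv4 address (last 80 bits of IPv6) before it is stored, so the
// raw address, which GDPR treats as personal data, is never kept.
function analyticsCommands(trackingId, consent) {
  if (!consent.has('analytics')) return [];
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser entry point: no script is fetched and no _ga cookie is set until the
// consent cookie allows it. Guarded so the helpers above also run under Node.
function initTracking() {
  if (typeof document === 'undefined') return false;
  const commands = analyticsCommands(ANALYTICS_ID, parseConsentCookie(document.cookie));
  if (commands.length === 0) return false;
  // Standard command-queue stub: calls made before analytics.js loads are replayed later.
  window.ga = window.ga || function () { (window.ga.q = window.ga.q || []).push(arguments); };
  for (const cmd of commands) window.ga(...cmd);
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.google-analytics.com/analytics.js';
  document.head.appendChild(s);
  return true;
}
```

The same gate can sit in front of an advertising pixel by checking for a `marketing` category instead of `analytics`.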

Any other personal data

  • Finally, your website may store personal data in other places. If users can take an action such as leaving a comment, or logging in to a user account of any kind, then an email address, name or IP address is likely being stored. This will also need to be in your privacy notice and you'll need to think about how you're keeping that information secure, especially anything stored within your website's database. We can do this analysis in consultation with you, see details below.

"Aaargh! This is too much, maybe I'll just get rid of my website..."

That sounds radical, but it highlights a really important point. The good thing about all this new legislation is it forces all of us to decide if what we're doing with websites and digital marketing is really worth it. Is it working?

If not, stopping is probably a good thing. Not giving up your business or organisation, but just doing less and doing it well when it comes to your website and marketing.

That's the way the digital world is going, and as a fan of the 80/20 principle I think it's a good thing.

More headspace, less risk of things going wrong, and a clearer focus on the right goals are all benefits of just stopping things that aren't working well enough to justify keeping up with legislation requirements as they come along.

So if you'd like to get GDPR compliant by taking away features of your website to streamline it - I'm all for that and will gladly help.

You might also want to take the chance to step back and review what your website is for and what you want it to achieve. And indeed what your organisation as a whole is trying to achieve and how digital marketing fits into that. If you'd like to have a chat about how I can help, just reply and let me know.

What about my email list, social media, pay-per-click campaigns, and all of that?!

When it comes to digital marketing, it's just the same - anywhere you are collecting or processing data which could identify a living human being, you need to be GDPR compliant.

The key action to take is a careful audit of all of your digital marketing activities, looking out for names, email addresses, IP addresses, tracking codes etc. Then review for each activity whether you need to stop, get consent, add to your privacy notice, or make adjustments to your methods.

Digital marketing is too vast a topic to cover in any detail in this email, but here are some quick pointers on two of the most talked about topics.

Email lists/databases

  • Ensure your email list only contains email addresses from people who specifically asked you to contact them, or where you have another lawful basis for processing their data (use this tool to figure out which are valid for you).
  • If you need to get subscribers to renew consent, take the opportunity to remind them of the value you provide, and encourage them to sign up for it, rather than just click a button to confirm consent. Whatever you do though, make it easy and automated - people are inundated with these sorts of requests and won't respond unless it's very simple and quick.

Social media

  • Be wary of how your social media accounts are connected. If you're not really using one, be on the safe side and close it down.
  • Check for any third party apps which you sign into using a social media account - do they have access to personal data of your followers?
  • Check for any cases where personal information is being transferred, exported or downloaded from a social media platform.
  • In any case where personal data is processed, you will need to identify the lawful basis, check the contract you have with the third party involved, and add it to your privacy notice.

Ok, I know I need to take action. What's the next step?

You can tackle all of this yourself. But you may want help, and as there is a lot of time involved in making sure your individual website and existing marketing is updated and adapted to be GDPR compliant, I can't just do it for you.

I'd love to have a magic bullet to make this easy, but unfortunately it just does involve quite a bit of work.

In order to make things simple, I've put together a package to ensure that if you want help with this, you are covered to the best of my knowledge when it comes to your website and GDPR.

Here are the details.

For monthly website management clients:

Website only

£149+VAT one-off fee, which includes:

  • Removing or adapting contact forms.
  • Implementing privacy notice (either from TermsFeed or your own wording).
  • Checking Google Analytics implementation to ensure no personal data is gathered.
  • Analysing other forms of tracking codes (using Cookiebot and manually) and advising on the steps needed, including implementing Cookiebot if appropriate.
  • An audit of your website and connected digital marketing to list all other areas where personal data is processed, and recommend required actions.
  • BONUS: A free SSL certificate (making your website address https://...) implemented if not already present.
  • BONUS: A website audit covering the essentials such as page speed, mobile friendliness, meta tags, social media preview data, sitemaps, etc - all the things we routinely do when launching a new site, but which need to be re-checked on older sites as technology moves on. You'll also get a list of recommended actions to improve the website for better user experience and search engine rankings.
  • BONUS: A review of how effective your website is being within your marketing strategy, and advice on improving the results you get from it.

Website plus digital marketing GDPR audit

£249+VAT one-off fee, which includes:

  • Everything in the "Website only" list above.
  • An audit of all your digital marketing, to identify where personal data is gathered or processed, and what actions are needed.
  • Help with implementing these actions, in any marketing which is managed by Groweb.

For clients who are not on monthly website management, the fee is £299+VAT for website only, and £399+VAT for website plus digital marketing audit.

For charities and any cases where less is required, please contact me for a custom price.

Final thoughts

None of us asked for this new regulation (and with ePrivacy on the horizon, this will probably be the first of many). But now we're here, it's a great opportunity to "get our houses in order" and be prepared for whatever comes next.

As users in the general public become more aware, a clearly GDPR compliant website will look more trustworthy and professional than those which haven't kept up. This is a chance to shine.

If this email and the whole GDPR topic have been getting you down and making you a bit stressed, here's an encouraging quote from the Information Commissioner herself:

"Yes budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. But if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world."

- from iconewsblog

I find that very encouraging. I think small businesses in particular can take heart. Unless you are doing something really reckless (like leaving a laptop full of personal data on a train with no password...), you just need to be building appropriate systems and demonstrate that you are respecting personal data, and you'll likely be fine.

Finally, if anything in this email strikes you as incorrect or if you have any more information you think I should have included, please reply and let me know, and I'll add it to the version on the blog.

If you made it this far, congratulations on having the patience of a saint! I hope you've found this email to be a useful resource.

I'm looking forward to hearing from you soon. Hit reply or give me a call with any questions or feedback.

All the best,

Geoff

Author: Geoff Todd
Founder, Digital Marketing Consultant
Before founding Groweb, Geoff worked in IT for a number of years, though he originally studied Philosophy at Stirling University. Geoff lives in Stirling with his wife and two children, and helped start the new Cornerstone Community Church in Stirling in 2015.