Protecting data: How to be GDPR compliant

By Hannah Moss


There's been much debate since GDPR came into force almost 5 years ago and best practices continue to emerge. Discover the latest guidance and how to be GDPR compliant with your website and business.  

Disclaimer: The information in this article does not constitute legal advice in any form. These are our recommendations based on our understanding of GDPR principles. You should seek legal advice for accurate compliance in respect of your own business.

A lot has happened in 5 years

Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, there’s been a great deal of debate, plenty of hefty fines issued and standard best practices gradually emerging. So, where do businesses stand on GDPR almost 5 years on and, more importantly, how do you know if your website is still compliant? By the end of this post you’ll have the tools you need to be GDPR compliant.

What is GDPR?

As we explained in our original post GDPR and email marketing: What you need to know, GDPR was a new law that aimed to standardise privacy rules across the EU, giving individuals more control over how their data is used. It was the biggest change to privacy law in 20 years and continues to be a source of confusion for many businesses.

Does GDPR affect you?

GDPR affects every company that processes personal data from EU citizens. This can range from very basic information, such as a name and email address in an email signup form, to more detailed personal profile and payment information, such as for booking or membership purposes.

Basically, if you collect ANY personal data via your website (e.g. from an email signup form, contact form, booking form, etc.) – and some of this data is likely to come from EU citizens – you’ll need to comply with GDPR, no matter where you’re based. Since most businesses are looking to attract a wider audience, particularly post-pandemic, and you can’t control where in the world your website users come from, you should assume that GDPR applies to your website and business.

The consequences of non-compliance

The consequences of not complying with GDPR can be pretty serious. Obviously, by not protecting data, you could be compromising your website users’ privacy by exposing their data to third parties and data gatherers. But you could face a large fine too.

You might have heard about huge conglomerates being fined astronomical amounts, e.g. Google were fined €50 million in France, H&M were fined €35.2 million in Germany and British Airways were fined €22 million in the UK. However, as Cookiebot warns:

“These largest GDPR fines might end up giving smaller businesses and websites a false sense of security, thinking that the data protection authorities are only looking to catch the biggest fish in the data ocean. In fact, GDPR fines are levied across the EU on an almost daily basis, and the majority of GDPR fines are not large sums against large companies, but sums between €4,000 and €50,000 against smaller businesses, city municipals, web shops and more.”

We don’t want to fearmonger, but it’s clear that enforcement is becoming a reality, even for smaller companies.

Protecting data: what’s changed?

So, what exactly has changed in the regulations and why are we even writing this post? Well, the regulations themselves haven’t changed, but interpretations and best practices certainly have.

In particular, there’s been a big debate about implied vs. explicit consent on websites. Implied consent is where you assume the user has given consent, e.g. by scrolling, closing a banner or continuing to use the site. Explicit consent – when it comes to website cookies – means not storing any data until the user has specifically given their consent to do so.

When the regulations first came out, and everyone started adding cookie banners to their websites, a simple notice informing users that data would be collected was thought to be sufficient. Most of these banners and notices either had an ‘Accept’ button, or a close icon, or stated that by continuing to use the site you agreed to the use of cookies. However, this all counts as implied consent, which is no longer considered acceptable under GDPR.

As you’ve probably noticed more recently, most websites you visit these days feature more complicated cookie notices which allow you to accept, reject or customise your consent choices, as well as revoke consent at any time. These options are all considered explicit consent and are now best practice under GDPR.

What constitutes valid consent?

So, what exactly does constitute valid consent when it comes to website cookies and processing personal data?

In May 2020, the European Data Protection Board (EDPB), which is the highest supervisory body responsible for enforcing GDPR across the EU, adopted guidelines to clarify exactly this. Their guidelines state that scrolling or continued browsing on a website (implied consent) is not valid consent, and that cookie banners are not allowed to have pre-ticked checkboxes. Cookie walls (forced consent) have also been ruled a non-compliant way of obtaining user consent for processing of personal data.

Cookiebot provides this useful checklist of what constitutes valid consent according to the GDPR:

  • Prior to processing: The consent must be given before the initial data processing takes place. In the case of cookies, this means that they have to already be paused when a user lands on your website and stay that way until proper consent has been obtained.
  • Transparent and legible: Users must give their consent in response to accurate and specific information about how, why and where the data processing is taking place. This information must be intelligible and accessible using plain language.
  • Freely given: Users must give their consent freely. True consent can never be a condition for the use of a service or the fulfilment of a contract (for which the processed data is not necessary for the performance of that specific service or contract).
  • Documented: Every given consent shall be kept and securely stored as proof that the consent was received in the case of a control.
  • Reversible: Users must be able to withdraw their consent at any time and as easily as it was given.
  • Renewed: Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
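To show what the checklist above means in code, here is an added example of a minimal consent-state module (not code from the original post, nor from CookieYes or Cookiebot). The cookie categories, the one-year renewal period and the `store` interface are assumed for illustration; in a real site the loaders would be your analytics or marketing tags and the store would be persisted.

```javascript
// Consent categories and renewal period are assumed illustrative values.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const RENEW_AFTER_MS = 365 * 24 * 60 * 60 * 1000; // "Renewed": re-ask after a year
const CURRENT_POLICY_VERSION = '2023-01'; // bump when the cookie policy changes

// "Prior to processing": with no valid record only strictly necessary cookies
// run, and no optional category is pre-ticked.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// "Documented": persist the explicit choice with a timestamp and the policy
// version the user saw, so the record proves what was agreed and when.
// `store` is any Map-like object (localStorage wrapper, server-side log, ...).
function recordConsent(store, choices, now = Date.now()) {
  const record = {
    ...defaultConsent(),
    ...choices,
    necessary: true, // cannot be opted out of, so always true
    policyVersion: CURRENT_POLICY_VERSION,
    givenAt: now,
  };
  store.set('consent', record);
  return record;
}

// "Reversible": withdrawing is one call and is itself documented.
function withdrawConsent(store, now = Date.now()) {
  return recordConsent(store, { analytics: false, marketing: false }, now);
}

// Resolve what may run right now. A missing, expired, or outdated record
// falls back to the defaults and flags that the banner must be shown again.
function effectiveConsent(store, now = Date.now()) {
  const record = store.get('consent');
  const stale = !record
    || now - record.givenAt > RENEW_AFTER_MS
    || record.policyVersion !== CURRENT_POLICY_VERSION;
  return stale ? { ...defaultConsent(), needsPrompt: true }
               : { ...record, needsPrompt: false };
}

// Gate a tag/script loader on its category; returns whether it was run.
function loadIfAllowed(store, category, loader, now = Date.now()) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (!effectiveConsent(store, now)[category]) return false;
  loader();
  return true;
}
```

The point to take away is that every non-essential loader goes through `loadIfAllowed`, so nothing optional can fire before, or after, the user's recorded choice allows it.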

How to be GDPR compliant

So, what does all this mean for your own website and how can you make sure you’re fully compliant?

As you’d expect, there are now hundreds of software and consulting companies offering cookie plugins, compliance testing and consent management platforms to help you achieve compliance. But, the chances are, if you run a small business using simple signup, contact, booking and membership forms on your website, you probably don’t need lots of expensive or complicated software to ensure you’re compliant with GDPR.

At a very basic level, these are the key processes you should have in place:

  • Never add anyone to your email list without their explicit consent. The best way of doing this is to always send people to an online form to sign up themselves, rather than you adding them manually.
  • Your website should have a clearly accessible privacy policy, which outlines how you handle your visitors’ personal data.
  • Your website should have a clearly accessible cookies policy, which outlines what kind of cookies your website collects and for what purpose.
  • It’s best practice to include a required checkbox (which isn’t pre-ticked) on every form, so your visitors can confirm they’ve read and agree to the privacy policy.
  • Your website should feature a cookie notice or banner that complies with the explicit consent guidelines outlined above – see below for more on this.

Adding a GDPR-compliant cookie notice to your WordPress website

We’ve done quite a bit of research into the various cookie plugins available for WordPress websites and our preferred free plugin is CookieYes. This has cookie auto-blocking built in (until explicit consent is provided) and stores all the consent logs. Their cookie notice includes Accept, Reject and Customise options and if you click Customise you can actually click into the cookie categories to see the exact cookies currently running on the site.

Whichever option you choose, a small cookie icon will remain on the bottom left of the screen, so you can re-access the options and revoke consent at any time. The plugin also has its own privacy and cookie policy generator, based on a series of questions about your website.

The plugin is free as long as you have fewer than 100 pages on your site and fewer than 25,000 page views per month (not unique visits), otherwise there are various pricing plans available. We found the plugin fairly easy to set up and customise, although it can be a bit fiddly in places and you do need to set up an account. You also need to remember to scan your website so the plugin can list the specific cookies running on the site within the cookie notice itself.

Here’s an example of what the cookie notice looks like on our own website:

Screenshot 1: Cookie notice when you first land on the site

Screenshot 2: Options available after clicking Customise

Screenshot 3: Example of specific cookie information listed in the notice

Screenshot 4: Icon that remains after confirming your choices

Conclusion

We hope this post has given you clear and simple guidance for ensuring your website and business continue to be compliant with GDPR, amidst changing best practices. If you have a WordPress website and need some help installing and configuring a compliant cookie plugin, as well as other GDPR best practices, get in touch.
