What you need to do to make sure your website is GDPR compliant

Lately, you've probably noticed that you're getting a lot of emails about updated privacy policies. That's because the EU passed a law called the General Data Protection Regulation (GDPR), which goes into effect on May 25th.

Your website is affected by this new law if it:

  • offers products or services to citizens of the EU
  • collects personal information from citizens of the EU

Even if you don't have EU connections, we still recommend a Privacy Statement (all good websites should have one—see #1 below). If the answer is yes and you are dealing with the EU, then you need to make sure you're GDPR compliant. So what do you need to do?

1. A clear and accessible privacy policy

Your privacy policy should use everyday language to describe what you plan to do with the data you collect. You need to tell your customers how they can access the personal information you've collected from them and how they can ask for that data to be erased. Check out our privacy policy for an example.

2. Active consent

When you collect personal information in an online form, you need to get consent for each of the ways that you plan to use that information. Consent can't be required as a condition of using your service, and it must be active: silence, inactivity, and pre-checked boxes don't count. Consent also has to be granular, so you can't bundle everything into a single, vague statement.

Guidelines for Consent (pdf)

3. Conscientious data management

You need to periodically and automatically delete any records of personal data that your business doesn't use. To be prepared for an audit, your company should appoint a Data Protection Officer who understands the GDPR guidelines. You'll also need lists of all the kinds of personal information you collect, who you share that information with, and what you do with it.
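The consent and data-management points in #2 and #3, as an added Python example (not code from the original post): it treats an unticked checkbox as no consent, keeps one opt-in per purpose, records when consent was given, and purges records the business hasn't used. The purpose names, form field names and 365-day retention window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One opt-in per processing purpose (granular consent). These purpose names are
# hypothetical; none is pre-ticked and none is a condition of using the site.
PURPOSES = ("newsletter", "analytics", "third_party_sharing")


def utc_now_iso():
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    granted: dict          # purpose -> True only when the user actively ticked it
    recorded_at: str       # ISO 8601 timestamp of when consent was given
    last_used_at: str      # ISO 8601 timestamp of the last business use


def consent_form_fields():
    """Checkboxes to render: every purpose starts unchecked and is optional."""
    return [{"name": f"consent_{p}", "checked": False, "required": False}
            for p in PURPOSES]


def consent_from_form(email, form, now=None):
    """Build a consent record from posted form fields (a dict of field -> value).

    Browsers omit unticked checkboxes from the submission, so an absent key
    means no consent; only an explicit "on" counts as active consent.
    """
    now = now or utc_now_iso()
    granted = {p: form.get(f"consent_{p}") == "on" for p in PURPOSES}
    return ConsentRecord(email=email, granted=granted,
                         recorded_at=now, last_used_at=now)


def may_process(record, purpose):
    """Check consent before each use; an unknown purpose is never consented."""
    return record.granted.get(purpose, False)


def purge_stale(records, max_idle_days=365, now=None):
    """Periodic cleanup: keep only records used within the retention window.

    Returns (kept, deleted) so each deletion can be logged for an audit.
    """
    cutoff = datetime.fromisoformat(now or utc_now_iso()) - timedelta(days=max_idle_days)
    kept = [r for r in records if datetime.fromisoformat(r.last_used_at) >= cutoff]
    deleted = [r for r in records if datetime.fromisoformat(r.last_used_at) < cutoff]
    return kept, deleted
```

Run `purge_stale` from a scheduled job rather than by hand, and log the `deleted` list so you can show an auditor what was removed and when.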

Take a look at this helpful checklist for more details: gdprchecklist.io

If you have questions or need help making sure that you're GDPR compliant, we'd be happy to help!

Further Reading: GDPR: What you need to know