GDPR Process for UXi Sites

The overall process for updating your business practices and website to become GDPR-compliant looks like this:

1. Sign the Data Processing Agreement via RightSignature. 

We'll send you a document via RightSignature, a secure document signing platform. Signing this form states that you understand your responsibilities as a GDPR-compliant business or organization. Once it's been signed and returned, we can disable the redirect. At this point, traffic from within the EU will be allowed on your site.



2. Research your GDPR responsibilities, updating practices where needed in regards to data storage, data removal, 'right to be forgotten' requests, etc.

Businesses that want to be fully compliant are subject to a different set of guidelines on how user data can be stored, what kind of consent is needed to collect new leads, and what kind of consent is needed to contact users already in their contact lists, to name a few.

For example, how, why, and for how long their data is stored? This includes form entries, CRM accounts, etc. For example, if you're using a form to collect leads and a CRM to manage active clients, you may need to adopt new practices of removing form entries from the site on a regular basis to remove user info for dead leads, etc. 

Here are a few links that provide some good info about GDPR-compliance.

  1. Sanity.io A Rough Guide to Running a GDPR Compliant SaaS Business
  2. StartUp Resources' Quick & Dirty Guide to Getting Compliant for Startups and Small Businesses
  3. Varonis' GDPR Requirements in Plain English




3. Provide us with an updated privacy / cookie policy to inform users about how, why, and for how long their data is stored.

The policies listed on the site should outline the practices described above. This informs users about how, why, and for how long their data is stored, as well as how they con request to have it deleted.

Here are a few links that can help you with GDPR-compliant policies.

Once a new policy has been created, send it our way and we'll add it to the site's Privacy Policy page.



4. Add consent fields to all forms where user data is processed, with a link to the newly updated privacy policy page

One of the most significant changes associated with the new law is that it is now mandatory to get consumer consent on your forms.

Consent must be obtained before asking for an email, a name, or any other personal information. This rule also applies to collect any tracking information such as location or cookies.

Here are a few things to remember:

  • Each form field should only exist if it is clearly necessary. If this is not the case, explain the necessity or remove unnecessary fields. Take a minimalist approach and collect only what is absolutely necessary.
  • The user must be able to find out what happens to his or her data before submitting the form, including why, where and for how long the data is stored.
  • Do not use any pre-selected checkboxes (especially for newsletter subscriptions, as explicit consent is required).
  • Forms containing personal information may only be transmitted with an SSL encrypted form.
  • The information collected by means of a form may only be used for the purpose agreed to by the user when filling in the form.
    For example
    - You may not automatically use the e-mail address for e-mail marketing if it was included in an order form.
    - If the user's info will be used for further marketing, etc, an opt-in option must be included.
  • Alternatively, you can also completely remove the form and replace it with an e-mail link and/or a telephone number.


We'll add a link to the policy mentioned above. This allows users to see what data is collected, and why.

Add a privacy policy confirmation field any time personal data is collected so consent can be tracked.

Add an additional opt-in option any time additional data processing happens, like sending a form entry to a CRM.



5. Add new code to the site to display a consent notice banner when the user lands on the site.

When users land on the site, they'll see a notice message stating that cookies are used, and how. 

At this point, some businesses are still simply showing users a notice and allow them to accept, or suggest leaving the site and/or clearing browser data to avoid cookie-based tracking.

The other, more fully-compliant option is to pause all data tracking until the user opts-in, and allow them to opt-out at any time. This makes all tracking / marketing like Tag Manager work on an opt-in basis.

Again, these decisions are up to the client. They should base their decision on how much of a presence in the EU they plan to have, how much tracking they plan to do using cookies, and how much user data they collect and store.

One of the most helpful resources for generating notice / consent banners we've found is CookieBot.

 

CookieBot

  • Can be configured for full GDPR compliance.
  • Requires account set-up.
  • Can display in EU countries only.
  • Scans the website for cookies, automatically assigns them to different cookie categories in the preference center.
  • Fully customizable cookie notification banner.
  • A Preference Center and the ability to opt-out/in to separate categories of cookies.
  • Pushes consent data and events to the Data Layer. Also requires additional set-up in Google Tag Manager.
View Site


With log-in credentials to the CookieBot account, we can configure the pop-up notice to work with any tracking currently used on the site. 


Here are some other helpful links

Facebook: What is the General Data Protection Regulation (GDPR)?

European Commission: 2018 Reform of EU Data Protection Rules

European Commission: What information must be given to individuals whose data is collected?