For most businesses, websites are critical for lead generation and for capturing data about potential customers. That data is typically collected through a variety of form-based methods: newsletter subscription, content download, online payment, competition entry, booking an appointment, and so on.
Under the new GDPR rules, which come into force in May 2018, collecting this data is going to become more challenging. How do you maintain the usability of a website for users who, frankly, will know nothing about GDPR? They will be presented with a plethora of new consent policies and tick boxes that could easily make the site unusable. What will the impact on conversion rates be?
Every time you ask a user for any personal details you will have to do much more than before: ensure the user has given explicit consent for each piece of data and for HOW you are going to use it, and show sufficient evidence of how that data is going to be protected.
How many digital teams, agencies and ecomms businesses are ready for this massive change in how we work and have worked for years now?
1. Are your consent requests clear enough?
The Guardian has an interesting take on how it displays its data usage procedures; will this still be acceptable under GDPR?
2. No more pre-ticked boxes!
Do you rely on pre-ticked consent boxes, or on the ubiquitous “accept cookies” declaration on your website, i.e. the notion of implied consent from anyone who uses the site? Under GDPR this is no longer allowed: the regulation states that “silence, pre-ticked boxes or inactivity should not constitute consent”. This means users on your website MUST take a clear, unambiguous action that shows consent has been given, and you will need to be able to prove this if requested.
You need to consider how an initial site visit is going to be met by the user: what consent is needed, how you are going to present the consent request, and whether it will slow the user down in getting to the information they wanted.
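The two practical requirements in this section are that consent is an explicit action (never a pre-ticked default) and that you can later prove what was agreed. The following is an added example, not code from the original post: a small consent store that records, per purpose, whether the box was actually ticked, the exact wording shown, the policy version and a timestamp, plus a template check that flags any checkbox rendered already ticked. The purposes, field names, policy version and in-memory store are hypothetical stand-ins for a real form and database.

```python
"""Explicit consent capture with an auditable record (added example; not code
from the original post). The field names, purposes, policy version and the
in-memory store are hypothetical stand-ins for a real form and database."""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The exact wording shown beside each checkbox, kept so the record can later
# show what the person actually agreed to.
CONSENT_TEXT: Dict[str, str] = {
    "newsletter": "Send me the monthly newsletter by email.",
    "marketing_sms": "Send me offers by SMS.",
}
POLICY_VERSION = "privacy-policy-2018-05"  # hypothetical identifier


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    granted: bool
    shown_text: str
    policy_version: str
    recorded_at: str  # ISO-8601 UTC timestamp


class ConsentStore:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_from_form(self, subject_id: str, posted: Dict[str, str],
                         now: Optional[datetime] = None) -> List[ConsentRecord]:
        """Turn a posted form into one record per purpose.

        Browsers omit unticked checkboxes from the submission, so a missing
        field means "not ticked" and is recorded as a refusal. Consent is
        granted only when the field arrived with the value a ticked box sends;
        nothing here assumes a default.
        """
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        made = []
        for purpose, text in CONSENT_TEXT.items():
            granted = posted.get(f"consent_{purpose}") == "on"
            rec = ConsentRecord(subject_id, purpose, granted, text, POLICY_VERSION, stamp)
            self._records.append(rec)
            made.append(rec)
        return made

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> ConsentRecord:
        """Withdrawal is itself a dated record; earlier records stay as history."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(subject_id, purpose, False, "withdrawn via preferences page",
                            POLICY_VERSION, stamp)
        self._records.append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent record decides; no record at all means no consent."""
        for rec in reversed(self._records):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec.granted
        return False

    def evidence(self, subject_id: str) -> List[dict]:
        """Everything needed to show what this person agreed to, in what words, and when."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


# Template check: report any checkbox that is rendered already ticked.
_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
_NAME_ATTR = re.compile(r"""\bname\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_preticked_boxes(html: str) -> List[str]:
    offenders = []
    for tag in _INPUT_TAG.findall(html):
        is_checkbox = re.search(r"""\btype\s*=\s*["']?checkbox\b""", tag, re.IGNORECASE)
        if is_checkbox and re.search(r"\bchecked\b", tag, re.IGNORECASE):
            m = _NAME_ATTR.search(tag)
            offenders.append(m.group(1) if m else "<unnamed>")
    return offenders


# Constructed sample form: one box is wrongly pre-ticked.
SAMPLE_FORM_HTML = """
<form method="post">
  <input type="email" name="email">
  <input type="checkbox" name="consent_newsletter"> Send me the monthly newsletter by email.
  <input type="checkbox" name="consent_marketing_sms" checked> Send me offers by SMS.
</form>
"""

if __name__ == "__main__":
    store = ConsentStore()
    store.record_from_form("user-42", {"email": "a@example.com", "consent_newsletter": "on"})
    print(store.has_consent("user-42", "newsletter"), store.has_consent("user-42", "marketing_sms"))
    print(find_preticked_boxes(SAMPLE_FORM_HTML))
```

Run the template check against every form in your build or test suite so a pre-ticked box fails the build rather than reaching users; keep `evidence()` output alongside the rest of a person's data so a proof-of-consent request can be answered from the same record.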
3. Data access for users – empowerment?
A key change under the new GDPR rules is that users have the right to make a Subject Access Request: they can ask to see all the data you hold about them and what you do with it. There are strict time limits within which you must comply with these requests.
To reduce the day-to-day impact on the business there is the option of providing users with “self-service dashboards”. These will need to be carefully thought through to ensure they cover the correct legal areas of GDPR and allow users to “easily” administer their preferences and data; users must also be able to have their data completely removed, i.e. deleted, not archived.
4. Do you know how your website is processing the user data?
Storing unnecessary data about a user without consent will be classed as non-compliant. All data collected must have consent both for its collection and for the purpose of collection. It is a good time to review how your databases store user data and what steps you now need to take to become GDPR compliant. For example, keeping a user's mobile number after it has been used for a one-time password unlock will be non-compliant unless the user has agreed for you to store it.
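The mobile-number case above is a purpose-limitation problem: the number is needed to deliver the one-time code and for nothing else unless the user agreed otherwise. As an added example (not code from the original post), this service keeps the number only in a short-lived pending table, discards it once the code is verified, and copies it to the long-term profile only when a consent lookup says the user opted in to a further purpose. The consent lookup, SMS sender, purpose name and in-memory stores are hypothetical stand-ins.

```python
"""One-time-password (OTP) verification that keeps the mobile number only for as
long as the stated purpose needs it (added example; not code from the original
post). The consent lookup, SMS sender and stores are hypothetical stand-ins."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 300
OTP_DIGITS = 6


@dataclass
class PendingOtp:
    phone: str
    code: str
    expires_at: float


class OtpService:
    def __init__(self, consent_lookup: Callable[[str, str], bool],
                 send_sms: Callable[[str, str], None]) -> None:
        # Short-lived challenges, keyed by an unguessable challenge id.
        self._pending: Dict[str, PendingOtp] = {}
        # Long-term profile data: the only place a number may persist.
        self._profiles: Dict[str, Dict[str, str]] = {}
        self._has_consent = consent_lookup
        self._send_sms = send_sms

    def start(self, user_id: str, phone: str, now: Optional[float] = None) -> str:
        """Issue a code and send it; the number lives in the pending table only."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge = secrets.token_urlsafe(16)
        self._pending[challenge] = PendingOtp(phone, code, (now or time.time()) + OTP_TTL_SECONDS)
        self._send_sms(phone, code)
        return challenge

    def verify(self, challenge: str, code: str, user_id: str,
               now: Optional[float] = None) -> bool:
        """Single-use check: the challenge is discarded whatever the outcome,
        so a wrong guess cannot be retried against the same code."""
        pending = self._pending.pop(challenge, None)
        if pending is None or (now or time.time()) > pending.expires_at:
            return False
        if not hmac.compare_digest(pending.code.encode(), code.encode()):
            return False
        # Verified. The number has done its job; it is kept only if the user
        # agreed to a further purpose (here a hypothetical "marketing_sms").
        if self._has_consent(user_id, "marketing_sms"):
            self._profiles.setdefault(user_id, {})["phone"] = pending.phone
        return True

    def stored_phone(self, user_id: str) -> Optional[str]:
        return self._profiles.get(user_id, {}).get("phone")

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping so unverified numbers do not linger past the TTL."""
        t = now or time.time()
        stale = [k for k, p in self._pending.items() if t > p.expires_at]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    outbox = []  # constructed stand-in for an SMS gateway
    svc = OtpService(consent_lookup=lambda uid, purpose: False,
                     send_sms=lambda phone, code: outbox.append((phone, code)))
    ch = svc.start("user-42", "+447700900123")
    print(svc.verify(ch, outbox[-1][1], "user-42"), svc.stored_phone("user-42"))
```

The same shape applies to any field collected for a single step (a postcode for a delivery quote, an email for a download link): hold it in the scope of that step, and promote it to long-term storage only behind a consent check for the additional purpose.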
Whilst GDPR sounds and looks like a logistical nightmare, if it is approached correctly and in a structured way it will benefit your organisation by giving users a level of trust in your business: you are being very clear about what data you are collecting, why, and how you are storing it. Are your competitors going to be that transparent?
The key to all these points, and to becoming GDPR compliant, is to keep a very firm eye on usability. If users find your website too onerous to enter and interact with, they are only going to go to one place: your competitors!