GDPR’s arrival stirred quite a storm in the digital world. With its wide-reaching scope, exhaustive details about privacy and data protection guidelines and practices, and consequences of non-compliance, the GDPR has become an important part of privacy regulations in the world. In this post, we will discuss how you can ensure your website is GDPR compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection and privacy regulation proposed by the European Union (EU) in April 2016 for protecting EU residents’ data and privacy. It came into effect on 25 May 2018.
The Regulation applies to any entity, regardless of its location, if it has users in the EU. That is, if your website has users (customers and visitors) in the EU, it is subject to the GDPR. You must follow the standards to avoid legal trouble, such as hefty fines and strict actions against you.
To know more about it, please read the ultimate guide to GDPR.
Steps to ensure your website is GDPR compliant
Let us look into some steps you can take to ensure that your website is GDPR compliant.
Before scanning your website for compliance, it would be best to understand the GDPR. It is so much more than just a means to protect people’s personal data. It aims to safeguard their rights and freedom.
To ensure that your website is compliant and your users can trust in you, you must have general GDPR awareness. Get to understand what GDPR is all about, the principles, the guidelines, and even the punishments for violations.
Understanding the GDPR will help you to prepare better for it.
Mapping data flow: collection, handling, and storage
Just like understanding the GDPR, it is crucial to understand how your website handles user data. You must audit the website’s data flow, such as
- What type of personal data does it collect?
Per GDPR, personal data refers to any data that can be used to identify a living person, with or without the help of additional information.
Here is an infographic that lists some of the user information that constitutes personal data:
You have to give special attention to ‘sensitive personal data’ because they are vulnerable. Read more about personal data here.
- Why does it collect personal data?
You must have a clear idea of the purpose of all these data collections. There are many ways a website can store personal data. You must be aware of all of them and the reason behind it.
- How does it collect and use personal data?
It is a misconception that if your website does not directly collect personal data, it is not subject to the GDPR. However, you may be using third-party services like Google Analytics or Facebook pixels that collect user data for analytics purposes. It makes your website subject to the GDPR compliance.
- Where does it store personal data, and for how long?
You have to be well aware of where the website stores the personal data, how long it stores the data, and who has access to them.
- Does it (safely) transfer personal data, and if so, where?
In some cases, websites transfer the collected data to other services for various purposes. It is your responsibility to ensure safe transfer with user consent.
- How does it keep personal data safe?
Even when you have third-party services collecting and processing the personal data through your site, you are responsible for keeping the data safe.
You must ensure that you have enough safety measures to protect your website and its functioning.
Reviewing website forms
Forms on your website also have to be reviewed for GDPR compliance. Forms collect personal data and use them for many things: contact users, payments, surveys, post comments, and subscriptions. You must make sure that the forms have checkboxes to ask for user consent before using their personal data. It is crucial to note that they are not pre-ticked checkboxes as they are longer valid under GDPR.
It would also be best if you use encryption to protect the data users enter in the form field.
Assessing cookies and other tracking technologies
There are manual methods to find out the cookies on your website. However using CookieServe cookie checker, you can scan your website for cookies free of cost. It also gives you detailed information of all the cookies.
Different types of cookies serve different purposes. Cookies are classified as necessary and non-necessary.
Necessary cookies are necessary for a website’s smooth functioning without which it is not easy to run your site. They usually do not collect personal data. Such cookies are exempted from GDPR compliance unless their use violates any of the GDPR principles.
Non-necessary cookies are most often used for analytics, advertisements, or third-party services. They are subject to GDPR compliance since they collect and use personal data. Some non-necessary cookies do not require the processing of personal data. Such cookies can be exempted from the GDPR. But, there is a catch. ePrivacy Directive (ePD) (also known as the EU Cookie Law) in its special clause for cookies stresses websites to ask user consent for using non-necessary cookies.
Hence, GDPR, along with the ePD, makes it mandatory for you to get prior and explicit consent from EU users before loading cookies on their devices.
The GDPR and ePD compliant cookie banners on a website should have the following features:
- A lucid and concise statement about using cookies and requesting consent.
- Opt-in and opt-out options for cookies.
- Option to change cookie preferences.
- Easily accessible for changing consent at any time.
- The purpose of using cookies.
CookieYes is a cloud-based cookie consent solution for websites to comply with the GDPR (and ePD). It supports major content management systems such as WordPress, Magento, SquareSpace, Wix, and Shopify. It logs all the cookie consents and automatically blocks third-party cookie scripts before receiving user consent. All it takes is three simple steps to install the banner on your website!
Cookies may be the most popular tracking technology on the Internet, but it is not the only one. There are techniques like pixel tags and browser fingerprinting that can track user profiles. If you use any of them, the users have the right to know about it before giving their consent.
Revamping email marketing
Mass emailing is no longer possible without proper supervision and permissions. The GDPR requirements for consent also apply to email marketing.
You must ask for the users’ consent before sending mass emails. Even in the case of existing users, you must ask for re-permission to send emails under the GDPR. You should remove anyone who does not revert to your request from the contacts list.
When it comes to subscribing to newsletters, the best option is to enable a double opt-in for users. Another point to note is that users must have an easy option to unsubscribe or revoke their consent. It is usually implemented by adding an unsubscription link in all your emails.
Enabling easy opt-outs
We have already covered this previously. If a website has an easy and straightforward opt-in option for users, the same should be true for the opt-out. Users have the right to withdraw their consent at any time. It is your responsibility to make provisions for it. You should not make it complicated for your users to revoke their consent or opt-out of a service. And as GDPR states, “It shall be as easy to withdraw as to give consent.”
Updating and reviewing the website policies
You must periodically review and update the website policies since laws change or your processing methods and terms and conditions may change. All the changes must be reflected on the website policies.
Being aware of user rights
User rights are probably the cornerstone of the GDPR standards. Your website should take appropriate measures to provide any information on the rights upon users’ request.
The rights give users more control over their data shared online and a sense of security.
Securing the website and the data on it
As a rule of thumb, always be prepared for risks. You cannot run a website without proper security measures. There are many things that could go wrong. The key is in how much you are prepared to tackle them all.
By conducting a risk assessment, you will be able to identify the risk factors and vulnerability in your website. You can then implement appropriate security measures.
You must be familiar with data breaches that have plagued many websites around the world. If you look around the details, you will realize how many of these could have been avoided if they had better security measures.
You must have a proper plan in place to deal with potential data breaches. Secure your website, however way you can. Some of the methods you can implement are SSL certificates, ReCaptcha techniques, data backup, and encryption.
Also, there should be an appropriate system to report if a breach occurs. Hiding the breach or parts of it and failure to report it on time are punishable offenses under the GDPR. As the data protection board says, “Tell it all, tell it fast, tell the truth.”
There are many free (and paid) tools available online to check if your website is GDPR compliant. They can help you to identify the areas you need to modify.
There are other applications and plugins that we have already mentioned previously. All of them assure that your website does not miss out on any GDPR requirements.
In case your website requires to handle a lot of personal data (especially sensitive) and high-risk processing activities, it would be better to seek legal or GDPR expertise’s assistance.
That is a wrap for our GDPR compliance checklist for a website.
Making your website fully GDPR compliant is not going to be a walk in the park. It will take a lot of effort and patience (and some external assistance) to achieve it.
We do not guarantee that all of the things discussed in the post will assure 100% compliance, but it will be a good starting point.
Disclaimer: This article is for information purposes only. It does not intend to be a substitute for legal advice. If you require any legal assistance, you should seek the services of an attorney.