Gone are the days when you were able to access and store user’s information from your websites with no effort and responsibility at all. And if you keep doing so, get ready to be washed away by the GDPR wave. The European Union (EU) enforced the General Data Protection Regulation (GDPR), protecting its people’s data. So, is your business/website ready to be compliant and stand this big wave of GDPR yet?

You better be, for non-compliance will fetch you a fine of a sum of 20 million euro or 4% of the annual global turnover- whichever is greater. Why would you suffer such a huge loss when you can be aware and responsible? This article will shed light on the necessary changes you should make on your website to make it GDPR-compliant.

What is GDPR?

The GDPR is a non-negotiable online data privacy legislation to protect the way any business organization or website collect, store, process, and distribute the EU individual’s personal data. In simple terms, it aims to provide the people with complete control over the data that they provide online and a level playing field for all companies that deal with their data. For more info on what the Regulation is all about, refer to the guide to GDPR.

Definition of Personal Data in GDPR

According to the GDPR, any data that identifies the individual directly or indirectly (information in combination with other information) can be termed as personal data. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. Read more about it here.

Requirements of a GDPR Compliant Website

The GDPR law applies to every organization from across the world who has access to the personal data of people living in the European Union. Thus, no matter if you are from a different geographic location or are collecting only basic information, you are under the radar too. That is, if you get any traffic from the EU on your website, the law will affect you.

There are some specific requirements you need to take care of to be compliant. Here is a list of the major components which you need to alter for making your website GDPR compliant.

Data Mapping

You might already be aware of how you collect data, and what you use them for. However, it would not harm if you do a review of your data collection. Analyze how and why the user data is used and where they are stored and for how long. Understanding these details will help you in drawing up a better compliance plan. A lot of times, GDPR compliance depends on these factors.

Privacy Policy

You must include all the details from your data review in the privacy policy of your website. It must be presented in a concise and simple language. If you did not have one, it is high time you do.

The contents of a privacy policy are of utmost importance. This is where users will get to know why and how you handle the data that they willingly submitted. Here is a checklist of things your privacy policy must include: Privacy Policy Checklist in GDPR. Or you can refer to CookieYes’ privacy policy page.

You could also include the details about cookies and what purpose they serve as a separate clause (or it can be a separate page named Cookie Policy).

Create detailed privacy policy page for your website with CookieYes Privacy Policy Generator quickly and free of cost!

Cookie Consent

Nowadays, all websites make use of cookies for various purposes. And cookies store a great deal of information on people who visit those websites. Thus, it is of major concern to ask permission from users for allowing cookies on the websites they visit.

Do an audit of what cookies your site uses and their categories. This will help in deciding whether you need to block them from loading unless you get consent from users. If you use any third-party services like Google Analytics, they place cookies to function. So, you need to be aware of such details. CookieServe is a free online tool that checks cookies on your website in minutes.

Before GDPR, most of the cookie consent forms were of implied nature. They used phrases like “by visiting our site you agree to our use of cookies” or take consent with “I agree” or “ok” buttons.

Here is an example of a non-compliant cookie banner:

These kinds of cookie consent forms are not enough anymore, especially if you use cookies that track users. A GDPR-compliant consent form should include in its banner easy options to either accept or reject consent or choose their preference.

Here is an example of GDPR-compliant cookie banner:

GDPR compliant cookie banner

Recommended reading: Requirements of a GDPR-compliant cookie banner.

Website Forms

If your website asks users to fill out forms for subscribing to newsletters or for some other purposes, you need to make sure it abides by the GDPR standards. Although GDPR doesn’t forbid including such forms on websites, they have given strict instructions on the structure of such forms. They are as given below.

  • Forms on your website must no longer include pre-ticked boxes as it is invalid (read why).
  • Users should be able to provide separate consent for different types of processing, e.g., an option to be contacted by post, email, or telephone as three separate tick boxes.
  • If you are asking for permission to pass details onto a third party – again, you need another tick box.
  • If you are collecting data through one website on behalf of several third parties, then you need to give an opt-in option for each party clearly.

Here is an example of a GDPR- complaint form:

GDPR Compliant website form
The New York Times signup form

Email Marketing/Notifications

You can only send newsletters if you have email addresses of your users. According to the GDPR, there are specific standards you must adhere to for email marketing/notification. For example, obtaining re-permission from existing customers (if the earlier method was not compliant), keeping proof of consent, reviewing old contacts, easily accessible links to unsubscribe, etc. Read this article for more info.

Online Payment

If you are running an eCommerce store, you will definitely have an online payment gateway active on your website for financial transactions. Thus, you need to be very careful and aware of the data your site collects from the users before passing it on to the respective payment gateway. If you are still storing these details after passing it on, then you must have some system settings for the automatic removal of these data after a reasonable period. Although GDPR doesn’t mention the number of days, it could be up to 60 days.

Website Plugins

Plugins are essential for the smooth functioning of the website and better customer experience. But many plugins used for social login, communications, etc. ask for personal details of the users. Therefore, you need to make sure before adding them to your website or when updating that they are GDPR compliant. Else you should take the necessary steps to make them so.

Easy Opt-in and Opt-out

You should make sure that your website provides easy options in plain language for users to opt-in and opt-out of the services or subscription offered by your site. That is, you need to ensure your website has proper and easily noticeable unsubscribe links.

Data Breach

According to the GDPR norms, you must inform your supervisory authority and, if necessary, users about any data breach that happens within 72 hours. The notification must include whatever information you have – the number of users affected and the type of personal data exposed, likely risks to the users, measures taken or to be taken to mitigate it, etc.

Conclusion

Although these are the requirements for making your website GDPR compliant, as the webmaster, you are the only person who is aware and responsible for even the narrow shortcomings that are capable of jeopardizing it. Hence, a thorough examination of each part of your website is necessary to avoid any complications in the future.

Disclaimer: The purpose of this article is to share general information with the readers. It should not be used as a substitute for legal advice. For any legal counsel related to compliance, please contact a lawyer or professional that specializes in this area.