Gone are the days when you could access and store users' information from your website with no effort or responsibility at all. If you keep doing so, get ready to be washed away by the GDPR wave. The European Union (EU) now enforces the General Data Protection Regulation (GDPR) to protect its people's data. So, is your business or website ready to be compliant and withstand this big GDPR wave yet?
You had better be, because non-compliance can fetch you a fine of 20 million euros or 4% of annual global turnover, whichever is greater. Why suffer such a huge loss when you can be aware and responsible? This article sheds light on the changes you need to make to your website to make it GDPR-compliant.
What is GDPR?
The GDPR is a non-negotiable online data privacy regulation that governs the way any business organization or website collects, stores, processes, and distributes the personal data of EU individuals. In simple terms, it aims to give people complete control over the data they provide online, and a level playing field for all companies that deal with that data. For more information on what the Regulation is all about, refer to the guide to GDPR.
Definition of Personal Data in GDPR
According to the GDPR, any data that identifies an individual directly or indirectly (on its own or in combination with other information) counts as personal data. The identifier could be as simple as a name or a number, or it could be something like an IP address, a cookie identifier, or other factors. Read more about it here.
Requirements of a GDPR Compliant Website
The GDPR applies to every organization anywhere in the world that has access to the personal data of people living in the European Union. So even if you are based in a different geographic location or collect only basic information, you are on its radar too. In other words, if your website gets any traffic from the EU, the law affects you.
There are some specific requirements you need to take care of to be compliant. Here is a list of the major components you need to alter to make your website GDPR compliant.
You might already be aware of what data you collect and what you use it for. Still, it would not hurt to review your data collection: analyze how and why user data is used, where it is stored, and for how long. Understanding these details will help you draw up a better compliance plan, since GDPR compliance often depends on exactly these factors.
Do an audit of the cookies your site uses and their categories. This will help you decide whether you need to block them from loading until you get consent from users. Third-party services like Google Analytics place cookies in order to function, so you need to be aware of such details. CookieServe is a free online tool that checks the cookies on your website in minutes.
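As an added example (not code from the article or from the CookieServe tool it mentions), here is a small Python cookie audit over Set-Cookie headers captured from every response during a page load; the hostnames and headers are constructed, and the needs_review flag is my own heuristic that treats any third-party or persistent cookie as one that needs a consent decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

@dataclass
class CookieReport:
    name: str
    domain: str
    third_party: bool
    persistent: bool
    lifetime_days: Optional[float]
    needs_review: bool  # heuristic: third-party or persistent cookies need a consent decision

def audit_cookie(site_host: str, response_host: str, header: str, now: datetime) -> CookieReport:
    """Parse one Set-Cookie header sent by `response_host` while loading `site_host`."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie belongs to the host that sent it
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    first_party = site_host == domain or site_host.endswith("." + domain)
    lifetime = None
    if "max-age" in attrs:                       # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    persistent = lifetime is not None and lifetime > timedelta(0)
    return CookieReport(
        name=name, domain=domain, third_party=not first_party, persistent=persistent,
        lifetime_days=round(lifetime / timedelta(days=1), 1) if persistent else None,
        needs_review=not first_party or persistent,
    )

def audit_site(site_host, captured, now):
    """captured: (response_host, Set-Cookie header) pairs from every response in the load."""
    return [audit_cookie(site_host, host, hdr, now) for host, hdr in captured]

# Constructed sample: headers seen while loading shop.example.com (hostnames are made up)
CAPTURED = [
    ("shop.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "_ga=GA1.2.111; Domain=.example.com; Max-Age=63072000; Path=/"),
    ("ads.tracker-example.net", "IDE=xyz; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; SameSite=None"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Run `audit_site("shop.example.com", CAPTURED, NOW)` to get one report per cookie; anything with needs_review set should be mapped to a category and gated behind the consent banner unless you can show it is strictly necessary.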
Here is an example of a non-compliant cookie banner:
Here is an example of a GDPR-compliant cookie banner:
Recommended reading: Requirements of a GDPR-compliant cookie banner.
If your website asks users to fill out forms, whether for subscribing to newsletters or for other purposes, you need to make sure they abide by the GDPR standards. Although the GDPR doesn't forbid such forms on websites, it gives strict instructions on how they must be structured. They are given below.
- Forms on your website must no longer include pre-ticked boxes, as consent given that way is invalid (read why).
- Users should be able to provide separate consent for different types of processing, e.g., an option to be contacted by post, email, or telephone as three separate tick boxes.
- If you are asking for permission to pass details onto a third party – again, you need another tick box.
- If you are collecting data through one website on behalf of several third parties, then you need to give an opt-in option for each party clearly.
Here is an example of a GDPR-compliant form:
You can only send newsletters if you have your users' email addresses, and according to the GDPR there are specific standards you must adhere to for email marketing and notifications. For example: obtaining re-permission from existing customers (if the earlier method of collecting consent was not compliant), keeping proof of consent, reviewing old contacts, providing easily accessible unsubscribe links, etc. Read this article for more info.
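The form rules listed above and the email-marketing points about proof of consent and re-permission, carried into code as an added example that is not from the article: a Python handler that renders every consent box unchecked, treats each purpose (and third-party sharing) as its own checkbox, stores a proof-of-consent record with timestamp and form version, and refuses to mail contacts whose consent was not captured through a compliant form. The purpose names, form version and sample submissions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# One checkbox per purpose; sharing with a third party gets its own box
PURPOSES = ("contact_email", "contact_post", "contact_phone", "share_with_partner")
COMPLIANT_FORM_VERSIONS = {"signup-v3"}  # constructed: form wordings reviewed for GDPR
CURRENT_FORM_VERSION = "signup-v3"

class ConsentError(ValueError):
    pass

@dataclass
class ConsentRecord:
    email: str
    granted: Dict[str, bool]      # per-purpose answer, exactly as the user ticked it
    form_version: Optional[str]   # None for contacts imported from a legacy list
    recorded_at: Optional[str]    # ISO timestamp; together these are the proof of consent

def form_fields():
    """Checkbox definitions for the template: every box starts unchecked."""
    return [{"name": p, "type": "checkbox", "checked": False} for p in PURPOSES]

def process_submission(form: Dict[str, str], now: datetime) -> ConsentRecord:
    """Turn a submitted form (field -> value) into a proof-of-consent record.
    A purpose is granted only when its own box was sent as 'on'; an absent field
    means not granted, never a default yes."""
    email = form.get("email", "").strip()
    if "@" not in email:
        raise ConsentError("email address required")
    unknown = set(form) - set(PURPOSES) - {"email"}
    if unknown:   # e.g. a bundled 'accept_all' field injected by a template or plugin
        raise ConsentError(f"unexpected fields: {sorted(unknown)}")
    granted = {p: form.get(p) == "on" for p in PURPOSES}
    return ConsentRecord(email, granted, CURRENT_FORM_VERSION, now.isoformat())

def needs_repermission(rec: ConsentRecord) -> bool:
    """Consent not captured through a compliant form must be asked for again."""
    return rec.form_version not in COMPLIANT_FORM_VERSIONS

def may_send(rec: ConsentRecord, purpose: str) -> bool:
    """Check before every mailing or data transfer to a partner."""
    return not needs_repermission(rec) and rec.granted.get(purpose, False)

# Constructed samples: a fresh signup that ticked e-mail only, and a legacy import
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SUBMITTED = {"email": "alice@example.org", "contact_email": "on"}
LEGACY = ConsentRecord("bob@example.org", {p: True for p in PURPOSES}, None, None)
```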
If you run an eCommerce store, you will certainly have an online payment gateway active on your website for financial transactions. You therefore need to be very careful and aware of the data your site collects from users before passing it on to the payment gateway. If you still store these details after passing them on, you must have system settings in place for the automatic removal of this data after a reasonable period. Although the GDPR doesn't specify a number of days, it could be up to 60 days.
Plugins are essential for the smooth functioning of a website and a better customer experience. But many plugins used for social login, communications, etc. ask for users' personal details. Therefore, before adding a plugin to your website, and whenever you update one, make sure it is GDPR compliant. Otherwise, you should take the necessary steps to make it so.
Easy Opt-in and Opt-out
Make sure your website provides easy options, in plain language, for users to opt in to and opt out of the services or subscriptions your site offers. That is, ensure your website has proper and easily noticeable unsubscribe links.
According to the GDPR norms, you must inform your supervisory authority, and if necessary the affected users, of any data breach within 72 hours. The notification must include whatever information you have: the number of users affected and the type of personal data exposed, the likely risks to the users, the measures taken or to be taken to mitigate it, etc.
These are the requirements for making your website GDPR compliant, but as the webmaster you are the one who must know about and take responsibility for even the small shortcomings that could jeopardize compliance. Hence, a thorough examination of every part of your website is necessary to avoid complications in the future.
Disclaimer: The purpose of this article is to share general information with the readers. It should not be used as a substitute for legal advice. For any legal counsel related to compliance, please contact a lawyer or professional that specializes in this area.