For a website that is catering to an audience from the European Union, it is necessary to be compliant with their privacy laws. More specifically, the General Data Protection Regulation. Even if your website is not based in any of the states in the European Union, the laws apply to you too if you are getting traffic from the EU.

The GDPR which came into effect on  May 25th, 2018 aiming to protect their citizens’ data online and to give absolute control over the data to the users. The laws are to bring a lot of changes and make a huge impact on many aspects of a website – design, marketing, etc. This article will help you review your website for GDPR compliance and check whether there is something that has been left unnoticed.

Identify Where the Changes are Needed

The first step is identifying the areas on your website that collect personal information or user data. The following are some of the key methods with which websites collect user information.

Contact Forms

It is uncommon for a website not to have a contact form. It helps the website to help increase the engagements with the users and help them reach out to you. Some of the data that the users enter while using a contact form is personally identifiable and should be paid attention to when collecting this data.

Email Marketing

Email subscriptions are a very effective tool for a website for online marketing. But it requires users email address which comes under the category of personally identifiable user data. Proper care should be taken when it comes to understanding how this data is handled. The customers should not be getting any unwanted emails in their inboxes without their consent.

Online Payment

If your website is an e-commerce website, you will be using an online payment gateway. While making online transactions users are required to enter their personal information which may also include their address to where the product is to be delivered if the website is selling physical products. This information will also be stored on the website for record-keeping purposes.

Cookies

Cookies are small text files that are used to store data. Many a time, users are not even aware of such files being added to their browsers and data being stored. Sometimes websites install cookies that stores information that helps the website or other third-party services about the users’ behavior and interests.

If the website uses a third party for analytics or advertisement purposes, they will be collecting the data required for them by the means of cookies. So, if your website uses third-party services, they will be installing cookies for their functionalities.

To know what cookies are used by your website, read this article. You can also use this free online tool to scan and list the cookies present in the given URL.

What Makes my Website GDPR Compliant?

On the way to GDPR compliance, the first step is to analyze how your website handles data in the first place. Determine the flow of user data on your website. It will be useful to find the answers to the following questions.

  • Does the website collect user data via contact forms, cookies, etc?
  • Does your website store user information
  • What is the purpose of the data?
  • What happens to the data collected?
  • Is the data collected, stored, and processed in a secure manner?
  • To whom are these data shared with?

Now to ensure that your website is compliant, make sure your website follows the requirements below.

Read 13 Best WordPress GDPR Plugins for a comprehensive list of helpful GDPR plugins.

Does the Website Inform the Users?

It is highly unlikely that your website does not collect any data. It could be for analytics purposes that enables you to see how your website is doing and how you can improve your website’s user experience. Whatever the purpose may be, update your existing privacy and cookie policy or create a new one, where the users can read all about it.

It is necessary to write the policies in a way that users are not left scratching their heads and leave without understanding what actually is being done with their data. The whole point in making your website GDPR complaint is to be as transparent as possible to the users.

So when a user inputs their data using a contact form, when opting for an email subscription, they must be opting to do so with the knowledge of how their data will be stored and used. Also in the case of cookies, the users should be informed of the use of cookies right away when the users visit the website by the means of a cookie banner. This is mainly because the general user might not even be aware of the existence of such cookies on a website. Proper cookie policy and explaining the purpose of the cookies will help them understand about cookies and the data collected by them.

To know the requirements of a GDPR compliant cookie policy, read this article.

Take Explicit Consent

Next, wherever your website is collecting data from the users, it should be with consent. The whole point is to take explicit and informed consent from the users. For example, in the case of email subscriptions, the users should only be getting subscriptions newsletters if they have explicitly opted for one by the means of entering their email address and clicking on a button. 

Taking explicit consent is a bit tricky when it comes to the data collected by the cookies. If your website uses cookies that in any way track the users or user behavior, it is necessary that the users be informed of this. The users should be informed and their consent should be taken right away when they visit the website. The consent should be in the form of an action performed by the user like by clicking a button or ticking a checkbox.

Get explicit cookie consent from your visitors and block third-party cookies prior to consent with CookieYes consent management platform. Try for free and make your website compliant with GDPR and CCPA.

Withdraw Consent

It should be easy for users to withdraw their consent. If they have given their consent once, there should be a way for the users to reverse and to withdraw their consent so that there are no further data collection from the website. 

Honor the Rights of the Users

GDPR law aims to give the users complete control over their data. This gives the users a lot of rights over the data that are collected, for example, the right to be forgotten, right to rectification, etc. Be informed of these rights and plan how to implement them in your organization. 

Keep a Record of the Consent

You might need to furnish a record of the users’ consent as proof. So it is important to keep a log of all the users with relevant information about the consent like the timestamp, or the IP address from which the consent was given, etc.

Secure Storage of Data

Is the data collected from the users stored in a secure manner, both in human and technology perspective? There should be ample security measures in place in order to protect the users’ data from breaches. And in case of a breach, the users should be informed of such an event. This will help the users take the necessary steps to secure their data to minimize the damage.

Legal Arrangements

Is there a Data Controller or Data processor in your organization and are the right legal arrangements in place? The best way to go about it if you are having trouble with GDPR compliance is to seek expert legal advice. Many smaller organizations might not have the access to get legal advice instead they can look out for the more reliable sources online.

Disclaimer: Please note that while we make it a point to deliver the most accurate information possible, this article, however, should not be treated as legal advice. The website owners should seek legal advice if needed to know what is best for their website or app depending on which further actions may be required to fully comply with the law.