The General Data Protection Regulation came into effect on May 25th, 2018. It is known to be one of the toughest privacy and security laws in the world. Cookie banners, privacy policies, third-party apps, plugins — you need to take all of these (and more) into consideration when you make your website GDPR-compliant.
We’ve compiled a list of 10 things you should take into account to help your website comply with GDPR.
1. Display a Cookie Banner
Cookies are small text files that a website stores on your computer when you visit it. They collect standard Internet log information as well as information about visitor behavior. Since the GDPR came into force, websites must obtain users’ approval before storing cookies on their computers. To be GDPR-compliant, your cookie banner should include:
- an explanation of why cookies are necessary on your website
- a consent button to allow all cookies
- a button to disable all cookies
- a button to customize which cookies can be stored on your computer (those deemed strictly necessary or all of them)
Users should be able to change their consent easily.
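The consent logic behind such a banner, as an added example that is not part of the original article: every cookie write passes through a gate that allows only strictly necessary cookies until the visitor decides, honours accept-all, reject-all and per-category choices, and lets consent be withdrawn. It generalizes the "necessary or all" choice above to named categories; the cookie names, categories and the injected store are constructed assumptions.

```javascript
// Constructed cookie inventory: which category each cookie belongs to.
const COOKIE_CATEGORIES = {
  session_id: "necessary",  // keeps the visitor logged in
  csrf_token: "necessary",  // protects form submissions
  _ga: "analytics",         // analytics tracker (assumed name)
  ad_profile: "marketing",  // ad personalisation (assumed name)
};

class ConsentGate {
  // `store` stands in for a first-party consent cookie or localStorage,
  // so the logic runs outside a browser.
  constructor(store = new Map()) {
    this.store = store;
    this.categories = ["necessary", "analytics", "marketing"];
  }

  // The recorded decision, or null while the visitor has not decided yet.
  current() { return this.store.get("consent") ?? null; }

  // Persist a decision with a timestamp; "necessary" can never be disabled.
  record(allowed) {
    const choice = { necessary: true, analytics: false, marketing: false };
    for (const c of allowed) if (c in choice) choice[c] = true;
    const rec = { choice, decidedAt: new Date().toISOString() };
    this.store.set("consent", rec);
    return rec;
  }

  acceptAll() { return this.record(this.categories); }
  rejectAll() { return this.record([]); }
  customize(categories) { return this.record(categories); }
  // "Change consent easily": drop the record so the banner is shown again.
  withdraw() { this.store.delete("consent"); }

  // Gate for every cookie write: unknown cookies are denied by default,
  // necessary ones always pass, everything else needs recorded consent.
  canSet(cookieName) {
    const category = COOKIE_CATEGORIES[cookieName];
    if (category === undefined) return false;
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.choice[category] === true;
  }
}
```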
2. Pay Attention to Each Form on Your Website
Each existing form on your website (contact forms as well) should include a checkbox with a similar sentence as the following:
“By checking this box and validating this form, I give my consent to the processing of my personal data by (your company’s name).”
If you need the user’s consent for an additional purpose on the same form, add a second checkbox for that consent. In addition, write a short paragraph under each form explaining who will keep and process the user’s data, what the user’s rights are regarding their data, and how long their data will be kept.
3. Update Your Privacy Policy
Your privacy policy should state:
- all the types of data your website collects and the legal basis for collecting it
- how you use and store the data
- whether the data is shared with subsidiaries or third-party companies
- the user’s data protection rights
- how users can request the data you hold about them
4. Third-Party Plugins and Apps
If you’re using a CMS such as WordPress, make sure that every plugin installed on your website is GDPR-compliant as they may collect user data as well. Visit the plugin’s official webpage and check if they have GDPR compliance approval.
Get rid of any plugin that isn’t GDPR-compliant and find substitutes for them. Don’t forget to update your CMS on a regular basis as well as your software and custom code, if you have any.
5. Google Analytics
Did you know that your use of Google Analytics may not be GDPR-compliant? Google has implemented a data deletion mechanism in Analytics that helps you delete data related to a specific user easily. When properly set up, it can also delete all data coming from your website after a specific amount of time.
6. Install a Firewall and Get an SSL Certificate
Some CMSs, such as WordPress, have a reputation for being less secure than others, such as Drupal. Your website should be properly protected against cyber attacks so that the data you collect is kept in a safe environment. To achieve this, contact your web hosting service and ask for an SSL certificate if you don’t have one yet. Furthermore, don’t forget to install a firewall plugin, like All In One WP Security & Firewall.
7. Data Access Request Processes
You should be able to comply with any data access requests that are sent to you in a short amount of time. If that isn’t the case, you should think about implementing a thorough process in your company that will enable you to do it in a timely fashion.
Be prepared in case of a data breach. Implementing a process to alert the authorities as well as your data subjects is a top priority in order to be GDPR-compliant.
8. Appoint a Data Protection Officer
There are three specific cases in which organizations need to have an appointed Data Protection Officer (DPO):
- The processing of personal data is carried out by a public body or public authority.
- The organization carries out large-scale, regular monitoring of individuals as a core activity.
- The processing involves large-scale processing of special categories of data.
This person needs to be an expert on all things GDPR and should monitor GDPR compliance criteria on a regular basis. Appointing a DPO outside of these cases isn’t mandatory, but it could still be useful for any company.
9. Encrypt or Anonymize Data Whenever Possible
Many third-party tools used by businesses now offer full data encryption, whether for emails, messages, cloud storage, or even notes. Ideally you would also encrypt data directly on your website, but this doesn’t come cheap. Regardless, make sure to encrypt or anonymize all data as much as possible.
10. Don’t Forget About Social Networks and Newsletters!
For further information, the official GDPR website has compiled a complete GDPR Compliance checklist. Make sure to check it out!