For a website that caters to an audience in the European Union, it is necessary to comply with its privacy law, specifically the General Data Protection Regulation (GDPR). Even if your website is not based in any EU member state, the law applies to you if you receive traffic from the EU.
The GDPR, which came into effect on May 25th, 2018, aims to protect EU citizens' data online and to give users full control over their data. The law brings many changes and has a large impact on many aspects of a website, such as design and marketing. This article will help you review your website for GDPR compliance and check whether anything has been overlooked.
Identify Where the Changes are Needed
The first step is to identify the areas of your website that collect personal information or user data. The following are some of the key ways in which websites collect user information.
It is uncommon for a website not to have a contact form. It helps increase engagement with users and helps them reach out to you. Some of the data users enter in a contact form is personally identifiable and should be treated with care when it is collected.
Email subscriptions are a very effective online marketing tool for a website, but they require the user's email address, which is personally identifiable data. Take proper care to understand how this data is handled. Customers should not receive unwanted emails without their consent.
If your website is an e-commerce site, you will be using an online payment gateway. To make online transactions, users must enter personal information, which may include a delivery address if the website sells physical products. This information is also stored on the website for record-keeping purposes.
Cookies are small text files used to store data. Often users are not even aware that such files are being added to their browsers and that data is being stored. Some websites set cookies that store information about users' behavior and interests for the website itself or for third-party services.
If the website uses a third party for analytics or advertising, that third party collects the data it needs by means of cookies. So if your website uses third-party services, they will be setting cookies for their own functionality.
What Makes My Website GDPR Compliant?
On the way to GDPR compliance, the first step is to analyze how your website handles data. Determine the flow of user data through your website. It will be useful to answer the following questions.
- Does the website collect user data via contact forms, cookies, etc.?
- Does your website store user information?
- What is the purpose of the data?
- What happens to the data collected?
- Is the data collected, stored, and processed in a secure manner?
- With whom is this data shared?
Now, to ensure that your website is compliant, make sure it meets the requirements below.
Does the Website Inform the Users?
Write your policies so that users are not left scratching their heads and leaving without understanding what is actually being done with their data. The whole point of making your website GDPR compliant is to be as transparent as possible to users.
Take Explicit Consent
Next, wherever your website collects data from users, it should do so with consent. The point is to obtain explicit and informed consent from users. For example, in the case of email subscriptions, users should only receive newsletters if they have explicitly opted in by entering their email address and clicking a button.
It should be easy for users to withdraw their consent. If they have given consent once, there should be a way for them to reverse it and withdraw it so that the website collects no further data from them.
Honor the Rights of the Users
The GDPR aims to give users complete control over their data. This gives users many rights over the data collected about them, for example the right to be forgotten and the right to rectification. Be aware of these rights and plan how to implement them in your organization.
Keep a Record of the Consent
You might need to furnish a record of users' consent as proof. So it is important to keep a log of all users with the relevant information about their consent, such as the timestamp or the IP address from which the consent was given.
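The three requirements above (explicit consent that can be withdrawn, the rights to erasure and rectification, and a consent record with timestamp and IP address) are easier to reason about with a concrete data model. The following is an added example, not code from the original article: a small append-only consent ledger plus a profile store. The class and function names, the purpose strings, the policy version labels and the sample IP addresses (from the 203.0.113.0/24 documentation range) are all this example's own constructed assumptions.

```python
"""Minimal consent ledger and user profile store (added example).

Design points it demonstrates:
- consent is recorded per purpose, with timestamp, IP address and the
  version of the policy text the user saw, so a proof can be produced later;
- the ledger is append-only: a withdrawal is a new event, not an edit, so
  the history of grants and withdrawals is preserved;
- consent is only considered valid if the LATEST event for that purpose is
  a grant, which is what makes withdrawal effective immediately;
- rectification and erasure are explicit operations on the profile store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # constructed examples: "newsletter", "analytics_cookies"
    granted: bool         # True = consent given, False = consent withdrawn
    timestamp: datetime   # UTC time the user acted
    ip_address: str       # address the request came from
    policy_version: str   # which privacy policy text the user was shown


class ConsentLedger:
    """Append-only log of consent grants and withdrawals."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               ip_address: str, policy_version: str,
               now: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(
            user_id=user_id, purpose=purpose, granted=granted,
            timestamp=now or datetime.now(timezone.utc),
            ip_address=ip_address, policy_version=policy_version,
        )
        self._events.append(event)
        return event

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Valid only if the most recent event for this purpose is a grant."""
        latest = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def proof(self, user_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for this user and purpose, oldest first."""
        return [ev for ev in self._events
                if ev.user_id == user_id and ev.purpose == purpose]

    def erase(self, user_id: str) -> int:
        """Drop every event for the user; returns how many were removed.
        Whether consent proofs may be retained after an erasure request is a
        legal question for your advisor; this example simply removes them."""
        before = len(self._events)
        self._events = [ev for ev in self._events if ev.user_id != user_id]
        return before - len(self._events)


class UserStore:
    """Profile data collected through contact forms, checkout, etc."""

    def __init__(self) -> None:
        self._profiles: Dict[str, Dict[str, str]] = {}

    def save(self, user_id: str, **fields: str) -> None:
        self._profiles.setdefault(user_id, {}).update(fields)

    def get(self, user_id: str) -> Optional[Dict[str, str]]:
        return self._profiles.get(user_id)

    def rectify(self, user_id: str, field: str, value: str) -> bool:
        """Right to rectification: correct one stored field."""
        profile = self._profiles.get(user_id)
        if profile is None or field not in profile:
            return False
        profile[field] = value
        return True

    def erase(self, user_id: str) -> bool:
        """Right to be forgotten: remove the whole profile."""
        return self._profiles.pop(user_id, None) is not None


def may_send_newsletter(ledger: ConsentLedger, user_id: str) -> bool:
    """Gate every mailing on the ledger, never on a cached flag."""
    return ledger.has_consent(user_id, "newsletter")


def demo() -> Dict[str, object]:
    """Walk through grant, withdrawal, rectification and erasure."""
    ledger, users = ConsentLedger(), UserStore()
    t_grant = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    users.save("u1", email="alice@example.com", city="Pari")
    ledger.record("u1", "newsletter", True, "203.0.113.7", "v1", now=t_grant)
    after_grant = may_send_newsletter(ledger, "u1")
    ledger.record("u1", "newsletter", False, "203.0.113.7", "v1", now=t_withdraw)
    after_withdraw = may_send_newsletter(ledger, "u1")
    rectified = users.rectify("u1", "city", "Paris")
    return {
        "after_grant": after_grant,
        "after_withdraw": after_withdraw,
        "proof_len": len(ledger.proof("u1", "newsletter")),
        "rectified": rectified,
        "city": users.get("u1")["city"],
        "erased_profile": users.erase("u1"),
        "erased_events": ledger.erase("u1"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `has_consent` walks the history and looks only at the most recent event, so a withdrawal takes effect without editing or deleting the earlier grant; the grant stays in the ledger as part of the proof. Anything that sends mail or sets a non-essential cookie should call the ledger at the moment of use rather than trust a flag captured at signup.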
Secure Storage of Data
Is the data collected from users stored securely, from both a human and a technology perspective? There should be ample security measures in place to protect users' data from breaches, and in case of a breach, users should be informed of the event. This helps them take the necessary steps to secure their data and minimize the damage.
Is there a Data Controller or Data Processor in your organization, and are the right legal arrangements in place? If you are having trouble with GDPR compliance, the best way forward is to seek expert legal advice. Many smaller organizations might not have access to legal advice; instead, they can look for reliable sources online.
Disclaimer: Please note that while we make it a point to deliver the most accurate information possible, this article should not be treated as legal advice. Website owners should seek legal advice if needed to know what is best for their website or app and which further actions may be required to fully comply with the law.