GDPR can feel like a lot to deal with, especially when you do not know what the law actually requires or what its technical implications are. That makes it hard to understand everything that goes into making a website comply. As a business owner serving the European Union, you have to be aware of every part of it that concerns you.
Even if your company is not based in the European Union, you are required to comply with the law if you serve EU citizens. If you serve EU citizens and are found non-compliant, you are looking at hefty fines: up to €20 million or 4% of your annual worldwide turnover, whichever is greater.
Complying with the law is not hard, since many online services will help you bring your website into compliance, and others check whether you are compliant. Many of them provide their basic services for free, which is adequate for most small businesses, and charge very reasonable prices for additional services. Considering the fines you could face, skipping the effort to make your website comply is not worth the risk.
Whether you implement the measures yourself or take the help of one of the online services, you should always stay vigilant. Here is a list of things you need to ensure are in place on your website so that it abides by the law.
1 - Inform the users clearly
Inform your users about the cookies and tracking used by your website, in plain language that users can understand. People lose interest in texts full of technical language and jargon that not everyone understands. Clear information ensures that the consent given is explicit and informed. Strictly necessary cookies are exempt from this consent requirement.
2 - Provide means to reverse the consent
Once users have given their consent, the website should provide a way for them to change or withdraw it, for example a reject button that remains accessible after consent has been given.
3 - Log Consent
Website owners should be able to furnish records or proof of a user's consent, so there should be a mechanism in place to log users' consent decisions and produce that proof when required.
4 - Awareness of the data and its processing
The owner of the website should know what the collected data is used for and how it is processed, and this should be documented as well.
5 - Explicit Consent
Websites should make sure that consent to process sensitive personal data is explicit.
Informing users clearly helps in obtaining explicit consent, but informing them about the data being collected is not adequate on its own: consent has to be given by an affirmative action. Personal data should only be collected once the user has taken such an action, for example clicking an accept button.
Inferring implicit consent from certain actions, for example assuming consent because the user scrolls down or navigates through the website, is not compliant with the GDPR.
6 - Details of the Data Controller
The website should state who the data controller for your website is and how users can contact them.
A data controller is a person or group in an organization that determines the purposes for which the data collected from a website are processed and the means of that processing. The data controller is responsible for implementing data protection policies and makes sure that the organization adheres to the codes of conduct and certification processes defined by the GDPR.
7 - Inform the users of their rights
The GDPR gives users multiple rights of which they might not be aware. The website should clearly state the rights users have over the personal data the website collects.
Users should be made aware that it is their data being collected and that they have rights over it. These include the user's right to be informed, to access, rectify, delete and move their data, and to restrict and object to its processing.
These rights are explained briefly below.
- The right to information ensures absolute transparency about the user's data that are collected.
- Once data are collected, the user has the right to access them by submitting an access request.
- If the data collected are incomplete or inaccurate, the user has the right to have them rectified.
- The user can always ask to have their personal data deleted under their right to erasure, and the data will be erased in the applicable circumstances.
- A user can request that the use of their personal data be restricted.
- The user also has the right to data portability, with which they can move their data from one service to another in a secure manner.
- The user also has the right to object to the use of their personal data in certain circumstances.
Lodge Complaint to a Supervisory Authority
Websites should inform users that, if they have a complaint, they have the right to lodge it with a supervisory authority. The supervisory authority then has to investigate the complaint, and the user should be informed of the progress and outcome of the investigation.
Transparency towards users about the personal data collected from them is the key aspect of the GDPR. It ultimately puts users and their privacy first by enforcing their rights over their personal data, and thus their privacy, on any online platform.