How Do I Make My Site GDPR Compliant?

July 09 18:52 2019

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens. The GDPR extends the powers of the Data Protection Act of 1998 to provide better ownership and control over personal data. It also brings much heavier fines for non-compliance.

The GDPR marks the beginning of the European Union’s General Data Protection Regulation and focuses on: business accountability and obligations; stronger EU citizen rights; regulatory restrictions applying to all businesses (inside or outside the EU) that handle EU citizens’ data; the introduction of data breach notification into European law; and a legal requirement to provide evidence of compliance in the collection, management and protection of personal data.

When will The GDPR come into effect?

The GDPR will come into effect on May 25th 2018 and will remain with us despite Brexit!

Why do I have to follow GDPR?

Apart from the legal requirement for businesses to follow The GDPR, you could face a massive 20,000,000 Euro fine or 4% of your annual turnover (whichever figure is higher), for non-compliance, so it’s definitely in your best interest to comply.

How do I make my site GDPR compliant?

1. Transparency

The GDPR requires websites to be upfront and clear about what data they collect from visitors, how that data is going to be used, how long it is going to be kept, and who it is being shared with.

Terms and conditions (T&C’s), cookie notices and privacy pages must comply (the GDPR requires consent and privacy by design). You must specify the details of collection, storage and use of data – GDPR legislation gives European citizens control over the ownership and use of their personal data. It is theirs, not yours!

An example of transparency would be a site that uses cookies for measurement, such as Google Analytics tracking. You need to ensure you are up-front and explicit about the information you are collecting and how it is used.

This means letting visitors know that you are using cookies by displaying a cookie banner that informs your audience, offers an option to accept the use of cookies, asks for consent to collect personal data, and is clear about who the data is shared with and how it is stored. You must also give the user an option to reject cookies that are not essential (non-essential cookies are those the site would still function without if they were removed).

An example of an informative cookie banner asking for consent could be as follows:

“We use cookies to enhance your experience on this site. You have the option to reject non-functional cookies.”

You should also have a “Read more” button which links users to your privacy policy page so that users can have easy access to your privacy policy information.

Again, on your privacy policy page you should be completely transparent and explain clearly to users what you intend to do with this information, where it is stored and how long it is going to be kept. As seen below.

For more information on cookies, the has put out recently updated guidelines on cookies and compliance for your website. You can view them here.

2. Consent

Provable consent has to be explicitly given by a user to the data processor or controller before any data about the user can be processed. This means there can be no automatic opt-ins on the submission of forms and the like; additionally, only data for which consent has been given can be collected and processed.

Moreover, if you hold any data about users that was collected before the GDPR came into effect, such as email addresses used for past email marketing campaigns, the user has to be re-contacted and has to re-submit consent before you may continue using the data.

With these changes the development of forms has been heavily impacted and old forms will most likely need to change to be GDPR compliant.

For activities such as email marketing, the simplest way to get explicit, recordable consent from the user, which provides the necessary evidence of compliance, is to add a checkbox to your form. Accompany it with a short sentence explaining what their data is going to be used for, with a link to your privacy policy and T&C’s page. The consent checkbox must be actively ticked by the user before submitting the form and cannot be pre-ticked.

3. Data Breaches

The GDPR makes it mandatory for any data breaches to be reported by the data controller to the relevant supervisory authority such as the ICO (Information Commissioner’s Office) within 72 hours of the breach. Additionally, if the breach is serious enough then the individuals affected by the data breach also need to be informed within the same time limit.

4. User Rights

Under The GDPR users have the right to withdraw consent for the collection and processing of their data at any time, and it has to be just as easy for the user to opt-out of consent as it was to opt-in!

Furthermore, users also have the right to request total removal of all of their data. This means that all data about the user has to be completely removed from your systems, including any references and backups.
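The consent checkbox described in section 2 and the withdrawal and erasure rights in section 4 can be modelled in a few functions. This is an added example, not code from the original article; the function names, the `marketing_consent` field and the record shape are assumptions.

```javascript
// Added example (not from the article): a minimal model of provable consent.
// Function names, field names and the record layout are assumptions.

// Build the evidence record for one consent decision. Browsers omit an
// unticked checkbox from a form submission entirely, so the only acceptable
// proof is an explicit "on"; a missing or defaulted value is rejected.
function recordConsent(submission, policyVersion, now = new Date()) {
  if (submission.get("marketing_consent") !== "on") {
    throw new Error("consent checkbox was not actively ticked by the user");
  }
  return {
    email: submission.get("email"),
    purpose: "email_marketing",   // what the data will be used for
    policyVersion,                // the privacy policy text the user was shown
    givenAt: now.toISOString(),   // when consent was given
    withdrawnAt: null,
  };
}

// Withdrawal must be as easy as opting in: one call, no extra steps.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Data may only be processed while consent exists and has not been withdrawn.
function mayProcess(record) {
  return record !== undefined && record.withdrawnAt === null;
}

// Right to erasure: drop every record about the subject, not just the latest.
function eraseSubject(records, email) {
  return records.filter((r) => r.email !== email);
}

// Constructed sample submissions: one with the box ticked, one left untouched.
const ticked = new Map([["email", "alice@example.com"], ["marketing_consent", "on"]]);
const untouched = new Map([["email", "bob@example.com"]]);

// Walk through the lifecycle: consent given, default rejected, withdrawn, erased.
function demo() {
  const given = recordConsent(ticked, "privacy-policy-v2", new Date("2019-07-09T18:52:00Z"));
  let rejected = false;
  try { recordConsent(untouched, "privacy-policy-v2"); } catch (e) { rejected = true; }
  const withdrawn = withdrawConsent(given);
  const remaining = eraseSubject([given, withdrawn], "alice@example.com").length;
  return { given, rejected, withdrawn, remaining };
}
```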

5. Data Protection Officer (DPO)

Appointing a Data Protection Officer (DPO) within your organisation could help to solve your GDPR woes. This is a mandatory requirement for organisations responsible for managing large quantities of personal data, such as public or health authorities.

A DPO is designated by the data controller to be responsible for monitoring the organisation’s internal compliance with the legislation. For smaller organisations the DPO could be a suitably trained in-house employee. Despite the cost, this significantly reduces the risk of non-compliance and of its potentially disastrous consequences.

6. Do I Need an SSL Certificate to Be GDPR Compliant?

The short answer is yes, most websites need an SSL certificate to be GDPR compliant, but it depends on what information your website collects.

Read More on GDPR and SSL Certificates

GDPR Summary

The GDPR may seem overwhelming at first; threatening huge fines for non-compliance and specifying volumes of rules to be followed. But, with the right approach you can take action to ensure that your site gets recorded permission from users to collect and process data, avoiding costly mistakes, such as nasty automatic opt-ins.

Ensure consent, compliance and evidence. Review internal data security policies, train staff and develop guidance and practice to ensure that people, processes and technologies are ready to meet the new legal challenges presented by the GDPR.

About Article Author

GDPR Associates