Is Your Website GDPR Compliant?

Once a relatively new concept for businesses, the term ‘GDPR’ is now one we all are, or should be, very familiar with. But is your organisation’s website GDPR compliant?

To make it easier to ensure that your website is fully GDPR compliant, this article outlines some of the things you should be looking out for so that you can perform your own website compliance audit.


GDPR & Your Website


The General Data Protection Regulation (GDPR) is a comprehensive data protection law which has applied since 25 May 2018. It applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Note that it protects individuals who are in the EU, regardless of their citizenship.

Failure to comply with GDPR can result in heavy fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) as well as other legal consequences. With this in mind, making sure your website complies with GDPR is essential.


How can I make sure my website is GDPR compliant?

In today’s digital world, almost all organisations have an online presence and website. Many of them collect personal data from their website visitors using tools such as Google Analytics.

However, GDPR stipulates that individuals must have more control over their personal data. This article explains this further and also provides a checklist to ensure your website is GDPR compliant.

If your website collects user data in any way (and it almost certainly does), the list below covers some of the most common collection points, though there are likely to be more:

  • User registration
  • Comments/feedback forms
  • Contact form storage
  • Analytics and traffic logging
  • Other logging utilities/plugins
  • Security plugins

Under GDPR, users (‘data subjects’) have several rights regarding their personal data; here are three of the main ones:


1. Right to Access

You must provide full transparency in how you’re capturing and collecting data. What data are you capturing? Why are you capturing it? Where are you storing and processing this data?

You will also need to be able to provide users with a copy of their data, free of charge and within one month.

2. Right to Rectification

Users have the right to request that their personal data is corrected if inaccurate or incomplete. You must respond to these requests within one month, taking the appropriate steps to rectify the data.

3. Right to Erasure

You must give users a way to have their personal data erased where there is no longer a lawful reason to keep it (this is known as the ‘right to be forgotten’) and, where you rely on consent, a way to withdraw that consent which is as easy as giving it. Erasure is not absolute: data you are legally required to retain (for example, invoices kept for accounting purposes) can be kept, but you must tell the user why.


GDPR Website Checklist


To help you to ensure that your website is GDPR-compliant, we have compiled a list of things worth actioning:


1. Conduct a Data Audit

It is worth electing someone within your organisation to periodically perform a data audit for the purpose of identifying what data is being collected, why it is being collected, and how it is being processed.

This process should be documented, and updated at regular intervals.


2. Implement Cookie Consent

Most websites use cookies (small text files stored on a user’s device) to collect data from their visitors. Strictly speaking, the requirement to obtain consent for cookies comes from the ePrivacy rules (the ‘cookie law’), but GDPR sets the standard that consent must meet. In practice this means your website must obtain consent before any non-essential cookie is set, so analytics and marketing scripts must not fire until the visitor has opted in.

This means that websites must have a cookie banner or pop-up which informs users about the cookies in use and their purposes, giving them an option to accept or reject them. Rejecting must be as easy as accepting, and pre-ticked boxes or ‘by continuing to browse you agree’ notices do not count as consent.

It is worth noting that some cookies are ‘strictly necessary cookies’ (e.g. a session cookie for a logged-in user, or a shopping basket) and may be set without consent so that basic site features can run; the cookie that remembers the visitor’s consent choice is itself one of these. Analytics cookies are not ‘necessary’ in this sense. Beyond this, users must provide their consent.


3. Update Your Privacy Policy

Organisations must have a clear and concise privacy policy, informing users about the personal data that is being collected, the purpose of this data collection as well as how it is being processed.

The privacy policy should also include information that tells users how they can exercise their rights under GDPR (e.g. the right to access, the right to rectification, the right to erasure, and the right to object to or restrict the processing of their data).

There are a range of privacy policy templates in existence that can be altered for the purpose of your website, however we always recommend you seek the assistance of a legal professional in drafting one.


4. Obtain Consent

Where your website relies on consent as the lawful basis for collecting and processing personal data, that consent must be obtained before collection starts, with a clear and concise explanation of why the data is being collected and processed. (Consent is one of six lawful bases under Article 6; replying to a contact-form enquiry, for example, may instead rest on legitimate interests, but whichever basis you rely on must be stated in your privacy policy.)

Consent must be freely given, specific, informed and unambiguous, and you must be able to demonstrate it, so keep a record of what was agreed and when. For example, if a user is filling out a contact form, they must be clearly prompted to confirm that they accept the privacy policy, with no ambiguity.

If you also want to sign the user up to a marketing newsletter from that form, you must state this separately and give the user a distinct, un-ticked opt-in for that communication. Consent to the newsletter cannot be bundled with sending the message, and the user must be able to decline it and still send their enquiry.
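The two consent requirements above (non-essential cookies and scripts gated behind an explicit opt-in under ‘Implement Cookie Consent’, and a contact form with a separate, un-ticked newsletter opt-in under ‘Obtain Consent’) can be enforced in a few dozen lines of front-end code. The following is an added example written for this article; it is not code from the original page or from any particular consent-management product. The cookie names, their purposes and the form field names are assumptions for illustration, and the cookie jar is a plain object so that the logic runs stand-alone in Node rather than against `document.cookie`.

```javascript
// Added example, not code from the original article: a small consent module
// that gates non-essential cookies and scripts behind an explicit opt-in and
// records form consent per purpose, with nothing pre-ticked. In a browser the
// "jar" would be document.cookie; here it is a plain object so the logic runs
// stand-alone in Node. Cookie names and purposes below are illustrative.

const COOKIE_PURPOSES = {
  session_id: "necessary",  // keeps the visitor logged in (strictly necessary)
  consent: "necessary",     // stores the visitor's own consent choice
  _ga: "analytics",         // Google Analytics client id (assumed purpose)
  _gid: "analytics",
  ad_tracker: "marketing",  // hypothetical advertising cookie
};
const OPT_IN_PURPOSES = ["analytics", "marketing"];
const CONSENT_VERSION = 2;  // bump when the cookie/privacy policy changes

// Each purpose is an explicit opt-in: absent or falsy means "no". The timestamp
// and policy version make the record usable as evidence of what was agreed.
function makeConsentRecord(purposes, now = new Date()) {
  const rec = { version: CONSENT_VERSION, timestamp: now.toISOString(), purposes: {} };
  for (const p of OPT_IN_PURPOSES) rec.purposes[p] = purposes[p] === true;
  return rec;
}

function createConsentGate(jar = {}) {
  // A stored record counts only if it parses and matches the current policy
  // version; anything else is "no consent" and re-prompts the visitor.
  function currentConsent() {
    if (!jar.consent) return null;
    try {
      const rec = JSON.parse(jar.consent);
      return rec.version === CONSENT_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  function isAllowed(purpose) {
    if (purpose === "necessary") return true;
    const rec = currentConsent();
    return Boolean(rec && rec.purposes && rec.purposes[purpose] === true);
  }

  // Set a cookie only if its purpose is allowed. Unknown names fail closed,
  // which surfaces cookies that never went through the data audit.
  function setCookie(name, value) {
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === undefined || !isAllowed(purpose)) return false;
    jar[name] = value;
    return true;
  }

  function recordConsent(purposes, now = new Date()) {
    const rec = makeConsentRecord(purposes, now);
    jar.consent = JSON.stringify(rec);
    return rec;
  }

  // Withdrawal resets the record and deletes every non-necessary cookie, so
  // withdrawing is as easy as consenting. Returns the names removed.
  function withdrawConsent() {
    recordConsent({});
    const removed = [];
    for (const name of Object.keys(jar)) {
      if (COOKIE_PURPOSES[name] !== "necessary") {
        delete jar[name];
        removed.push(name);
      }
    }
    return removed;
  }

  function needsBanner() {
    return currentConsent() === null;
  }

  return { jar, isAllowed, setCookie, recordConsent, withdrawConsent, needsBanner };
}

// Third-party tags go through the same gate: the loader (in a browser, the code
// that appends the <script> element) runs only once analytics is allowed.
function maybeLoadAnalytics(gate, loader) {
  if (!gate.isAllowed("analytics")) return false;
  loader();
  return true;
}

// Contact form: accepting the privacy policy is required to send the message;
// the newsletter is a separate, un-ticked opt-in ("on" = ticked checkbox).
// The record is stored with the message, independent of any cookie consent.
function handleContactForm(fields, now = new Date()) {
  if (fields.privacy_accepted !== "on") {
    return { ok: false, error: "privacy policy must be accepted" };
  }
  return { ok: true, consent: makeConsentRecord({ marketing: fields.newsletter === "on" }, now) };
}
```

Two design points are worth noting. Unknown cookie names fail closed, so any cookie a plugin starts setting without going through the data audit is refused rather than silently allowed; and the stored consent record carries the policy version, so a change to the cookie or privacy policy automatically brings the banner back instead of relying on consent given to an older policy.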


5. Implement Data Protection Measures

You should ensure that appropriate technical and organisational measures are implemented to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

This includes measures such as encrypting data in transit (HTTPS/TLS across the whole site, not just on login or checkout pages) and at rest, restricting access to personal data to those who need it, and regular, tested back-ups to prevent the loss or corruption of user data.


6. Appoint a Data Protection Officer

Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (and all public authorities), must appoint a Data Protection Officer (or DPO). Even where it is not mandatory, it is good practice to name someone responsible. This individual is responsible for ensuring the organisation complies with GDPR and that personal data is processed lawfully, fairly and transparently.


7. Implement Data Breach Procedures

Your organisation must implement data breach procedures so that you can detect, investigate and report any data breaches that may occur. Where a breach is likely to result in a risk to individuals, the relevant data protection authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk to individuals is high, the affected users must be told as well.


Parting Thoughts

Above are a number of measures to take to ensure that your website is GDPR compliant, but for further reading we suggest visiting the official EUGDPR website.

For a more accessible read of the pertinent facts, our friends at the Contract Company have also published an excellent article on GDPR from an outside-the-EU perspective.

Then decide, do you really need to collect and store data? If so:

  1. Find out the ways in which your site collects user data
  2. Put in place ways for users to control their data as above

How you go about doing this will vary hugely depending on the setup of your website. Start by talking to your developer – they should be able to assist you in getting ready for GDPR. If you have a popular open source-driven website like WordPress, the process is likely to be a lot less mind-melting.

You should also review your privacy policy and cookie notices to make sure they include and address concerns related to GDPR. We assist with incorporating a privacy policy on all new websites we build, and can assist in retrofitting your existing website with one, however:

A legal professional is always highly recommended to ensure your privacy policy is adequate. For legal advice, we recommend our friends at MW Keller & Son Solicitors LLP in Waterford. 

Find out more information about our Web Development solutions. Alternatively, if you need help with your website, please don’t hesitate to contact us.