Once a relatively emerging concept for businesses, we all are, or should be, very familiar with the term ‘GDPR’ now, but is your organisation’s website GDPR compliant?
To make it easier to ensure that your website is fully GDPR compliant, this article outlines some of the things you should be looking out for so that you can perform your own website compliance audit.
GDPR & Your Website
The General Data Protection Regulation (GDPR) is a comprehensive data protection law which came into effect in 2018. This law applies to every company that processes the personal data of citizens of the European Union (EU).
Failure to comply with GDPR can result in heavy fines as well as legal consequences. With this in mind, ensuring compliance with GDPR regulations from your website is essential.
How can I make sure my website is GDPR compliant?
In today’s digital world, almost all organisations have an online presence and website. Many of them collect personal data from their website visitors using tools such as Google Analytics.
However, GDPR stipulates that individuals must have more control over their personal data. This article explains this further and also provides a checklist to ensure your website is GDPR compliant.
If your website collects user data in any way, which it probably does, the following are just some of the ways in which this data is collected, though there are likely to be more:
- User registration
- Comments/feedback forms
- Contact form storage
- Analytics and traffic logging
- Other logging utilities/plugins
- Security plugins
Under GDPR, users have several rights regarding their personal data, but here are the three main ones:
1. Right to Access
You must provide full transparency in how you’re capturing and collecting data. What data are you capturing? Why are you capturing it? Where are you storing and processing this data?
You will also need to be able to provide users with a copy of their data, free of charge and within one month.
2. Right to Rectification
Users have the right to request that their personal data is corrected if inaccurate or incomplete. You must respond to these requests within one month, taking the appropriate steps to rectify the data.
3. Right to Erasure
You must give users an option to erase all personal data and withdraw their consent for you to collect further data – this is known as the ‘right to be forgotten’.
GDPR Website Checklist
To help you to ensure that your website is GDPR-compliant, we have compiled a list of things worth actioning:
1. Conduct a Data Audit
It is worth electing someone within your organisation to periodically perform a data audit for the purpose of identifying what data is being collected, why it is being collected, and how it is being processed.
This process should be documented, and updated at regular intervals.
2. Implement Cookie Consent
It is worth noting that some cookies are known as ‘necessary cookies’ and are always enabled so that basic site features can run. Beyond this, users must provide their consent.
4. Obtain Consent
Your website must obtain clear, specific consent from users before collecting and processing their personal data, with a clear and concise explanation of why their data is being collected and processed.
If you also want users to be able to sign up for a marketing newsletter from the same form, you must state this explicitly and provide a separate option for the user to opt in to, or decline, that communication.
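As an added illustration of the cookie and consent rules described in the two sections above (not code from the original article), the following is a small consent model: necessary cookies are always permitted, every optional category (analytics, marketing) is a separate opt-in, unknown cookies are refused by default, and withdrawing consent yields the list of cookies to delete. The cookie names and the 180-day re-consent period are constructed assumptions for the example.

```javascript
// Constructed mapping of cookie names to categories (hypothetical names).
const COOKIE_CATEGORIES = {
  session_id: "necessary",    // required for basic site features
  csrf_token: "necessary",
  _ga: "analytics",           // traffic logging, e.g. Google Analytics
  _gid: "analytics",
  newsletter_ref: "marketing",
};

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// State before the user has made any choice: only necessary cookies run.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, recordedAt: null };
}

// Record an explicit opt-in. Each optional category is its own choice, so
// agreeing to analytics never implies agreeing to marketing.
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const category of OPTIONAL_CATEGORIES) {
    consent[category] = choices[category] === true;
  }
  consent.recordedAt = now;
  return consent;
}

// Default deny: a cookie that is not in the inventory is treated as
// non-essential and refused until someone classifies it in the data audit.
function isAllowed(cookieName, consent) {
  const category = COOKIE_CATEGORIES[cookieName];
  if (category === undefined) return false;
  if (category === "necessary") return true;
  return consent[category] === true;
}

// Extract cookie names from a Cookie request header.
function cookieNames(cookieHeader) {
  return cookieHeader.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
}

// Cookies to delete once consent is withdrawn or was never given.
function cookiesToPurge(cookieHeader, consent) {
  return cookieNames(cookieHeader).filter((name) => !isAllowed(name, consent));
}

// Stored consent is re-requested after a fixed period (assumed 180 days).
function consentExpired(consent, now = Date.now(), maxAgeDays = 180) {
  if (consent.recordedAt === null) return true;
  return now - consent.recordedAt > maxAgeDays * 24 * 60 * 60 * 1000;
}
```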
5. Implement Data Protection Measures
You should ensure that appropriate technical and organisational measures are implemented to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
This includes measures such as data encryption, the use of access controls, and regular data back-ups to prevent the loss or corruption of user data.
6. Appoint a Data Protection Officer
Organisations that collect and process large amounts of personal data must appoint a Data Protection Officer (or DPO). This individual is responsible for ensuring the organisation complies with GDPR and that personal data processed is lawful, fair and transparent.
7. Implement Data Breach Procedures
Your organisation must implement data breach procedures so that you can detect, report and investigate any data breaches that may occur, including a procedure to notify users and data protection authorities if a breach occurs.
Above are a number of measures to take to ensure that your website is GDPR compliant, but for further reading we suggest visiting the official EUGDPR website.
Then decide whether you really need to collect and store data at all. If so:
- Find out the ways in which your site collects user data
- Put in place ways for users to control their data as above
How you go about doing this will vary hugely depending on the setup of your website. Start by talking to your developer – they should be able to assist you in getting ready for GDPR. If you have a popular open-source-driven website like WordPress, the process is likely to be a lot less mind-melting.