With new regulations coming into play, it can be difficult to define the basic steps website owners should take in order to make a website GDPR compliant. Our GDPR Website Checklist can guide you through the process of meeting the GDPR requirements and show what you must look for and have on your website.
The General Data Protection Regulation (GDPR) came into force on May 25, 2018 in the European Union with the goal of regulating the way personal data is collected. According to the regulation, any website offering services to EU citizens must inform its users (visitors) about the personal data being collected. Non-compliance can lead to hefty fines and damage the reputation of your business.
There are many compliance requirements to be met for a website, but first and foremost, prior consent must be given by the user before any tracking technologies (e.g. cookies) are used. The user should have the ability to choose which personal information is gathered, with a simple opt-in function, and have an option to adjust their preferences at any point.
8 practical steps to make sure your website is GDPR compliant
1. Provide the identity and contact details of your data controller.
Inform users about who your data controller is. (If your data controller is a company, provide contact information of the relevant company representative.)
Provide the contact details of your Data Protection Officer (if applicable).
2. State the purposes for collecting personal data and the types of cookies being used.
Make sure you have a legitimate purpose to collect data.
Collect only the data that you need for such purposes.
Inform users about the purposes and the categories of personal data you intend to collect.
For example, when you collect data for Google Analytics, you need to inform the person that their data is being collected for "statistics" purposes, and when you use remarketing pixels, that their data is being collected for "marketing" purposes, even if it seems obvious. This practice is meant to prevent companies from collecting any type of personal data without a legitimate reason.
3. Provide the legal bases for collecting personal data.
Contractual obligation - data collected to fulfil a contract, e.g. if you operate a web shop, you need certain information to fulfil the delivery and payment of your goods / services.
Legitimate interests - the data must serve a legitimate interest while respecting the individual's interests, rights and freedoms, e.g. marketing communication to your existing customers.
Consent - consent must be freely given, specific, informed and unambiguous. Scrolling or continued browsing, pre-ticked checkboxes and cookie walls (making access conditional on consent) do not by any means constitute valid consent.
4. State the retention time of personal data.
Do not keep the data for longer than it is necessary for your processing purposes.
Storage times may be indefinite, fixed for legal reasons (e.g. employee data, or business transactions kept for tax purposes), or last until the person exercises their right to have their data deleted.
5. Inform your users of their legal rights and provide them with the necessary contact details to exercise their rights.
The right to access their data.
The right to have their data corrected.
The right to erasure, i.e. to have their data deleted.
The right to restrict processing.
The right to have their personal data transmitted directly from one controller to another, where technically feasible.
The right to object to their data being used.
The right to withdraw consent at any time, freely and as easily as it was given (when consent is the legal basis for the data collection).
The right to make a complaint to a data protection authority.
The right to know if their data is being used for profiling.
6. Data protection by design and by default for websites.
Only collect the data that you need to run your business.
Make sure your website uses a valid TLS/SSL certificate (which you can obtain directly from a Certificate Authority) so that all data is transferred over HTTPS in a secure manner.
Find the latest and best tools within your budget that help you implement privacy by design and by default. This means that organizations should be mindful of data protection whenever personal data is processed, and that the strictest privacy settings should apply by default.
7. Transfers to third parties.
Social media embeds or login options from services such as Google, Facebook and Twitter may send visitor information to those third-party services simply in order to display the content.
Inform users in case partial or full personal information is being transferred to third parties.
Inform users about the purpose of collecting the specific information and for how long it would be stored.
Make sure to obtain users’ prior consent before placing third-party cookies on your website.
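As an added example (not code from the original checklist), the following JavaScript shows how a site can gate third-party tags behind an explicit per-purpose opt-in: every category is denied by default, a malformed or missing choice never becomes "granted", and withdrawal is a return to the default state. The tag URLs and the cookie name are placeholders.

```javascript
// Added example: consent-gated loading of third-party tags (not the original page's code).
// Nothing loads until the visitor explicitly opts in per purpose, every category is
// denied by default, and withdrawing consent simply returns to defaultConsent().
const CATEGORIES = ["statistics", "marketing"];
const COOKIE_NAME = "site_consent"; // assumed cookie name, not from the page

// Hypothetical third-party tags, each tied to the purpose declared in the privacy notice.
const TAGS = [
  { id: "analytics", category: "statistics", src: "https://example.invalid/analytics.js" },
  { id: "remarketing", category: "marketing", src: "https://example.invalid/pixel.js" },
];

// Default state: every category denied (no pre-ticked boxes, no consent from scrolling).
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Record an explicit choice. Unknown categories and non-boolean values are ignored,
// so a missing or malformed field can never silently turn into "granted".
function applyChoice(current, choice) {
  const next = { ...current };
  for (const c of CATEGORIES) {
    if (typeof choice[c] === "boolean") next[c] = choice[c];
  }
  return next;
}

// Tags that may be loaded under the current consent state.
function tagsAllowed(consent) {
  return TAGS.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Persist the choice in a first-party cookie (URL-encoded JSON payload).
function serializeConsentCookie(consent) {
  return `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(consent))}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored choice from a document.cookie string; anything unreadable means "no consent yet".
function parseConsentCookie(cookieString) {
  const m = cookieString.match(new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]*)`));
  if (!m) return defaultConsent();
  try {
    return applyChoice(defaultConsent(), JSON.parse(decodeURIComponent(m[1])));
  } catch {
    return defaultConsent();
  }
}
```

In a browser, the page would only create a `<script>` element for each id returned by `tagsAllowed(parseConsentCookie(document.cookie))`, so no third-party request is made before the opt-in.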
8. Provide easy-to-read information.
Provide all the information and the relevant explanations in a clear, simple and understandable way.
DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.