How to Make Your Website GDPR Compliant

On 25 May 2018 the General Data Protection Regulation (GDPR) became enforceable across the European Union (EU). GDPR protects the personal data of individuals in the EU, whether they are your employees, your clients or merely prospective clients, and it applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3).

In other words, the personal data of anyone in the EU is protected no matter who collects, processes or uses it. Because the obligation follows the data subject rather than the operator, the odds are very high that your website needs to be GDPR compliant whether or not you are based in the EU.

How Does the GDPR Legislation Affect Websites?

The burning issues facing every website owner are: How does the new GDPR legislation affect my website, and how do I make my website GDPR compliant?

The rise of the Internet and of websites has changed how personal data is collected, processed, used, stored, distributed and erased. Websites that routinely ask visitors for personal data, or for permission to collect it, will find that under GDPR collecting, processing, using, storing and disposing of that data is no longer as easy as it used to be. Website owners and managers must make sure their i’s are dotted and their t’s are crossed.

There is a lot to take in whether you are a business or a site owner, but this GDPR compliance checklist should help. Simply reading about GDPR and how it affects you as a website owner or manager is a mind-boggling undertaking: the document is complex and 260 pages long.

The penalties for non-compliance are stiff: fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher (Article 83). Website owners and managers everywhere are working to bring their sites into compliance.

What is Data Processing?

A lot of confusion surrounds the term ‘data processing’. GDPR’s definition (Article 4(2)) is deliberately broad: any operation performed on personal data, including collecting, recording, storing, retrieving, using, sharing, analysing, combining, restricting and erasing it, counts as ‘processing’. Simply holding the data on a server is processing.

Here are the topics your website manager needs to pay particular attention to:

  • Consent: Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative act (Article 4(11)). It does not have to be on paper, but you must be able to demonstrate that it was given (Article 7), and withdrawing it must be as easy as giving it. Bear in mind that consent is only one of six lawful bases for processing (Article 6); if you process data to fulfil a contract or under a legitimate interest, you document that basis instead of asking for consent.
  • Processing: Your website manager must clearly spell out how personal data is processed. Refer above to what GDPR means by ‘data processing’.
  • Data Security: Your website manager must implement technical and organisational measures appropriate to the risk (Article 32); pseudonymisation and encryption are the measures the regulation names explicitly. This may mean that you need to reassess your present level of security and make changes.
  • Notification of Breaches: If a breach is likely to result in a risk to individuals, you must notify your supervisory authority within 72 hours of becoming aware of it (Article 33). If the risk to individuals is high, you must also inform the affected data subjects without undue delay (Article 34). The notification has prescribed contents: the nature of the breach, the contact details of your Data Protection Officer or other contact point, the likely consequences, and the measures taken or proposed. We will discuss this later.
  • The Right to Access: Anyone whose data you hold has the right to ask what you hold about them and to receive a copy (Article 15). You must have a person designated to receive and process these requests, and respond within one month, extendable by a further two months for complex requests. If a request is refused, that person must give the reason and tell the data subject that they may complain to the supervisory authority and seek a judicial remedy.
  • The Right to Erasure: Also known as the Right to be Forgotten (Article 17), this lets data subjects ask that their data be removed from your records. Again, you need a designated person to receive and process these requests within the same one-month deadline. Erasure can be refused where you are legally obliged to keep the data or need it to establish or defend legal claims; if you refuse, give the reason and tell the data subject how to complain.
  • The Right to be Informed: GDPR frames this as transparency (Articles 12 to 14). Your Data Protection Officer, or whoever is designated, must make sure data subjects are told, in clear and plain language, how their data is collected, stored, used and erased, on what lawful basis, for how long, and what rights they have. This must be laid out for every data subject, not buried in the terms of service.

What can a website owner do?

  • Learn everything you can about GDPR. Read it. Read what experts have to say about it. Talk to other website owners. Be prepared to apply what you have learned to your website.
  • When you are sure you know what you are talking about and what should be done to your website share the information with your staff, your tradespeople and your clients.
  • Examine the information you have stored. Consider what you are doing with it, what can be discarded, and how safe the storage is. Consider with whom this data is shared. Then decide what you need to do to increase security. Look at your website’s privacy policy and what you communicate to those who visit your website and from whom you collect personal data. Make sure your privacy information is clear and GDPR compliant.

Look at how you gain consent from employees, clients, website visitors and suppliers. Do you have a definite opt-in consent mechanism, or are you relying on an opt-out arrangement where silence, continued use of the site or a pre-ticked box counts as agreement? Opt-out is no longer acceptable under GDPR. Consent must be informed and overt.

It was once quite acceptable to rely on ‘presumed’ or ‘ambiguous’ consent for collecting data. Lots of websites used pre-ticked boxes. Under GDPR this is not okay: pre-ticked boxes, inactivity and ‘by continuing to use this site you agree’ banners do not count as consent (Recital 32). Consent must be an active opt-in, and it must be overt, informed and demonstrable.

As of GDPR your record keeping just got harder. You need accurate, dated records of data subjects’ consent (who consented, when, to what, and which version of your privacy notice they saw), of data subjects’ requests, and of how those requests were resolved. Where a breach occurs you also need records of the breach details, of how and when data subjects were informed, of the notification sent to the supervisory authority, and of how the breach was detected and resolved (Article 33(5) requires you to document every breach, even ones you decide not to report).

Data subjects must be informed of their right to erasure. How to exercise it must be clearly indicated on your website, and the process should be clear and easy, no harder than it was to hand the data over in the first place.

The way in which your website gains consent to collect, process, store and delete personal data must be reviewed including how data subjects are informed of their rights and how they request reconsideration of those rights.

How breaches are identified, and how they are reported to data subjects and to the supervisory authority, must also be reviewed. More about data breaches later.

Your website also needs to settle who plays the roles GDPR defines. The Data Controller is whoever decides why and how personal data is processed; for a website that is normally the owner. A Data Processor is anyone who processes the data on the controller’s behalf, such as your hosting company, your email-marketing provider or your analytics vendor, and each of them needs a written contract with you (Article 28). A Data Protection Officer is mandatory only for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data (Article 37), but appointing or sharing one is sensible for any site that handles personal data at scale. In a small business these roles may all land on the website owner or manager, but someone must be responsible for each. The specific responsibilities are discussed later in this article.

To be GDPR Compliant, your Website Owner and/or Manager Must Attend to the following:

  • Create and publish a privacy policy page. This page should inform visitors that your website collects their personal data, what data you collect, on what lawful basis, how you use it and why, how long it is kept, who it is shared with, and how it is erased.
  • List the personal data that will be collected by your website. Note whether or not you intend to allow third-party access to this personal data.
  • Decide what data you really need to collect. GDPR calls this data minimisation (Article 5(1)(c)), and the less you hold, the less you have to protect and the smaller your exposure if a breach occurs. Take stock of the cookies your site sets as part of this exercise, and document them (name, purpose, lifetime, first- or third-party) in a cookie policy linked from your site’s footer.
  • Review your present security. GDPR names encryption and pseudonymisation as appropriate measures (Article 32), and a leak of properly encrypted data whose key was not exposed need not be reported to the data subjects (Article 34(3)(a)). Go beyond the minimum: serve the site over HTTPS, encrypt stored personal data and backups, and restrict who can access them.
  • Set consent checkboxes to be unchecked by default. All visitors must actively opt in to each purpose; a separate box for each purpose is safer than one box that bundles newsletter, profiling and third-party sharing. Consent to a cookie or a mailing list should not be made a condition of using the site unless the processing is genuinely necessary for the service (Article 7(4)).
  • Publish the contact details of your Data Protection Officer (or, if you have none, a named privacy contact). Your site must provide an easy-to-use way to make inquiries or requests, and data subjects must know how they can quickly and easily gain access to their personal data.
  • Have a process for executing a ‘right to be forgotten’ request. Completing these requests manually is time consuming and error-prone, so build tooling that locates every copy of a subject’s data (database, mailing list, analytics, log archives, backups) and erases or anonymises it, and keep a record of what was done. Describe the procedure and the contact point in your privacy policy.
  • Make sure your data protection policy also covers mobile browsers and any apps you publish. A large share of traffic comes from phones and tablets, and the same rules apply to data collected there.
  • Review data protection as it relates to data breaches. Make sure the policy for informing data subjects in the event of a breach is in place and clearly spelled out for them.
  • Make sure your Data Protection Officer has a clear understanding of, and a procedure for, reporting data breaches to the supervisory authority within the 72-hour window.
  • Make sure your Data Protection Officer knows what the supervisory authority’s breach notification must contain and how to file it.

Other Areas of Concern:

If you read the GDPR carefully, you will discover that the typical pre-GDPR privacy policy falls well short of what Articles 13 and 14 now require: a privacy notice must state the lawful basis for each processing purpose, the retention periods, any recipients or transfers outside the EU, and the data subject’s rights, including the right to complain to a supervisory authority. There is a corresponding emphasis on how you receive and process personal data requests.

If you rely on ‘legitimate interest’ as your lawful basis (Article 6(1)(f)), you must be able to show that your interest is real, that the processing is necessary for it, and that it is not overridden by the data subject’s interests or rights. What does ‘legitimate’ mean? More importantly, does it mean the same thing to the supervisory authority as it does to the website manager or owner? Only a written balancing assessment will answer that, so write one down for each purpose you justify this way.

Server logs cut both ways. They are vital for security: they are how you detect an intrusion, reconstruct what happened in a breach, and show the supervisory authority that you were monitoring, and they help with the everyday work of fixing CMS bugs and tuning the server. Are you scratching your head and wondering what a server log is? Ask your website manager, and if you have not been using this tool, it is time you did. But the client IP address in every log line is itself personal data (Recital 30), so your logs are a processing activity in their own right. Give them a lawful basis (security logging is a textbook legitimate interest), a retention period and access controls, and anonymise or pseudonymise the IP addresses before anything is kept long term or handed to an analytics tool. Check that your CMS is not quietly creating its own user records through cookies or plugins either. The less directly identifying data you keep, the less a leak of those logs can do to anyone. More about data breaches later.

Almost every website uses analytics. Most use Google Analytics; if not, they are likely using Piwik (now Matomo) or WebTrends. We have already talked about how useful technical analysis of your website traffic can be. However, you, or your website manager, need to make sure that Google Analytics, or whatever analytics tool you use, is configured compliantly. I know what you are thinking: Won’t Google look after that? You would hope so, but hoping is not good enough for GDPR compliance. Google Analytics does collect personal data on your behalf: it sets a client-identifier cookie and receives each visitor’s IP address, which makes Google a processor for your site and means you need its data processing terms in place. Turn on IP anonymisation (in gtag.js this is the `anonymize_ip` setting), switch off any data sharing you do not need, and never put names, email addresses or other directly identifying values into custom dimensions, user IDs or page URLs that get sent to the tool. The same goes for any customisation your website manager has added to track individual users and their actions. If you want to profile specific demographics, you need a lawful basis for that, which for most sites means asking data subjects for consent. That brings us to the topic of notification.

One of GDPR’s key compliance issues for website owners is that you need to let data subjects know what data you are collecting, how you are processing it, why you need it and what you intend to do with it. So first you need to know what data you already have and why you have it; GDPR calls this inventory a record of processing activities (Article 30). Then write a privacy policy, or adapt one that suits your purposes, and make sure it is easy to read. Tell your data subjects exactly what you collect, why, on what lawful basis, for how long, and with whom you share it. Your privacy statement also needs to give data subjects someone to contact, usually your Data Protection Officer, and how to do so.

If you gather personal data such as names, email addresses or telephone numbers, get permission before you do so. We have talked about the fact that this permission must be ‘overt’, ‘active’ and ‘explicit’, not ‘ambiguous’, ‘passive’ or ‘implicit’. You also need to keep records of it: document who consented, when, to what, and through which form. If you are tracking people so that you know where they work or live, or even where they shop or eat, you need to tell them that too.

Okay. We’ve talked about two things we need to clarify. The first one is data breaches. This sounds scary and it should be.

What are Data Breaches?

If you have been watching the news lately you have heard about personal information that was shared, stolen, made public or left unsecured.

Data breaches send website owners screaming into the night. That is because they alarm the data subjects whose information got exposed. Identity theft is one of their biggest fears, but there are lots of other reasons people worry about data breaches.

GDPR takes data breaches deadly seriously. That is why securing the personal data on your website is a big item. You do not want the cost and bad publicity of hefty fines. You do not want the hassle of burning questions about whether this is a breach that must be reported or not. You do not want to have to report a data breach to the website visitors from whom you collected personal data. And you do not want to sacrifice the time and labour involved in making a breach report to the supervisory authority. Trust me on this.

So how can you avoid them? You can’t entirely, but you can give it your best try. This does two things: it greatly reduces the chances of a breach, and it demonstrates that your website manager took appropriate precautions to protect visitors’ personal data. That demonstrable care is the accountability GDPR demands (Article 5(2)), and it is one of the factors the supervisory authority weighs when deciding on a fine.

What is a Data Protection Officer?

Another thing we have mentioned and promised to return to is the appointment of a DPO. The job is what it sounds like: a person appointed by you, the website owner, to look after the rights of data subjects. The DPO advises on and monitors your compliance, trains the people who handle personal data, and is the point of contact for both data subjects and the supervisory authority (Article 39). He or she is the most likely person to receive requests from data subjects, process them and act on them, and to coordinate the assessment and notification of a breach. Two things the DPO is not: the DPO does not decide whether your website is compliant, and does not carry the liability. The controller, which is to say you, remains responsible (Article 5(2)); the DPO must be given independence and cannot be penalised for doing the job (Article 38). A DPO is only mandatory in the cases listed in Article 37, but any site processing personal data at scale should have someone filling the role. A small website business might hire a designer, a website manager or a webmaster; a DPO can likewise be hired part time or shared with other website owners.

Everyone who is running a website, or thinking about doing so, is running scared when they consider GDPR. The document is huge, complex and detailed. The stipulations are intricate. The fines are punitive. And when you have a website, the possibility of not needing to be GDPR compliant is almost unheard of: who can say they have never collected, and will never collect, the personal data of someone in the EU?

It is best to keep things as simple and streamlined as possible. Collect only the data you need. Be explicit about what is collected, why you are collecting it and how it will be erased. Communicate everything to data subjects. Be transparent. Be organized. Keep detailed records and make sure your website is GDPR compliant in every way.

Minimise your risk of a data breach. Check out your security and beef it up if it is lacking. If a breach occurs, make sure your DPO and the processors know the process: contain and assess it, report it to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, tell the affected data subjects without undue delay if the risk to them is high, and document all of it even when no notification turns out to be required.

When you have done all that? Then you can rest assured that you have understood what is expected of you according to GDPR regulations. You have examined the data you collect and determined it is necessary. You have checked your security and increased it where needed. You have created a privacy policy. You have informed visitors to your website about the information you are collecting, how and why you are collecting it and how you intend to use it.

Your DPO and Data Processors know the rights of data subjects. Your DPO or Data Controller has a process for receiving requests from data subjects and for processing them within a month. Your DPO or Data Controller knows how to deal with data breaches. You’re good to go.

While GDPR compliance is scary and a pain for website owners, it is an excellent opportunity to make sure your security is tight and that you are collecting and using personal data efficiently.