How Do I Make My Site GDPR Compliant?

July 8, 2019

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens.

The GDPR extends the powers of the Data Protection Act of 1998 to provide better ownership and control over personal data. It also brings much heavier fines for non-compliance.

The GDPR is the European Union's General Data Protection Regulation. It focuses on business accountability and obligations, stronger rights for EU citizens, and regulatory requirements for all businesses (inside or outside the EU) that handle EU citizens' data. It introduces data breach notification into European law, together with a legal requirement to provide evidence of compliance in the collection, management and protection of personal data.

When will The GDPR come into effect?

The GDPR will come into effect on May 25th 2018 and will remain with us despite Brexit.

Why do I have to follow GDPR?

Apart from the legal requirement for businesses to follow The GDPR, you could face a massive 20,000,000 Euro fine or 4% of your annual turnover (whichever figure is higher), for non-compliance, so it’s definitely in your best interest to comply.

How do I make my site GDPR compliant?

1. Transparency

The GDPR requires websites to be upfront and clear about what data they collect from visitors, how that data is going to be used, how long it is going to be kept, and who it is being shared with.

Your terms and conditions (T&Cs), cookie notices and privacy pages must comply (the GDPR requires consent and privacy by design). You must specify the details of how data is collected, stored and used: GDPR legislation gives European citizens control over the ownership and use of their personal data. It is theirs, not yours!

Your privacy policy page is the best place to be completely transparent and explain clearly to users what you intend to do with this information, where it is stored and for how long it is going to be kept, as in our example below.

2. Cookies

You must give the user an option to reject cookies that are not essential (a non-essential cookie is one the site would still function without). These non-essential cookies must also not be loaded until the user actively gives consent.

An example of a non-essential cookie is Google Analytics, whose purpose is the collection of site tracking information and which is not particularly useful to the user. The main test for deciding whether a cookie is non-essential is: would the site still function without it?

An example of an informative cookie banner asking for consent could be as follows:

"We use cookies to enhance your experience on our website. Please click 'Accept' to enable these cookies.

For more information on what cookies are and how we use them on our website, please click 'Read More' to view our Privacy Policy."

The option to reject non-essential cookies on our website is found on our privacy policy page.

For more information on cookies, the ICO (ico.org.uk) has recently published updated guidelines on cookies and compliance for your website. You can view them here.
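The rule above (nothing non-essential loads until the visitor actively chooses, and the choice is kept so it can be evidenced) is easy to get wrong by wiring the analytics snippet directly into the page. The following is an added example, not code from the original post or from any analytics vendor: a small consent manager that runs only the loaders the stored decision allows. The category names, the storage key `cookieConsent` and the loader callbacks are assumptions; in a browser the storage would be `window.localStorage` and the analytics loader would inject the real script tag.

```javascript
// Added example (not from the original post): load non-essential cookies only
// after the user has actively accepted them, and keep the decision as evidence.
// Category names, the storage key and the loader callbacks are assumptions.

const STORAGE_KEY = 'cookieConsent';

// Essential cookies keep the site working (session, CSRF token); they never
// need consent. Everything else waits for an explicit decision.
const ESSENTIAL = 'essential';

// Parse a stored decision. Anything missing or malformed counts as "undecided",
// which is the safe default: nothing non-essential loads.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (typeof c.analytics !== 'boolean' || typeof c.decidedAt !== 'string') return null;
    return c;
  } catch (e) {
    return null;
  }
}

// May a cookie or script of this category load given the current decision?
function mayLoad(category, consent) {
  if (category === ESSENTIAL) return true;
  if (consent === null) return false; // no decision yet: do not load
  return consent[category] === true;
}

class ConsentManager {
  // storage: any object with getItem/setItem (window.localStorage in a browser).
  // loaders: category -> function that injects the tag or sets the cookie.
  constructor(storage, loaders) {
    this.storage = storage;
    this.loaders = loaders;
    this.loaded = new Set();
  }

  current() {
    return parseConsent(this.storage.getItem(STORAGE_KEY));
  }

  // Run every loader the current decision allows, once each, and report
  // which categories are now active.
  apply() {
    const consent = this.current();
    for (const [category, load] of Object.entries(this.loaders)) {
      if (mayLoad(category, consent) && !this.loaded.has(category)) {
        load();
        this.loaded.add(category);
      }
    }
    return Array.from(this.loaded).sort();
  }

  // Record the banner choice with a timestamp so the decision can be evidenced.
  record(analytics) {
    const consent = { analytics, decidedAt: new Date().toISOString() };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(consent));
    return this.apply();
  }

  accept() { return this.record(true); }
  reject() { return this.record(false); }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Walk through one visit: page load with no decision, then the banner choice.
// The loaders here are constructed stand-ins that only log what would load.
function simulateVisit(choice) {
  const calls = [];
  const manager = new ConsentManager(memoryStorage(), {
    essential: () => calls.push('session-cookie'),
    analytics: () => calls.push('google-analytics'),
  });
  const beforeChoice = manager.apply(); // only the essential loader runs here
  const afterChoice = choice === 'accept' ? manager.accept() : manager.reject();
  return { beforeChoice, afterChoice, calls };
}
```

The important property is in `mayLoad`: an absent, corrupted or unreadable decision is treated as "no", so a visitor who has never seen the banner, or cleared storage, never gets the analytics script by accident. Rejection is a stored decision too, so the banner does not need to reappear on every page.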

3. Consent

Provable consent has to be explicitly given by a user to the data processor or controller before any data about the user can be processed. This means there can be no automatic opt-ins on the submission of forms and the like; additionally, only data for which consent has been given can be collected and processed.

Moreover, if you hold any data about users that originated before the GDPR came into effect (for example, email addresses used for past email marketing campaigns), the user has to be re-contacted and consent re-submitted by the user before the data can continue to be used.

With these changes the development of forms has been heavily impacted and old forms will most likely need to change to be GDPR compliant.

For activities such as email marketing, the simplest way to get explicit, recordable consent from users, which provides the necessary evidence of compliance, is to add a checkbox to your form.

You should accompany this with a short sentence explaining what their data is going to be used for, providing a link to your privacy policy and T&Cs page. The consent checkbox must be actively ticked by the user before submitting the form and must not be pre-ticked.

4. Data Breaches

The GDPR makes it mandatory for any data breaches to be reported by the data controller to the relevant supervisory authority such as the ICO (Information Commissioner's Office) within 72 hours of the breach.

Additionally, if the breach is serious enough then the individuals affected by the data breach also need to be informed within the same time limit.

5. User Rights

Under The GDPR users have the right to withdraw consent for the collection and processing of their data at any time, and it has to be just as easy for the user to opt-out of consent as it was to opt-in!

Furthermore, users also have the right to request total removal of all of their data. This means that all data about the user has to be completely removed from your systems, including any references and backups.
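The consent section above (explicit, recordable consent via a checkbox that is never pre-ticked, and re-consent for pre-GDPR lists) and the user rights section (withdrawal as easy as opt-in, and full erasure) both come down to how the server handles the form and what it keeps as evidence. The following is an added example, not code from the original post: a server-side consent ledger that accepts a submission only when the checkbox was actually ticked, stores what the user was shown, and supports withdrawal, a consent check and erasure. The field names (`email`, `marketing_consent`, `source`), the policy version string and the purpose text are assumptions.

```javascript
// Added example (not from the original post): validate a form's consent
// checkbox on the server, store the consent as evidence, and support
// withdrawal and erasure. Field names and the ledger shape are assumptions.

const POLICY_VERSION = '2019-07'; // assumed identifier for the policy text shown

// Text shown beside the checkbox; stored with the record so you can prove
// what the user agreed to, not just that a box was ticked.
const PURPOSE_TEXT =
  'Tick to receive our email newsletter. See our Privacy Policy and T&Cs.';

// Browser checkboxes send nothing at all when unticked, so a missing field is
// "no consent". Only the literal value rendered in the form counts as a yes;
// there is no default and no pre-ticked state to fall back on.
function checkboxTicked(fields, name) {
  return fields[name] === 'on';
}

class ConsentLedger {
  // clock is injectable so records carry a deterministic timestamp in tests.
  constructor(clock = () => new Date().toISOString()) {
    this.records = []; // append-only: withdrawals are new rows, not edits
    this.clock = clock;
  }

  // Called on form submission. Returns the stored record, or an error and
  // stores nothing: an unticked (or absent) box is never an opt-in.
  grantFromForm(fields) {
    const email = String(fields.email || '').trim().toLowerCase();
    if (!email.includes('@')) return { ok: false, error: 'invalid email' };
    if (!checkboxTicked(fields, 'marketing_consent')) {
      return { ok: false, error: 'consent checkbox not ticked' };
    }
    const record = {
      email,
      purpose: 'email_marketing',
      action: 'grant',
      at: this.clock(),
      policyVersion: POLICY_VERSION,
      textShown: PURPOSE_TEXT,
      source: fields.source || 'web-form', // where the consent came from
    };
    this.records.push(record);
    return { ok: true, record };
  }

  // Withdrawal must be as easy as opt-in: one call, nothing else to tick.
  withdraw(email, purpose = 'email_marketing') {
    const record = {
      email: email.trim().toLowerCase(),
      purpose,
      action: 'withdraw',
      at: this.clock(),
    };
    this.records.push(record);
    return record;
  }

  // Latest action wins: consent stands only if the most recent row is a grant.
  // An address with no rows at all (e.g. an old pre-GDPR list) has no consent
  // and must be re-contacted before it is used.
  hasConsent(email, purpose = 'email_marketing') {
    const e = email.trim().toLowerCase();
    const rows = this.records.filter((r) => r.email === e && r.purpose === purpose);
    return rows.length > 0 && rows[rows.length - 1].action === 'grant';
  }

  // Right to erasure: drop every row about the person, not just the latest.
  // Returns the number of rows removed so the deletion itself can be logged.
  erase(email) {
    const e = email.trim().toLowerCase();
    const before = this.records.length;
    this.records = this.records.filter((r) => r.email !== e);
    return before - this.records.length;
  }
}
```

Two design points carry the evidential weight: the ledger is append-only, so a later withdrawal never overwrites the proof that consent was once given (and when), and each grant stores the policy version and the exact wording shown, so the record still means something after the privacy policy changes. Erasure is the one operation that deletes rows, and it deletes all of them for the person.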

6. Data Protection Officer (DPO)

Appointing a Data Protection Officer (DPO) within your organisation could help to solve your GDPR woes. This is a mandatory requirement for organisations responsible for managing large quantities of personal data, such as public or health authorities.

A DPO is designated by the data controller to be responsible for monitoring the internal compliance of legislation within an organisation.

For smaller organisations the DPO could be a suitably trained in-house employee. Despite the cost, this significantly reduces the risk of non-compliance and of its potentially disastrous impacts.

7. SSL Certificate

Do I Need an SSL Certificate to Be GDPR Compliant?

The short answer is yes, most websites need an SSL certificate to be GDPR compliant, but it depends on what information your website collects.

Read More on GDPR and SSL Certificates

GDPR Summary

The GDPR may seem overwhelming at first; threatening huge fines for non-compliance and specifying volumes of rules to be followed. But, with the right approach you can take action to ensure that your site gets recorded permission from users to collect and process data, avoiding costly mistakes, such as nasty automatic opt-ins.

Ensure consent, compliance and evidence.  Review internal data security policies, train staff and develop guidance and practice to ensure that people, processes and technologies are ready to meet the new legal challenges presented by The GDPR.

References:

http://www.gomiedesign.co.uk/2017/10/13/top-ways-to-make-your-website-gdpr-compliant/

https://www.fellowshipproductions.co.uk/make-your-website-gdpr-compliant/

https://premium.wpmudev.org/blog/gdpr-compliance/

https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/