GDPR has changed the way businesses deal with their users’ personal data. It has paved the way for safe and secure handling of people’s data on the Internet.
Imposed for the data protection of people in the European Union (EU), the Regulation affects everyone worldwide.
The effect of the GDPR is evident from how many websites have started to ask their visitors permission for policies or cookies.
Let’s see what the GDPR is all about and how you can make your website comply with it.
What is GDPR?
The EU introduced the General Data Protection Regulation (GDPR) in April 2016 for protecting EU residents’ data and privacy. It came into effect on 25 May 2018.
It aims to safeguard the rights and freedom of people by giving them more control over their data. No matter where your business is located, you must comply with the GDPR if you have customers from the EU. That is, regardless of where your website is based, you must comply with the GDPR if you have traffic from the EU.
Read more about the GDPR here.
Risk of non-compliance
If your website is non-compliant, you will have to pay a fine or face strict action.
The fine for severe violation is 4% of annual global turnover or €20 million (about $24 million) – whichever is higher. The fine for less severe violation is 2% of annual global turnover or €10 million (about $12 million) – whichever is higher.
Other punishments include temporary or permanent banning of the site, data removal, and data transfer restrictions.
However, the extent of the fines and punishments depends on the nature and severity of the violation.
How to make your website GDPR compliant?
Here are four ways you can make your website GDPR compliant.
#1 Data mapping
Before discussing data mapping, it will be worthwhile to know what constitutes personal data.
According to Art. 4 of the GDPR, personal data is any information that can be used to identify a person, with or without any additional information. E.g., name, age, phone number, email address, IP address, location, and identification number.
There are special categories, also known as ‘sensitive personal data,’ that can only be collected and used under special circumstances (I will get into that later). Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, or sexual orientation come under special categories.
Information relating to a deceased person does not represent personal data. Hence, it is not subject to GDPR.
Now that you know what defines personal data, it is time for data mapping.
Data mapping is the documentation of the data your website collects. You should document the following information:
- What data do you collect?
- How do you collect data?
- Who collects data?
- Why do you collect data?
- How do you use data?
- Where do you store data?
- How long do you store data?
- Where do you transfer data?
- How do you safeguard data?
A comprehensive study of these questions can help you decide the next course of action, i.e., how the GDPR applies to your website. The result of your data mapping is your website’s foundation to comply with the GDPR. You will understand that in the coming sections.
It is a misconception that a website which does not directly collect personal data is not subject to the GDPR. You may be using third-party services like Google Analytics or Facebook pixels that collect user data for analytics purposes, and that alone brings your website within the scope of the GDPR.
The findings of your data mapping should reveal a list of such third-party tools (if you have installed any) that collect user data on your behalf.
Processing personal data
Art. 5 of the GDPR sets out the principles one must follow to comply with the Regulation, as shown in the infographic:
You have to make sure that you incorporate all these principles while handling user data.
Art. 6 of the GDPR lists the lawful bases for processing personal data. They are:
- explicit consent from the data subject;
- contractual obligation;
- legal obligation;
- vital interest of the user or another person;
- a public task or you are a public authority;
- your legitimate interest.
Your processing activity is only lawful if it constitutes or satisfies one of them.
It is the responsibility of a website owner to ensure that the website has appropriate measures to let its users exercise their rights under the GDPR (as listed in the infographic below).
Handling data breach
Another finding from data mapping that will help you is how to handle a data breach.
Per the GDPR, a data breach is an intentional or unintentional breach of security resulting in loss, theft, or damage to personal data.
Understanding your website’s data flow will help you identify the possible threats to personal data and prepare in advance with suitable solutions.
You have to be ready with all the measures to tackle such breaches and report them to the respective authorities and the affected users without any delay.
If you fail to report the breach on time, you will be fined.
Learn more about data breaches here.
#2 Obtaining consent
Consent is one of the six lawful bases of processing. You cannot process personal data without your users’ consent (if no other lawful basis applies).
Consent gives users control over whether the website may use their personal data. The GDPR says a valid consent must be:
- Freely given – users must give their consent without being compelled to do so.
- Specific – you must specify the reason for the consent. The consent should be granular, i.e., each activity should have a separate consent request.
- Informed – when asking for consent, inform users why and how you will use their data.
- Unambiguous – consent is only valid if it’s explicit and expressed by affirmative action, like checkboxes, yes/no button, and technical setting preferences. Implied consent, i.e., assuming consent if users do not respond or using pre-ticked checkboxes, is illegal.
- Revocable – users must be easily able to change their consent at any time. An active opt-in and opt-out option should be available.
You must be able to show proof of consent obtained, if necessary. Hence, it is advised to keep a log of all the consents you receive.
Some cookies (necessary cookies) are required for your website to function, while others (non-essential cookies) are used to analyze user behavior. Unlike necessary cookies, non-essential cookies track users. Read more about cookies here.
Such tracking cookies that collect personal data are subject to the GDPR.
To get detailed information about the cookies used by your website, you can scan it using a free cookie checker tool.
A GDPR cookie banner must have the following features:
- A clear statement about using cookies and requesting consent.
- Opt-in and opt-out settings for cookies.
- Granular preferences for different types of cookies.
- An easily accessible way to modify consent status at any time.
Most websites have forms integrated into the pages. They are often used for recording user comments, contacts, payments, newsletters, and sign-ups. Websites collect personal data like name, address, email address, and phone number through such forms. Therefore, the use of website forms must be GDPR compliant.
You must include a section, likely a checkbox, to request user consent to use their personal data. Always keep in mind that using a pre-checked box is a violation of the GDPR.
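As an added example (not code from the original post), the following JavaScript applies the consent rules above to both a cookie banner and a web form: optional cookie categories default to off, required categories cannot be switched off, every decision is appended to a log with a timestamp and a policy version as proof of consent, withdrawal is a single call, non-essential scripts are gated on the current decision, and a form submission is only accepted when the checkbox was actively ticked. The category names, the policy version string and the in-memory log are constructed assumptions; a real site would persist the log.

```javascript
// Added example: consent handling for a cookie banner and a web form.
// Categories, purposes and the policy version are constructed placeholders.
const COOKIE_CATEGORIES = {
  necessary: { required: true, purpose: "session and security cookies the site needs to work" },
  analytics: { required: false, purpose: "measure page views and traffic sources" },
  marketing: { required: false, purpose: "advertising and social media pixels" },
};

const POLICY_VERSION = "cookie-policy-v3"; // constructed placeholder; bump when the policy text changes

const hasCategory = (name) => Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name);

class ConsentManager {
  // `clock` is injectable so the log entries are reproducible in tests.
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.log = [];       // append-only record of every decision (proof of consent)
    this.current = null; // latest decision, or null until the user has acted
  }

  // Default state before the user acts: nothing optional is pre-ticked.
  defaultChoices() {
    const choices = {};
    for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) choices[name] = meta.required;
    return choices;
  }

  // Record an explicit decision made through an affirmative action (banner or
  // preferences panel). Required categories stay on regardless of the input;
  // optional categories are only on when the user set them to exactly `true`.
  recordDecision(choices, source) {
    const decision = this.defaultChoices();
    for (const [name, value] of Object.entries(choices)) {
      if (!hasCategory(name)) throw new Error(`unknown cookie category: ${name}`);
      if (!COOKIE_CATEGORIES[name].required) decision[name] = value === true;
    }
    const entry = { at: this.clock(), source, policyVersion: POLICY_VERSION, choices: decision };
    this.log.push(entry);
    this.current = entry;
    return entry;
  }

  // Withdrawal must be as easy as consenting: one call switches every optional category off.
  withdrawAll(source = "preferences-panel") {
    return this.recordDecision({}, source);
  }

  // Gate for loading a non-essential script such as an analytics tag.
  // Fails closed: with no decision yet, only required categories are allowed.
  mayLoad(category) {
    if (!hasCategory(category)) return false;
    if (COOKIE_CATEGORIES[category].required) return true;
    return this.current !== null && this.current.choices[category] === true;
  }
}

// Form side: the checkbox is rendered without a `checked` attribute, so the
// user has to tick it. The `value` is what the browser submits when ticked.
function renderConsentCheckbox(purpose) {
  return `<label><input type="checkbox" name="consent" value="yes"> I agree that my data is used to ${purpose}.</label>`;
}

// Server-side validation of the submitted form: anything other than the
// affirmative value (missing, empty, "off") is treated as no consent.
function validateFormConsent(fields) {
  if (fields.consent !== "yes") return { ok: false, reason: "consent checkbox was not ticked" };
  return { ok: true, consentGiven: true };
}

module.exports = { COOKIE_CATEGORIES, POLICY_VERSION, ConsentManager, renderConsentCheckbox, validateFormConsent };
```

In a browser, the banner's "save preferences" handler would call `recordDecision` with the state of the category toggles, and each analytics or marketing tag would be loaded only when `mayLoad` returns true; storing the returned entry (with its timestamp and policy version) is what lets you show proof of consent later.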
As already mentioned, a website does not have to collect personal data directly to come under the GDPR radar. When third-party applications collect and use personal data on behalf of a website, the website must still comply with the law.
Such tools also require consent since they process user data for their services.
For example, Google Analytics may require specific user data to track website traffic.
Social media is also a third-party application that some websites use to collect user data, often for profiling and advertising purposes. Such use of social media is also subject to the GDPR.
You must inform users about it and give them a choice to accept or reject.
GDPR requires you to obtain prior consent from your users before sending them emails connected to your website.
You can no longer use old contact details to send emails without user consent (unless it falls within the legal basis of processing). If you already have their consent to send emails and it is in line with the GDPR standards, you need not ask for re-permission.
Since consent must be revocable, you can provide a link or option for users to withdraw their consent if they wish to stop receiving emails.
#4 Securing the website
Securing your website is a vital task to avoid, or be better prepared for, any potential data breach. Using measures such as an SSL certificate, encryption, and reCAPTCHA helps ensure a safe and secure browsing experience for your users.
You must also have an effective system in place to notify authorities and affected users in case of a data breach.
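The SSL certificate mentioned above only protects personal data if every request actually uses it. As an added example (not code from the original post), the pure function below decides how a server should answer a request so that form data and the consent cookie never travel in clear text: plain HTTP requests are redirected to HTTPS, HTTPS responses carry a Strict-Transport-Security header plus a few defensive headers, and the consent cookie is set with the Secure and SameSite attributes and a bounded lifetime. The request shape, header set and cookie name are assumptions chosen for the example; wire the function into whatever server you use.

```javascript
// Added example: enforce HTTPS and set defensive headers. The request object
// shape ({ secure, host, url }) and the header values are constructed for
// this example, not taken from any particular framework.
const HSTS_MAX_AGE_SECONDS = 31536000; // one year

function planResponse(req) {
  // Any plain-HTTP request is redirected before the application sees it,
  // so no personal data is ever accepted over an unencrypted connection.
  if (!req.secure) {
    return { status: 301, headers: { Location: `https://${req.host}${req.url}` } };
  }
  return {
    status: 200,
    headers: {
      // Browsers remember to use HTTPS for this host for the next year.
      "Strict-Transport-Security": `max-age=${HSTS_MAX_AGE_SECONDS}; includeSubDomains`,
      // Limits which scripts (including third-party tags) can run on the page.
      "Content-Security-Policy": "default-src 'self'",
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
    },
  };
}

// The consent cookie stores the user's decision. It must be readable by the
// banner script, so HttpOnly is deliberately omitted; Secure keeps it off plain
// HTTP, SameSite=Lax stops it being sent on cross-site POSTs, and Max-Age
// bounds how long the recorded decision is relied upon before re-asking.
function consentCookieHeader(decisionJson, maxAgeSeconds = 180 * 24 * 3600) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("maxAgeSeconds must be a positive integer");
  }
  const value = encodeURIComponent(decisionJson);
  return `cookie_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

module.exports = { HSTS_MAX_AGE_SECONDS, planResponse, consentCookieHeader };
```

With Node's built-in `http` module, `req.socket.encrypted` tells you whether the connection is TLS and `req.headers.host` and `req.url` supply the other two fields; frameworks expose the same information under their own names.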
A safe approach
GDPR is not just about penalizing businesses; instead, it is designed to protect people’s rights and freedom. Therefore, you must not think of it as a burden, but a process of building a better and safer user experience.
Disclaimer: This blog post does not provide legal advice. The article is for information purposes only. For any legal assistance related to GDPR compliance, please contact an expert.