5 Tips To Ensure Your Website Is GDPR Compliant
by Chad Donnick - April 16, 2018 - 3 minute read
Time is running out: with the General Data Protection Regulation (GDPR) deadline less than 2 months away, it is important for organizations to have a plan in place for compliance with the new privacy regulation.
GDPR will take effect May 25, 2018, enforcing stricter laws to protect the data privacy of European Union (EU) citizens, with the intention of unifying data privacy requirements across the EU and giving users more control over their personal data.
Any organization that markets to or processes personal information of EU citizens must obtain consent to use their personal data and be able to demonstrate active security measures that meet the regulation.
Personal data can include (but is not limited to):
- Email signups
- Online forms collecting name, photo, email, phone number, address, etc.
- Custom tables
- Data stored in CRMs
- Accounts/users
- Payment forms with personal data
- Cookies
- Social networking posts, user generated content
- Some analytics
Steps to Compliance
To start your journey to meeting GDPR requirements, consider the 5 action steps below:
1. Data Mapping
Begin assessing your company’s current data and security practices and determine where protected information is collected, dispersed, and stored.
Map out this data to clearly reflect the data flow (including tags embedded and other third-party integrations that collect personal data).
As the Data Controller, your company is responsible for knowing what all collected personal information is used for and who is using it.
2. Consent and Transparency
The most fundamental step to becoming GDPR compliant is to receive explicit consent from users for any data collected. Inactivity or pre-checked boxes are not considered consent.
- Cookies that track visitor behavior should be turned off by default.
- Implement a Cookie Consent Agreement that is easily accessible on the site that states all data collected and its purpose in plain language. Ideally, this should list all specific consents the user is agreeing to, and must provide the ability for a user to revoke consents individually.
- To encourage users to accept the collection of their personal information, be sure to explain how you are using the data to provide a better user experience tailored to their specific needs.
- Implement consent agreement checkboxes on all forms. The consent agreement should outline what the form data will be used for, and how a user can revoke consent. Forms should not be submittable unless the user actively ticks the checkbox.
3. Update Email Subscriber Procedure
Request opt-in permission from any current subscribers who did not explicitly opt in previously. No soft opt-ins are allowed, and double opt-ins are encouraged.
4. Data Management Supporting Right to Access and Erasure
Confirm that your data management allows you to honor users’ requests concerning their personal data. Users can request a report of any personal data that has been collected and how it has been used, and can request that the data be corrected or deleted.
You must be able to provide this information free of charge and are responsible for telling other organizations to delete any links to copies of the data.
5. Analytics and Advertising
Under GDPR, pseudonymization (artificial identifiers) and anonymization are acceptable, as long as your Cookie/Privacy policy is updated to reflect this.
To help ensure that no personally identifiable information (PII) is being transmitted to Google via page URLs or forms, you can filter out PII both in Google Analytics and at the code level, and turn on the Google IP Anonymization Tool so that no personal IP addresses are collected or shared.
Google is also taking additional steps to comply with GDPR, including supporting User ID data deletion and providing a solution to show non-personalized ads before the May 25th deadline.
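The consent-by-default and PII-filtering points from steps 2 and 5 above, as an added example that is not code from the original post: tracking stays off until the user opts in, each purpose is revocable on its own, and PII is redacted from the page path before it reaches Google Analytics. The `anonymize_ip` setting is a real gtag.js option; the purpose names, the PII parameter list and the placeholder property ID are this example's own assumptions.

```javascript
// Added example (not the post's code): consent-gated Google Analytics with PII scrubbing.
// 'anonymize_ip' is a real gtag.js setting; the purpose names, the PII parameter list
// and the placeholder property ID are this example's own assumptions.
const GA_PROPERTY_ID = 'UA-XXXXXXX-Y'; // placeholder, not a real property
const PII_PARAMS = new Set(['email', 'name', 'phone', 'firstname', 'lastname', 'address']);
const EMAIL_RE = /[^\s/?&=]+@[^\s/?&=]+\.[a-z]{2,}/i;

// Step 2: nothing is tracked until the user opts in, and each purpose can be
// granted or revoked on its own.
function defaultConsent() {
  return { analytics: false, marketing: false };
}
function setConsent(consent, purpose, granted) {
  if (!(purpose in consent)) throw new Error('unknown consent purpose: ' + purpose);
  return { ...consent, [purpose]: granted === true };
}

// Step 5: redact query parameters that carry PII, either by name or because the
// value looks like an email address, before the page path is sent to Google.
function scrubPageUrl(url) {
  const u = new URL(url, 'https://example.invalid'); // base only matters for relative paths
  for (const key of [...u.searchParams.keys()]) {
    const value = u.searchParams.get(key) || '';
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  return u.pathname + u.search + u.hash;
}

// The gtag config to send, or null when the user has not consented to analytics.
function analyticsConfig(consent, url) {
  if (!consent.analytics) return null;
  return { anonymize_ip: true, page_path: scrubPageUrl(url) };
}

// Wire-up: `gtag` is the function gtag.js defines (passed in so it can be stubbed).
function initAnalytics(consent, url, gtag) {
  const cfg = analyticsConfig(consent, url);
  if (cfg === null) return false; // consent withheld: no config call, no cookies set
  gtag('config', GA_PROPERTY_ID, cfg);
  return true;
}

// Demo on a constructed URL that leaks an email address in the query string.
const demoConsent = setConsent(defaultConsent(), 'analytics', true);
console.log(analyticsConfig(demoConsent, '/signup?email=jane@example.com&plan=pro'));
```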
While the regulations may require companies to invest time and money to implement procedures, policies, and website features to ensure compliance, a company that ignores consent and compliance efforts can face significant fines (up to €20 Million).
GDPR is expected to shape the future of data privacy regulation internationally, and though this means significant change, it also opens up the opportunity for better data management overall, a shift towards more responsible data use and storage, increased transparency and trust between you and your users, and higher quality data collection.
There are various CMS and website tools to help make data management and GDPR compliance easier for data controllers, such as the Kentico Data Protection App (which allows for easy collection of data into a single location per user and a simple method of data erasure), Cookie Law and Tracking Consent web parts, and GDPR assessment tools to identify the chain of data collectors, third party vendors, and potential security risks.