On January 21, 2019, France’s CNIL imposed a €50 million fine on Google for privacy violations. CNIL’s investigation found that the tech giant had violated several requirements of the GDPR: Google failed to inform users before using their personal data for personalized ads, and it was also unable to show a lawful basis for processing that data.
Now, you may think that the GDPR will not bother smaller websites and businesses. You could not be more wrong. The GDPR will knock on your door if your website violates the Regulation, regardless of your business’s size and nature.
As a website owner, one of the most important things to keep in mind is that data matters: yours and your users’. That is why it is necessary to follow data privacy regulations like the GDPR.
Before exploring how a website can achieve compliance with GDPR, let us look at what the Regulation is all about.
Let’s get started!
What is GDPR?
In April 2016, the Information Commissioner’s Office (ICO) in the European Union (EU) introduced a data protection regulation called the General Data Protection Regulation (GDPR). It came into effect on May 25, 2018. The GDPR sets out rules for protecting the personal data of people in EU member states and applies to businesses that collect and process EU users’ data. For example, even a website that is not based in the EU is subject to the GDPR if it has visitors from EU member states.
How to Make a Website GDPR Compliant?
We will discuss six essential steps you can take to make your website GDPR compliant.
1. Study and review
The very first thing you should do is study and understand the GDPR. There are many rights and obligations to absorb thoroughly, and it helps to know exactly which GDPR requirements apply to your website. Make a list of everything that may fall under the GDPR’s radar and start making changes accordingly.
How, why, and what type of data you collect from EU users plays a significant role in your website’s GDPR compliance. Do you have proper permission to process such data? Do you have a way to stop processing when a user withdraws consent? How long do you have to keep the data? Do you have a procedure for handling a data breach if one happens?
Avoid collecting any data that is not needed for your website to function or for which you cannot demonstrate a lawful basis.
Your website may use many third-party services, like plugins or SaaS products, for purposes such as analytics, tracking, or functionality. Review all of these external applications to avoid potential GDPR violations. Know how each service works and what data it collects in order to do so.
Consent has an important place in the GDPR. Article 4 of the Regulation defines consent as
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Suppose your website requires you to collect and use the personal data of your users. In that case, you are obliged to obtain their consent before doing so. Most importantly, make sure users are not compelled to consent and are well aware of all the information related to your data processing. Each purpose should have its own separate opt-in instead of one combined consent. Users should give consent by an explicit affirmative action, and they must be able to withdraw it at any time.
You can request consent through various opt-in methods, like web forms, email replies, checkboxes, oral requests, or yes/no buttons. Every consent you obtain must be documented.
In short, no consent, no action.
Analyzing all these details could clarify what necessary changes you need to make to your website. We will discuss some of them.
2. Website forms
Websites commonly ask for user details through online forms, collecting data such as full name, address, phone number, and email address. These details, which can identify a person, are often used for newsletters, sign-ups, or contacting users.
As you already know, consent is mandatory in such cases.
You can use a checkbox to let users decide if they want to agree to your terms and the data processing.
Never use pre-checked boxes as it is a violation of the law.
As an example, let us consider this sign-up form by Spotify:
They request consent for sharing the user data for marketing purposes via an unchecked checkbox. Unless users check the box, the data is not supposed to be shared.
3. Email marketing
Email marketing has always proved to be a useful marketing tool. Before the GDPR, marketers often sent mass promotional emails to users. After the GDPR, email marketing is a different story: you cannot send marketing emails unless the users have given their permission.
You can achieve GDPR compliant email marketing by reviewing the existing contacts and their details.
Reviewing these details helps you:
- identify whether their data is still relevant for your services; if it is not, remove them from your mailing list.
- request renewed permission to email existing customers from the pre-GDPR era, if you have not already done so.
Another step toward compliance is giving customers the option to unsubscribe from your emails. Include an unsubscribe link in every marketing email so they can opt out whenever they wish.
For example, Pinterest includes an unsubscribe link in every email it sends to its users:
4. Cookies
An interesting fact is that cookies are mentioned only once in the entire GDPR text. Recital 30 states that:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers […] This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
That means data carried by cookies, when combined with additional information, can be used to identify a natural person, i.e., an individual. Under the GDPR, this puts internet cookies under scrutiny.
With the GDPR in force, you must get explicit, prior consent before using cookies. You can no longer treat a user’s inactivity or lack of response (implied consent) as valid consent.
Showing a cookie banner on your website to inform users about the cookies and seek their consent is the best way to deal with it. A good cookie banner has the following features:
- Clear and understandable language.
- All details about cookies.
- Information about third-party cookies.
- Active opt-in and opt-out options with an explanation if necessary.
- An easily accessible way to change consent at any time.
There are many cookie consent solutions available for free. They help you set up a cookie banner for your website and log all the consents received. Some can even block third-party cookie scripts until the user has consented, so that they are not loaded on the users’ devices beforehand.
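The unchecked, per-purpose opt-in from step 2 and the cookie banner, consent log and script blocking described above, as an added JavaScript example that is not code from the original post or from CookieYes. The category names, the policy version string, the `data-consent`/`data-src` attribute scheme and all function names are assumptions made for this illustration:

```javascript
// Added example (not CookieYes code): a minimal consent manager.
// Assumed: three purpose categories, a policy version string, and inert
// third-party script tags marked with data-consent / data-src attributes.
const POLICY_VERSION = '2021-01'; // constructed: version of the cookie policy the consent refers to
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Banner markup: every non-essential purpose gets its own checkbox and none
// of them carries a `checked` attribute (pre-checked boxes are not valid consent).
function renderConsentForm() {
  const rows = CATEGORIES.filter(c => c !== 'necessary').map(c =>
    `<label><input type="checkbox" name="consent" value="${c}"> Allow ${c} cookies</label>`);
  return `<form id="cookie-consent">\n${rows.join('\n')}\n<button type="submit">Save choices</button>\n</form>`;
}

// Consent record: nothing is implied; only purposes the user actively ticked become true.
function buildConsent(tickedCategories, now = new Date()) {
  const consent = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== 'necessary') consent[c] = tickedCategories.includes(c);
  }
  return { consent, policyVersion: POLICY_VERSION, recordedAt: now.toISOString() };
}

// Audit log: every decision (given or withdrawn) is kept so it can be demonstrated later.
const consentLog = [];
function logConsent(record, action) {
  const entry = { action, ...record };
  consentLog.push(entry);
  return entry;
}

function isAllowed(record, category) {
  if (category === 'necessary') return true;                  // strictly necessary cookies need no consent
  if (!record) return false;                                  // no record yet: no consent, no action
  if (record.policyVersion !== POLICY_VERSION) return false;  // policy changed since: ask again
  return record.consent[category] === true;
}

// Withdrawing must be as easy as consenting: returns a fresh record with that purpose off.
function withdrawConsent(record, category, now = new Date()) {
  const consent = { ...record.consent, [category]: false };
  return { consent, policyVersion: record.policyVersion, recordedAt: now.toISOString() };
}

// Third-party scripts are shipped inert in the page, for example
//   <script type="text/plain" data-consent="analytics" data-src="https://example.com/a.js"></script>
// (type="text/plain" stops the browser from executing them). This pure function
// decides which descriptors {category, src} may be activated under the given record.
function scriptsToActivate(record, blockedScripts) {
  return blockedScripts.filter(s => isAllowed(record, s.category));
}

// DOM wrapper: replaces each permitted inert tag with a real, executable script tag.
function activateConsentedScripts(record, doc) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = tags.map(t => ({ category: t.dataset.consent, src: t.dataset.src, tag: t }));
  for (const d of scriptsToActivate(record, descriptors)) {
    const live = doc.createElement('script');
    live.src = d.src;
    d.tag.replaceWith(live);
  }
}
```

In a page you would render `renderConsentForm()` into the banner, call `buildConsent` with the ticked values on submit, persist the record (for example in a first-party cookie or `localStorage`), log it with `logConsent`, and only then call `activateConsentedScripts(record, document)`. Changing `POLICY_VERSION` invalidates old records, so users are asked again after the cookie policy changes.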
5. Privacy policy
Your website needs a privacy policy that tells users:
- what, how, and why you collect and use their data,
- how to change consent,
- who controls the data processing, and
- contact details.
Art. 13 of the GDPR lists in detail all the information you should provide.
6. Online payments
Online payments can be a cause for concern, because you have to store user data and pass it along to the payment gateway.
If you use a payment gateway, get an SSL/TLS certificate for your website so that data is encrypted in transit and online transactions are secure.
Closing thoughts – why become GDPR compliant?
Complying with the GDPR may sound complicated, and it is. You have to review many details of your site and change them. However, it is worth it.
If your website is non-compliant, you will have to pay hefty fines or face strict actions.
The fine for severe violation is 4% of annual global turnover or €20 million – whichever is higher. The fine for less severe violation is 2% of annual global turnover or €10 million – whichever is higher.
Other punishments include a written warning, temporary or permanent banning of the site, data removal, and data transfer restrictions.
However, the extent of the fines and punishments depends on the nature and severity of the violation.
The race to GDPR compliance raises the question of whether it is only the penalties that should make you take the GDPR seriously, or also the fact that your website’s credibility is at stake if you violate the law. The answer lies with you. Either way, you are responsible.
Be aware and make your users aware as well.
Shreya is a content writer for CookieYes. She writes about data protection laws and cookies (not the eating type).