GDPR, Something Stringent Building Sway, Part VIII

GDPR Compliant Websites

Previously, we examined the implications for professional services firms regarding the imminent and pervasive institution of state data privacy laws. This time, on a related issue, we consider the practical implications of the General Data Protection Regulation (GDPR) for websites and website development, as professional services firms’ websites are required to comply with the data protection principles and rights of the GDPR. Depending on the type and purpose of the website, different steps may be needed to achieve compliance, as follows:

Updated privacy policy: A privacy policy should provide clear and concise information about the collection, processing, storage, and transfer of personal data of website visitors, customers, or users. It should also inform them of their rights and how they can exercise them, as well as how their data is safeguarded and whom they can contact with any questions or complaints. A link to the organization’s privacy policy should be included on every page of the website, and the policy should be easily accessible and visible.

Website compliance: The website should be designed and developed in a way that respects the data protection principles and rights of the GDPR. This means:

o    Only collect and process personal data that are necessary, relevant, and adequate for the website, and do not use them for any incompatible purposes.

o    Keep personal data accurate and up to date, and delete or correct them if they are inaccurate or incomplete.

o    Limit the retention of personal data to the period that is necessary for the website, and erase or anonymize them when they are no longer needed.

o    Ensure the security and confidentiality of personal data by using appropriate technical and organizational measures, such as encryption, firewalls, passwords, access controls, backups, etc.

o    Implement data protection by design and by default, which means that consideration should be given to data protection issues from the early stages of website development, and the application of the highest level of data protection settings by default.

o    Conduct data protection impact assessments (DPIAs), which are systematic processes to identify and evaluate the risks that the website’s processing poses to the personal data of website visitors, customers, or users, and to implement measures to mitigate or eliminate them.

o    Appoint a data protection officer (DPO) if the website involves large-scale or regular processing of sensitive personal data or monitoring of individuals, or if the website’s publisher is a public authority or body. A data protection officer is a person who is responsible for overseeing and ensuring the compliance of the website with the GDPR, and who acts as a contact point for data subjects and supervisory authorities.


Cookie (HTTP Cookie) Consent: Cookies are small files that are stored on website visitors’ devices to remember their preferences, track their behaviour, or provide them with personalized content or ads. Consequently, a user’s unique ID, browsing history (tracking the pages visited by the user), site-specific settings and preferences such as language or layout choices, user hobbies and interests (inferred from browsing behaviour), links clicked, frequency and duration of website visits, login credentials, geolocation and IP address, contact information (e.g., phone number and physical address), banking information, &c. may be recorded. Under the GDPR, a website needs to obtain consent from visitors before any cookies that are not strictly necessary for the functionality of the website are used. The website also needs to provide visitors with clear and specific information about what cookies are used, why they are used, and how the visitor can manage or delete them. Cookie consent banners, pop-ups, or notices that ask for consent and provide this information can be used (see more on cookie consent banners in the next post).

Data Storage Reduction: One of the best ways to comply with the GDPR is to minimize the amount and type of personal data that is collected and stored by the website. This reduces the risk of data breaches, unauthorized access, or misuse of personal data, and also simplifies the data protection obligations and responsibilities. Only collect and store personal data that are essential for the website, and delete or anonymize them as soon as they are no longer needed. Avoid collecting or storing sensitive personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation, unless there is a specific and lawful reason to do so and explicit consent from the data subjects has been obtained.

Mailing List Update: If email newsletters, promotions, or other marketing communications are sent to website subscribers, make sure to obtain valid consent from them to satisfy the GDPR. This means:

o    Provide them with clear and specific information about what information will be sent to them, how often, and for what purposes, and how they can unsubscribe or change their preferences at any time.

o    Ask them to actively opt-in to receive emails, by ticking a box, clicking a button, or filling a form, and not use pre-ticked boxes, implied consent, or silence as consent.

o    Keep a record of when and how consent from subscribers was obtained, and be able to prove it if requested.

o    Respect their right to withdraw their consent at any time, and provide them with an easy and effective way to unsubscribe from an email list, such as a link or a button at the bottom of every email.
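The consent requirements in the cookie section above and in the mailing list section just described share one mechanism: a non-essential action (writing a tracking cookie, adding an address to a list) happens only after an affirmative opt-in, and the site keeps a record of when and how that consent was given so it can be proven and withdrawn later. The following is an added example, not code from the original post: a small consent record plus a consent-gated cookie setter. The cookie names and categories, the `cookieJar` stand-in for `document.cookie` (so the code runs outside a browser), and the record format are assumptions made for illustration.

```javascript
// Added example (not from the original post). Hypothetical cookie classification:
// a site would maintain its own list. Anything not listed is refused (fail closed).
const COOKIE_CATEGORIES = {
  session_id: 'strictly_necessary',   // needed for the site to function: no consent needed
  lang: 'strictly_necessary',
  _analytics_id: 'analytics',         // non-essential: needs prior consent
  _ad_profile: 'advertising',         // non-essential: needs prior consent
};

const NON_ESSENTIAL = [...new Set(Object.values(COOKIE_CATEGORIES))]
  .filter((c) => c !== 'strictly_necessary');

// Consent record: which categories were granted, when, how (banner click, form
// checkbox, ...) and against which version of the policy text. Categories the
// visitor did not explicitly choose default to false (no implied consent).
function createConsentRecord({ categories, method, policyVersion, now = () => new Date() }) {
  const granted = {};
  for (const c of NON_ESSENTIAL) granted[c] = categories.includes(c);
  return { granted, method, policyVersion, timestamp: now().toISOString(), withdrawn: null };
}

// Withdrawal is itself recorded, so the history of the consent can be shown.
function withdrawConsent(record, now = () => new Date()) {
  const granted = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  return { ...record, granted, withdrawn: now().toISOString() };
}

// Stand-in for document.cookie so the example runs in Node (hypothetical helper).
function createCookieJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    get: (name) => store.get(name),
    delete: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

function isAllowed(record, name) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) throw new Error(`unclassified cookie: ${name}`);
  return category === 'strictly_necessary' || Boolean(record && record.granted[category]);
}

// Gate: a cookie is written only if strictly necessary or its category was granted.
// Returns true if written, false if blocked for lack of consent.
function setCookie(jar, record, name, value) {
  if (!isAllowed(record, name)) return false;
  jar.set(name, value);
  return true;
}

// After a withdrawal (or a narrower consent), remove cookies no longer covered.
// Returns the names that were removed.
function purgeUnconsented(jar, record) {
  const removed = [];
  for (const name of jar.names()) {
    if (!isAllowed(record, name)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Mailing list opt-in: consent must be an affirmative act by the subscriber.
// A box that was pre-ticked, or left unticked, yields no consent record at all.
function recordNewsletterOptIn({ email, checkboxChecked, checkboxPreTicked, policyVersion, now = () => new Date() }) {
  if (!checkboxChecked || checkboxPreTicked) return null;
  return { email, method: 'signup_form_checkbox', policyVersion, timestamp: now().toISOString(), withdrawn: null };
}

module.exports = { createConsentRecord, withdrawConsent, createCookieJar, setCookie, purgeUnconsented, recordNewsletterOptIn };
```

The consent record is what answers an auditor's "when and how": it carries the method, the timestamp and the policy version the visitor saw, and withdrawal is stored rather than deleting the record. The purge step matters because consent withdrawal under the GDPR has to be as effective as giving it; blocking new cookies is not enough if previously set tracking cookies stay on the device.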

Those were some of the main steps that should be taken to make a website GDPR compliant, depending on the type and purpose of the website: again, update the privacy policy, follow the detailed steps to meet compliance, implement a cookie consent mechanism if using cookies, limit data storage, and update mailing lists. However, the GDPR is a complex and comprehensive law that may require more specific or additional actions depending on the website’s context and circumstances. Therefore, it is advisable to consult a legal or data protection expert. Next time we take a closer look at the use of cookies and cookie consent, the pièce de résistance of GDPR website compliance, before moving on to email marketing under the GDPR.


GDPR Compliance Checklist – A 12 Step Guide for you: https://youtu.be/De8S5e27hgI

What does a DPO do? https://youtu.be/vPkEvH4aDsE

Who can be DPO? https://youtu.be/EM_OJPvFH1s

What is a DPIA? The GDPR Data Protection Impact Assessment (DPIA): https://youtu.be/pJZTIQsS1tg

How To Make Sure You Are Compliant With GDPR, CCPA, LGPD, etc for Shopify: https://youtu.be/_tTnugrxzw4

GDPR Compliant Webflow Website: https://youtu.be/pMb3545Jx78


–Richard Thomas
