6 vital steps to make your website GDPR compliant
General Data Protection Regulation (GDPR), the EU data protection law, came into effect on May 25, 2018, making it essential for businesses to comply with its guidelines to avoid high fine and penalties.
Complying with GDPR is not optional. GDPR enforces data controllers to use both organizational and technical safeguards to make sure there is no alteration with the data. Being non- compliant with GDPR can result in expensive consequences.
Take these steps to help ensure that your website is GDPR-compliant:
1. Clean up the website privacy policy
Update the privacy policy to make the collection and use of data transparent. It includes explaining your data collection usages, cookie usage, and data privacy rules regarding the method and reason for sharing user data. Make sure it contains information about data that is collected by any related plugins.
Don’t just copy and paste someone else’s user policy. It might not contain the proper information specific to your site. If appropriate, you might include items like to whom you sell data. If this is not the case, then explicitly mention that you don't sell data. If you share data with another processor, specify with whom, and the purpose. Specify why you need to collect particular personal information.
Follow this with all types of data you collect, by specifying what you use it for, and how you protect it.
2. Get clear consent to use cookies
The GDPR states cookies constitute personal data, as they can be used to identify an individual. You must obtain clear, specific consent from users to place cookies and to track them. It could be handled by a popup on a user’s first visit to allow them to consent or decline cookie usage. To comply, a default answer (such as accept) doesn’t suffice. The user must choose an option. Without explicit consent from the user, you can’t place cookies on their browser. The site should still be accessible without cookie placement, even though features such as personalization will be lost.
3. Ensure plugins used in the website comply with GDPR
Many plugins utilize user data. It’s vital to review which plugins make use of such user data and to ascertain what they do with it as plugins too must comply with GDPR. Many plugins, for example, make use of cookies. Such usage must be listed in your privacy policy and must be subject to user consent.
It’s the website owner’s responsibility to ensure that every plugin uses consent to export, provide or delete the user data collected by it. If a plugin is collecting the recipient’s address and storing it on a list, without explicit consent for it, you will be violating GDPR. Things like this are a big deal for plugins that make heavy use of user data, but most are working on updates to allow compliance with GDPR. In some cases, you might need to switch to a different plugin.
4. Limit the data that you collect and store via form submissions
Forms have the potential to collect a lot of interesting personal data, but don’t do it! Collect only the fields you need for processing. Don’t keep that data for longer than is essential. Many plugins store data collected from submitted forms in the database. Increasingly, such plugins are being reconfigured to include a “do not store form data” option. If your plugin has this option, make use of it!
5. Clean up your newsletter mailing lists
If your website has a mailing list, you might already be using standard procedures such as double opt-in for your list. Double opt-in means that after the user provides their email, you send a message containing a confirmation link that the user must click on to finalize their subscription. Double opt-in is not required by GDPR. However, it is an excellent way of ensuring that you can prove proper consent was obtained. If you purchase mailing lists from a third party, experts advise you to stop. If you use a purchased list where contacts haven’t given consent for such use, you’ll be in violation of GDPR.
Individual rights are a basic tenet of GDPR compliance
Right to access and portability
Among the modification to your website will be the implementation of a method of exporting user data to CSV or any other commonly used format. If you use a CMS, it might be possible to do this through a plugin. Developers are working to incorporate this functionality into plugins. Until then, you’ll need to code the system for handling this on your own.
Right to be forgotten
Be sure to implement a procedure for deleting personal data when requested. Several exceptions exist, which allow you to keep the data, but generally, if the user asks you to remove it, you must. It includes content created by the user, on the forum, blog comments or through form submissions. Soon, CMS systems like WordPress and Joomla! may add a “Delete my account” button to facilitate this, but it hasn’t happened so far.
If you don’t need it, delete it.
Privacy by design
It’s essential to have safeguards in place for protecting data and for restricting data sharing. Collect only data that is necessary. Resist all the extra, interesting, but not vital, questions you might add to customer signup forms.
6. Consider using HTTPS for website
Consider using SSL for your site as it encrypts the communications between your website and a user’s browser. It will prevent hackers from stealing data through network communication.