Are you on the brink of setting up a new website or organization? Before you go live, you need to be GDPR compliant.
Unless you somehow missed out on the flood of opt-in emails last year, you don’t need reminding that the GDPR came into effect on May 25, 2018. The GDPR impacts every business that runs a website and collects any form of data from European citizens.
If you collect an email address to send a newsletter, a mailing address to schedule a delivery or even cookies, then the GDPR affects you.
GDPR compliance is one of the best things you can invest in when setting up your new website. But what does it mean? We’ll show you what you need to run a website that falls in line with European (and now Irish) law.
The EU General Data Protection Regulation (GDPR) represents the broadest privacy legislation in the world. It also impacts you.
The GDPR is based on two principles: transparency and accountability.
In today’s business climate, the EU wants businesses that handle the personal data of EU citizens to be clear about how they process it. Data processors must share:
The goal is to encourage organizations to collect only the data they need so that people can browse the internet privately and securely without the sites they encounter selling data that belongs to them.
When the GDPR references accountability, it means that organizations need to take responsibility for promoting privacy. It means honesty and transparency and holding itself accountable for the action it says it takes. If the organization is unable to hold itself accountable, then the EU will take its turn.
Accountability is the tangible reason why the GDPR matters so much. The fines can range from two to four percent of your global turnover (or up to 20 million euro) depending on the severity of the infringement.
Before you put together the components of a GDPR compliant website, you’ll need to do a fair bit of preparatory work.
The first thing to do is refer back to the GDPR to review some of the critical rules. Some of the questions you’ll answer include:
The first two answers shape the way you approach data. The third determines whether you appoint an internal or external DPO. Keep in mind that it’s better to have a nominated DPO and not need one then get caught without one.
With a better idea of the legislation in mind, you’ll set about on an audit of your data processes. A thorough review provides all the information you need to complete the bits and pieces for your website. Without a complete audit, you have no idea whether your processes are compliant or you have several violations hidden away.
To get started, you’ll first need to determine and document:
All of these things are necessary because the GDPR requires you to share them with the data subjects, i.e. the people you collect data from. The EU’s commitment to greater transparency means businesses can’t just collect data for the sake of it.
The GDPR prefers all organizations processing the data of European users to meditate on the concept of ‘data minimisation.’
Data minimisation has three components:
Adequacy means collecting data that is sufficient in fulfilling its purpose. Relevancy refers to a link between collection and use. Collecting limited data means only collecting what you need for that purpose.
In essence, the GDPR wants companies to stop collecting huge amounts of data from customers both with and without their knowledge.
The EU watched as companies like Facebook collected huge amounts of data only to misuse it and risk the privacy of people, often without their knowledge.
GDPR preparation is a long process, but it’s worthwhile. It’s not only good business practice, but it avoids those crippling fines.
With the legwork done, you’re ready to start building some of the essential components of a GDPR compliant website.
These three pieces are:
Here’s how to get started.
The GDPR requires you to share your data practices with your data subjects through the use of a privacy policy.
Privacy policies are already standard practice because they were required by other legislation like the previous data directive as well as other international law like California’s CalOPPA.
You’ll need to complete your audit and use the details from it. The core components of a Privacy Policy include:
In addition to providing all this information, the GDPR requires you to write a privacy policy that is (1) easy to find (2) easy to read. That means you need links everywhere including your site’s footer and any relevant posts. You also need to use clear language that anyone can read–no legalese required.
Do you run a site that caters to children? Sites with media and games tend to attract children of all ages.
If your site is likely to attract children (below 16) and you are likely to process their information, then you need to go a step further. The GDPR says your privacy policy must be easy for the youngest user of your site to use.
You briefly covered your collection of cookies in your privacy policy, but cookies warrant their own documentation.
The GDPR only mentions cookies once. However, the misuse of this data is a severe violation.
If you already have a cookies policy, then you should check to see if it includes all this information.
Previous cookie policies often miss out on the language required to opt out or change their settings. The GDPR is keen on these options throughout all data collected–not just cookies.
In addition to the policy, you’ll need to ensure that you update your consent mechanisms for cookies, which we’ll cover in the next section.
Don’t forget to keep records of all consents. If you have asked for consent again since the GDPR, then you’ll need to re-confirm consent and document it.
Many business owners choose to incorporate their cookie policy into their privacy policy. There’s nothing wrong with doing so, but it’s creating one on its own anyway.
First, cookies change often. You’ll need to revise the policy regularly. Working with a standalone document may make updating it easier.
Second, creating a standalone cookie policy encourages you to dive deep into your cookie practices. Many site owners don’t know what cookies operate on their website. Ignorance may be bliss, but it now comes with fines from the EU.
Third, cookies tend to be third-party products. You may not know what happens to them.
We recommend not only a cookie policy but a GDPR compliant cookie solution to ensure you know what’s happening and when.
With a privacy policy and cookies policy in hand, you need one more thing to meet minimum GDPR requirements: consent mechanisms.
If you process data based on the legal basis of consent, then you have special rules to follow. First, you must be able to prove that the data subject consented.
The GDPR requires that the consent be affirmative, freely given, and easy to withdraw.
That means you can’t use any pre-ticked boxes, negative statements, or any other consent mechanisms that might trick customers into handing over data.
Update your consent mechanisms for all data to make sure they meet the conditions. You can read more about the GDPR’s conditions for consent in Chapter 7 of the policy.
As Irish business owners, GDPR compliance needs to be a top priority. Keeping up with the demands is both good business practice and prevents you from seeing fines that could destroy your business.
Are you building a new website for your business? In addition to hosting, we offer a long list of great resources for building, maintaining, and protecting a site over on our blog.
