What Does a Website Need to Be GDPR Compliant? (8 Key Steps For Your Website’s GDPR Compliance)

With the General Data Protection Regulation (“GDPR”) taking effect on May 25, 2018, websites operating within the European Union (“EU”) or targeting EU citizens have become obligated to comply with certain requirements regarding the data they process. According to the GDPR, not only companies established or operating within the EU, but also those located outside the EU, are subject to the regulation if they offer services to EU citizens via their websites. Therefore, the GDPR applies to your business even if you don’t have any physical presence in any EU country.

In light of this information, consider reviewing our GDPR compliance checklist if your website collects and processes personal data of users from the EU, regardless of your physical location.

1. Be the Master of Your Collected Data

The first and most crucial step towards GDPR compliance is knowing the data you process, hold and store. Website owners must know which data they gather from their visitors, how they process it, where they store it and who can access said data.

You can start by asking yourself whether you collect sensitive personal data. If so, you should consider that there are stricter security requirements for sensitive personal data. Also, you should know who you are collecting this data from. In cases where the data subject is under 16 years of age, the legal liability would be higher.

After that, you should know where your collected data is stored and who can access it. For instance, in a company with multiple departments, only the relevant departments’ employees should be able to access the user data. Since GDPR only allows processing of personal data on certain legal bases, only the employees who need to access said data as part of their job should have such access privileges. Otherwise, you might be in violation of GDPR.

Another crucial point to consider is whether the data is transferred to any third party and whether the said party is GDPR compliant. This is because you are also liable for any third party’s GDPR violations. And in the case that said third party is based outside of the EEA, there are additional requirements in order to be in compliance with GDPR.

In any case, a website owner must always ask themselves whether the data they collect is necessary. With every piece of data you process you take on a risk and a legal liability; therefore, you should not collect any more data than you actually need.

2. Establish Security Measures for Your Website

For website owners, prioritizing website security is non-negotiable. This involves securing the data stored on the platform and implementing measures to shield it from external threats. Websites face constant attacks, so taking proactive steps to safeguard your online presence is essential.

Some examples of precautions you can take:

  • Installing an SSL certificate,
  • Using a CDN provider that will protect your website from DDoS attacks,
  • Backing up your data in multiple locations such as cloud services or servers,
  • Using strong passwords for admin accounts.

3. Prepare a GDPR Compliant Privacy Policy

Since GDPR obliges data processors, such as website owners, to inform their users regarding the data they collect and users’ rights, a privacy policy is a must-have for every website that collects user data. First and foremost, a privacy policy must be easily accessible and written in clear language. This means that any user visiting your website should be able to access and understand your privacy policy.

A website’s privacy policy acts as a user guide to their data. It should clearly explain how the website owner handles the user’s information, starting from collection and storage of the data to potential use and transfer of said data. In addition, a privacy policy must inform users about the control they have over their data. It has to explain users’ rights under GDPR, such as the right to access their data or the right to request the erasure of their data.

4. Deploying a Cookie Consent Banner

As mentioned above, websites are obliged to inform their users under GDPR regarding the data they process. This also includes cookies. A website should provide information about the cookies it uses and also acquire explicit consent from its users if it uses non-necessary cookies.

This requirement can be accomplished by deploying a cookie banner on your website. Just like the privacy policy, a cookie consent banner should inform the users in understandable language and should be easily accessible.

In the case that your website utilizes non-necessary cookies such as marketing or analytics cookies, then you have to obtain users’ explicit consent prior to activating such cookies. Therefore, it is crucial for a website owner to identify the cookies that their website utilizes. Upon entry to the website: (i) non-necessary cookies should initially be disabled, (ii) users should be informed regarding all the cookies and (iii) an option to use the website without consenting to non-necessary cookies should be provided to the user.
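The three rules above (non-necessary cookies off by default, an informed choice, and a usable “reject” path) translate directly into the state logic behind a consent banner. The following is an added example written for this article, not code from the original page or from any banner product. The category names, cookie names and the `cookie-consent-v1` storage key are constructed for the example; the loader callbacks stand in for the third-party tags a real site would inject only after consent.

```javascript
"use strict";

// Cookie categories (constructed for this example; a real site maps its own
// cookies here). "necessary" needs no consent; every other category stays off
// until the visitor explicitly opts in.
const CATEGORIES = Object.freeze({
  necessary: { consentRequired: false, description: "Session and CSRF cookies" },
  analytics: { consentRequired: true, description: "Usage statistics" },
  marketing: { consentRequired: true, description: "Advertising and tracking" },
});

// State on first visit: no decision yet (so the banner must be shown) and
// nothing non-necessary granted. Rule (i) from the text.
function initialConsent() {
  const granted = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    granted[name] = !cfg.consentRequired;
  }
  return { decided: false, granted, decidedAt: null };
}

// Record the visitor's choice. Only known, consent-requiring categories can be
// switched on, and only by an explicit `true`; "necessary" is never switched
// off. An empty `choices` object is "reject all": the visitor keeps using the
// site with necessary cookies only. Rule (iii) from the text.
function recordDecision(state, choices, now = Date.now()) {
  const granted = { ...state.granted };
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    if (cfg.consentRequired) granted[name] = choices[name] === true;
  }
  return { decided: true, granted, decidedAt: now };
}

function isAllowed(state, category) {
  return Object.prototype.hasOwnProperty.call(CATEGORIES, category)
    && state.granted[category] === true;
}

// Run each loader only if its category is permitted. In a browser the loaders
// would inject the analytics or marketing tags; here they are plain callbacks
// so the gating logic can run anywhere.
function applyConsent(state, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(state, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Cookies that must be deleted because their category is not (or no longer)
// permitted, e.g. right after the visitor withdraws consent.
function cookiesToPurge(state, cookieNames) {
  const purge = [];
  for (const [category, names] of Object.entries(cookieNames)) {
    if (!isAllowed(state, category)) purge.push(...names);
  }
  return purge;
}

// Persistence: the decision is stored under one key and re-validated on load,
// so a stale or edited record can never grant more than the current schema
// allows. `storage` is anything with getItem/setItem (e.g. localStorage).
const STORAGE_KEY = "cookie-consent-v1";

function saveConsent(storage, state) {
  storage.setItem(STORAGE_KEY, JSON.stringify(state));
}

function loadConsent(storage) {
  try {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return initialConsent();
    const stored = JSON.parse(raw);
    if (stored.decided !== true) return initialConsent();
    return recordDecision(initialConsent(), stored.granted || {}, stored.decidedAt);
  } catch (err) {
    return initialConsent(); // unreadable record: treat as no decision, show banner again
  }
}
```

In the page itself, the banner calls `loadConsent(window.localStorage)` on every load, shows itself while `decided` is false, and on either button calls `saveConsent` with `recordDecision(state, choices)` followed by `applyConsent`; because loaders are only ever run through `applyConsent`, a tag cannot fire before consent exists. Rule (ii), informing the user, is what the `description` fields are rendered from.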

5. Ensuring the Compliance of the Forms on Your Website

Depending on the services provided, websites may present certain types of forms to their users in order to obtain information. These forms can vary from contact forms (which may gather basic contact information such as e-mail addresses or phone numbers) to job application forms or request forms (which may gather users’ CVs, photos or sensitive information depending on the services provided). Therefore, any kind of form that collects information from website users should be reviewed and adjusted in order to be compliant with GDPR.

In light of this, website owners should include a privacy statement or a link to their privacy policy in their forms. Also, depending on the type of the form concerned, an opt-in option to obtain user consent to collect data can be beneficial.

6. Explicit Consent for Sending Newsletters

In order to have a mailing list of EU citizens and send out newsletters for marketing or promotional purposes, website owners must abide by certain GDPR requirements.

This provision applies to all newsletters and any other communication. Ideally, a website should use a double opt-in process. This means users are required to confirm their email address after signing up on the website.

Besides acquiring prior explicit consent, users should also be allowed to change their mind at any time and stop receiving newsletters. It should be emphasized that unsubscribing from the newsletters must be effortless for the user. Every email sent out should have a clear and easily accessible unsubscribe link. Clicking this link should lead to a straightforward method for users to opt out of receiving future emails.

7. Review Your Third Party Services and Data Transfer

According to GDPR provisions, any data processor is also responsible for the GDPR compliance of the third party services they use. This means that if you use the services of a third party company while processing your website users’ data, said third party company should also be GDPR compliant; otherwise you are both liable for any violation.

In light of this information, a website owner must know which of the services or companies they utilize directly or indirectly are GDPR-compliant. Their privacy policies should be evaluated and/or a contract regarding their commitment to GDPR should be signed.

When it comes to data transfer, you must identify what kind of data (sensitive personal data or personal data) you transfer and where you transfer it to (to EU or non-EU countries). Depending on these, a website owner should: (i) make a risk assessment, (ii) evaluate whether the recipient country or service provides an adequate level of data protection according to GDPR requirements and (iii) sign the necessary agreements with the recipient service provider.

8. Data Rights Provisions

According to GDPR, users have the right to obtain information regarding the personal data websites collect from them and to correct their personal data held by the website. Users should have clear and easy ways to do this. However, there is no legally defined method for this. Therefore, as a website owner you can choose any method to inform your users as long as it is clear, easily accessible and detailed.

You can always reach our İzmir Personal Data Lawyers to get expert legal support on the protection of your personal data or your company’s personal data law compliance.
