Tech 21 Century

10 Steps for your Website to Comply with the GDPR

Whether you are an e-shop owner, or you manage a news portal that collects emails to send a newsletter, or even if you have a small corporate website that receives messages through the contact form, one thing is certain, you must be ready by May 25th 2018, for the General Data Protection Regulation (GDPR).

how to comply with GDPR for website owners

Which sites does GDPR concern?

The websites that should be prepared for GDPR are the ones that collect, process and store visitor/user data. Let’s look at a short list of features and practices of websites that are subject to the regulation:

  • You are using Google Analytics
  • Your site has registration forms
  • E-commerce features that collect payment information, orders etc.
  • You have subscription forms for a newsletter
  • Your site has scripts that use cookies
  • You use commenting systems like Disqus, etc. in your articles
  • You have a contact form on your site

10 Steps for preparing your website for GDPR

1.Privacy Policy

In your site’s privacy policy, you must detail and make clear about how you collect, edit and store your user data. Also, do not forget to mention the time you intend to keep the data and how users can view and delete their data.

2. Encrypt data with SSL/TLS

If your site does not encrypt the data through an SSL/TLS certificate already, then you should put it in your immediate priorities. As we have mentioned in previous articles, the SSL/TLS certificate is the first step for GDPR, because it offers privacy and security in the transactions and transfer of user data. In simple terms, you must change your website to use HTTPs instead of HTTP.

3. Electronic forms

If your site has input forms (communication, support, sales, etc.), you will need to add check boxes of consent (that are not pre-filled) but selected by the user, since the pre-filled boxes are not considered as free consent.

Users should be able to give different consent depending on the type of data processing performed each time. For example, if you provide your user data to third parties, you will need to add another consent box where you will ask for the user’s consent.

4. Easy unsubscription or revocation of permission

Users should be able to unsubscribe or revoke their consent from processes and actions that process their data. For example, you should allow your users to unsubscribe from the newsletter in an easy way and at any time they want it.

5. Cookies

If you use cookies, you will need to inform your visitors when entering the site and provide more details about them in the privacy policy. You should also allow them to disable cookies through browser settings.

  • If you use third-party cookies, such as google analytics, this should also be mentioned in your site’s privacy policy.

6. IP logging

In case you record (log) the IP addresses of users or visitors to your site, you should report it in the privacy policy because IP addresses are “personal data” of individuals.

  • If, for example, your blog has a comment system that records users’ IPs in the database, let them know in the comments section about this.

7. Advertising on social media

If you intend to use the email from registered members of your site to run an advertising campaign on social media, you should first have them informed. Also, give them the ability to unsubscribe from specific marketing actions if they so desire.

8. Re-marketing

Re-marketing works by using cookies that “mark” and monitor the users of your site so you can follow up with them with targeted advertising in other online websites. The use and manner of operation of these should be clearly displayed within your site’s privacy policy.

9. Online Payments

If you use payment gateways such as PayPal, Stripe, Sagepay, etc. for the financial transactions of customers and their personal data pass through your e-shop first, you will need to encrypt this information via an SSL certificate.

If your e-shop stores personal information, even if after sending the information to the payment gateway, then you will need to modify the privacy policy and e-shop processes to remove any personal information within a reasonable amount of time, for example 90 days.

The GDPR legislation is not explicit about the number of days that you can store your customer’s personal data. It is in your own judgment as to what can be claimed as a reasonable and necessary time. Finally, be prepared to provide and if you are required to remove all the information you hold for each customer.

10. Information leak

The GDPR defines the duty of businesses and organizations, in the event of data breaches, to notify within 72 hours the country’s Data Protection Authority.

Summing up:

Be informed about the source, storage location, and the way of processing the data. Take all the necessary steps on your site to ensure that the data is encrypted and protected from malicious actions. Provide users with “concise, clear, comprehensible and easily accessible” information and the ability to block, view or even easily remove their data from your system.

Related posts:

  1. Issues Surrounding Mobile Security And Privacy Concerns
  2. Iframe Injection Website Attack and Tips to Clean the Infection
  3. The Results Of A Hacker Finding Your Personal Information

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

COMPARISON GUIDES

Linksys Velop vs Netgear Orbi – Best WiFi Mesh System
Wink Hub 2 vs Samsung SmartThings
iRobot Roomba 960 Vs 980
Netgear Arlo Vs Arlo Pro Vs Pro2
Netgear Arlo Pro2 vs Nest

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.