Whether you are an e-shop owner, or you manage a news portal that collects emails to send a newsletter, or even if you have a small corporate website that receives messages through the contact form, one thing is certain, you must be ready by May 25th 2018, for the General Data Protection Regulation (GDPR).
Which sites does GDPR concern?
The websites that should be prepared for GDPR are the ones that collect, process and store visitor/user data. Let’s look at a short list of features and practices of websites that are subject to the regulation:
- You are using Google Analytics
- Your site has registration forms
- E-commerce features that collect payment information, orders etc.
- You have subscription forms for a newsletter
- Your site has scripts that use cookies
- You use commenting systems like Disqus, etc. in your articles
- You have a contact form on your site
10 Steps for preparing your website for GDPR
1. Privacy Policy
In your site’s privacy policy, you must detail and make clear how you collect, edit and store your user data. Also, do not forget to mention how long you intend to keep the data and how users can view and delete their data.
2. Encrypt data with SSL/TLS
If your site does not already encrypt data through an SSL/TLS certificate, then you should put it among your immediate priorities. As we have mentioned in previous articles, the SSL/TLS certificate is the first step for GDPR, because it offers privacy and security in the transactions and transfer of user data. In simple terms, you must change your website to use HTTPS instead of HTTP.
3. Electronic forms
If your site has input forms (communication, support, sales, etc.), you will need to add consent checkboxes that are not pre-ticked but must be selected by the user, since pre-ticked boxes are not considered free consent.
Users should be able to give separate consent for each type of data processing performed. For example, if you pass user data to third parties, you will need to add another consent box where you ask for the user’s consent to that specific processing.
4. Easy unsubscription or revocation of permission
Users should be able to unsubscribe or revoke their consent from processes and actions that process their data. For example, you should allow your users to unsubscribe from the newsletter easily and at any time.
5. Cookies
If you use cookies, you will need to inform your visitors when they enter the site and provide more details about the cookies in the privacy policy. You should also explain how they can disable cookies through their browser settings.
- If you use third-party cookies, such as those set by Google Analytics, this should also be mentioned in your site’s privacy policy.
6. IP logging
In case you record (log) the IP addresses of users or visitors to your site, you should report it in the privacy policy because IP addresses are “personal data” of individuals.
- If, for example, your blog has a comment system that records users’ IPs in the database, let them know in the comments section about this.
7. Advertising on social media
If you intend to use the email addresses of registered members of your site to run an advertising campaign on social media, you should inform them first. Also, give them the ability to opt out of specific marketing actions if they so desire.
8. Re-marketing
Re-marketing works by using cookies that “mark” and monitor the users of your site so you can follow up with them with targeted advertising on other websites. The use and manner of operation of these cookies should be clearly described in your site’s privacy policy.
9. Online Payments
If you use payment gateways such as PayPal, Stripe, Sagepay, etc. for your customers’ financial transactions and their personal data pass through your e-shop first, you will need to encrypt this information in transit via an SSL/TLS certificate (HTTPS).
If your e-shop stores personal information, even after sending the information to the payment gateway, then you will need to modify the privacy policy and e-shop processes to remove any personal information within a reasonable amount of time, for example 90 days.
The GDPR legislation is not explicit about the number of days that you can store your customers’ personal data. It is in your own judgment as to what can be claimed as a reasonable and necessary time. Finally, be prepared to provide, and if required to remove, all the information you hold for each customer.
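Steps 3, 4 and 9 above describe behaviour that has to be implemented server-side: each processing purpose gets its own opt-in, a consent can be withdrawn on its own, and stored personal data is purged after a retention window. The following is an added illustration in Python, not code from the article; the purpose names, field names (`consent_<purpose>`) and the 90-day window are assumptions taken from the article’s examples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each processing purpose the site asks about gets its own checkbox and record (assumed names).
PURPOSES = ("newsletter", "third_party_sharing", "social_ads")
RETENTION_DAYS = 90  # the article's example window for personal data kept after checkout

@dataclass
class UserRecord:
    email: str
    consents: dict = field(default_factory=dict)  # purpose -> datetime when granted
    orders: list = field(default_factory=list)    # (placed_at, dict of personal details)

def parse_consent_form(form: dict) -> set:
    """Read submitted checkbox fields named 'consent_<purpose>'.
    Browsers only submit a checkbox the user ticked, so an absent or empty field
    means no consent; the template must render the boxes without 'checked'."""
    return {p for p in PURPOSES if form.get(f"consent_{p}") == "on"}

def record_consents(user: UserRecord, form: dict, now: datetime) -> set:
    """Store a timestamp per granted purpose; purposes not ticked stay unconsented."""
    granted = parse_consent_form(form)
    for purpose in granted:
        user.consents[purpose] = now
    return granted

def may_process(user: UserRecord, purpose: str) -> bool:
    """Gate every processing action (e.g. sending a newsletter) on a live consent."""
    return purpose in user.consents

def revoke(user: UserRecord, purpose: str) -> None:
    """Withdraw one consent without touching the others (step 4)."""
    user.consents.pop(purpose, None)

def purge_expired_orders(user: UserRecord, now: datetime) -> int:
    """Drop personal details of orders older than the retention window (step 9)."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    kept = [o for o in user.orders if o[0] >= cutoff]
    removed = len(user.orders) - len(kept)
    user.orders = kept
    return removed

def demo() -> tuple:
    """Constructed sample run: one ticked box, one old and one recent order."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    user = UserRecord("alice@example.com")
    granted = record_consents(user, {"consent_newsletter": "on", "consent_social_ads": ""}, now)
    user.orders = [(now - timedelta(days=120), {"address": "old"}), (now - timedelta(days=10), {"address": "new"})]
    revoke(user, "newsletter")
    return granted, purge_expired_orders(user, now), may_process(user, "newsletter"), len(user.orders)

if __name__ == "__main__":
    print(demo())
```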
10. Information leak
The GDPR defines the duty of businesses and organizations, in the event of a data breach, to notify the country’s Data Protection Authority within 72 hours.
Summing up:
Be informed about the source, storage location, and the way of processing the data. Take all the necessary steps on your site to ensure that the data is encrypted and protected from malicious actions. Provide users with “concise, clear, comprehensible and easily accessible” information and the ability to block, view or even easily remove their data from your system.