Whether you are an e-shop owner, you manage a news portal that collects emails to send a newsletter, or you have a small corporate website that receives messages through a contact form, one thing is certain: you must be ready by May 25th 2018 for the General Data Protection Regulation (GDPR).
Which sites does GDPR concern?
The websites that should be prepared for GDPR are the ones that collect, process and store visitor/user data. Here is a short list of features and practices that bring a website within the scope of the regulation:
- You are using Google Analytics
- Your site has registration forms
- E-commerce features that collect payment information, orders etc.
- You have subscription forms for a newsletter
- You use commenting systems like Disqus, etc. in your articles
- You have a contact form on your site
10 Steps for preparing your website for GDPR
2. Encrypt data with SSL/TLS
If your site does not already encrypt traffic with an SSL/TLS certificate, make it an immediate priority. As we have mentioned in previous articles, the SSL/TLS certificate is the first step for GDPR, because it provides confidentiality and integrity for transactions and for the transfer of user data. In simple terms, you must change your website to use HTTPS instead of HTTP.
3. Electronic forms
If your site has input forms (communication, support, sales, etc.), you will need to add consent checkboxes that are not pre-ticked and must be ticked by the user, since pre-ticked boxes are not considered freely given consent.
Users should be able to give separate consent for each type of data processing performed. For example, if you pass user data to third parties, you will need to add another consent box that asks for the user’s consent to that specifically.
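As an added example that is not part of the original article, the following Python audits a form template for pre-ticked consent boxes and validates a submission so that each processing purpose needs its own affirmative tick. The form markup and the `consent_` naming convention are constructed assumptions for this example.

```python
from html.parser import HTMLParser

# Constructed sample form: the third-party box ships pre-checked, which does
# not count as freely given consent and is what the audit should flag.
SAMPLE_FORM = """
<form method="post" action="/contact">
  <input type="email" name="email">
  <input type="checkbox" name="consent_contact" value="yes">
  <input type="checkbox" name="consent_third_party" value="yes" checked>
  <input type="submit" value="Send">
</form>
"""


class ConsentBoxAudit(HTMLParser):
    """Collect consent checkboxes and record any that carry 'checked'."""

    def __init__(self):
        super().__init__()
        self.consent_boxes = []  # names of all consent checkboxes found
        self.prechecked = []     # names that are pre-ticked in the template

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a valueless 'checked' attribute appears as None
        if (tag == "input" and a.get("type") == "checkbox"
                and a.get("name", "").startswith("consent_")):
            self.consent_boxes.append(a["name"])
            if "checked" in a:
                self.prechecked.append(a["name"])


def audit_form(html):
    """Return the consent boxes in a template and which ones are pre-ticked."""
    parser = ConsentBoxAudit()
    parser.feed(html)
    return {"boxes": parser.consent_boxes, "prechecked": parser.prechecked}


def validate_submission(form_data, required_purposes):
    """Server side: one affirmative box per purpose. A box that is absent from
    the POST body means the user left it unticked, so it is never treated as
    consent (the browser omits unticked checkboxes entirely)."""
    granted = {p for p in required_purposes
               if form_data.get("consent_" + p) == "yes"}
    missing = [p for p in required_purposes if p not in granted]
    return {"ok": not missing, "granted": sorted(granted), "missing": missing}
```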
4. Easy unsubscription or revocation of permission
Users should be able to unsubscribe or revoke their consent for any process or action that handles their data. For example, you should allow users to unsubscribe from the newsletter easily and at any time.
6. IP logging
- If, for example, your blog has a comment system that records users’ IP addresses in the database, say so in the comments section.
If you intend to use the email addresses of registered members of your site to run an advertising campaign on social media, you must inform them first. Also give them the ability to opt out of specific marketing actions if they so desire.
9. Online Payments
If you use payment gateways such as PayPal, Stripe, Sagepay, etc. for customers’ financial transactions and their personal data passes through your e-shop first, you will need to encrypt this information via an SSL certificate.
The GDPR legislation is not explicit about the number of days you may store your customers’ personal data. It is left to your own judgment what can be justified as a reasonable and necessary period. Finally, be prepared to hand over, and if required delete, all the information you hold on each customer.
10. Information leak
The GDPR obliges businesses and organizations, in the event of a data breach, to notify the country’s Data Protection Authority within 72 hours.
Know where the data comes from, where it is stored, and how it is processed. Take all necessary steps on your site to ensure that the data is encrypted and protected from malicious actions. Provide users with “concise, clear, comprehensible and easily accessible” information and the ability to block, view or easily remove their data from your system.