GDPR Checklist

Is your Website GDPR compliant?

Find out in 11 Steps

1. Provide the Identity and contact details of the Data Controller
2. Disclose the Purpose for collecting personal data
3. Provide the Legal Basis for collecting personal data
4. Disclose who will receive the personal data collected
5. Display the Retention Time of personal data collected
6. Display a person’s GDPR Rights
7. Implement Privacy by Design and by Default
8. Collect Consent for Cookies and Tracking tools
9. Collect Consent for Social Media Embeds, Online Maps
10. Allowing Social Media Logins – Disclose the personal data collected from the Social Media Service
11. Provide all this information in an Easy-to-Read manner

1. Provide the Identity and contact details of the data controller

Your website has to inform a person providing their data who the data controller is. If there are any issues regarding their personal data they have to know how to contact the company.

The data controller is normally a legal entity/person not a natural person (a human being). This means that in general, the business that owns the website is the data controller.

Providing the contact email address of the data controller will check this requirement.

[Article 13 – Information to be provided where personal data are collected from the data subject]

2. Disclose the purpose for collecting personal data

There has to be a purpose or a reason for you to collect personal data. According to the GDPR a business is not allowed to collect personal data it does not need. This is often referred to as “Data Minimisation“, or “Data Limitation“.

If you collect an email address to communicate with customers or potential customers, then you need to inform the person that communication is the reason for collecting their email address. It may be blindly obvious to both parties, but the website must still inform the person that this is the reason for collecting the email address. This is done to prevent companies from collecting personal data without a legitimate reason.

The same holds true for collecting a person’s name, their IP-Address, their billing address etc. If it’s personal data, then you must provide a reason for collecting it.

[Article 5 §1b & §1c – Principals relating to processing of personal data]

3. Provide the legal basis for collecting personal data

Once you have shown the person the purpose for collecting any sort of personal data, you must inform them about the legal basis for collecting their data. There are 6 legal bases in the GDPR, they are:

1. Consent – a person has to give you their consent to collect their data (Relevant for Website Compliance)
2. Contractual obligation – an example: you have an online shop and sell clothes, you need a certain amount of personal information to fulfil the contract of delivery and payment. (Relevant for Website Compliance)
3. Legitimate interests – Collecting the IP-Addresses of the people that visit your website can be a legitimate interest. Example: In order to prevent DDOS attacks. (Relevant for Website Compliance)
4. Legal Obligation – In certain you cases you may be legally required to collect certain personal information. Example: When employing a person.
5. Processing for vital interests – an example: you have to process personal information in order to save a person’s life (very rarely used)
6. Public Interest – the surveillance of public spaces like a mall or train station. This is based on the safety and security of the public, thus public interest (very rarely used a legal basis for websites).

The most common legal bases are: Consent, Contractual Obligation and Legitimate Interest for websites. In very rare cases will need to use the other 3 for your website.

[Article 6 – Lawfulness of processing]

4. Who will receive the personal data collected

You must inform the person who’s information you are collecting if their personal information will be passed on to other companies or whether it will stay within the company. Generally the information will stay within the company but there are cases where the info will be passed on to another company. This is often the case in the marketing and advertising world.

If your company collects data that will be passed on to a 3rd party then you must inform the person of this. This information can/should be provided in the privacy policy.

[Article 13 – Information to be provided where personal data are collected from the data subject]

5. The retention time of personal data

At the time of collecting the data you must also inform the person how long you will store their data. Storage times can often be indefinite i.e. the length of time you will hold their data is not foreseeable when collecting the data. It could be for a fixed amount of time because you are legally required to store certain information, example; employee data or business transactions for tax purposes etc.

You could also store the data until the person uses their right to be forgotten (deletion), when they no longer want to receive a newsletter. In such a case the data can either be deleted or made anonymous. Do not forget that a key principal of the GDPR is data minimisation: only collect the data your business needs (see point 2).

[Article 13 – Information to be provided where personal data are collected from the data subject]] [Article 14 – Information to be provided where personal data have not been obtained from the data subject]

6. GDPR User Rights

When your website collects personal data it must inform the person of their GDPR rights. Those rights are:

1. The Right to Access their Data
2. The Right to have their data Rectified i.e. corrected
3. The Right to be forgotten i.e. deletion of their data
4. The Right to restrict processing
5. The Right to Data Portability
6. The Right to Object to their data being used
7. The Right to make a Complaint to a Data Protection Authority
8. The Right to know if their data is being used for profiling (only if the data will be used for profiling i.e. automatic decision making)

Informing a person about their rights on your website is one step towards GDPR website compliance. It is important to remember that your business has to be able to fulfil these requests when a person makes them.

[Chapter 3 of the GDPR]

7. Data Protection by design and by default for Websites.

This article (Article 25 in the GDPR) has a very broad scope. People are writing books about privacy by design and by default and new programs are being made that focus on this principle. In the context of your website, which will spill over into the practises of your business/organization there are a few things that you can do to implement this principal.

1. Only collect the data that you need to run your business (this should become your default behaviour). This is a recurring theme in the GDPR – Data Minimisation.
2. Make sure your website uses a valid SSL certificate to ensure that (all) data is transferred in a secure manner.
   

   NOTE: SSL certificates are not specifically mentioned in the GDPR but they should be a default.

3. Find the latest and best tools that help you implement privacy by design and default, that are in your budget.

What does point 3 mean exactly? Find tools, like TRUENDO, that are designed to make you follow the principals of the GDPR. The tools should not cost your business an arm and a leg. This principal also requires you to take the initiative, to find the best products that will help you reach GDPR compliance.

[Article 25 “Data Protection by design and by default” see §1]

8. The retention time of personal data

This is a big topic in the GDPR/Data Privacy world! Because cookies can collect personal data that can be used to make a profile about your online behaviour, they also fall under the GDPR. This is the overlap between the GDPR and the ePrivacy Directive.

To keep this short: if your website uses cookies, you must inform an EU-citizen visiting your website that it uses cookies. (see link to Cookie Law below)

Marketing cookies: in general they are not strictly necessary and you therefore need consent from a person to set marketing cookies. Informing a person that you use cookies is not enough.

Statistics cookies: your website can set them automatically if the data collected is immediately anonymised. Google Analytics offers this function. If the cookies are not anonymised then you will need the consent from the user to be on the safe side of the GDPR.

Preference Cookies: For these cookies you need the consent of the user. Because the preferences of a customer can be used to make a profile, your website must collect consent from the user.

Commonly, a website asks you to “accept cookies” and then you never see an option of opting-out. Strictly speaking a website is violating the GDPR if they use this practise, provided the data collected is not anonymised. This practise does not adhere to the principal of Article 7 of the GDRP. If setting a cookie is based on consent it must be as easy to revoke consent as it is to give consent. That’s it!

There are plenty of privacy policies that tell a person to change their browser settings to prevent cookies from being set. This goes against the GDPR. It’s not as easy as clicking on accept and it will have an impact on most other websites a person visits.

Note: Just to clarify, the GDPR is not the Cookie Law, the ePrivacy Directive is the “Cookie Law”. The reason for the cookie notifications is in the ePrivacy Directive. The GDPR does overlap with the ePrivacy Directive, see Recital 30 of the GDPR.

[Article 7 – Conditions for Consent] [Recital 30 of GDPR] [ePrivacy Directive: Recital 25 = “Cookie Law”]

9. Collect consent for Social Media Embeds & Online Maps

Adding social media embeds to your website like a Youtube videos, online maps providers, like buttons, share buttons, social media posts (like a tweet or instagram post) and comment boxes, will mean that the person visiting your website, will send information to the social media service to see the content.

This means your website is sending browser information to a 3rd party (personal information in the form of an IP-Address and possibly tracking data). Your website must inform a person of this, ask them if they want to read or watch the content from the social media embed before it loads on the page. Only then is your website GDPR compliant (with regard to social media embeds).

[Article 13 – Information to be provided where personal data are collected from the data subject]

10. Allowing Social Media Logins – Disclose the personal data collected

If your website allows users to login with Google, Facebook, Twitter, Instagram, Pintrest, Linkedin or any other service, then you collect certain information from them. This could be an email address, a name, a date of birth, a phone number, a profile picture etc. Whatever it is that your website requests from the social media service, you have to inform the person logging in, why you need it, the legal basis for collecting it, how long you will store their personal information, their GDPR rights etc.

Please remember that you should only request the information that you need from them and nothing more (Data Minimisation).

[Article 14 – Information to be provided where personal data have not been obtained from the data subject]

11. Provide all this information in an Easy-to-Read manner

This perhaps the hardest part of making your website GDPR compliant. Article 12 states the following:

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] in a concise, transparent, intelligible and easily accessible form, using clear and plain language, […].

With the right tool this can be easy to do and you will tick the boxes in this GDPR Website Checklist.

[Article 12 -Transparent information, communication and modalities for the exercise of the rights of the data subject]

Summary: GDPR Website Checklist

1. Your website must provide the contact details and identity of the data controller. (The data controller is most often a company/business i.e. the owner of the website)
2. The reason for collecting their personal data i.e. the purpose for collecting their data. (Collect only what is required – Data Minimisation)
3. Your website must provide a person with the legal basis for collecting their data (1 of 6 legal bases to choose from, 3 of which are commonly used on websites)
4. You must tell the person giving you their data if it will remain inside the company, or of it will be passed on to 3rd parties (Social Media embeds means you are passing data on to a 3rd party).
5. You must inform the person how long you will store their data for.
6. Your website must inform a person about all their GDPR Rights at the time of data collection.
7. Try and use the lasted and best software, hardware and information on GDPR website compliance, but operate within your financial means.
8. All cookies other than strictly necessary cookies and anonymised cookie data require consent from the user.
9. Social media embeds will mean that your website will share personal data with 3rd parties. A person must be informed about this and they have to consent to the data being sent, before any data is sent to the 3rd party.
10. Social Media Logins – your website must inform a person which data you are collecting and why.
11. Providing all of the above information in an easy-to-read manner can be done, by using the right tools.

Using the right tools can also make your life much easier. TRUENDO will cover all the points on this GDPR Website Checklist (with the exception of SSL certificates). To make your website GDPR compliant, make an account with TRUENDO and offer your website’s visitors an easy-to-read GDPR compliant privacy policy.