This handy checklist helps you keep your website GDPR compliant.
Find out in 11 Steps
Your website has to inform a person providing their data who the data controller is. If there are any issues regarding their personal data they have to know how to contact the company.
The data controller is normally a legal entity/person not a natural person (a human being). This means that in general, the business that owns the website is the data controller.
Providing the contact email address of the data controller satisfies this requirement.
[Article 13 – Information to be provided where personal data are collected from the data subject]
There has to be a purpose or a reason for you to collect personal data. According to the GDPR a business is not allowed to collect personal data it does not need. This is often referred to as “Data Minimization” or “Data Limitation”.
If you collect an email address to communicate with customers or potential customers, then you need to inform the person that communication is the reason for collecting their email address. It may be blindingly obvious to both parties, but the website must still inform the person that this is the reason for collecting the email address. This is done to prevent companies from collecting personal data without a legitimate reason.
The same holds true for collecting a person’s name, their IP-Address, their billing address etc. If it’s personal data, then you must provide a reason for collecting it.
[Article 5 §1b & §1c – Principles relating to processing of personal data]
Once you have shown the person the purpose for collecting any sort of personal data, you must inform them about the legal basis for collecting their data. There are 6 legal bases in the GDPR; they are:
For websites, the most common legal bases are Consent, Contractual Obligation and Legitimate Interest. Only in very rare cases will you need to use the other 3 for your website.
[Article 6 – Lawfulness of processing]
You must inform the person whose information you are collecting whether their personal information will be passed on to other companies or whether it will stay within the company. Generally the information will stay within the company, but there are cases where it will be passed on to another company. This is often the case in the marketing and advertising world.
If your company collects data that will be passed on to a 3rd party, then you must inform the person of this. This information can (and should) be provided in the privacy policy.
[Article 13 – Information to be provided where personal data are collected from the data subject]
At the time of collecting the data you must also inform the person how long you will store their data. Storage times can often be indefinite, i.e. the length of time you will hold their data is not foreseeable when collecting it. It could be for a fixed amount of time because you are legally required to store certain information, for example employee data or business transactions for tax purposes.
You could also store the data until the person uses their right to be forgotten (deletion), for example when they no longer want to receive a newsletter. In such a case the data can either be deleted or made anonymous. Do not forget that a key principle of the GDPR is data minimization: only collect the data your business needs (see point 2).
[Article 13 – Information to be provided where personal data are collected from the data subject] [Article 14 – Information to be provided where personal data have not been obtained from the data subject]
When your website collects personal data it must inform the person of their GDPR rights. Those rights are:
Informing a person about their rights on your website is one step towards GDPR website compliance. It is important to remember that your business has to be able to fulfil these requests when a person makes them.
[Chapter 3 of the GDPR]
This article (Article 25 in the GDPR) has a very broad scope. People are writing books about privacy by design and by default, and new programs are being made that focus on this principle. In the context of your website, which will spill over into the practices of your business/organization, there are a few things that you can do to implement this principle.
NOTE: SSL certificates are not specifically mentioned in the GDPR but they should be a default.
What does point 3 mean exactly? Find tools, like TRUENDO, that are designed to make you follow the principles of the GDPR. The tools should not cost your business an arm and a leg. This principle also requires you to take the initiative and find the best products that will help you reach GDPR compliance.
[Article 25 “Data Protection by design and by default” see §1]
This is a big topic in the GDPR/Data Privacy world! Because cookies can collect personal data that can be used to make a profile about your online behaviour, they also fall under the GDPR. This is the overlap between the GDPR and the ePrivacy Directive.
To keep this short: if your website uses cookies, you must inform an EU-citizen visiting your website that it uses cookies. (see link to Cookie Law below)
Marketing cookies: in general they are not strictly necessary and you therefore need consent from a person to set marketing cookies. Informing a person that you use cookies is not enough.
Statistics cookies: your website can set them automatically if the data collected is immediately anonymised. Google Analytics offers this function. If the data is not anonymised, then you will need the user's consent to be on the safe side of the GDPR.
Preference Cookies: For these cookies you need the consent of the user. Because the preferences of a customer can be used to make a profile, your website must collect consent from the user.
Commonly, a website asks you to “accept cookies” and then you never see an option to opt out. Strictly speaking a website is violating the GDPR if it uses this practice, provided the data collected is not anonymised. This practice does not adhere to the principle of Article 7 of the GDPR: if setting a cookie is based on consent, it must be as easy to revoke consent as it is to give consent. That’s it!
There are plenty of privacy policies that tell a person to change their browser settings to prevent cookies from being set. This goes against the GDPR. It is not as easy as clicking on accept, and it will have an impact on most other websites the person visits.
Note: Just to clarify, the GDPR is not the Cookie Law, the ePrivacy Directive is the “Cookie Law”. The reason for the cookie notifications is in the ePrivacy Directive. The GDPR does overlap with the ePrivacy Directive, see Recital 30 of the GDPR.
[Article 7 – Conditions for Consent] [Recital 30 of GDPR] [ePrivacy Directive: Recital 25 = “Cookie Law”]
Adding social media embeds to your website, like YouTube videos, online map providers, like buttons, share buttons, social media posts (such as a tweet or Instagram post) and comment boxes, means that the person visiting your website will send information to the social media service in order to see the content.
This means your website is sending browser information to a 3rd party (personal information in the form of an IP address and possibly tracking data). Your website must inform a person of this and ask them whether they want to read or watch the content from the social media embed before it loads on the page. Only then is your website GDPR compliant (with regard to social media embeds).
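One way to implement the cookie rules above (necessary, statistics, preference and marketing cookies, with consent as easy to revoke as to give) together with click-to-load social embeds, as an added JavaScript example that is not TRUENDO's code and not part of the original checklist; the category names, the `anonymised` flag and the sample embed URL are assumptions constructed for the example:

```javascript
// Added example (not TRUENDO code): a minimal per-category consent store plus
// a load gate for third-party scripts and social embeds. Category names and
// the `anonymised` flag are assumptions modelled on the checklist's wording.

const CATEGORIES = ["necessary", "statistics", "preferences", "marketing"];

// Consent is kept per category so that revoking is one call, as easy as granting.
function createConsent() {
  const granted = new Set();
  return {
    grant(category) {
      if (CATEGORIES.includes(category)) granted.add(category);
      return this;
    },
    revoke(category) {
      granted.delete(category); // "necessary" is never stored, so it cannot be revoked
      return this;
    },
    has(category) {
      return category === "necessary" || granted.has(category);
    },
    // Categories currently allowed, for showing the visitor their current choices.
    snapshot() {
      return CATEGORIES.filter((c) => this.has(c));
    },
  };
}

// Rule from the checklist: strictly necessary cookies need no consent; statistics
// cookies may be set without consent only if the data is anonymised immediately;
// preference and marketing cookies always need consent.
function mayLoad(resource, consent) {
  if (resource.category === "statistics" && resource.anonymised === true) return true;
  return consent.has(resource.category);
}

// Markup for a social embed. Until consent is given the provider's URL is kept
// out of the page entirely, so the visitor's IP address is never sent to it.
function renderEmbed(embed, consent) {
  if (!mayLoad(embed, consent)) {
    return (
      `<div class="embed-placeholder" data-provider="${embed.provider}">` +
      `Loading this ${embed.provider} content sends your IP address to ${embed.provider}. ` +
      `<button data-consent="${embed.category}">Load content</button></div>`
    );
  }
  return `<iframe src="${embed.src}" title="${embed.provider} embed"></iframe>`;
}

// Constructed sample embed; the video URL is a placeholder, not a real video.
const sampleEmbed = { provider: "YouTube", category: "marketing", src: "https://www.youtube.com/embed/VIDEO_ID" };
```

A real page would wire the placeholder's button to `consent.grant(...)` and re-render, and persist the consent snapshot (with its timestamp) so the choice can be shown and revoked later.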
[Article 13 – Information to be provided where personal data are collected from the data subject]
If your website allows users to log in with Google, Facebook, Twitter, Instagram, Pinterest, LinkedIn or any other service, then you collect certain information from them. This could be an email address, a name, a date of birth, a phone number, a profile picture etc. Whatever it is that your website requests from the social media service, you have to inform the person logging in why you need it, the legal basis for collecting it, how long you will store their personal information, their GDPR rights etc.
Please remember that you should only request the information that you need from them and nothing more (Data Minimization).
[Article 14 – Information to be provided where personal data have not been obtained from the data subject]
This is perhaps the hardest part of making your website GDPR compliant. Article 12 states the following:
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] in a concise, transparent, intelligible and easily accessible form, using clear and plain language, […].
With the right tool this can be easy to do and you will tick the boxes in this GDPR Website Checklist.
[Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject]
Using the right tools can also make your life much easier. TRUENDO will cover all the points on this GDPR Website Checklist (with the exception of SSL certificates). To make your website GDPR compliant, make an account with TRUENDO and offer your website’s visitors an easy-to-read GDPR compliant privacy policy.
DISCLAIMER:
This “GDPR Website Checklist” is not legal advice and was not written by a lawyer. It is solely the opinion of the author. The author strongly recommends that you seek legal advice for issues around GDPR and ePrivacy compliance, for your website and in general, for your organization. It was written in a diligent manner with the intention of providing the reader with accurate and up-to-date information. If you have any issues or concerns regarding the content of this “GDPR Website Checklist” then please email TRUENDO.
July 2020