GUIDE TO WEBSITE COMPLIANCE

STEP BY STEP TO COMPLIANCE

Follow the steps below to make sure your website is GDPR compliant.

If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here are some questions to ask yourself:

From what sources do I collect the data?

What kind of data is collected from these sources?

Why do I collect the data?

How is the collected data processed?

When is the data disposed of?

Do I have consent to collect this data?

Why does my website require this data?

Where is this personal data stored?

Who has access to this data?

Do any third parties hold this personal data? If yes, how do I control their processing of it?

Are these third parties based outside the EEA? If yes, what mechanism do they have in place to protect personal data from being accessed by foreign bodies or from being used for purposes other than those permitted under the contract with that third party?

How long does this personal data need to be kept? Can any of it be deleted or anonymized?

Website security is something that you cannot afford to ignore. As a website owner, you must ensure your website is secure. This means that the data stored on the website needs to be protected and that the website itself needs to be protected from outside attacks.

– Install a TLS certificate and serve the site over HTTPS, so that traffic between visitors’ browsers and your server is encrypted.

– Use strong passwords for admin accounts.

– Add extra layers of protection to your server if you allow users to submit payment information.

– Use a CDN provider that can improve security, e.g., by protecting the website against DDoS attacks.

– Use anti-virus or malware-scanning software or services to help detect unauthorized access to the site.

– Do not collect, use or store more personal data than your website actually needs.

– Avoid sending or sharing personal data, especially sensitive data, with third-party services.

– Pseudonymize or anonymize personal data before storing it, so that stored records no longer directly identify users.

– Delete personal data once your website no longer needs it.

– Back up the data in multiple locations.

Article 4 of the GDPR defines consent as follows:

“‘consent’ of the data subject (user) means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

It means that consent must be:

Freely given: Users must be presented with an actual choice and not coerced with negative consequences.

Specific: Consent should only be given to specific actions (e.g., weekly newsletter) instead of a broad consent to the use of data for whatever reasons a business sees fit.

Informed: Users must understand the full scope of data collection and its use before making the decision to consent. It should be made clear that consent is being requested, and for what specific purposes.

Unambiguous: It needs to be made obvious that the user is giving their consent.

Affirmative action: Users must take an action to demonstrate their consent to the processing of their data.

To obtain GDPR-compliant consent, you must meet several conditions:

Make Consent Opt-in: As mentioned in Article 4 of the GDPR, users must take an affirmative action, meaning pre-ticked, opt-out boxes will no longer pass the consent test. From now on, users must manually complete an action in which they choose to participate in the data collection/use/sharing practices described.

Document Consent: Businesses must maintain a record of all users’ consent, including how they consented, what exactly they consented to, and when they gave their consent. This is essential for protecting your business, and will serve as evidence in the event that a user claims they did not give their consent.

Make it Easy to Withdraw Consent: Businesses should make it as easy to withdraw one’s consent as it is to give. Users should be given the ability to withdraw their consent at any time through a clearly defined process.

Unbundle Consent: Consent should not be a precondition to complete a contract or receive a service – unless absolutely necessary to perform the contract or service. Users should be able to decide against consent without consequence.

Make It Granular: Users should be able to issue separate consent to different data-processing activities. Each processing purpose requires separate consent.

If your website has any kind of form that collects personal data, e.g. an inquiry, contact, or subscription form, you must:

Include a privacy statement that explains why you’re asking for their details, what you’re going to do with them, and that they can withdraw consent at any time.

Add an opt-in control, such as an unticked checkbox or a toggle switch that is off by default, to obtain the user’s consent to collect their data.

Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.

Add a link to the Privacy Policy for further information.

To be confident that all of your subscribers have consented to join your email list, you should use a double opt-in process for all new sign-ups.

When double opt-in is enabled, a person is not added to an email list until they confirm their consent twice. The first consent happens when the signup form is completed, and the second consent occurs when the user clicks the confirmation link in the email that is automatically sent to them after filling out the form.

The GDPR does not explicitly state that a double opt-in process is mandatory, but it is highly recommended. By implementing a double opt-in for all new email sign-ups, you’re further verifying that users are consenting to share their data, which demonstrates your dedication to the data protection standards set by the GDPR.

According to the GDPR, cookies count as personal data, so you need to ask your users for consent before using cookie data.

Organizations can still use cookie data provided that they meet the following GDPR requirements:

– Users must give clear consent to the use of cookies BEFORE any are used.

– Organizations must clearly specify how cookie data will be used.

– All user consents must be documented and stored.

– Website access must not be impeded if consent to cookie use is not given.

– Users must have the ability to easily withdraw their consent to cookie use.

Here are the key points to consider when adding a cookie banner:

– The language used in the banner should be clear and concise: avoid legal jargon and long sentences.

– Describe what kind of cookies you are setting and why.

– Explain why you need to set cookies.

– Explain how users can manage their cookie preferences.

– Include an opt-in option for cookies where users can accept them.

– Display an opt-out option for users who wish to block all cookies from your website.

– Add a third option for selective enabling of consent based on cookie category.

– Include information about your privacy policy and a link to this page.

– Closing or not interacting with the banner should not be treated as consent.

– Do not set cookies without users’ explicit consent (opt-in).

– If a user opts out, the cookies should remain blocked on subsequent visits as well.

– Provide an option to recall the banner in case the user wants to withdraw or change their consent status.

A cookie policy should address the following three things:

– What cookies are
– How and why you use cookies
– How users can disable cookies

The cookie policy must:

– indicate the type of cookies installed (first-party cookies vs. third-party cookies);

– indicate all third parties that install, manage, or access cookies via your site/app, with a link to their respective policies and any opt-out forms (where available);

– describe, in detail, the purposes for which cookies are used;

– be available in all languages in which the service is provided.

Privacy Policy checklist:

1. Your business and contact information

First and foremost, your privacy policy should include your organization’s full name, address, and any other contact information you can provide. If you have a data protection officer (DPO) or an equivalent individual at your organization, you should provide their information as well.

Under the GDPR, a DPO is required if you process sensitive data on a large scale or monitor individuals on a large scale. Hospitals, security companies, and the like are good examples of organizations that need a DPO. For more specifics on the GDPR DPO requirement, see Article 37 of the GDPR. Even if you don’t meet those requirements, keeping a dedicated privacy professional on staff isn’t a bad idea.

2. The categories of data you collect

You’ll want to describe the categories of personal information collected, sold, shared, and disclosed within the preceding 12 months as well as details on what types of personal information you collect from users. This could include, for example:
– Personal identifiers, such as names, email addresses, identification numbers, and the like
– Geolocation data
– Demographic data, such as race, gender identity, age, and the like
– Internet activity data

Different regulations have different categories of data that you should disclose. When in doubt, try to follow the CPRA’s guidance, which requires that categories of collected data must be “described in a manner that provides consumers a meaningful understanding of the information being collected.”

Additionally, it’s a good idea to disclose that you do not collect the personal information of minors, if that’s the case. If you do collect the personal information of minors, you should seek legal counsel’s help in making sure you are handling that data and the disclosure properly.

3. The sources of the data or how you collect data

You will need to describe how you collect or source data, including a description of the categories of sources. While you likely collect some information from the user directly, it’s possible you collected information from a third party, such as a government database, internet service providers, advertising networks, and so on.

4. The purpose of data collection

What do you intend to do with your users’ data? It could be for fraud prevention, a better customer experience, marketing purposes, or any other reasonable use case for user data. Furthermore, it’s a good idea to delineate the purpose behind each category of personal information that you listed in item two of this list. If you don’t have a good reason to collect a given category of data, then most data privacy regulations require you to not collect it at all.

Note that if you intend to use personal information for targeted advertising, many regulations require you to clearly and conspicuously disclose that fact, as well as the fact that the consumer can opt out of this processing.

In addition, most major privacy laws require that you disclose whether consumer data will be used in automated decision-making processes, how consumer data impacts this decision-making, the associated results and consequences, and the users’ right to opt out of that decision-making. Often, these automated processes can include an element of bias, a reality that these laws try to mitigate with this requirement.

5. The legal basis of data collection

You’ll also want to take note of your legal basis behind data collection. The GDPR, for instance, lists out the following as acceptable legal bases for collection:

– User consent (which is the most common basis used today)
– A contractual obligation
– A legal obligation requiring your organization to process user data (e.g., a lawsuit or subpoena issued by a governmental entity)
– Vital interest; that is, that processing the user’s data is necessary to preserve life, safeguard fundamental rights, support humanitarian emergencies, and other select circumstances.
– Public interest
– A legitimate interest in processing the user’s data (another commonly used basis, though you’ll need to disclose the nature of your legitimate interest)

6. The consumer’s rights

Clearly describe the rights of the users (data subjects) whose data you collect, and how they can exercise those rights.

These can vary from regulation to regulation, but generally, data subjects have:

– The right to access personal information
– The right to rectify incorrect personal information
– The right to object to the processing of personal information
– The right to withdraw consent to the processing of personal information
– The right to lodge a complaint with a supervisory authority (which varies depending on where the data collection occurs)
– The right to appeal a business’s decision with regard to a data subject’s request
– And more depending on your and your users’ location

7. Who you share personal information with

Your privacy policy should disclose whether or not you sell personal information, whether you have sold personal information in the last 12 months, and which categories of personal information you have sold. Under the CCPA, you only had to disclose if you sold data — that’s changed under the CPRA, which stipulates that you disclose both shared and sold data.

If possible, provide the specific details of the recipient. Under the CCPA/CPRA, you also have to inform your users about which categories of recipients you sell their data to or share their data with (e.g., suppliers, credit reference agencies, government departments).

8. Whether the data will be transferred across borders and how

Transferring data into another country or state can expose your users’ data to greater risk. If you operate out of California or the EU, for instance, and transfer data to a jurisdiction with less robust data protection laws, the recipient may treat your users’ data with less than the respect it deserves.

However, it’s possible to establish safeguards to enable a compliant data transfer. Typically, this takes the form of a contractual agreement (specifically, the GDPR’s Standard Contractual Clauses) between your organization and the receiving party affirming that they will treat your users’ data to the same standards as yourself.

9. Whether data collection is voluntary or mandatory

Indicate what categories of data that you collect are required or are optional. If your users decline to share data that would be useful for marketing and analytics purposes, they can still use your website, make a purchase, use your app, or engage in whatever other activity serves as the focal point of your relationship. On the other hand, if you operate an e-commerce business and they refuse to share their address with you, you won’t be able to ship them the products they order. Depending on the nature of your organization, the type of data that needs to be collected in order to serve your users will vary.

10. Your data retention policies

How long do you intend to retain the different categories of your users’ data? If you’re uncertain about the exact answer, under what circumstances will you no longer need a user’s data? Explain what criteria you will use to determine when you’ll delete that data.

11. Your security measures

Certain regulations require that you state your security measures in a privacy policy, while others merely require that you maintain them — in any case, it’s still a good idea to include them in your privacy policy. This builds trust with your users and signals that you take their privacy seriously. You might indicate whether you pseudonymize and/or encrypt personal data, whether you can back up and restore data in the event of an emergency, whether you comply with security standards like SOC 2, and more.

12. How you will communicate changes to your policy

As your organization evolves and laws change, your policies will too. Tell consumers how you’ll let them know about future changes to your data management plan.

13. Effective date

Was your data protection strategy updated a week ago or a decade ago? Show full transparency by including the effective date of your current privacy policy.

Website forms should clearly state how all collected data will be used. Avoid complex phrasing and jargon; your messaging should be clear and concise.

Pre-ticked consent boxes are not permitted. Individuals need to always be aware that they’re consenting to data collection.

If you’re using third-party plugins that collect data, like Google Analytics, you need to make the data anonymous. This can be challenging to do manually, but you can find GDPR-compliant plugins that handle this process for you. Just search for a tool with GDPR compliance settings.

The first thing you need to do is find out which of the services or companies your company uses directly are GDPR-compliant. You must be aware of the privacy policies of any third-party service or company you use directly (or indirectly).

If they are doing work on behalf of your company then you should ensure they align with your privacy policy. This means that they should be GDPR compliant as well.

Here is what you should do to prepare for, and respond to, a data breach:

– Keep a record of your processing activities.

– Block all access to your website until you fix the vulnerability.

– Conduct a thorough investigation — where, when and how it happened, what data was involved, and who got affected and how.

– Notify the appropriate supervisory authority about the breach within 72 hours with all the information you have. Usually, the breach notification must include the categories and the approximate number of users concerned; the categories and the approximate number of personal data records affected; any action taken, or measures planned, by the company in response to the breach, including measures to mitigate its possible adverse effects.

– Notify the affected users if there is an increased risk to users’ rights and freedoms as a result of the breach, including what they can do to protect their data.

– Update your policies and procedures to prevent future security breaches on your website.

– Prepare a plan of action if another data breach happens or is likely to happen in the future.

If your business website relies on transferring personal data from the EU to non-EU countries, then you should check the following:

– Have you done the necessary risk assessments before transferring the data?

– Does the recipient country or service have an adequate level of data protection in place?

– Do you have all the necessary agreements with the recipient company/services?
