It is high time to make your website GDPR compliant, as the regulation is going to be effective from May 25th, 2018. If you would like to revisit our article on what GDPR is and how it can affect a site owner or developer, you can read our previous article here.
What do you have to do to comply with GDPR?
Now that you know what GDPR is and what it is about, here are the steps to follow to be compliant with GDPR.
These pages are one of the key items to being GDPR compliant. The page should inform the user:
- How you are using their personal data
- With whom are you sharing their data
- What cookies are used in your site and its purpose
- Consent to email about order notification
- Simply visiting a site is no longer considered as a consent. A user consent must be collected by means of an opt-in checkbox or choosing settings.
- It is equally important that the users must be able to withdraw the consent easily. If the consents are asked via opt-in boxes in settings menu, user should be able to return to that menu and update his preferences.
- Unless a user explicitly says that he would like to be included in the list, don’t add them. Silence is not considered as a consent.
- Suppose a user gives his consent to process his personal data, it doesn’t mean that you can process data for a long period. The consent should be collected or renewed every 12 months from the time of the user’s first visit to the site.
- A cron job can be set up for automatically sending emails to the users and to collect consent.
For more information on 'Consents', click here.
- Cookies are considered as ‘personal information’ therefore you have to disclose all of the cookies which are set by your site, why they are set and option to opt-out before they are set.
- However, there are different types of cookies which can be exempted from the consent requirement. For example: Cookies used in a merchant website, Session ID cookies for the duration of session, authentication cookies etc. These are mentioned in the ‘Guidance on Cookie Consent and Expiration ‘ by French Data Protection Authority1.
Be it a third party or a custom cookie, which ever cookies you are using, you should make the information visible to the user in simple words. For eg: Say you are using Google Analytics , a sample privacy statement can be :
This website uses Google Analytics to help analyse how visitors use this site. No personally identifiable information is collected about you unless you explicitly submit that information on this website. The information collected is used to create reports of activities on this site. We use this to provide relevant content to our visitors.
For more information on 'Cookies', click here.
- The cookie banner of 'The Marketing Eye'4 can be taken as a reference.
For more information on 'Cookie Banners', click here.
- You must make sure that no checkboxes added to collect personal information from the user is ticked by default.
For more information on 'Unfilled Checkboxes', click here.
Right of Access
- A user should be able to easily access his personal information collected by the website.
- In the context of a Drupal website, he should be able to access his user profile page which displays all of his information.
For more information on 'Right of Access', click here.
Right to Rectification
- A user should be able to update or correct his personal information. He must be able to edit his own profile data.
- Care should be taken to ensure that users are only permitted to access information as per their role.
For more information on 'Right to Rectification', click here.
Right to Erasure
- A user should be able to request for deletion of his personal information.
- He can either do this by sending out an email to site admin or via a button in the user profile page.
- For the latter, a call-to-action button can be added to his profile for the same.
- Once the request for erasure is received, data should be deleted within 1 month.
- Upon deletion, the user should be informed about the erasure.
For more information on 'Right to Erasure', click here.
Now what happens to the contents or orders of your site if you are to delete the entire user data?
- If you are sending the personal data of users to any third parties like Salesforce or Hubspot, you are obliged to inform all the third parties to delete the personal information of the user via an API call or similar.
- This again comes up with another issue - backups. You should separate the list of forgotten user IDs so that when a restore process occurs, you re-forget the forgotten users.
Right of Data Portability
- User should be given an option to export all of his personal information.
- The ‘Export Data’ button can be included in the user dashboard.
- The exported data can be in the form of a CSV or spreadsheet.
- If your website only stores the information like favourites, bookmarks etc then it is not mandatory to provide this feature, as this does not fall under personal information.
For more information on 'Right of Data Portability', click here.
Right to Object
- The user should be able to object to the processing of his personal information. This can be in the form of a button in the user settings page.
- Once the user objects to processing of personal information, you should make this profile hidden from public and other users.
- Such profiles can be marked as “restricted” and can be made visible only to the site admin.
For more information on 'Right to Object', click here.
- You should check your user's age and if the user is a child below 16, then the law states that the parental consent should be obtained. How to obtain this is not well defined, but an option will be to provide a field to accept email id of the parent and verification of the same.
For more information on 'Age Checks', click here.
Delete Data that are No Longer Needed
- You should explicitly mention the amount of time that the user’s personal data will be stored in your site and delete the same after the time period.
- If you are an e commerce site owner, then you should create a cron job to anonymise the order information, once the delivery is complete.
Technical and Security Measures
- Audit logs should be kept and you should be careful about potential data misuses such as employee logins, unprotected servers and insecure connections.
- You should ensure that the access permissions given to a user is correct and he is not authorized to access sensitive information.
As an additional note, we would like to highlight the part that you don’t have to include everything which is mentioned above unless you are processing personal data of EU citizens. To know more, get in touch with us
- ‘French Data Protection Authority Issues Guidance On Cookie Consent And Expiration’, blog, published December 18, 2013, Hunton Andrews Kurth, accessed May 2018.
- Heather Burns, ‘How GDPR Will Change The Way You Develop’, blog, published February 27, 2018, Smashing Magazine, accessed May 2018.
- Bozho, ’GDPR- A practical Guide For Developers’, blog, published November 29, 2017, Bozho’s Tech Blog, accessed May 2018.
- Neal Dyer, ’GDPR: B2B vs B2C-Can you still email your database?‘, blog, published December 19th, Marketing Eye, accessed May 2018.