GDPR – Is Your Website Ready?


What is GDPR and why is it important?

GDPR stands for General Data Protection Regulation, a new EU regulation that dictates how companies should collect, process, and store personal data. Even though the law regulates the EU market only, it directly affects your company if you process any data of EU citizens. Why is there so much fuss about GDPR? Because non-compliance with GDPR will lead to serious fines of up to 20 million EUR. No business wants that to happen. GDPR comes into force on the 25th of May. You still have some time to get ready, but you’d better hurry up.

Ultimately, GDPR is a positive change for the EU citizens who will have more control over their personal data. For businesses, GDPR brings challenges but it also enforces unified procedures which might be beneficial for the business. Companies that strive to comply with GDPR tend to be viewed more positively by their customers.

There are two main aspects of GDPR – personal data and processing of personal data. Here is what these terms mean under GDPR:

How is the law going to be enforced?

GDPR is a strict law, but one may wonder how exactly the EU is going to check compliance. The EU plans to set up Supervisory Authorities (SAs) in each member state. SAs will carry out supervisory and controlling functions, including:

  • performing audits of businesses and websites
  • issuing warnings for non-compliance
  • issuing corrective measures and defining the deadlines

SAs will most likely form a network and work together to identify and correct non-compliant behavior.

The implications of the law have been observed all over the world, with companies updating their privacy policies and sending out email blasts to reassure customers of their compliance with the law. Almost 76% of US companies report that they will spend more than $1 million on GDPR. This shows that US companies have a very large pool of EU customers and that they are concerned about the implications of the law.

How to make your website GDPR compliant?

GDPR is a complex law with complex terminology and a plethora of new information. It’s best to study the law and common practices, and to get legal advice, before you decide on concrete measures. However, these are the most common measures that companies take to become GDPR compliant:

1. Update your privacy policy

The most important regulation that GDPR establishes relates to how you handle, collect, and process personal information. The procedures for processing personal information are usually described in a privacy policy. There are three elements that you need to be aware of:

  • The right to access defines users’ rights to access information, including what kind of data is being collected, where the data points are located, and the legal basis for collecting, processing, and storing the data. Users can also request a copy of their data at any time.
  • The right to be forgotten gives users the right to erase their data. Once the user withdraws consent, all the data relating to the user must be erased, and further collection and processing should be stopped.
  • Data portability defines users’ right to download their data and transfer it to a different controller.

You’re also advised to only store the data that’s absolutely necessary. By limiting data collection and the number of data points, GDPR encourages companies to adopt safer policies.

By publishing a new policy you can cover most points mentioned in GDPR. But you also have to make sure that there are procedures in place for data retrieval, data portability, and consent withdrawal.

We have seen many companies automate data removal and portability, while others simply ask users to email them for their request to be fulfilled.

2. Breach notifications

Along with updating your privacy policy to follow the GDPR regulations on user rights, you also need to set procedures for breach notifications. According to GDPR, you need to send a breach notification within 72 hours of first becoming aware of the breach.

Of course, it’s best to avoid data breaches altogether. But if for some reason that’s not possible, you’ll need to notify all those affected by the breach within a short period of time.

3. Implications of GDPR for WordPress plugins

Surprisingly for many site owners, you are responsible for all the personal data you collect, including the data collected through plugins. Make sure every plugin you use is compliant with GDPR. So far, only a limited number of plugin developers have announced their plans in relation to GDPR. If your plugin providers aren’t compliant with GDPR, it’s your responsibility to establish a data flow and inform users about the processing of data.

4. Explicit consent

Another important implication of GDPR is the change the law brings to how consent is collected. For example, a checkbox that is preselected isn’t enough anymore. You have to give users the opportunity to give explicit consent, which they can do by checking the box manually or clicking the “accept” button.

Opt-ins should also be unbundled, meaning you need to clearly set out the acceptance of terms and conditions, and then separately set out the consent for other ways of using data. Granular opt-in is preferable, and users must be able to give consent for different types of processing.

5. Clean up your mailing lists

If you’ve ever purchased email lists from third parties, you need to stop now. Continuing to use email lists received from third parties is a direct violation of GDPR.

The industry standard is a double opt-in – after the user provides their email, they finalize their subscription by clicking a confirmation link in the follow-up email. Even though double opt-in isn’t a GDPR requirement, it’s an industry practice that will help you prove that proper consent was obtained.
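The double opt-in flow described above can be backed by a signed, expiring confirmation token, so that a subscription only becomes active when the link from the follow-up email is clicked. The sketch below is an added example, not code from the original article; the function names, the 48-hour validity window, and the consent-record fields are assumptions chosen for illustration.

```javascript
// Added example: double opt-in confirmation tokens (Node.js standard library only).
const crypto = require('crypto');

const TOKEN_TTL_MS = 48 * 60 * 60 * 1000; // assumed validity window for the link

// HMAC-SHA256 over the encoded payload; base64url keeps the token URL-safe.
function sign(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Step 1: the user submits the form. The returned token goes into the
// confirmation link; nothing is added to the mailing list yet.
function issueToken(secret, email, purpose, now = Date.now()) {
  const claims = JSON.stringify({ email, purpose, exp: now + TOKEN_TTL_MS });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(secret, payload)}`;
}

// Step 2: the user clicks the link. Returns a consent record to store as
// proof of consent, or null if the token is malformed, forged, or expired.
function confirmToken(secret, token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [payload, mac] = parts;

  // Verify the signature before parsing anything, in constant time.
  const expected = Buffer.from(sign(secret, payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;

  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || now > claims.exp) return null;

  return {
    email: claims.email,
    purpose: claims.purpose, // one record per purpose keeps opt-ins granular
    method: 'double-opt-in',
    confirmedAt: new Date(now).toISOString(),
  };
}
```

Store the returned record alongside the subscriber entry; it is the evidence that the address owner confirmed the subscription for that specific purpose.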

Final Word

GDPR compliance can’t be achieved in one day. Reviewing and making changes to your privacy policy takes time, and developing new tools and features for the website might be costly. But there is a plethora of consultants, information, and tools to help you make the necessary changes. Remember that GDPR affects the entire business. It’s not just some law that enforces rules, but also a real opportunity for companies to drive data efficiency. By removing old and unnecessary data, you can increase your business’s efficiency. Additionally, your customers will trust you more if you show dedication to lawful collection and processing of personal data.

October 6, 2022
Webflow Blog [How-To]