The General Data Protection Regulation (GDPR) will be the law of Europe in less than a month. The GDPR is the EU’s solution to protecting individual privacy while using the internet. All websites accessed by EU data subjects in any way will be required to satisfy these obligations before May 25th, 2018. In this blog we want to provide guidance for making your website GDPR-compliant. Note that this post specifically targets websites; we will discuss compliance for web and mobile apps in a separate post.
Below are nine basic steps you should take to achieve GDPR compliance for your website:
- Inform your visitors if your website collects data from their visit, what you intend to do with that information, and how long you will retain it. If you don’t have a ‘Privacy Policy’ page, you should add one and include all of this information in it.
- List all types of data being collected by your website, whether third parties are given access to them, and how. Keep in mind that the less data you collect, the lower your liability should a breach occur. We recommend creating a page linked from your website footer called ‘Cookies’ for this information.
- Secure your data. An SSL/TLS certificate is your first step in protecting the data your website server handles. However, we would encourage you to review your hosting provider’s services to find additional security layers you can activate for your website.
- Create ‘consent forms’ that are unchecked by default so that a user must consciously opt in. Note that these forms are to be separate from standard terms and conditions screens.
- Provide details regarding any people, including employees and third parties, who can access any personal information. You must provide clear mechanisms for allowing users to make inquiries into the personal data stored about them in your website database.
- Review and understand the ‘Right to be Forgotten’ regulations and implement a manual process for handling such requests when they arrive. If the number of requests justifies it, create an automated procedure for handling them. Make sure to update your ‘Terms of Use’ page with the new policy.
- Plan to extend your data protection and privacy regulations to mobile websites and apps, if you have them.
- Review and understand the new regulations for reporting breaches. Make a plan for contacting the proper authorities and providing the breach details quickly; otherwise you may fall short of GDPR compliance requirements.
While GDPR compliance forces businesses to expend resources they might not have otherwise, we believe these are best practices that should be followed regardless. Our visitors want to know what we are doing with their data, and how to access and delete it, should they want to. In other words, privacy protections are good business. While there are still a few weeks to complete the necessary upgrades, now is the right time to get started.
There are a lot of free resources for achieving GDPR compliance for your website. If you are a Prospus customer, you can reach out to your friendly Prospus account manager for a free GDPR compliance audit.