GDPR Compliance for Websites

How do I make my website GDPR compliant?

Your website is the face of your company and would be the first place of user engagement. It’s also a place where a lot of data is collected and hence important for GDPR compliance. 

1. Identify data collection points: The first step is to identify what data you collect on your websites and collection points of the data. Then we can apply GDPR requirements around them.
   

• Cookies, Tags, and Trackers: Identify if you use cookies, tags or other technologies for analytics, personalization or advertising on other websites. Common examples would be Google Analytics, Double Click to create an audience, etc.
• Forms: Usually used by Marketing teams to collect personal information from users to send them newsletters, marketing materials. It’s important to identify all these forms along with what information you are collecting from each form.
• Sign-Up Pages: Another place where you would collect personal information to generate an account on your system.
  

2. Implement Notice & Consent on collection points: Once you have identified all collection points you will have to give users notice on data collected, purposes of processing and allow them to consent to each purpose separately. 
   

• Cookies: Implement a cookie banner giving information on the use of cookies for different purposes and give users an option to Accept or Reject cookies. You should also implement a second layer where users can give granular consent for each purpose separately. 

• Forms: Implement a checkbox for each purpose that you want to use this information for and give notice along with the checkbox with a link to a detailed Privacy Policy.
  

• Sign-Up pages: Implement a notice and link to privacy policy. If you intend to use email addresses for sending marketing emails take consent here.
  

3. Update your Privacy Policy: You will link your privacy policy in all your notices for detailed information and you should ensure it’s updated all the time. 
   

• Include GDPR notice requirements: For your privacy policy to be compliant you need to include details on data you collect, purposes of data processing, the legal basis for processing, contact details of organization, rights of user, etc. We have covered GDPR requirements of privacy notice in detail here.
• Layered Approach: It will be easier if you can use a layered approach and link the right section to your privacy policy while giving a notice. For example, referring to the cookie policy on the cookie banner will make it easier for users to make a choice rather than reading the entire policy. 
• Maintaining versions: The burden of proof for GDPR compliance rests on you hence it makes sense to save versions of privacy policy. It will help you as proof if there is a conflict in the future.

4. Automate Consent: You need to ensure that a user’s choice of consent is honored, it’s best to automate this to avoid any human errors.

• For cookies and tracking technology there are multiple CMPs who can automate that for you.
• For consent collected from forms, you have to ensure that the same is populated in all your internal systems like Salesforce, Hubspot, Mailchimp etc. You should also train your team to ensure they do not send communications or contact users who have not given cookie consent.

5. Allow consent withdrawal: For consent to be valid, withdrawal of consent should be as easy as giving consent. This means if you collect consent by one click, withdrawal of the same should not involve a lengthier process. One of the ways to simplify consent withdrawal is to build a Preference Center for users and include it in all communications and on your website. This will ensure GDPR compliance and build trust with your users.
   

6. Implement Security: Security is one of the key principles of GDPR. You should ensure that the data users enter on your website is secured. There are a lot of good resources on the internet on securing your website. We really liked this article by Webfx.
   

7. Monitor for non-compliance: Your website will evolve with time and you will use new tools, launch new campaigns. It’s important for you to review your website again whenever you are making new big changes. You can also use our website scanning tool for monitoring your website and get alerts in case your website becomes non-compliant.