Trying to make a website GDPR Compliant can seem like a daunting task - there's so much confusing information out there it can feel overwhelming.
Hopefully, we can help.
We've broken down the 80+ pages of GDPR paperwork into 5 simple steps that you can follow to make your website GDPR compliant.
The bottom line is that you need to know what data you gather, what you do with it, and how to let a user access it (their own data, that is). Here's what you need to do:
- Perform a GDPR Website Compliance Check
Using a GDPR Website Compliance Checker, analyse your website for tacking cookies, pixels and other tags that may be revealing personal information to third parties. You can follow the simple instructions in our article How to check my website's GDPR compliance to get through this process smoothly.
If your website deploys analytics, social media content, advertisements or other tracking content, then you'll need to set up a GDPR Consent Manager to acquire opt-in consent from users before allowing tracking to take place. - Review the user data your site collects (and has collected)
It is important to know what data you're collecting on your website, and for what purpose. Common data collection points for websites include contact forms, shopping carts and mailing list sign-ups. Ensure that in each case, you are only collecting the essential information for the intended purpose.
If, for example, your shopping cart also adds users to your mailing list, there must be a checkbox (not pre-ticked) that clearly asks the user to opt-in to this service.
For every piece of information you collect, you should be clear about why you are collecting it, how you store it, how long for, and who else has access to it. This should be made public in your privacy policy and also highlighted in your website where it is not immediately obvious as part of a workflow.
We suggest creating a simple spreadsheet, in the following format, to collate this information:
Personal information Collected from Purpose All purposes made clear during collection? Genuine requirement for collection?
If no - is consent obtained?Storage location(s) Retained for Shared with First & last name Enquiry form Sales leads & customer support Yes Yes Website database, CRM system Unknown / indefinite Sales partners Email Enquiry form Sales leads & customer support No (mailing list not mentioned) Yes Website database, CRM system Unknown / indefinite Sales partners Email Mailing list sign up form Add to mailing newsletter subscription Yes Yes Mailing list service provider (Mailchimp) Until unsubscribe Mailing list service provider (Mailchimp) Date of birth Account creation None No No Website database, CRM system Unknown / indefinite Sales partners ... Download the basic data flow audit Excel template
Using a sheet like this, we can quickly identify GDPR violations. These include:- Superfluous data collection ('just in case' data - e.g. Date of Birth in this example)
- Data usage outside declared scope (e.g. signing users up to mailing lists without consent)
- Data retention periods not being specified or adhered to (the longer you store personal data, the greater the risk of a breach)
- Sharing data with third parties not listed in your privacy policy or during opt-in consent
If you've found GDPR violations, then you should either stop collecting that data (and probably delete the data you've currently collected like that), or take the appropriate corrective action, such as obtaining the correct consent.
For each third party that you share data with, you should also ask for a GDPR compliance agreement, as if they're not compliant, then you're not compliant. Most major service providers should be able to easily accommodate this.
If you've built up a mailing list or user database from harvested email addresses or bought-in data (for example), then we'd recommend you stop using this and begin building up a compliant, consent based user data set. - Begin accepting GDPR Data Rights Requests
As part of GDPR, users may make a number of requests relating to their personal information. Loosely, this includes:
- Finding out what data you hold about them (right to access)
- Correcting the data you hold about them (right to rectification)
- Deleting the data you hold about them (right to be forgotten)
- Stop using their data (right to restriction)
- Download their data (right to portability)
It's a little more complex than this, but that's it in a nutshell. Essentially they're in charge of any data you hold that relates to them. Exceptions apply in special circumstances, such as not having to delete a person's address data if you have an active contract to deliver something to them; but in most instances what the data subject wants, the data subject must get.
Data Rights Requests have to be dealt with fully within 30 days to avoid the risk of penalty. This means you should have a system in place for accurately logging receipt of requests and tracking their progress to ensure deadlines are met.
Our GDPR Compliance Kit includes a Data Rights Request website form widget, and an admin dashboard for tracking progress, managing deadlines, and logging evidence of completion. - Review and update your privacy policy
You now need to be extremely clear (granular) about all the personal information you collect, why you collect it, what you do with it, who you share it with and how long it is kept for.
This sounds daunting but really all we need to do is take what we learned in steps 1 and 2 and present it in a clear, easy to understand format. This is as an addition to your existing privacy policy - you don't need to rewrite everything unless it's superseded by new information. - Put some plans in place
There are a few things you need to be on top of as you go forward into GDPR website compliance, and these include:
You need to know which data protection authority you fall under, and have their contact details in a know location. This is in case of...
You need to be ready to act in the event of a data breach. Thankfully, you've already worked out what data you store and where, so if your security is compromised it'll be easy to work out what data is affected and to which data subjects it belongs. Your plan must include identifying the scope of the breach, and reporting the breach to your data protection authority within 72 hours. You must also be able to notify the impacted data subjects as soon as possible. We suggest spending an hour creating some document templates for this when you're not under the pressure of an actual breach might be time well invested.
You need to know how security of your data is maintained. This could be speaking to your web host to get a copy of their security policy, implementing a scedule to keep your CMS and plugins up to date, and ensuring you regularly change your passwords to something difficult to guess.
You need to ensure that in future, you consider privacy before profit. Ensure any new systems, plugins, partners or processes only gather data that is necessary for the task at hand, and only keep it as long as is reasonably required.
And that is, in a nutshell, how you can start your compliance journey.
We're passionate about helping site owners become compliant without getting lost and confused, and we believe we've built the simplest and most cost effective GDPR website complaince tools on the market to help you do this.