Checklist for the General Data Protection Regulation
The GDPR deadline may have come and gone, but not everyone is compliant. In this post, we'll talk about what you can do to fix that.
Which Websites Are Affected by the GDPR?
Almost all. The only websites excluded are those that serve purely personal or family purposes. For example, a page that shows only holiday photos, has no banner ads, and does not use analytics tools is not affected. All other website operators have to deal with the new EU data protection regulation, even if you do not ask for users' data at all, because as soon as a visitor opens your website, their IP address is transmitted to your server, and IP addresses count as personal data.
The following points should be in place to make your website GDPR compliant and to avoid warnings and fines.
1. Make Sure Your Website Is Encrypted
Sites on which personal data is collected must now always be encrypted in transit. This applies in any case where contact forms or newsletter subscriptions are concerned. Encrypted pages can be recognized by the fact that the URL starts with https://; most browsers then show a padlock in front of the URL, sometimes with the word "Secure." Make sure that this is the case on all your pages and subpages, including the addresses your forms submit to, and that plain http:// requests are redirected to https://. If not, contact your administrator immediately. This should be an easy change to make with the help of a TLS (commonly still called SSL) certificate. Free certificates are available from Let's Encrypt. By the way: not only the GDPR requires sites to be encrypted; Google also treats HTTPS as a ranking signal. Keep in mind that a padlock on the front page is not enough: a single stylesheet, script, or form handler that is still loaded over plain HTTP ("mixed content") exposes exactly the data the padlock promises to protect.
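As an added example (not code from the original article), the following mixed-content check takes the HTML of a page that is served over HTTPS and lists every resource, form handler or link that would still use plain HTTP. Function names and the sample page are this example's own constructions; run it over your own pages' HTML.

```javascript
// Added example (not from the original article): a mixed-content check.
// Given the HTML of a page served over HTTPS, list every resource, form
// handler or link that would still use plain HTTP. Names are this example's
// own; the sample page below is constructed for illustration.

// Matches the tag name and the first src/href/action attribute of each tag
// (quoted attribute values only, which is what templating engines emit).
const REF_RE = /<(\w+)\b[^>]*?\s(src|href|action)\s*=\s*["']([^"']*)["']/gi;

// Active content (scripts, frames, stylesheets, form targets) can read or
// modify the page or carries submitted data; browsers block it when mixed.
// Passive content (images, media) still reveals to a network observer what
// the visitor loaded.
const ACTIVE = new Set(['script', 'iframe', 'frame', 'link', 'form', 'object', 'embed']);
const PASSIVE = new Set(['img', 'audio', 'video', 'source', 'track']);

function findInsecureReferences(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(REF_RE)) {
    const tag = m[1].toLowerCase();
    const attr = m[2].toLowerCase();
    let url;
    try {
      url = new URL(m[3], pageUrl); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable value, nothing the browser would fetch
    }
    if (url.protocol !== 'http:') continue; // https:, mailto:, data:, ... are fine
    let severity;
    if (ACTIVE.has(tag)) severity = 'active';
    else if (PASSIVE.has(tag)) severity = 'passive';
    else if (tag === 'a' || tag === 'area') severity = 'navigation';
    else continue;
    findings.push({ tag, attr, url: url.href, severity });
  }
  return findings;
}

// True when at least one active resource or form handler is plain HTTP.
function hasActiveMixedContent(html, pageUrl) {
  return findInsecureReferences(html, pageUrl).some(f => f.severity === 'active');
}

// Constructed sample: a contact page served from https://www.example.com/contact
const SAMPLE_PAGE_URL = 'https://www.example.com/contact';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<form method="post" action="http://www.example.com/send-contact">
  <input name="email" required> <button>Send</button>
</form>
<a href="http://www.example.com/imprint">Imprint</a>
<a href="/privacy">Privacy</a>
<a href="mailto:info@example.com">Mail</a>
</body></html>`;

console.log(findInsecureReferences(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

The protocol-relative script (`//cdn.example.com/app.js`) is not reported because it inherits the page's https scheme, while the form whose `action` points at `http://` is the finding that matters most for the contact-form case above: the padlock on the page says nothing about where the submitted e-mail address travels.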
3. Review All Forms on Your Website
Is it possible to make an appointment on your website? Or sign up for a newsletter? Or write a message via a form? Then you have to review those forms. You are only allowed to collect the personal data that you actually need to answer the request (the data minimisation principle). What counts as necessary depends on the situation. For a newsletter subscription, for example, you only need the e-mail address, not the first and last name, so the fields for the first and last name must NOT be mandatory. Required fields, in this case only the e-mail address, must be marked as such. If you want to collect more data, you must clearly tell the user why you need it, on what legal basis you process it, and what you do with it. This can look like this, for example:
"We process your contract data (e.g. services used, names of contact persons, payment information) in order to meet our contractual obligations and provide our services in accordance with Art. 6 (1) lit. b) GDPR. The details marked as obligatory in online forms are required for the conclusion of the contract." - Source
Verify that you have obtained separate consent for each purpose for which you use the data. For example, if you want to send a newsletter to a customer who has merely booked an appointment with you online, you need separate consent for the newsletter.
4. Check Social Media Plugins and Embedded Videos
The social media plugins that Facebook and others make available collect personal data without the website visitor noticing and can thus be used to build detailed profiles. The same applies if you embed videos, for example from YouTube or Vimeo, on your page: the embed code loads content from the provider's servers, so the visitor's IP address (and any cookies the browser already holds for that provider) is transmitted to YouTube (and therefore Google) as soon as the page loads, regardless of whether the user clicks on the video or not. Data protection authorities have criticized these plug-ins for a long time, and their use was legally risky even before the GDPR. The GDPR makes it even more critical.
So, how can you protect your website visitors while making your website GDPR compliant?
Social Media Plugins
One possibility, of course, is simply to remove the Facebook Like button. Those who do not want to do without it can use a two-click solution such as Shariff: the page initially shows only a local, static button that loads nothing from the social network, and the network's own code is fetched only after the visitor clicks it. Visitors thus decide for themselves, after the page has loaded, whether their data is transmitted to the social networks or not.
If you embed YouTube videos, enable "privacy-enhanced mode" (you'll find it under Share, Embed, Show More). It switches the embed to the www.youtube-nocookie.com domain, on which YouTube does not store information about your visitors unless they play the video. Note that the player iframe is still fetched from Google's servers when the page loads, so the IP address is still transmitted; only a two-click placeholder, as with the social buttons, avoids that. For Vimeo there was no comparable GDPR compliant setting at the time of writing.
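The two-click pattern described for the social buttons and the privacy-enhanced YouTube embed above, combined in one added example (this is not code from the original article, and not Shariff's or YouTube's own code). Until the visitor clicks, the page contains only a local placeholder, so nothing is requested from Google; the click then inserts the youtube-nocookie.com player. Function, class and attribute names are this example's own choices, and the video ID in the demo call is constructed.

```javascript
// Added example (not from the original article, not Shariff's or YouTube's
// own code): a "two-click" video embed in the spirit of Shariff, using
// YouTube's privacy-enhanced (youtube-nocookie.com) embed domain. Function,
// class and attribute names are this example's own; the video ID used in
// the demo call is constructed.

const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Extract the video ID from the URL forms YouTube hands out.
function youtubeVideoId(raw) {
  const u = new URL(raw);
  const host = u.hostname.replace(/^(www|m)\./, '');
  let id = null;
  if (host === 'youtu.be') {
    id = u.pathname.slice(1);
  } else if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    const m = u.pathname.match(/^\/(?:embed|shorts|v)\/([^/]+)/);
    id = u.pathname === '/watch' ? u.searchParams.get('v') : (m ? m[1] : null);
  }
  if (!id || !VIDEO_ID.test(id)) throw new Error('not a YouTube video URL: ' + raw);
  return id;
}

// The URL that the "privacy-enhanced mode" option in YouTube's embed dialog
// produces: same player, served from the no-cookie domain.
function privacyEnhancedEmbedUrl(raw) {
  return 'https://www.youtube-nocookie.com/embed/' + youtubeVideoId(raw);
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// What the server renders: no iframe and no external request. The embed URL
// waits in a data attribute, and the notice tells the visitor what happens
// when they proceed (the "clearly pointed out" requirement from the forms
// section applies here too).
function twoClickPlaceholderHtml(raw, title) {
  const src = privacyEnhancedEmbedUrl(raw);
  return '<div class="yt-consent" data-embed="' + escapeHtml(src) + '">' +
    '<p>' + escapeHtml(title) + '</p>' +
    '<p>Loading this video connects to YouTube (Google) and transmits your IP address.</p>' +
    '<button type="button">Load video</button></div>';
}

// The markup that replaces the placeholder after the click.
function iframeHtml(src) {
  return '<iframe src="' + escapeHtml(src) + '" width="560" height="315" ' +
    'allowfullscreen loading="lazy"></iframe>';
}

// Browser wiring; a no-op under Node, where there is no document.
function installTwoClick(root) {
  for (const btn of root.querySelectorAll('.yt-consent button')) {
    btn.addEventListener('click', () => {
      const box = btn.closest('.yt-consent');
      box.outerHTML = iframeHtml(box.dataset.embed);
    });
  }
}
if (typeof document !== 'undefined') installTwoClick(document);

// Demo with a constructed video ID.
console.log(twoClickPlaceholderHtml('https://www.youtube.com/watch?v=AbCdEfGhIjK', 'Product demo'));
```

The same placeholder-then-load structure works for a Like button or any other third-party widget: render something local first, and only fetch the provider's code in the click handler.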
5. Check Your Statistics Tool
6. Inform Users About Cookies
7. Check Your Newsletter
Anyone who uses newsletter services such as MailChimp, CleverReach, or Newsletter2Go must conclude a data processing agreement (Art. 28 GDPR) with the service provider. Ask your provider for such an agreement.
You may also need to revise the registration form. It must state the purpose of the newsletter and what content subscribers will receive once they register. Only the e-mail address may be a mandatory field.
Users must also be clearly informed that they can revoke their consent at any time. So also put a link to the unsubscribe form on the page with the registration form.
8. Check if You Need to Conclude a Processing Contract With Your Web Host
The web host (provider) serves your web pages and operates the web servers and the network connection. If the host only provides connectivity and hosting without processing personal data on your behalf, there is no processing on behalf of a controller. However, if the host also takes on tasks in which it processes personal data for you, such as e-mail administration or e-mail archiving, then it acts as a processor and you have to conclude a data processing agreement with it.
Opinions expressed by DZone contributors are their own.