
Checklist for the General Data Protection Regulation


The GDPR deadline may have come and gone, but not everyone is compliant. In this post, we'll talk about what you can do to fix that.


Which Websites Are Affected by the GDPR?

Almost all of them. The only websites outside the regulation's scope are those that serve purely personal or household purposes: a page that shows only holiday photos, carries no advertising, and uses no analytics tools is not affected. Every other website operator has to deal with the EU data protection regulation, even if you never ask visitors for their data. When a visitor requests your website, their IP address is transmitted to your server, and the GDPR counts online identifiers such as IP addresses as personal data.

The following eight points should be in place to make your website GDPR compliant and to avoid warnings and fines.

1. Make Sure Your Website Is Encrypted

Pages on which personal data is collected must always be encrypted, which certainly applies wherever contact forms or newsletter sign-ups are involved. An encrypted page can be recognised by a URL that starts with https://; most browsers then show a padlock in front of the address. Make sure that this is the case on all your pages and subpages, not just the home page, and that plain http:// requests are redirected to the https:// version. If it is not, contact your administrator. The change is usually straightforward with a TLS certificate (still commonly called an SSL certificate); free certificates are available from Let's Encrypt. One caveat: a page loaded over HTTPS that still embeds scripts, images or form actions over plain http:// (mixed content) is not fully protected, so the check has to cover the resources on each page as well. By the way, the GDPR is not the only reason to encrypt: Google also uses HTTPS as a ranking signal.
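A check for the "all pages and subpages" requirement above, as an added example that is not part of the original article: it scans a page's HTML for scripts, stylesheets, images, iframes and form actions that would be fetched or submitted over plain http://, and reports whether the page URL itself is encrypted. The sample page, hostnames and video ID are constructed for the example; on a live site you would fetch each page and run the same function over the response.

```javascript
// Added example (not from the original article): a mixed-content check that
// flags every script, stylesheet, image, iframe or form action on a page
// that would be fetched or submitted over plain http://. The sample page
// below is constructed for the example.

const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/jquery.js"></script>
<script src="//analytics.example.org/a.js"></script>
</head><body>
<img src='http://img.example.com/logo.png' alt="logo">
<form action="http://forms.example.com/contact" method="post">
  <input name="email" type="email">
</form>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEOID0001"></iframe>
</body></html>`;

// Tag/attribute pairs that trigger a network request or a form submission.
const TAG_ATTRS = {
  script: ['src'], link: ['href'], img: ['src'], iframe: ['src'],
  form: ['action'], video: ['src'], audio: ['src'], source: ['src'],
};

// Opening tags and their attributes. A regex scanner is enough for the
// example; attribute values containing '>' would need a real HTML parser.
const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Resolve a raw attribute value against the page URL, so relative and
// protocol-relative (//host/...) references inherit the page's scheme.
function resolveRef(value, pageUrl) {
  try {
    return new URL(value.trim(), pageUrl);
  } catch (e) {
    return null;                       // not a URL at all
  }
}

function findInsecureReferences(html, pageUrl) {
  const findings = [];
  let tagMatch;
  while ((tagMatch = TAG_RE.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    const watched = TAG_ATTRS[tag];
    if (!watched) continue;
    let attrMatch;
    ATTR_RE.lastIndex = 0;
    while ((attrMatch = ATTR_RE.exec(tagMatch[2])) !== null) {
      const name = attrMatch[1].toLowerCase();
      const value = attrMatch[2] !== undefined ? attrMatch[2]
                  : attrMatch[3] !== undefined ? attrMatch[3]
                  : (attrMatch[4] || '');
      if (!watched.includes(name)) continue;
      const ref = resolveRef(value, pageUrl);
      if (ref && ref.protocol === 'http:') {
        findings.push({ tag, attr: name, url: ref.href });
      }
    }
  }
  TAG_RE.lastIndex = 0;
  return findings;
}

// Whole-page verdict: the page itself must be served over https, and none
// of its references may fall back to http.
function auditPage(pageUrl, html) {
  const pageEncrypted = new URL(pageUrl).protocol === 'https:';
  return { pageEncrypted, insecureReferences: findInsecureReferences(html, pageUrl) };
}
```

On the constructed sample served from an https:// URL the scanner reports three findings (the CDN script, the logo image and, worst of all, a contact form posting over plain HTTP); the protocol-relative analytics script and the relative stylesheet are fine because they inherit the page's scheme. Run the same page as if served over http:// and every relative reference is flagged too, which is exactly why the redirect to https:// has to come first.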

2. Revise Your Privacy Policy

All services and plug-ins used on the site that make data accessible to a third party must be listed in the privacy policy. Personal data is passed on, for example, by the Facebook Like button. Even those who use Google reCAPTCHA to keep bots from leaving comments, or Akismet, a popular plug-in that filters out spam comments, share personal data with a third party. In addition, the privacy policy must now contain significantly more information about the rights users have under the GDPR.

3. Review All Forms on Your Website

Is it possible to make an appointment on your website? Or sign up for a newsletter? Or write a message via a form? Then you have to revise the form. In your forms you may only collect the personal data that you actually need to handle the request. What counts as necessary depends on the situation. For a newsletter subscription, for example, you only need the e-mail address, not the first and last name, so the name fields must NOT be mandatory. Required fields, in this case only the e-mail address, must be marked as such. If you want to collect more data, you must clearly tell the user why you need it, on what legal basis you process it, and what you do with it. Such a notice can read, for example:

"We process your contract data (e.g. services used, names of contact persons, payment information) in order to fulfil our contractual obligations and services in accordance with Art. 6 (1) lit. b) DSGVO (GDPR). The details marked as mandatory in online forms are required for the conclusion of the contract." - Source

Verify that you have separate consent for each purpose for which you require data. For example, if you want to send a newsletter to a customer who has made an appointment with you online, then you need additional consent.

Before the form is submitted, link to the privacy policy and require confirmation that it has been read.

4. Check Social Media Plugins and Embedded Videos

The social media plug-ins that Facebook and others provide collect personal data unnoticed by the website visitor and can be used to build detailed personality profiles. The same applies to embedded videos from YouTube or Vimeo: if you have YouTube videos embedded on your page, you automatically transfer data about your visitors to YouTube (and therefore Google) as soon as the page loads, regardless of whether the visitor clicks on the video or not. Data protection authorities have criticised these plug-ins for a long time, and their use has been legally risky so far; the GDPR makes it even more so.

So, how can you protect your website visitors while making your website GDPR compliant?

Social Media Plugins

One option, of course, is simply to remove the Facebook Like button. Those who do not want to do without it can turn to a solution such as Shariff, which replaces the network's own scripts with plain share links, so nothing is sent to the social network until the visitor actively clicks. The visitor decides freely, after the page has loaded, whether their data is transmitted to the social networks or not.

Videos

If you embed YouTube videos on your page, use the privacy-enhanced mode. You'll find it in YouTube's share dialog after choosing Share, Embed, and Show More; the embed code it generates points to www.youtube-nocookie.com instead of www.youtube.com. For Vimeo there was, at the time of writing, no comparable GDPR-compliant option.
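Both halves of point 4 in working code, as an added example that is neither the article's nor Shariff's nor YouTube's own: privacy-enhanced embed URLs on the youtube-nocookie.com host (the host YouTube's privacy-enhanced share option generates), a two-click placeholder that creates the iframe only after the visitor clicks, a rewrite for embeds already on existing pages, and Shariff-style share buttons built as plain links to the networks' share endpoints instead of their scripts. The video ID, page URL and CSS class name are assumptions.

```javascript
// Added example (not from the original article): privacy-enhanced YouTube
// embeds that load nothing from Google until the visitor clicks, plus
// Shariff-style share links that need no third-party script. Video IDs,
// page URLs and class names below are made up for the example.

const YT_ID_RE = /^[A-Za-z0-9_-]{11}$/;   // YouTube video IDs: 11 URL-safe characters

// The privacy-enhanced embed host that YouTube's share dialog generates.
function privacyEmbedUrl(videoId) {
  if (!YT_ID_RE.test(videoId)) throw new Error('invalid YouTube video id: ' + videoId);
  return 'https://www.youtube-nocookie.com/embed/' + videoId;
}

// Retrofit existing pages: rewrite standard embed URLs to the privacy host.
function rewriteEmbeds(html) {
  return html.replace(/https?:\/\/(?:www\.)?youtube\.com\/embed\//g,
                      'https://www.youtube-nocookie.com/embed/');
}

// Two-click pattern: the page ships only a placeholder (no request to
// YouTube at load time); the iframe is created after the visitor's click.
function placeholderHtml(videoId) {
  privacyEmbedUrl(videoId);              // validates the id before it is echoed into HTML
  return '<div class="yt-placeholder" data-video-id="' + videoId + '">' +
         '<button type="button">Play video (loads content from YouTube)</button></div>';
}

function activatePlaceholders(doc) {     // doc is injected so the DOM part is testable
  doc.querySelectorAll('.yt-placeholder').forEach((el) => {
    el.querySelector('button').addEventListener('click', () => {
      const iframe = doc.createElement('iframe');
      iframe.src = privacyEmbedUrl(el.dataset.videoId);
      iframe.width = '560';
      iframe.height = '315';
      iframe.setAttribute('allowfullscreen', '');
      iframe.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
      el.replaceWith(iframe);
    });
  });
}

// Shariff-style share buttons: plain links to the networks' share endpoints.
// Nothing is transmitted to the network until the visitor follows the link.
const SHARE_ENDPOINTS = {
  facebook: (u) => 'https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(u),
  twitter:  (u) => 'https://twitter.com/intent/tweet?url=' + encodeURIComponent(u),
};

function shareLink(network, pageUrl) {
  const build = SHARE_ENDPOINTS[network];
  if (!build) throw new Error('unsupported network: ' + network);
  return build(pageUrl);
}

// In the browser, wire up the placeholders once the page has loaded.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => activatePlaceholders(document));
}
```

The video ID is validated before it is echoed into markup or a URL, so a value smuggled in through a CMS field cannot inject attributes or redirect the embed to another host. The two-click placeholder is stricter than privacy-enhanced mode alone: with the latter, the iframe still contacts Google when the page loads, whereas the placeholder sends nothing until the visitor decides to play.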

5. Check Your Statistics Tool

Most website owners use a service such as Google Analytics to analyse how many visitors come to their site and what they look at. In the process, IP addresses are collected. These must be shortened, that is anonymised, so that no personal reference is possible. Ask your web administrator to enable IP anonymisation in the tracking code (the anonymizeIp setting in analytics.js, or anonymize_ip in gtag.js). In addition, you must conclude a data processing agreement with Google, and the privacy policy must state that you use the analytics tool. It must also link to the Google Analytics terms of use and privacy policy, and it must offer an objection mechanism, the so-called opt-out: with one click in the privacy statement, a visitor can ensure that their data is no longer passed on to Google. How to integrate this opt-out is described in Google's documentation.

6. Inform Users About Cookies

Almost all websites use cookies: small files that store data locally on the visitor's device, used to recognise the visitor and make browsing the site easier. The legal situation around cookies was still unsettled when the GDPR came into force. To avoid warning letters, obtain the consent of website visitors on their first visit with a so-called cookie banner. Its text should state as concretely as possible what data is involved, what it is used for, and with whom it may be shared. One formulation in circulation reads:

"To make our website optimal for you and to be able to improve it continuously, we use cookies. By continuing to use the website, you agree to the use of cookies. Further information on cookies can be found in our privacy policy."

One caveat: the GDPR defines consent as a clear affirmative action, and its Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent. Banner wording that treats "continuing to use the website" as agreement therefore rests on weak ground. The safer design offers an explicit accept (and decline) control, sets no non-essential cookies until the visitor accepts, and records what was accepted and when.

The privacy policy also needs a section on cookies. The GDPR requires that the legal basis for the use of cookies is mentioned there. In addition, tell users in the privacy policy how they can prevent the use of cookies.
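Points 5 and 6 meet in one piece of code: the analytics tag should only be configured once the visitor has accepted the analytics cookie category, the IP must be anonymised when it is, and Google's documented opt-out switch (window['ga-disable-PROPERTY_ID'] = true) must be honoured at any time. The following loader is an added example, not the article's or Google's code: the cookie name, the policy version, the property ID and the cookie lifetimes are assumptions, and window and gtag are passed in as parameters so the logic can be exercised outside a browser. It targets the gtag.js API the article refers to; Google Analytics 4 properties anonymise IP addresses by default.

```javascript
// Added example (not from the original article, nor Google's code): a
// consent-gated Google Analytics loader. It reads the visitor's recorded
// cookie consent, honours Google's documented opt-out switch
// (window['ga-disable-<PROPERTY_ID>'] = true), and configures tracking with
// anonymize_ip only when both allow it. Cookie name, policy version and
// property ID are assumptions.

const CONSENT_COOKIE = 'site_consent';   // assumed name of the consent cookie
const POLICY_VERSION = 2;                // bump whenever the cookie/privacy text changes
const NO_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Parse a document.cookie / Cookie header string into name -> value.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The consent cookie stores JSON such as
// {"v":2,"ts":1527235200000,"categories":{"analytics":true,"marketing":false}}.
// No cookie, a malformed one, or one given for an older policy version all
// count as NO consent: silence and inactivity are not consent under the GDPR.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return NO_CONSENT;
  try {
    const c = JSON.parse(raw);
    if (c.v !== POLICY_VERSION || !c.categories || typeof c.categories !== 'object') {
      return NO_CONSENT;
    }
    return { analytics: c.categories.analytics === true,
             marketing: c.categories.marketing === true };
  } catch (e) {
    return NO_CONSENT;
  }
}

// Set-Cookie value to write when the visitor clicks "accept" on the banner.
function consentCookie(categories, now = Date.now()) {
  const payload = JSON.stringify({ v: POLICY_VERSION, ts: now, categories });
  return CONSENT_COOKIE + '=' + encodeURIComponent(payload) +
         '; Path=/; Max-Age=15552000; SameSite=Lax; Secure';   // 180 days (assumed)
}

function optOutKey(propertyId) { return 'ga-disable-' + propertyId; }

// Called from the opt-out link in the privacy policy: disables tracking for
// the current page view and returns the cookie that persists the choice.
function optOut(win, propertyId) {
  win[optOutKey(propertyId)] = true;
  return optOutKey(propertyId) + '=true; Path=/; Max-Age=63072000; SameSite=Lax; Secure';
}

// Returns true when tracking was configured, false when it was suppressed.
function initAnalytics(win, gtag, cookieString, propertyId) {
  const cookies = parseCookies(cookieString);
  if (cookies[optOutKey(propertyId)] === 'true') {
    win[optOutKey(propertyId)] = true;    // re-apply a persisted opt-out
    return false;
  }
  if (!readConsent(cookieString).analytics) return false;
  gtag('js', new Date());
  gtag('config', propertyId, { anonymize_ip: true });   // IP is truncated before storage
  return true;
}
```

The order of the checks matters: the opt-out wins over any stored consent, and a consent record from an older policy version is treated as absent, so a change to the privacy text forces the banner to be shown again rather than silently reusing an agreement to text the visitor never saw.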

7. Check Your Newsletter

Anyone who uses a newsletter service such as MailChimp, CleverReach or Newsletter2Go must conclude a data processing agreement with the provider. Ask your provider for such an agreement.

You may also need to revise the registration form. It must state the purpose of the newsletter and what information subscribers will receive. Only the e-mail address may be a mandatory field.

The registration form should also link to the privacy policy, which must explain how and why the mailing service provider processes data. If, for example, you measure how many subscribers click on links in the newsletter, the privacy policy has to say so and explain why, namely to optimise the newsletter for its readers.

Users must also be clearly told that they can withdraw their consent at any time. So put a link to the unsubscribe form on the same page as the registration form as well.
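The form rules from point 3 and the newsletter rules from point 7 come down to the same server-side logic, shown here as an added example that is not part of the original article: only the fields a purpose actually needs are mandatory, the privacy policy has to be confirmed as read, each purpose gets its own consent record (an appointment booking never implies newsletter consent), and consent can be withdrawn per purpose. The field names, the two purposes, the policy version identifier and the in-memory store are assumptions; a real site would persist the records in its database.

```javascript
// Added example (not from the original article): server-side handling of a
// sign-up form that follows the data-minimisation and per-purpose consent
// rules. Field names, purposes, the policy version and the in-memory store
// are assumptions made for the example.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;     // coarse syntax check only
const PRIVACY_POLICY_VERSION = '2018-05-25';       // identifier of the policy text shown (assumed)

// Data each purpose actually needs. Nothing else may be a required field.
const REQUIRED_FIELDS = {
  newsletter:  ['email'],
  appointment: ['email', 'appointment_time'],
};

// body: the submitted form fields as a plain object of strings.
// Consent checkboxes arrive as consent_<purpose>=yes only when the user
// ticked them (never pre-ticked); privacy_policy_read=yes likewise.
function validateSubmission(body) {
  const errors = [];
  if (!EMAIL_RE.test(body.email || '')) errors.push('email: a valid address is required');
  if (body.privacy_policy_read !== 'yes') errors.push('privacy policy: must be confirmed as read');
  const purposes = Object.keys(REQUIRED_FIELDS).filter((p) => body['consent_' + p] === 'yes');
  if (purposes.length === 0) errors.push('consent: at least one purpose must be ticked');
  for (const p of purposes) {
    for (const field of REQUIRED_FIELDS[p]) {
      if (field !== 'email' && !body[field]) errors.push(field + ': required for ' + p);
    }
  }
  return { ok: errors.length === 0, errors, purposes };
}

// One record per purpose, with what was agreed to and when. Optional data
// such as the name is kept only if the user volunteered it.
function recordConsents(store, body, now = new Date().toISOString()) {
  const result = validateSubmission(body);
  if (!result.ok) return result;
  for (const purpose of result.purposes) {
    store.push({
      email: body.email.trim().toLowerCase(),
      purpose,
      given_at: now,
      policy_version: PRIVACY_POLICY_VERSION,
      withdrawn_at: null,
      name: body.name ? body.name.trim() : null,
    });
  }
  return result;
}

// Withdrawal (e.g. the unsubscribe link) ends consent for that purpose only.
function withdrawConsent(store, email, purpose, now = new Date().toISOString()) {
  const key = email.trim().toLowerCase();
  let count = 0;
  for (const r of store) {
    if (r.email === key && r.purpose === purpose && r.withdrawn_at === null) {
      r.withdrawn_at = now;
      count += 1;
    }
  }
  return count;
}

// Before every mailing: is there live consent under the current policy?
function hasConsent(store, email, purpose) {
  const key = email.trim().toLowerCase();
  return store.some((r) => r.email === key && r.purpose === purpose &&
                           r.withdrawn_at === null &&
                           r.policy_version === PRIVACY_POLICY_VERSION);
}
```

The record keeps the policy version the visitor actually saw, so after the privacy policy changes, hasConsent() returns false and the site has to ask again instead of mailing under an agreement to text that no longer exists; the name is stored as null unless the visitor chose to give it, which is the data-minimisation rule in code.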

8. Check if You Need to Conclude a Processing Contract With Your Web Host

The web host (provider) serves your web pages and takes care of operating the web servers and the network connection. If the host provides only the connectivity and does not process any personal data on your behalf, there is no processing on behalf of a controller. However, if the host also takes on tasks in which it processes personal data, such as e-mail administration or e-mail archiving, then it acts as your processor and you have to conclude a data processing agreement (Art. 28 GDPR). In practice this is the usual case, since hosts typically keep server access logs that contain visitors' IP addresses.

