Introduction - Website Compliance Checklist
In many cases, your company will receive data through your website, for example when your clients are buying products in your online store, updates their data in the member's area, or a customer sends you a message to get in touch with you.
In all these situations, data is processed through your website and if you have customers from Europe, then your website must comply with the General Data Protection Regulation (GDPR). Therefore, you must ensure data privacy. Due to that, you need knowledge about the GDPR and you must have the resources for compliance in your organization.
I created this Website Compliance checklist to give you an overview of the tasks you should carry out to make your website GDPR-compliant. If you have any questions, please send me an email to contact@griffox.com.
1. What data is stored on your website?
The GDPR obliges you to be accountable for complying with the requirements. Of course, this means that you must know what data you have, who has access to this data, where this data is stored, for what purpose this data was stored, and who your business processes are working.
You should be able to answer the following questions, as it is not enough to know that you have stored your client's data somewhere in cloud storage. Because cloud storage can be almost anywhere in the world, it can be a little bit complicated sometimes to know exactly where your data is stored.
Let's talk about an example before we take a look at some questions.
Imagine the following situation: a customer is buying products from you for many years. He always pays promptly and he put his data in your member's account. He uses your social media buttons from time to time and he is reacting to your sales advertisements. But he lives in France. Do you know exactly the purpose for which his data were originally collected?
Data processing about the GDPR means that it is designated for a particular purpose. If your customers are living somewhere in Europe then you have to comply with the GDPR. Accordingly, you can only process data for the purpose for which it was originally collected.
Questions
What personal data did you process and store?
Which persons or third parties have access to this data?
Do you control the processing of the data and how do you document this check?
How do you document the purpose of data storage?
On what basis does the data processing take place (contract, consent, ...)
Where exactly do you store the personal data?
How long do you store data? At what intervals do you perform data deletion?
Does your website collect personal information from minors (under the age of 16)?
Do you process special categories of personal data according to Article 9 GDPR (basic and ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, and biometric data for the unique identification of a natural person, health data or data on sex life or the sexual orientation of a natural person)?
2. How do you secure your website?
A website is your professional online presence and it is of particular importance that you take care of the security of your site and that the site is protected against attacks. And you should also be aware that a specific page of your website can contain several business processes.
The GDPR also obliges you to ensure that you implement appropriate measures that guarantee the security of your data processing. The GDPR generally refers to the current state of the art. This means that you must focus on the current state of the art, which is generally recognized. You can read about this in Article 25 and Recital 78.
Questions
Have you installed an SSL certificate that encrypts all information exchanged between the website and the server?
Do you use strong passwords for administrator accounts?
How do you protect your website against DDoS attacks?
Do you use pseudonymization, anonymization, and encryption measures to protect the stored data?
Do you have a data storage concept that ensures that you store backups in different locations?
Do you observe the principles of storage limitation and data minimization?
3. Your Privacy Policy
The GDPR requires you to have a privacy policy. This is because Article 13 of GDPR stipulates that the website owner must inform the user at the time of data processing about the purposes and legal basis for data processing.
The privacy policy must also outline the
rights of the user. In addition, it is important that you write the policy in clear and understandable language and that the privacy policy is placed in a way that the customer can easily find and access it.
The following list which is also part of my blog article Dealing with the GDPR - Part 3 - Website, Privacy Policy, Cookies & Consent Management will help you to check if your privacy policy is containing all necessary aspects.
Questions
Which information’s collected from users or other sources?
How do you process data? How and why do you gather that data?
What are the lawful bases of data processing?
How do you use it?
Do you share data with third parties?
Are you using cookies or plugins?
How do you handle social logins?
How long do you store the data of your visitors?
Is the data secured through specific security measures?
Do you collect data from minors?
What are the rights of the user?
Is your data transferred internationally?
4. Cookies and the cookie banner
If you don't know what cookies do or why they are used on websites you can find additional information in my Blog Article Dealing with the GDPR - Part 3 - Website, Privacy Policy, Cookies & Consent Management.
Nowadays it is very common to use cookies on websites. But we must always keep in mind that cookies process data and due to that you must achieve compliance with applicable laws like GDPR or CCPA (California Consumer Privacy Act).
When you create a cookie banner it is important to keep in mind that cookies are used for various data processing purposes and that the legal basis for data processing is therefore different. Cookies are usually grouped. They are often divided into technically necessary, functional, performance, and marketing & analysis.
Technically necessary cookies are classified as cookies that must be present for the basic functions of a website to be able to function. They are technically necessary to access functions of the website, such as the member's area, adding items to a shopping cart, or completing the purchase of products. They also allow navigating between pages without losing previous actions from the same session. These cookies are the only cookies allowed by law without the need for prior consent from the user.
Functional cookies store previous preferences of the visitor to a website to offer them these preferences such as region, language, or user name again on subsequent visits to the website. This allows different personalized functions to be used, such as news or local weather. Functional cookies usually do not track any browser activities. They can be designed as first-party, third-party, persistent, or session cookies.
The use of performance cookies makes it possible to track how users use a website, which pages are visited more frequently or less frequently, and whether errors occur on websites. Performance cookies are also used to monitor the performance of the website. Performance cookies are not intended to collect any identifiable information from visitors but help to improve the performance of the website. By analyzing this performance data, improvements can then be made to the website. Performance cookies are usually first-party cookies. However, they may also be cookies from third parties.
Analysis and marketing cookies have the purpose of collecting specific information about the user. Based on this information, the user then receives advertising on the topics relevant to him. Analysis and marketing cookies always require the user's consent. In addition, they pursue the purpose of creating user profiles to create aggregated profiles on this basis, which can be transferred to other websites. These types of cookies are almost permanent cookies from third parties. These cookies also track the user across sites.
Questions
Have you grouped your cookies?
Have you described why you use cookies and what purpose the cookies serve?
Are the cookie buttons designed in such a way that the user must actively agree?
Have you checked whether the cookies only work if you have actively consented?
Do you use a consent management tool? If so, what data is stored and how can you access this data?
If you use third-party cookies, you should create a separate cookie policy.
5. User Rights
The GDPR grants your users extensive rights. These rights relate, for example, to the deletion of data or the portability of data provided by the customer. In addition, the customer has extensive rights to information.
In this context, you must describe a procedure in your privacy policy or on your website on how the customer can exercise his rights. You can find information regarding user rights in Articles 12 to 23 of the GDPR and the Recitals 58 to 73.
The following list gives you an overview of the user rights:
Transparent information, communication, and modalities for the exercise of the rights of the data subject (Art. 12 GDPR)
Information to be provided where personal data are collected from the data subject (Art. 13 GDPR)
Information to be provided where personal data have not been obtained from the data subject (Art. 14 GDPR)
Right of access by the data subject (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (‘right to be forgotten) (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Notification obligation regarding rectification or erasure of personal data or restriction of processing (Art. 19 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR)
Automated individual decision-making, including profiling (Art. 22 GDPR)
Restrictions (Art. 23 GDPR)
In addition, you must think about how you will react to customer inquiries. For example, in which form do you want to comply with his request for information? Can you print out your customer's data with one click or do you have to laboriously search for them from different systems?
Since there are no concrete specifications for the user rights procedure, you can design it in different ways. Make sure it's customer-friendly and try to support your clients.
6. What can you do in the case of a data breach?
If you determine that a data breach has occurred, you should first analyze and document it carefully. Here you must document from when to when the data breach existed, which data was affected, who the affected persons are, how many data sets and persons are affected, and in what form the data is affected (disclosure, deletion, . ..).
You should take affected sites offline as soon as possible and generally inform customers that the affected service or website is currently unavailable.
The GDPR states that you must notify the relevant supervisory authority within 72 hours. The procedure is described in Article 33 and Recitals 85, 87, and 88.
In addition, you must also notify affected users if there is an increased risk to users' rights and freedoms because of the violation.
7. Forms on your website
Forms on a website are very useful because they are usually located in the encrypted area (https) of the website and processes can be comprehensibly controlled via forms. Furthermore, forms can be designed with different security features.
Since a form also processes data, it is important to have an overview of the forms you use and to add the relevant information to the privacy policy.
Depending on the design of the form, there are different legal bases for data processing. Whether an opt-in is required always depends on the purpose of the processing, your privacy policy, and the contractual relationship between you and your customer.
8. Consent for sending emails
If you're doing email marketing, you must check for GDPR compliance and country-specific legal requirements. For example, cold calling is not allowed in every country.
Regardless of where your recipient lives, you should always make sure you have permission to send email. This is important for customer communication, but also for newsletters.
However, it is always possible that the legal basis for sending emails can be derived from various regulations.
In any case, it makes sense to confirm the email dispatch via a double opt-in. This makes it easier for you to prove that you were allowed to send the email in the event of a dispute.
In addition, you should note that unsubscribing from emails is just as easy as subscribing to the newsletter.
According to the GDPR, you must encrypt outgoing emails.
9. Third Party Data Processors and Services
Data processors are institutions that process your customers' data on your behalf. The same applies to third-party services. Articles 28 and 29 of the GDPR provide comprehensive information on data processors and your obligations when using data processors.
Before starting a contract with a data processor be sure that the data processor has sufficient guarantees about the security of the data processing and that the data processing is carried out by the GDPR.
Questions
How often do you audit your data processors?
Have you listed the data processors in your data protection declaration or pointed out that data processing is carried out by third parties?
10. International data transfer
International data transfer can be complex, which is because the GDPR divides countries into secure third countries and non-secure third countries. Depending on the country to which data is to be transferred, it must be clarified which legal bases must be observed for the data transfer.
Questions
Before a data transfer, you should therefore deal with the following questions:
Did you carry out a Transfer Impact Assessment (TIA) before the data transfer?
Does the receiving country have an adequate level of data protection?
What contractual arrangements have been made?
Are all the necessary agreements with the recipient company/service provider in place?
If you have any questions, feel free to contact me!
