GDPR Compliance Requirements for an Online Business Website
The General Data Protection Regulation or GDPR came into effect on May 25, 2018, with the aim of standardizing personal data management among countries in the European Union. However, countries across the world have geared up to meet GDPR compliance requirements.
So, what is GDPR compliance?
It is a regulation that will ensure an increase in transparency of data processing, set up clearer consent provisions, and provide users the right to request or remove their data, along with other data privacy measures. This post will talk about the GDPR compliance in the US and Europe.
GDPR Compliance Checklist
Learn about the primary focus areas of the regulation in the checklist below:
- Consent: Clear consent of users is required for soliciting all the personal data, not just for data with a sensitive nature. While collecting personal data, data collectors should be able to show that users have given their consent to the processing of their data.
- Data Protection Impact Assessment (DPIA): If a website stores visitors’ personal data, it needs to perform a data protection impact assessment (DPIA) prior to each campaign or project that requires personal data. A DPIA is an auditing process that evaluates procedures and measures how effective and volatile those procedures are in terms of protecting personal data. The DPIA fulfills the following objectives:
  - Makes an assessment of the potential risks and after-effects;
  - Ensures legal, regulatory and policy compliance regarding privacy;
  - Reviews current protections and considers alternative processes to mitigate privacy risks.
  In addition, frequent and systematic data monitoring is also required for compliance, especially when data processing is done on a large scale.
- Personal Data Processing for Business Purpose: The GDPR regulates personal data processing by a company or a website when its processing activities are related to offering products or services to individuals.
- Keeping Data Processing Records: Keeping a record of data processing activities should be an ongoing process for GDPR compliance. The personal data that companies process must reflect the current situation.
- Notifying of Personal Data Breaches: If a breach of security leads to the accidental or unlawful loss, disclosure, destruction, or alteration of data, the authorities must report the breach to the Data Protection Authority no later than 72 hours, when feasible.
- Erasing Data: Individuals have the right to ask the controller to erase their personal data with immediate effect. A number of grounds apply for erasing data, such as:
  - the personal data is no longer required for the purposes for which it was collected;
  - the individual withdraws consent to the processing of the data;
  - the individual raises an objection to the processing;
  - unlawful processing of personal data; or
- Penalties: There are financial penalties for non-compliance with data protection regulations by individuals or enterprises, depending on the nature of the violation. For an organization, the penalties are below:
  - Up to €10 million or 2 percent of the annual worldwide revenue, whichever is higher, or
  - Up to €20 million or 4 percent of the annual worldwide revenue, whichever is higher.
GDPR Compliance Requirements for Websites
Organizations need to consider several factors to make their website GDPR compliant. Here they are:
Which Websites need to be GDPR Compliant?
A business website should chalk out a specific plan for collecting personal data, and how to use that data on lawful grounds.
Currently, user consent is the most common lawful ground. However, the GDPR has made the rules for collecting and keeping data stringent. There are specific rules for seeking consent, which vary depending on the nature of the information you are seeking. Sensitive personal data requires clear consent.
The data rights are below:
- The Right to Access: An organization must allow individuals access to their personal data. For this, organizations need to provide a copy of an individual’s personal data.
- The Right to Rectify: Individuals can request to update or rectify their personal data that an organization is holding if it is inaccurate or incomplete.
- The Right to Data Erasure: In certain circumstances, individuals can request to remove their personal data. They can make the request verbally or in writing. This right is also called “the right to be forgotten.”
- The Right to Restrict Data Processing: Individuals may also restrict the processing of data instead of erasing it.
Resort to Data Encryption
Considering the importance of data privacy and protection, websites need to have a strong data protection strategy in place. Installing an SSL certificate is a basic requirement these days to protect the stored data on the server of a website.
Data Protection for Mobile Websites
Businesses are required to provide data protection for mobile websites and apps as well. Data breaches are rampant on those platforms these days. Considering this, the GDPR stipulates that data collection rules must be integrated with mobile websites and apps.
Change the Cookies of Your Website
The cookies of your website need to be GDPR compliant only if they collect and retain personal data. For example, cookies used for advertising, financial services, and surveys fall into this category.
Implied Consent is Not Valid
To comply with the GDPR, users need to take affirmative action to confirm their consent. It means implied consent is not valid. That is why adding cookies to a website’s landing pages and hoping that visitors will not opt out is not going to work.
The Cookie Law suggests that websites obtain visitor consent via a soft opt-in model, which says:
“This means giving an opportunity to act before cookies are set on the first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action. Although see above about a persistent opt-out route. This however may not be sufficient for sites that contain health related content, or other sites where the browsing history may reveal sensitive personal data about the visitor. Then it may require explicit consent, a higher bar to get over.”
The law further states that statements like “By using this site, you accept cookies” are not compliant. If a website does not provide a genuine and free option, then the consent is not valid. In addition, a choice of opting out should be available on the site.
The following screenshot shows the cookie statement of www.cookielaw.org.
Specific Consent is required for Different Cookies
Websites that use various types of cookies for different data processing objectives need valid consent mechanisms for each objective. It means there have to be separate consents for tracking and analytics cookies.
Make sure all the consent forms on your website are unchecked by default so that users give consent by opting in. Getting confirmation from visitors will keep your site compliant with the GDPR.
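The per-purpose, opt-in consent described in the cookie sections above, as an added example (not code from the original page or from any plugin it mentions). The `ConsentManager` class, the purpose names, the cookie names and the in-memory cookie jar standing in for the browser's cookie store are all assumptions made for illustration.

```javascript
// Added example: purpose names and ConsentManager are hypothetical.
const PURPOSES = ["analytics", "tracking", "advertising"];

class ConsentManager {
  constructor(jar = new Map(), now = () => new Date().toISOString()) {
    this.jar = jar;         // stand-in for the browser cookie store
    this.now = now;         // injectable clock so records are reproducible
    this.log = [];          // evidence: every change of consent, with a timestamp
    this.owner = new Map(); // cookie name -> purpose it was set under
    // Every purpose starts unchecked: no consent exists until the visitor acts.
    this.state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // Call only from an explicit user action (submitting the consent form).
  // `choices` is the full form state; anything other than `true` is a refusal.
  record(choices) {
    for (const purpose of PURPOSES) {
      const granted = choices[purpose] === true;
      if (granted === this.state[purpose]) continue;
      this.state[purpose] = granted;
      this.log.push({ purpose, granted, at: this.now() });
      if (!granted) this.purge(purpose); // opt-out takes effect immediately
    }
  }

  // Withdrawing consent removes the cookies that were set under that purpose.
  purge(purpose) {
    for (const [name, p] of this.owner) {
      if (p !== purpose) continue;
      this.jar.delete(name);
      this.owner.delete(name);
    }
  }

  // A cookie is written only if its own purpose has been granted;
  // consent for one purpose never covers another, and unknown purposes fail.
  setCookie(name, value, purpose) {
    if (this.state[purpose] !== true) return false;
    this.jar.set(name, value);
    this.owner.set(name, purpose);
    return true;
  }
}
```
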
GDPR Compliance for WordPress Websites
You can make your WordPress website GDPR compliant by using a simple yet powerful plugin like WPLegalPages.
WPLegalPages WordPress Plugin
If you are seeking a fast and easy way to get your website GDPR ready, then the WPLegalPages plugin is the one you need. What can this plugin do?
Well, it can ensure that your website meets all the GDPR compliance requirements including Agree to Terms and Conditions, Affiliate disclaimer generator, and cookie consent.
The plugin is also compatible with the current versions of Gravity Forms, Contact Form 7, and WordPress Comments, which will help you add consent options to them.
Some of the key features of this plugin are:
- Pre-built Legal Template: It has more than 25 built-in legal templates that are approved by lawyers to comply with all the internet laws.
- Easy To Edit Pages: The plugin is easy to install and only takes a few minutes to set up legal pages on your website. Just fill in the details about your business in pre-made templates and publish.
Before installing, you can also learn more about the plugin by clicking More Details. In the next window, you will find all the details such as Description, Installation, FAQ, and Reviews (as shown below):
WPLegalPages is a powerful plugin with a complete range of legal policies for your WordPress website.