
How to make your website GDPR compliant

The deadline for implementing the new General Data Protection Regulation (GDPR), which expands the requirements that all economic entities processing personal data within the EU must meet, is fast approaching. Businesses have until the 25th May 2018 to make any necessary changes to their processes.

What is GDPR?

Given how extensive the terms of the GDPR are, it is not our intention to go into minute detail about the full regulations; instead, we'll cover just the main gist of the regulations and the reason for their introduction.

The GDPR was created to unify the personal data protection rules across the EU, and must be followed by all companies, businesses or other entities that collect personal data in some way. For these entities, the GDPR will introduce many additional rules that will affect many areas of the data management process, such as the collection and storage of data processing documentation, monitoring of potential personal data breaches, and involving a supervisory authority in matters such as, for example, the aforementioned data breaches.

The GDPR's main purpose is to enhance the protections that EU citizens have when their data is used and collected, and afford them new rights such as the right to transfer their personal data, or to be forgotten; that is, to have their personal data removed from a system when the law no longer requires its retention.

With all of these new regulations comes enforcement, and in order for companies to protect themselves from potential multi-million euro fines, it is important that they protect any collected personal data as effectively as they can.

Does GDPR affect you and your webpage?

Whether you are operating a large online store, news portal or just a small personal blog, if you process any kind of data taken from the users who visit your site, then you will be subject to the new regulations. This also applies if you do not collect personal data yourself, but utilize third-party services for this purpose.

If you have or use any of the following items on your website, then it will be worth double-checking that you meet the requirements of the GDPR before the May deadline:

  1. Your website collects data on visitors, such as via Google analytics.
  2. Your site has a registration form.
  3. You have e-commerce functionality on your site; that is, you collect information to process payments, orders etc...
  4. You have a newsletter sign-up form.
  5. You include social media links on your pages e.g. Facebook, Twitter etc...
  6. You use a comments system for your articles, such as Disqus.
  7. Your site has scripts that use cookies.
  8. You have a contact form for users to get in touch.

This isn't an exhaustive list, but it should give you an idea of the most common situations that will involve some degree of personal data collection and processing on your website.

How to make your website compatible with the new GDPR rules?

The main takeaway from the GDPR is that if you process data in any way, then you will need to implement data protection procedures to ensure customer privacy. To decide which methods will fit the needs of your site, you should consider the following questions:

  1. Does your hosting company provide sufficient data protection?
  2. Do you use a CMS, and does it provide sufficient protection for any collected data?
  3. Are any plug-ins or scripts your site uses from a safe source that meets regulation standards for data handling?
  4. Is a CMS absolutely necessary for the management of your site, or would a static site be as effective?
  5. Is the data transferred via forms on your website protected via a safe SSL connection?
  6. Who has access rights to manage your website (such as access to the admin panel of your CMS)?
  7. Do you take enough measures to protect your website and FTP access, adequately monitor who uses your laptop or computer, and prevent unauthorized access?

Each website may well have its own nuances that will need to be taken into consideration, but we can look generally at some example solutions or procedures that can be implemented to ensure adherence to the GDPR.

Is your CMS suitable for your needs?

Though it may seem important to have as many features as possible on your website, which would mean using a server-based CMS, one should consider whether all the extras and plugins are truly necessary. If a small free webpage, electronic business card or blog is the extent of your needs, then installing a bigger CMS can be more trouble than is necessary; broken or poorly-coded plugins are often an entry point for hackers, who could easily get access to, for example, your newsletter database and the data within.

We would also recommend using a static website solution if minimizing database leaks is important to you; static websites don't use databases, and often they will use third-party solutions for other functions such as comments and newsletters. This way, you'll be able to provide similar functionality to a dynamic website, but without the plug-in solutions that can be so risky compared to a static site.

How much data is reasonable?

When you're deciding how to manage your site, you should keep two rules in mind. First, only collect the minimum amount of personal data that is absolutely critical for running your website.

Secondly, be honest and open with your users about what data you are collecting, why you are collecting it, and how you will use it. Seek confirmation that you may collect and use their data.

These rules may seem a bit nebulous at first, but we can look at a few examples to see how they could be used in practice:

Forms

When adding forms to your site, make sure that only essential fields are covered. If you don't need to call your clients, then there's no need to include a phone number field in any contact forms. Even if you do occasionally use a phone number, consider whether it would be more prudent to stick with electronic communication which also has the benefit of being recorded.

GDPR Forms

Opt-in

Users must be informed of and choose to accept actions that may include the collection of data, such as agreeing to terms and conditions or signing up to receive a newsletter. The user will need to accept the opt-ins, and a record of the agreement should be kept by the data administrator.

Under each form where such opt-ins are required, we should add an information clause that includes details such as who is the data administrator, and provide details on the privacy policy (via a link, for example). We could also include this information in confirmation emails sent after a user completes a form.

To be clear: each individual act of data collection will need to be clearly marked and consent sought. Many registration forms include a terms and conditions checkbox that, when clicked, also signs the user up for the site's newsletter. Once the new regulations are active, this kind of action will no longer be permitted.

The user will instead need to explicitly give permission for each instance of data collection, so we can't add two separate 'agreement' opt-ins to a single checkbox, such as agreeing to terms and conditions and signing up to a newsletter. Instead, we would need to use a separate opt-in checkbox for each separate data collection, which clearly describes what the information collected will be used for.

GDPR Opt-in

One final note on opt-ins: the user's agreement to one or all of your data collection acts will require explicit consent; that is, they must actively choose which data collection they agree to, and click the relevant checkboxes. For this reason, no checkboxes can be pre-checked; the user must be the one to click to add their agreement before proceeding.
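The following is an added example, not code from the original article or from Publii, showing how a form handler can enforce the rules above: one checkbox per purpose, nothing pre-ticked, a tick required for each purpose the user actually wants, and a consent record (with the exact wording shown and a timestamp) kept by the data administrator. The purpose names, field names and policy version string are assumptions.

```javascript
// Added example (not the article's or Publii's code): per-purpose opt-in
// validation on form submission, plus the consent record to keep.
// Purpose names, field names and the policy version are assumptions.

const CONSENT_PURPOSES = {
  terms:      { required: true,  text: 'I accept the terms and conditions' },
  newsletter: { required: false, text: 'Send me the newsletter by email' },
  stats:      { required: false, text: 'Share my usage data with our analytics provider' },
};

// Only an explicit tick counts. A missing field, or any other value, is
// treated as "no", so a form that omits a checkbox can never imply agreement.
function isTicked(value) {
  return value === 'on' || value === 'yes' || value === true;
}

// Validates submitted form fields (e.g. the parsed body of a POST) against
// the declared purposes. Returns { ok: true, record } or { ok: false, errors }.
function processConsent(fields, { now = new Date(), policyVersion = 'privacy-policy-v1' } = {}) {
  const errors = [];
  const consents = {};
  for (const [purpose, spec] of Object.entries(CONSENT_PURPOSES)) {
    const given = isTicked(fields[purpose]);
    if (spec.required && !given) {
      errors.push(`Consent for "${purpose}" is required to continue`);
    }
    // Keep the exact wording shown next to the answer, so the record proves
    // what was agreed to, not merely that some box was ticked.
    consents[purpose] = { given, text: spec.text };
  }
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    record: {
      subject: fields.email,
      policyVersion,
      recordedAt: now.toISOString(),
      consents,
    },
  };
}

// Renders one checkbox per purpose. The `checked` attribute is never
// emitted, so nothing is pre-ticked for the visitor.
function renderConsentCheckboxes() {
  return Object.entries(CONSENT_PURPOSES)
    .map(([purpose, spec]) =>
      `<label><input type="checkbox" name="${purpose}" value="on"` +
      `${spec.required ? ' required' : ''}> ${spec.text}</label>`)
    .join('\n');
}

// A check to run over any form template in your tests: returns the names of
// checkbox inputs that carry a `checked` attribute.
function findPreCheckedBoxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs
    .filter((tag) => /\btype\s*=\s*["']?checkbox\b/i.test(tag) && /\bchecked\b/i.test(tag))
    .map((tag) => (tag.match(/\bname\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '(unnamed)');
}
```

Note that `newsletter` consent is stored as `given: false` rather than left out when the box is not ticked; a record that shows the user was offered the choice and declined is as useful as one showing agreement.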

Granular opt-ins

If we are going to pass all or a part of the data to a third-party for processing, then the user must also be informed and their permission sought. The most common example of this is the collection of statistics; we collect the data, but a third-party analyzes and creates reports based on that data.

Google Analytics is a perfect example of this kind of stat-driven reporting, but don't start worrying if you use this on your site; the basic configuration of Google Analytics which most people will use does not collect any identifying information and doesn't conflict with the GDPR, so no consent is required from the user. However, if we use something beyond the default configuration and turn on any of the following features:

  • User ID
  • Demographic reports
  • Remarketing functions

Then we must inform the user and get their consent.

A few useful links about Google analytics:

Withdrawal of data or opt-out

Every individual should have the right to withdraw their consent at any time. Furthermore, the user must have the option to access their data records and make changes at any time. This seems straightforward enough, but in practice it can be a little bit tricky.

For example; if we were running an online shop selling apps, we would collect all data necessary for processing. We would also collect data about the user, such as logs detailing the last login time, IP address and whether they have downloaded any items. We may have a support desk for customers, and a forum for discussion that the customer takes part in.

If the customer then requests access to the data we have stored, we have to search the entire e-commerce system and export all of the client-related data we hold, on request, at any time. The GDPR allows a time limit of only 30 days to complete such a request, so while we could viably complete the data export manually for one or two clients, it just wouldn't be feasible when dealing with hundreds of clients.

Unfortunately, it's currently very difficult to find a fully-automated solution. Even the most common e-commerce-friendly CMSs and extensions such as WordPress, WooCommerce and Joomla! do not have a built-in way to collate such data.

However, there is some light at the end of the tunnel; GDPR regulations are subject to modification by each country in the EU, who may choose to introduce mitigating solutions. For example, in Poland, the responsibility for transferring data will be limited, applying only to companies that employ in excess of 250 people. It will also not apply to companies that are not processing potentially sensitive data; that is, data that could be used against the customer in any way.

The right to be forgotten

A user may, on request, demand that we remove any and all information we have stored about them; data must also be removed when it is no longer necessary for the purpose for which it was collected or processed. This doesn't just mean registration data; it covers all aspects of our site. If a user posted on our forum or commented on blog posts, they will have many files, links and posts dotted around. It thus falls to the data administrator to ensure that all such information has been removed should a request to be forgotten be received.

'Removed' is the keyword here; if a request to be forgotten is made, it will not be sufficient to simply deactivate or hide a profile; the data must be deleted entirely. In addition, the regulations charge data administrators with ensuring that information held by associated third parties (that is, parties to which data provided to us was passed for processing or analysis) is also deleted.
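As an added example (not the article's or Publii's code), the routine below carries out an erasure request across every store that references a user, asks each third-party processor to delete its copy, and then verifies that no rows still reference the user. The stores and processors are in-memory stand-ins constructed for the example; a real site would connect each one to its database or the processor's API. It also includes a store that merely deactivates records, to show that the verification step catches the "hide the profile" shortcut the text warns against.

```javascript
// Added example (not the article's or Publii's code): erasure across all
// stores plus processor notification and verification. The stores,
// processors and sample rows are constructed stand-ins (assumption).

class RecordStore {
  constructor(name, rows, userField) {
    this.name = name;
    this.rows = rows;
    this.userField = userField;
  }
  // Physically removes the rows. Returns how many were deleted.
  erase(userId) {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => r[this.userField] !== userId);
    return before - this.rows.length;
  }
  // Verification: rows that still reference the user, in any state.
  remaining(userId) {
    return this.rows.filter((r) => r[this.userField] === userId).length;
  }
}

// A store that only deactivates, the way a "hide profile" button would.
// It exists here to show that verification refuses to call this complete.
class DeactivateOnlyStore extends RecordStore {
  erase(userId) {
    let n = 0;
    for (const r of this.rows) {
      if (r[this.userField] === userId) { r.active = false; n++; }
    }
    return n;
  }
}

// Third-party processor stub: records the deletion requests it received.
class ProcessorStub {
  constructor(name) { this.name = name; this.requests = []; }
  requestDeletion(userId) {
    this.requests.push({ userId, at: new Date().toISOString() });
    return true; // a real client would return whether the API accepted it
  }
}

// Constructed sample data: user 42 appears in three separate stores.
function sampleStores() {
  return [
    new RecordStore('accounts', [{ id: 42, email: 'u42@example.org' }, { id: 7, email: 'u7@example.org' }], 'id'),
    new RecordStore('forum_posts', [{ postId: 1, authorId: 42 }, { postId: 2, authorId: 7 }, { postId: 3, authorId: 42 }], 'authorId'),
    new RecordStore('login_logs', [{ userId: 42, ip: '203.0.113.5' }, { userId: 42, ip: '203.0.113.9' }], 'userId'),
  ];
}

// Runs the erasure and returns a report suitable for the processing registry.
// `complete` is only true when every store reports zero remaining rows and
// every processor accepted the deletion request.
function forgetUser(userId, stores, processors) {
  const deleted = {};
  const remaining = {};
  for (const store of stores) {
    deleted[store.name] = store.erase(userId);
    remaining[store.name] = store.remaining(userId);
  }
  const processorsNotified = processors.filter((p) => p.requestDeletion(userId)).map((p) => p.name);
  const complete = Object.values(remaining).every((n) => n === 0)
    && processorsNotified.length === processors.length;
  return { userId, deleted, remaining, processorsNotified, complete };
}
```

The report is what you would file alongside the request: which stores held data, how much was removed, which processors were told, and whether anything is still outstanding.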

Privacy Policy

A Privacy Policy is a document which must be included on a website; for example, as a link. It should adequately inform your website visitors of what data you collect, what you use it for, who the data will be passed to (if applicable), and how the visitor can enforce their rights detailed above.

In the privacy policy you should include points similar to the following:

  • Who you are; who is the data administrator.
  • What information is collected (names, email addresses etc...), and what you do with it when it is processed.
  • Why you collect the data; why is it necessary for your site to have this data?
  • How you store the data and keep it safe and protected.
  • Who you share the information with.

This is just a summary, but to actually follow these steps you need to be sure exactly what data you are collecting, as well as where and when you are doing it.

Besides the data you collect through forms, your site will also likely send cookie files which are used to optimise the user experience with webpages, as well as gain valuable statistical data on how users behave on your site.

For forms, you will not need consent until the form is completed and sent, as asking earlier would negatively affect your site's usability. But you will need consent for any cookies you send.

We have already mentioned Google Analytics, but do you know what other elements on your site may be collecting personal data via cookies? The list can be quite extensive:

  • Facebook, Twitter, Google+ or other social media buttons and plugins
  • Comment system (WP, Disqus)
  • Google Adsense or Adwords
  • Embedded videos from Vimeo, Youtube etc...
  • Affiliate programs
  • Chat software
  • Support desk software such as Kayako

As well as giving users information about cookies and how they are used on your webpage, you have to give users the choice to opt-in, so users can decide if they agree or not.

How to allow for opt-in with cookies

The most common way to obtain consent regarding cookies is via a Cookie banner, which appears after users first arrive on your site. The ones in use on many websites today are passive, but to meet the GDPR requirements we should add agreement options covering the scope of the cookies encountered on our site.

A good way to approach this is to separate cookies into groups, with each group having its own agreement checkboxes. Groups could be set up as:

  • Necessary
  • Preferences
  • Statistics
  • Marketing

Grouping like this allows users to make an informed decision about what they are willing to allow.

GDPR opt-in cookies

Users will also need to have the ability to change their minds about any of the agreements in the future, so we need to make a mechanism available that works similarly to the initial consent request.

You can see this implementation in action on this GDPR popup demo page. Notice that the comment section, which is powered by Disqus and requires a cookie that we've separated into a 'Functionality' group, does not load until the visitor confirms that they accept the functionality-related cookies. This means that even without consenting to specific cookies users can still see your non-cookie-related content.
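The following is an added example, not code from the original article, the demo page or Publii, of the mechanism just described: consent is stored per cookie group, defaults to "necessary only" until the visitor decides, can be changed later one group at a time, and is the only thing that decides whether a cookie-setting embed such as Disqus is loaded. The cookie name, the extra 'functionality' group (the demo's name for the Disqus group) and the embed list with its placeholder URLs are assumptions.

```javascript
// Added example (not the article's or Publii's code): a category-based
// cookie consent store and the gate that decides which embeds may load.
// Cookie name, the 'functionality' group and the embed URLs are assumptions.

const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing', 'functionality'];

// Until the visitor has chosen, only strictly necessary cookies are allowed.
function defaultConsent() {
  const c = { version: 1, decidedAt: null };
  for (const cat of CATEGORIES) c[cat] = cat === 'necessary';
  return c;
}

// Applies the visitor's choices. "necessary" cannot be switched off, only a
// strict `true` counts as agreement, and categories not mentioned keep their
// previous value so a later "change my mind" dialog can update just one.
function updateConsent(previous, changes, now = new Date()) {
  const next = { ...previous, decidedAt: now.toISOString() };
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;
    if (Object.prototype.hasOwnProperty.call(changes, cat)) next[cat] = changes[cat] === true;
  }
  next.necessary = true;
  return next;
}

// Reads consent back from a Cookie header or document.cookie string.
// Anything malformed falls back to the default (deny), never to "allow".
function parseConsentCookie(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join('=')));
      const decidedAt = parsed.decidedAt ? new Date(parsed.decidedAt) : new Date();
      return updateConsent(defaultConsent(), parsed, decidedAt);
    } catch (e) {
      return defaultConsent();
    }
  }
  return defaultConsent();
}

// Serialises consent for Set-Cookie or document.cookie. This cookie holds
// only the visitor's choices, so it belongs to the "necessary" group itself.
function serializeConsentCookie(consent, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Embeds that set cookies, and the group each one needs. URLs are placeholders.
const GATED_EMBEDS = [
  { id: 'disqus',    category: 'functionality', src: 'https://SHORTNAME.disqus.com/embed.js' },
  { id: 'analytics', category: 'statistics',    src: 'https://analytics.example/collect.js' },
  { id: 'ads',       category: 'marketing',     src: 'https://ads.example/tag.js' },
];

function embedsAllowed(consent) {
  return GATED_EMBEDS.filter((e) => consent[e.category] === true).map((e) => e.id);
}

// Browser glue (only does anything where a document exists): inject script
// tags for the consented embeds and leave the others unloaded.
function loadAllowedEmbeds(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const loaded = [];
  for (const embed of GATED_EMBEDS) {
    if (consent[embed.category] !== true || doc.getElementById(`embed-${embed.id}`)) continue;
    const s = doc.createElement('script');
    s.id = `embed-${embed.id}`;
    s.src = embed.src;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(embed.id);
  }
  return loaded;
}
```

In the page itself, the banner's "save" handler would call `updateConsent`, write the result with `serializeConsentCookie`, and then call `loadAllowedEmbeds`; on later visits `parseConsentCookie(document.cookie)` restores the choices and the same loader runs, so the comment section only ever appears after the functionality group has been accepted.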

As well as being responsible for providing information about our own activities, it also falls to the data administrators of our site to ensure that any third-party companies we use to collect data have a reasonable safety policy, as we take responsibility for any data collected through our site regardless of who is doing the collecting.

We should be careful to only sign data-processing agreements with above-board, reliable companies that can give a sufficient guarantee that they will treat the data appropriately, with all the necessary procedures and protections in their data processing to meet GDPR rules and protect the rights of our users.

To summarize

The points discussed above cover only a few fairly broad areas directly concerning your website and GDPR regulations. Besides these direct requirements, you will also have to prepare yourself in other ways, such as:

  • Preparing a registry for personal data processing.
  • Authorizing and training co-workers or other staff who have access to the data.
  • Creating records of any violations of personal data processing regulations.
  • Preparing a risk and consequence analysis for data processing procedures.

Working on this can be a daunting prospect, and there truly are a huge number of things that must be done to ensure that the GDPR requirements are met. However, if you're serious about continuing to have a site presence online, then the fact is that you must implement solutions to meet the regulations. As an added bonus, your customers will appreciate that you take full responsibility for protecting their data, making them all the more willing to work with you!

If security and GDPR-compliance are big concerns for your website, then Publii may be just the site-building tool you need. With it you can start building a super-fast static site that's near hacker-proof and GDPR-compliant, all from the comfort and safety of your desktop.


You may want to learn how to create an email newsletter subscription form with GDPR compliance
