If you are a website owner, you probably do collect EU residents’ data protected by the new General Data Protection Regulation (GDPR). The legislation extends individuals’ control over the processing, handling and storing of their personal data. Perhaps you collect names and emails so visitors can subscribe to your newsletter, take payment details for an online store or use a cookie to track users’ behaviour. Whatever data processes you have in place, your website is still subject to the EU General Data Protection Regulation, which takes immediate effect on 25 May 2018. Most organisations are not yet compliant, so a lot of work is expected around the compliance deadline. There are many things to consider while preparing a GDPR-compliant website. This blog outlines three crucial requirements for a GDPR-compliant website.
GDPR compliant website: 3 Key Requirements
Why are you collecting personal data?
The idea behind the GDPR is that companies should collect as little information as possible about data subjects, which in turn decreases the chances of data misuse. This is particularly important for websites, as most of their data is generated by internet users’ activity. Websites need a documented plan outlining their data processing, handling and retention procedures, each justified by a lawful reason.
User consent is currently the most widely used lawful basis, but the GDPR toughens the restraints on it, and websites should treat it as a last option when justifying their data minimisation and storage policies. Consent must be explicitly given by a user before their data is collected or processed. For children under the age of 16, websites must seek consent from a parent or guardian of the child. Personal data also requires explicit consent.
Don’t forget to check our Guide to Data Protection.
- The right of access: Individuals must be allowed to submit subject access requests, which require organisations to provide a copy of any personal data about them.
- The right to rectification: If the information an organisation holds is inaccurate or incomplete, individuals can request that it be updated.
- The right to be forgotten: Individuals can request that an organisation deletes the data stored about them.
- The right to restrict processing: As an alternative to erasing data, there are times when individuals might prefer to merely limit its processing.
Individuals have nine rights in total, which you can read about in more detail on our GDPR blog.
What cookies are you using?
Cookies are subject to the GDPR if they contain personal data, and various types of cookies fall into this category, such as those used for Google Analytics, advertising and functional services (e.g. survey and chat tools). Organisations must account for all cookies that contain personal data and decide whether there is a legitimate, specific reason for using them. If there is no justifiable reason, the offending cookies should stop being used. If there is a reason, the website should make this clear. Cookie Law recommends that organisations do this via soft opt-in consent: “This means giving an opportunity to act before cookies are set on the first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
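The inventory-and-justify step and the soft opt-in gate described above, as an added browser-side example that is not part of the original post or of any consent product. The cookie names, categories and the `ConsentGate` class are assumptions; only `session_id`-style strictly necessary cookies are set before the visitor acts on the notice, and any cookie holding personal data without a documented purpose is never set at all.

```javascript
// Constructed inventory: every cookie the site sets, its category, whether it carries
// personal data, and the documented reason for it (the "account for all cookies" step).
const cookieInventory = [
  { name: "session_id", category: "strictly-necessary", personalData: true, purpose: "Keeps the visitor logged in" },
  { name: "_ga",        category: "analytics",          personalData: true, purpose: "Google Analytics visitor id" },
  { name: "ad_id",      category: "advertising",        personalData: true, purpose: "" }, // no justification recorded
  { name: "chat_uid",   category: "functional",         personalData: true, purpose: "Chat tool continuity" },
];

// Cookies holding personal data with no recorded reason must be dropped, not loaded.
function unjustifiedCookies(inventory) {
  return inventory.filter(c => c.personalData && !c.purpose.trim()).map(c => c.name);
}

// Hypothetical soft opt-in gate: nothing beyond strictly necessary cookies is set until
// the notice has been shown and the visitor has taken an affirmative action.
class ConsentGate {
  constructor(inventory, store = new Map()) {
    this.inventory = inventory;
    this.store = store;          // stands in for document.cookie / localStorage
    this.consented = new Set();  // categories the visitor has agreed to
    this.noticeShown = false;
  }
  // First visit: show the fair notice; only strictly necessary cookies may be set.
  firstVisit() {
    this.noticeShown = true;
    return this.allowedCookies();
  }
  // Affirmative action after the notice (consent button or continuing to browse).
  recordConsent(categories) {
    if (!this.noticeShown) throw new Error("consent cannot be recorded before the notice is shown");
    categories.forEach(c => this.consented.add(c));
    // Keep a record of what was consented to and when, for later access requests.
    this.store.set("consent_record", JSON.stringify({ categories: [...this.consented], at: Date.now() }));
    return this.allowedCookies();
  }
  // Names of cookies the site may currently set: justified, and either necessary or consented.
  allowedCookies() {
    return this.inventory
      .filter(c => c.purpose.trim())
      .filter(c => c.category === "strictly-necessary" || this.consented.has(c.category))
      .map(c => c.name);
  }
  // Call this before any document.cookie write or analytics/advertising script load.
  canSet(name) { return this.allowedCookies().includes(name); }
}
```

Wire `canSet` in front of each script that sets a cookie, so an analytics or chat tag is only injected once its category has been consented to.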
Get GDPR Ready with Apex
- City & Guilds Accredited eLearning
- Updated content
- Develops Data Safety knowledge
- Instantly available course
- Completed in 60 minutes
- Subject Access Request game
- Interviews with legal experts
- Interactive content
- Certificate for your CV