10 steps to a GDPR compliant website
We’ve worked hard to develop a Consent Management Platform that truly complies with the GDPR provisions, so we had a lot to read and learn.
The main problem is that your website is probably the easiest thing for anyone to check, including a supervisory authority. Load the site, open the browser's developer tools, look at what gets loaded, and you know what is happening right from the homepage, before any consent has been given.
The other problem is that almost everyone uses something for their digital marketing, including retargeting or personalisation, and under the GDPR that is usually called "profiling", "processing on a large scale" or "automated decision-making".
While everyone seems genuinely interested in respecting the law, it is not always easy to understand how to achieve this.
We know how opaque this type of processing can be for most people and how difficult it is for website owners to make it all clear and transparent for their audience.
Some have tried cookie banners, others implied consent ("by continuing to use this site..."), and others have simply blocked visitors from the EU.
So, here’s what we’ve learned: You need to tweak your site in order to make it GDPR-compliant. There's no way around it.
First, you need to know what's happening.
1. Find out what is running on your sites. To start with, you should at least know which sites you own and who manages them.
It may sound silly, but you would be amazed how many large companies out there do not know this. Sometimes there are sites that were parts of old campaigns, closed projects, products that are no longer available.
Detect and review every application, tag, form, cookie etc. that you have on your website, and eliminate what is unnecessary or long forgotten.
2. Understand what each application does and who's behind it. You will need all this information when asking consent from your users.
As for the external vendors and third-party solutions that track the user, find out what data they process and for what purpose, how they store it and for how long, whether they share or disclose it to other third parties, what safeguards they have for data protection, their DPO’s contact details, etc.
Tip: Sign written data protection agreements with these third parties. You need agreements with your marketing technology providers and a clear understanding of the split of roles (controller / joint controller / processor), liabilities and guarantees. Keep in mind that you, as the site owner, are a data controller responsible for the lawful basis of the processing on your digital properties, and for informing your users about who is processing their data and how.
3. Determine if consent is needed and what type. If you are unsure, check our database.
If by this point you realise you do not need to ask for consent, skip to step 7.
Now it’s time to change things on your site.
4. Prevent applications from starting without appropriate consent. This is where most companies fail, by the way.
If you already use a tag manager: set up the tags for the applications that require consent so that they do not fire on page view. Create custom triggers or events for each purpose that the web page fires only once the appropriate consent has been given, and attach the tags to those triggers instead.
If you use Avandor Consent ;), you're already set up! Simply remove the tags from the site and paste them into the Avandor Consent Manager interface and specify when/where to run each tag.
If you don't use a tag manager, your developers have more work to do. They will need to write the code that loads each application tag only when the consent manager calls for it, and that keeps it from loading otherwise.
Relying on communicating consent to third-party apps (via parameters or consent frameworks) is a risky approach that leaves you without real control: the vendor's script has already loaded and executed on the page, and whether it honours the signal is entirely up to the vendor.
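The gating described in step 4, as an added example (this is not the page's or Avandor's own code): a small consent gate that registers third-party tags by purpose and only starts a tag once that purpose has been granted. Tag ids, purpose names and the script URLs are constructed for the illustration; the `loadScript` hook is injected so the gate can be exercised without a browser, and `injectScript` is the only part that touches the DOM.

```javascript
'use strict';
// Added example, not the page's or Avandor's code. Tag ids, purpose names and
// URLs are assumptions; only injectScript uses a real browser API.

class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript || ConsentGate.injectScript;
    this.tags = new Map();                    // id -> { purpose, src }
    this.granted = new Set(['necessary']);    // strictly necessary tags need no consent
    this.started = new Set();                 // tag ids that have been loaded (at most once)
  }

  // Browser default: start a tag by injecting a <script> element.
  static injectScript(src) {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }

  // Registering a tag never loads it by itself: it only starts if its purpose
  // is already granted (e.g. a stored choice replayed on a later page view).
  register(id, purpose, src) {
    this.tags.set(id, { purpose, src });
    this.flush();
  }

  // Called by the consent dialog with the purposes the user actively ticked.
  // Denial is the default, so nothing needs to be "denied" on page load.
  grant(purposes) {
    for (const p of purposes) this.granted.add(p);
    this.flush();
  }

  // Withdrawal stops future loads. A script that already ran cannot be
  // unloaded, so the caller must reload the page when this returns true.
  withdraw(purposes) {
    let reloadNeeded = false;
    for (const p of purposes) {
      if (p === 'necessary') continue;
      this.granted.delete(p);
      for (const [id, t] of this.tags) {
        if (t.purpose === p && this.started.has(id)) reloadNeeded = true;
      }
    }
    return reloadNeeded;
  }

  // Start every registered tag whose purpose is granted and that has not run yet.
  flush() {
    for (const [id, t] of this.tags) {
      if (this.started.has(id) || !this.granted.has(t.purpose)) continue;
      this.started.add(id);
      this.loadScript(t.src);
    }
  }
}

// Walk through a page view: only the necessary tag loads, analytics loads
// after consent, marketing never loads, repeated grants are idempotent and a
// tag registered late still respects the stored choice.
function runScenario() {
  const loaded = [];
  const gate = new ConsentGate((src) => loaded.push(src));
  gate.register('cmp', 'necessary', 'https://cmp.example/cmp.js');
  gate.register('analytics', 'analytics', 'https://analytics.example/a.js');
  gate.register('ads', 'marketing', 'https://ads.example/pixel.js');
  const afterPageLoad = loaded.slice();
  gate.grant(['analytics']);
  gate.grant(['analytics']);
  const afterConsent = loaded.slice();
  gate.register('late', 'analytics', 'https://analytics.example/b.js');
  const reloadNeeded = gate.withdraw(['analytics']);
  return { afterPageLoad, afterConsent, final: loaded.slice(), reloadNeeded };
}

module.exports = { ConsentGate, runScenario };
```

With Google Tag Manager the same split looks like this: the tags that need consent get a Custom Event trigger instead of the All Pages trigger, and `grant()` becomes a `dataLayer.push({ event: 'consent_analytics' })` fired by the consent manager; the stored choice has to be replayed on every page view, which is what the late `register` call above stands in for.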
5. Ask for the appropriate consent. Install (or develop) a consent manager and get valid consent.
“By continuing to use this website you agree...” notice is no longer enough. Get rid of it.
Valid consent means freely given, specific, informed and unambiguous consent to the data processing. This translates to:
- do not block access to your site if you did not get consent
- do not pre-tick any checkboxes
- do not declare marketing/tracking apps as "functional" or "strictly necessary" (even if your business really needs them). Some have already been fined for this...
- explain clearly the purposes you are asking consent for
- ask consent for each purpose separately
- explain what data is being processed, and which companies process it
- explain the user's rights
- explain how you collect, store and process their personal data
- make sure the user can return to the consent management window at any time
Keep in mind: what the user consents to is the data processing (done directly or via applications operated by third parties), not the cookie as a technical artefact. A notice that only names cookies says nothing about the purposes, and purposes are what the consent has to cover.
6. Store consent records for inspection
When you rely on consent as the legal ground for your processing operations, make sure you safely store every consent record in your system, because the controller must be able to demonstrate that a given user consented (Art. 7(1) GDPR). A record that can actually prove this holds who consented (a pseudonymous identifier is enough), when, to which purposes (granted or refused, one by one), which version of the notice they were shown, and when they later changed or withdrew their choice.
The rationale behind the obligation of demonstrating valid consent from the users is that data controllers must be accountable.
Hold on, there's more to do
7. Secure your site and infrastructure
You need to make sure your website (server, CMS, databases etc.) and all the data you store on it are secure, with special attention to personal data such as names, email addresses and identifiers. Serve the whole site over HTTPS with a current TLS configuration, not just the pages with forms, so that nothing a user submits or is identified by travels in the clear.
Develop internal procedures for data security breaches (under the GDPR a breach generally has to be notified to the supervisory authority within 72 hours of becoming aware of it, and to the affected users when it is likely to result in a high risk to them) and let your users know what safeguards you have implemented to protect their data.
8. Provide means for data access or even removal
The GDPR also recommends that, where possible, “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data” (Recital 63).
Probably the easiest way to grant your users their rights of access and erasure is via dedicated software (such as the Avandor Consent Manager), in the same place where they manage their data processing preferences and exercise their other rights.
9. Facilitate data protection inquiries
Make it easy for your users to raise data protection inquiries on predefined topics. This will also help you and your data protection team to manage these requests and provide answers and solutions within the legal deadline (under the GDPR, without undue delay and at most one month, extendable in complex cases).