8 May 2018
Make your Website
A short GDPR overview, followed by recommended courses of action for small and medium-sized companies to make their websites GDPR compliant.
What is GDPR?
The General Data Protection Regulation is a new law, affecting all EU nations from May 25, 2018. The purpose of the law is to secure and protect the personal data of EU citizens. Companies or organizations failing to meet the new regulations risk substantial fines.
The new rules for handling personal data cover how data is stored, how it is protected, routines for handling security incidents, and users' right to access their data and to have it deleted. Organizations must also be able to state what the data is used for and why it is collected.
GDPR also applies to companies from non-EU countries, if the person using their service is an EU citizen.
As is often the case with new laws, there is some uncertainty and thus some areas that are open to interpretation on how GDPR should be applied. Note that we are not lawyers, and the advice we give is based on our interpretation of GDPR applied to the general needs for small and medium-sized businesses to make their websites GDPR compliant.
What do I Have to Do?
If you or your organization is responsible for a website, these are some of the most important things to do to become GDPR compliant:
- Clearly inform visitors about which personal information is stored, why and how it is stored, and where and for how long.
- Inform visitors how to avoid having personal information stored. You are also required to inform people how to access personal data that has already been stored, which according to the law must be delivered in a “portable transferable format”. Another requirement is to make sure people can have their data deleted when they choose to.
- Inform visitors when data needs to be stored, so that they can make an active choice to opt in or opt out.
- Keep in mind that you may not collect more personal information than is necessary, and collect data only for predefined purposes.
Review Security Practices
One of the new rules under GDPR is that all affected parties must be informed within 72 hours of a data breach being detected. There should therefore be a plan of action for these situations. Examples of data breaches include:
- personal information has leaked as a consequence of the website being hacked
- personal information has been accessed by a supplier that is not GDPR compliant
- personal information has been accessed by a third party without the user’s consent
- personal information has been accessed by someone in a country that is not GDPR compliant
Make sure all forms where visitors enter any personal information (for example name, address, email or phone number) also link to a page explaining how personal data is handled. Pre-ticked checkboxes will become illegal: the user must consciously and actively tick their choices.
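As an added example (not code from the original article), here is how such a form can present consent as unticked checkboxes that link to the privacy page, and how the server can treat anything not actively ticked as no consent; the privacy page path, the notice version and the two purposes are assumptions.

```javascript
// Added example (not from the original article): each purpose a form asks
// consent for gets its own unticked checkbox, and a submission is only
// accepted when it carries an explicit "yes" for the purpose the form needs.
const PRIVACY_URL = "/privacy";        // assumed path of the privacy page
const NOTICE_VERSION = "2018-05-08";   // which version of the notice was agreed to
const PURPOSES = {
  contact: "Store my name and email so you can reply to this enquiry",
  newsletter: "Send me the monthly newsletter",
};

// Consent markup for the form. No checkbox carries a `checked` attribute,
// so nothing is opted in unless the visitor ticks it.
function renderConsentFields() {
  const boxes = Object.entries(PURPOSES).map(([key, label]) =>
    `<label><input type="checkbox" name="consent_${key}" value="yes"> ${label}</label>`);
  return boxes.join("\n") +
    `\n<p>See <a href="${PRIVACY_URL}">how we handle personal data</a>.</p>`;
}

// Browsers leave unticked checkboxes out of the submitted body entirely, so
// an absent field means "no consent", never a default. Returns the consent
// records to store alongside the data, or throws when the purpose the form
// needs (here: contact) was not actively agreed to.
function processSubmission(body, submittedAt = new Date()) {
  const records = Object.keys(PURPOSES).map(key => {
    const given = body[`consent_${key}`] === "yes";
    return { purpose: key, given, noticeVersion: NOTICE_VERSION,
             givenAt: given ? submittedAt.toISOString() : null };
  });
  if (!records.find(r => r.purpose === "contact").given) {
    throw new Error("contact consent not given; submission rejected");
  }
  return records;
}

// Constructed submissions: one with both boxes ticked, one left untouched.
const ticked = { name: "A. Visitor", email: "visitor@example.com",
                 consent_contact: "yes", consent_newsletter: "yes" };
const untouched = { name: "A. Visitor", email: "visitor@example.com" };
console.log(processSubmission(ticked));
try { processSubmission(untouched); } catch (e) { console.log(e.message); }
```

The stored records (purpose, notice version, timestamp) are what lets you later show which text a visitor agreed to and when.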
Data Protection Officer
Designate a person as Data Protection Officer, responsible for documenting how personal data is handled, designing personal data management policies, performing risk analyses and establishing contracts with vendors that handle personal data. In short, a person whose task is to ensure that the company is GDPR compliant.
Data Processing Agreement
If you hire suppliers whose services involve processing personal data, those suppliers must also be GDPR compliant. To ensure this, a so-called Data Processing Agreement, under which both parties commit to complying with GDPR, must be in place.
Website hosting companies are typical examples of suppliers that need a Data Processing Agreement with their customers. For practical reasons, hosting companies often draft the agreement for their clients to sign, since reviewing a different agreement with each individual client would be unmanageable.
Other vendors with which a Data Processing Agreement is needed include cloud service providers (where personal data is stored in the cloud) and companies that offer services to analyze user behavior on websites. A common example is Google Analytics, which is widely used by many websites.
Since Google Analytics is so common, here are some tips on how to ensure GDPR-compliant use of it.
GDPR & Google Analytics
Even though Google also has to be GDPR compliant, an additional security measure is to enable IP Anonymization in the Google Analytics settings. As a consequence, no complete IP addresses are stored, which however also reduces the accuracy of GA’s geographical reporting.
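As an added example (not code from the original article or from Google), the JavaScript below reproduces the truncation Google documents for this option, zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, so the same minimization can be applied to a site's own access logs before they are stored or handed to a processor; the log lines are constructed.

```javascript
// Added example (not from the original article or from Google): the truncation
// Google documents for its IP anonymization option, IPv4 last octet zeroed and
// IPv6 last 80 bits zeroed, applied here to a site's own access log lines.
function anonymizeIPv4(ip) {
  const octets = ip.split(".");
  if (octets.length !== 4 ||
      octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  octets[3] = "0";
  return octets.join(".");
}

// Expand an IPv6 address (possibly written with "::") into eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (groups.some(g => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  return groups.map(g => parseInt(g, 16));
}
function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = 0; // keep 48 bits, zero the last 80
  return groups.map(g => g.toString(16)).join(":");
}
function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Rewrite the client address at the start of a common-log-format line.
function anonymizeLogLine(line) {
  const m = line.match(/^(\S+)(\s.*)$/);
  return m ? anonymizeIp(m[1]) + m[2] : line;
}

const sampleLog = [ // constructed sample lines, not real traffic
  '203.0.113.77 - - [08/May/2018:10:15:32 +0200] "GET /contact HTTP/1.1" 200 1043',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [08/May/2018:10:16:01 +0200] "POST /contact HTTP/1.1" 302 0',
];
console.log(sampleLog.map(anonymizeLogLine).join("\n"));
```

Addresses with an embedded IPv4 suffix (such as `::ffff:203.0.113.77`) are rejected rather than silently passed through, so malformed input never reaches the log store untruncated.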
Also make sure to accept the Data Processing Amendment, which should be found under Account Settings in Google Analytics Admin.
GDPR & WordPress
Keep in mind that personal information also includes comments on blog posts, and that plugins that handle user data also have to be GDPR compliant. If they are not GDPR compliant out of the box, make sure there are other ways of meeting the GDPR requirements, for example allowing users to request or delete their data.
Because GDPR requires all affected parties to be informed within 72 hours of a data breach being detected, the ability to detect security issues matters. We recommend keeping plugins and WordPress installations up to date, as well as installing a security plugin such as Wordfence.