How to make your website GDPR proof
Something tells us you don't want to be fined for violating privacy laws. Sleep on your two ears and take these steps to make your website or webshop GDPR compliant.
- Word of explanation about General Data Protection Regulation
- Importance of making your site GDPR proof
- Test your website's privacy settings
- Use these steps to make your website GDPR proof
- 5 steps to make your website GDPR (AVG) compliant
- Step 1: Inventory what personal data you process
- Step 3: Use a cookie banner to ask permission to process personal data
- Step 4: Ensure secure storage and processing of personal data
- Step 5: Create a data breach reporting protocol
- Making your business GDPR (AVG) proof: additional tips!
Word of explanation about General Data Protection Regulation
You probably already know what GDPR is, but for completeness we repeat it once more. That way you won't discover any surprises. 😉
Generally speaking, the global term GDPR stands as an abbreviation for the General Data Protection Regulation. Specifically, it is a European privacy law that has been in effect since May 25, 2018. The main purpose of the GDPR is to protect the privacy and personal data of individuals within the European Union. It used to be referred to (including in the Netherlands) as the Personal Data Protection Act.
This specifically introduced legislation has specific requirements that websites must comply with, such as obtaining consent to collect personal data and taking appropriate security measures.
The same as AVG
GDPR is a well-known term, but actually there is also a Dutch-language term to refer to that same law! Namely AVG. Those three capital letters stand for Algemene Verordening Gegevensbescherming. So GDPR and AVG mean exactly the same thing. There is no difference. Are you with me? 😀
Importance of making your site GDPR proof
Why you should put a GDPR proof website online? If only all questions were as simple as this one! Being GDPR proof is actually logic itself. After all, it's required by the GDPR AND you'll face hefty fines if you don't.
Besides, you owe it to your visitors and customers. They need to be one hundred percent sure that you as a business owner are handling their personal data safely and according to GDPR rules.
Test your website's privacy settings
Almost every website processes personal data. So probably yours does too! How GDPR proof is your website right now? Do the free iubenda compliance scan and find out which parts you urgently need to address. Maybe it's not that bad and you can save some work! 😃
Use these steps to make your website GDPR proof
As a matter of fact, it's a very good idea to use a roadmap to get your site legally ready. Because making your website GDPR (AVG) proof can be quite complex. That's because it's quite a tangle, figuring out which GDPR requirements your website must or must not meet.
A good roadmap is essential to becoming GDPR-proof and helps you to proceed systematically when implementing the AVG rules on your website. It provides guidance, structure and clarity, so you won't overlook important steps.
By including all required actions in your roadmap, you work more efficiently and save time and worry. So you can comply with data protection requirements as quickly as possible. Sounds good, right? 😀
5 steps to make your website GDPR (AVG) compliant
You can always count on Combell! So, also for making your online business GDPR proof! We will help you with this step-by-step plan and with reliable compliance software from iubenda! As a result, you will immediately take very big steps. 😉
Step 1: Inventory what personal data you process
Make an inventory of the types of personal data you collect from your visitors and customers. Taking inventory is an essential part of making your website GDPR proof.
Because you need to get a view of the extent of data processing on your site. So keep accurate records of what info you collect, how you use personal data and what you may be sharing with other parties. Don't fail to communicate transparently about this, because you are obligated to do so.
If you process personal data that is "likely to present a high risk to the rights and freedoms of natural persons," chances are you will need to conduct a Data Protection Impact Assessment (DPIA). This is the job of a Data Protection Officer.
Is your policy ready to go? Make it a web page and give it a place on your website. That way you are transparent about all the data that is collected, the reasons for collecting it and how the data is used.
Step 3: Use a cookie banner to ask permission to process personal data
Cookies allow you to track the surfing behavior of visitors. For example, through IP addresses. You can only do that if you have permission to do so. In fact, the GDPR states that anyone who puts cookies on an application must be transparent about it. You do that by communicating about the use, the reason why and the retention period of your cookies.
In addition to being well informed, your customers should be able to give their explicit consent for non-essential cookies to be placed on their device. These are non-strictly necessary cookies such as targeting or advertising cookies. Explicit consent is not required when it comes to essential cookies (first-party cookies).
If you flout these rules, you risk high fines or other severe penalties. To give you an idea: GDPR fines in Belgium average up to 25,000 euros per company. They all have to do with GDPR violations.
Step 4: Ensure secure storage and processing of personal data
In step 4 of our roadmap for GDPR readiness of your website, it is important to ensure the secure storage and processing of personal data.
That means taking appropriate technical measures to ensure that the personal data you collect and process is very secure against data loss or hacking!
One way of making your IT environment a fortified fortress is by installing firewalls, backups and protection against DDoS attacks. Do this thoroughly, because cybersecurity is one of the main requirements of the GDPR rules.
By the way, Combell puts a lot of effort into cybersecurity. Therefore, your hosting provider has a great responsibility in terms of security.
In order to optimally protect your data, we try to block as many attacks as possible beforehand. This way, your application remains completely unaffected.
Step 5: Create a data breach reporting protocol
Having a data breach reporting protocol is required by the GDPR (AVG) for all websites that process personal data.
Legally, a data breach means that there has been "unauthorized access to personal data or it has been accidentally destroyed, altered or lost."
Establish a clear and structured reporting protocol that allows you to respond quickly and carefully in the event of a data breach.
The protocol should include the steps you take as a company when discovering a leak (such as immediately stopping further data loss), determining the extent and impact of the leak, notifying relevant authorities and communicating with data subjects.
By the way, did you know that you also have reporting obligations? If you notice a data breach then you must report it to the relevant supervisory authority within 72 hours. Unless the data leak does not pose any risk to the rights and freedoms of data subjects.