If you are running 50+ websites for your company, it is important to make sure they are all GDPR compliant. To help you out, we have put together a checklist of procedures you need to follow. This way, you can ensure that you are meeting all the requirements of GDPR for your website portfolio and keeping your users’ personal data safe and secure.
In addition to this, it is important to provide users with the choice to opt in or opt out of data collection on your website. To make the process of GDPR compliance easier for you, we have created a checklist that details the specific procedures you need to follow to ensure that your business and website portfolio are GDPR compliant.
The GDPR
As of now, it is reasonable to assume that most people are aware of what the GDPR is and what it entails. Therefore, I will not delve into the specifics of the regulation or provide any further information on what it is.
The GDPR is a data protection regulation introduced by the EU in May 2018. It aims to strengthen and unify data protection for individuals within the EU, regulate the export of personal data, and grant individuals greater control over their personal information. Since its implementation, it has led to a greater awareness of data privacy and encouraged businesses to adopt more responsible data practices.
Here is our simple GDPR compliance checklist for all your websites
Before we dive into our checklist, it is important for you to be mindful of the personal information that your company possesses, where it is stored, and who has access to it. This is especially crucial for companies that have multiple websites. So, before we proceed, take a moment to consider this aspect and make sure you have a clear understanding of your company’s data management practices.
Know the data you hold
To do this, there are several key questions that you should ask yourself and your team. Here are some of the most important ones:
- What personal information do you store, and why?
- Does the data contain sensitive personal information? If so, how do you ensure that it is kept secure?
- Do any of your websites gather personal information from children under the age of 16?
- Why is this information required for all of your websites?
- Have you obtained consent to process this personal data, and if so, how?
- Where is this personal information stored, and who has access to it overall?
- Are any of these personal details held by third parties? If so, how do you regulate the processing of this data?
- What measures have been implemented to prevent unauthorised third parties from accessing your personal information, or using it for purposes outside the scope of the agreement with said third party?
- How long must this personal information be stored, and can any of it be removed or made anonymous?
Secure Your Website
It is crucial to prioritize the security of your online presence. Your website’s security must be a top priority, as the owner of your website portfolio, to ensure that your websites and the data stored within are protected from outside intrusions. Unfortunately, hackers and malicious individuals frequently target websites, making it essential to take measures to safeguard your user information.
Here are some steps you can take to secure your website, and protect user data:
- Install an SSL certificate to encrypt any information transmitted between your website and the server, indicated by the HTTPS website URL.
- Ensure that all admin account passwords are strong and secure.
- If your website collects payment information from users, implement additional levels of security to safeguard the server.
- Use a CDN provider that offers enhanced security measures, such as protection against DDoS attacks.
- Utilize anti-virus software or services to prevent unauthorized access to your website.
- Do not collect, use, or store personal information beyond what is necessary for your website.
- Avoid sharing sensitive personal information with third-party services.
- Anonymize personal data before storing it to prevent users from being identified.
- Remove personal information once it is no longer necessary for your website.
- Create multiple copies of your data to ensure its safety and availability.
Update privacy notice
It is important to ensure that your whole website portfolio has a clear and accessible privacy statement. This statement should be easy to find on every page of your site, even if there is no personal data being collected. The purpose of a privacy notice is to inform your visitors about how their data is being collected, used, and shared. It should also clearly explain their rights and your responsibilities. These rights may include the right to have their data deleted and the right to access their personal information. To make sure your privacy notice is effective, it must be written in simple, easy-to-understand language. It is not acceptable for users to have to search for the policy or click through multiple pages to find it.
Get Consent For Emails
If you have a mailing list that includes European residents, it is important to ensure that you are complying with GDPR regulations. This means that you must have explicit consent from your users in order to send them emails, particularly if you are using email marketing services to distribute newsletters or for any other kind of communication.
To make sure that you are getting this consent, it is generally recommended that you use a process known as double opt-in. This means that after a user provides their email address to your website, they will receive an email asking them to confirm that they want to be added to your mailing list. This helps to ensure that users have a clear understanding of what they are signing up for and can prevent accidental or unwanted signups.
Additionally, you should always make sure that users have the ability to easily opt-out of receiving emails from you. This means that you should include an unsubscribe link in all of your emails, and make sure that it takes users directly to a page where they can quickly and easily unsubscribe without any hassle.
Add A Cookie Banner
If your website uses optional cookies, it is important to obtain users’ consent to store cookies on their devices. You can do this by implementing a cookie banner that informs visitors about how your website uses cookies and what data is collected. Additionally, the banner should make it clear that users have the right to object to the storing of cookies.
To ensure that your cookie banner is effective, there are several factors to consider:
- Use simple and direct language in the banner, avoiding legal jargon and lengthy sentences.
- Specify the type of cookies you are using and why you need them.
- Explain why it is necessary to set cookies and how they benefit users.
- Clearly outline users’ options for controlling cookies, including an opt-in option for receiving them.
- Provide an opt-out option for users who wish to prevent your website from placing any cookies at all.
- Offer a third option for enabling consent only for certain cookie categories.
- Include a description of your privacy statement and a link to this page.
- Ensure that the banner cannot be closed or ignored as authorization.
- Do not load cookies without users’ prior consent (opt-in).
- If a user opts-out, cookies should continue to be banned on subsequent visits.
- Make it easy for users to withdraw or modify their consent by including a way to recall the banner.
Check Forms On Your Website
When your website has any forms that ask for personal information, such as contact details, you need to make sure you are following some important guidelines:
- Provide a privacy statement that explains why you are collecting this information, what you will do with it, and that users have the right to withdraw their consent at any time.
- In order to collect data from users, make sure they explicitly opt in. This can be done with a checkbox that is unchecked or a toggle switch that is turned off.
- Give users the option to choose whether they want to receive correspondence from you or related services.
- It is a good idea to include a link to your full Privacy Policy for more information.
Review Data Processors Or Third-Party Services
As a business owner, it is crucial to ensure that the services or companies you directly use are GDPR-compliant. Your first step should be to find out if they adhere to the regulations set forth by the GDPR. Any third-party service or business that you use must provide you with their privacy policy, either directly or indirectly. It is important to verify that they comply with your own privacy policy, especially if they are working for your business. Remember that they must also adhere to the GDPR guidelines, just like you.
Review International Data Transfer
If your company’s website relies on transferring personal data from the European Union (EU) to countries outside the EU, you need to consider a few things:
- Make sure to conduct proper risk assessments before transferring any data.
- Verify that the recipient country or service has adequate data protection measures in place.
- Ensure that you have all the necessary contracts in place with the business or service receiving the data.
Provide Data Rights Provision
As a user of a website, you have the right to request updates or deletion of any personal information that the website may have collected from you. This right is important, and website owners must ensure that users have easy access to the appropriate options to make these requests. However, the GDPR, which is a regulation designed to protect the privacy of individuals in the European Union, does not specify how website owners should provide this information to their users.
One way to make it easy for users to make these requests is to include a button or a link in the footer of each page on the website. Alternatively, the website can provide a separate page with more detailed instructions on how to manage personal data. Some websites even allow users to make these requests through email. To comply with GDPR regulations, website owners must clearly outline how they adhere to these rules in their privacy notice.
Analyze And Mitigate Data Breach
Here are some steps you can take to prepare yourself in case of a data breach:
- Keep track of your actions as you process information.
- Block all access to your website until you have resolved the issue.
- Conduct a thorough investigation into the breach, including where, when, and how it occurred, what data was affected, who was impacted, and what the consequences are.
- Within 72 hours, report the breach to the relevant supervisory authority with all the information you have. This should include the number of affected users, the type of personal data involved, and any measures you have taken or plan to take to address the situation and mitigate harm.
- If the breach poses a high risk to users’ rights and freedoms, inform them immediately and provide guidance on how they can protect themselves.
- To prevent future breaches, update your policies and procedures for website security.
- Develop a plan of action for dealing with future breaches or anticipating potential ones
Stay GDPR compliant with Nixon Digital with over 50+ websites
However, it is important to keep in mind that there is no one-size-fits-all strategy or solution when it comes to GDPR compliance. Each organization operates differently and must comply with GDPR in their own way, which requires careful planning and analysis of unique business requirements.
At Nixon Digital, we can help you stay up-to-date with GDPR best practices across your entire website portfolio. Our platform automates the compliance process and provides a clear overview of all your domains, helping you achieve consumer trust. You can easily monitor whether each domain is compliant with GDPR and other regulations. Learn also more about the best compliance audit practices.