8 steps to your GDPR-compliant website

Here is a simple walkthrough of eight points your website must fulfil to be GDPR-compliant, so that you avoid warnings or fines.

David Minkovski
7 min read, Jun 19, 2020

1. Make your website SSL-encrypted

Websites that collect personal data must always be encrypted (with TLS, still commonly called SSL). This applies in every case, whether the data comes through contact forms, event sign-ups, newsletter sign-ups or e-commerce. You can recognise an encrypted page by the "https" at the start of its URL; many browsers, such as Chrome, also show a lock symbol in front of the URL to mark the site as secure.
This is an easy way to check whether the page you are visiting is SSL-encrypted or not.

Get your Free SSL Certificate

Check that this is the case on all of your pages and subpages (and that plain http requests are redirected to https). If not, contact your web administrator as soon as possible.
They should be able to convert your site to an SSL certificate without any trouble; there are plenty of providers, such as Let's Encrypt, that offer free SSL certificates. Not only does the GDPR require encrypted websites; encrypted pages are also preferred in Google search results and outrank non-encrypted ones.

2. Take a look at your privacy policy

All third-party services and plugins you use on your website that make the collected data accessible to a third party must be listed in your data protection declaration (privacy policy).

One such example is the Facebook Like button.
Even if you only use Google's reCAPTCHA to stop bots from spamming the page, you are passing on personal data, for example to a server in the United States.

Most website owners and operators are not aware of this. Now you are!

In addition, the data protection declaration must now contain significantly more information about the rights users have under the GDPR.

You can generate a basic data protection declaration for free here.

Generate your free GDPR Privacy

3. Check all your website forms

Can your visitors sign up for a newsletter on your website? Can they make an appointment? Register for an event? Contact you using a contact-form?

Then you have to revise them all!
From now on, you may only use them to collect the personal data you actually need to answer the inquiry.

What counts as necessary depends entirely on the situation.
To subscribe someone to a newsletter, you only need their email address.
Their first and last name are not needed for the action itself.
Therefore, the first-name and last-name fields of your form cannot be mandatory!

All mandatory fields in forms must be marked, usually with an asterisk (*).
If you want to collect further data, it must be clear to the user that this information is voluntary, for example by labelling the field "optional".

An example passage in your privacy policy could look like this:

"We process your contract data (e.g. services used, names of contact persons, payment information) in order to fulfil our contractual obligations and services in accordance with Art. 6 para. 1 lit. b GDPR. The information marked as mandatory in online forms is required for the conclusion of the contract."

Make sure that you obtain separate consent for each purpose for which you need data.
If you want to send your newsletter to a visitor who has made an appointment or contacted you, you need additional consent for that, collected through its own form or checkbox.

Every form needs a link to the privacy policy before the user submits it.
See an example form below.

4. Check social media plugins and embedded videos

Social media plugins provided by Facebook and other companies collect personal data without the website user noticing, and can thus build detailed personality profiles.
The same applies if you embed videos, for example from YouTube.com or Vimeo.com.

This means:
If you have embedded YouTube videos on your page, you automatically transfer your visitors' data to YouTube (and therefore Google), regardless of whether the user ever clicks on the video.

Privacy lawyers have long criticised these plugins as legally very risky.
Under the GDPR, using them becomes even more critical.

SOCIAL MEDIA PLUGINS
One option is simply to remove the Facebook Like button and similar plugins.
If you do want to use them, you can use a tool like Shariff.
With this solution, visitors decide for themselves, after the page has loaded, whether their data should be transmitted to the social networks through the plugins.

Facebook Like Button

VIDEOS
If you embed YouTube videos on your page, use the "extended data protection mode" (YouTube calls it privacy-enhanced mode; the embed then uses the youtube-nocookie.com domain). You can find it after choosing "Share", "Embed" and "Show more".
There is currently no GDPR-compliant solution for Vimeo.

5. Check your analytics and reporting tools

Practically everyone who operates a website uses a service such as Google Analytics to analyse how much traffic (user visits) it generates and how users behave, in order to optimise the page for conversions.

IP addresses are collected in the process.
Under the GDPR, they have to be truncated so that the collected data is anonymised and the person can no longer be identified.

To do this, contact your web administrator, who can add the "anonymizeIp" setting (called "anonymize_ip" in gtag.js) to the Google Analytics code on your website.

Anonymize IP with Google

In addition, you must conclude a data processing agreement with Google and state in the privacy policy that you are using analytics and reporting tools.

“Please note that the data processing agreement pursuant to § 11 German Federal Data Protection Act (1990) previously made available at this location is no longer available as of the EU General Data Protection Regulation 2016/679 (GDPR) becoming applicable on 25 May 2018. Instead, a data processing agreement pursuant to Article 28 GDPR is available from this date for electronic acceptance (pls. see Art. 28 (9) GDPR with the option to conclude data processing agreements in ‘electronic form’). More information about the data processing agreement for Google Analytics can be found here.”

In addition, there must be a link to the Google Analytics terms of use and data protection provisions, and an opt-out function must be integrated.

This means:
With a single click, a user must be able to ensure that their data is no longer passed on to Google or any other third party.
Talk to your webmaster about integrating this opt-out function.

Google Data Processing Contract

Analytics Opt-Out Function
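As an added example (not code from this post, from Google or from any plugin), here is how the anonymizeIp setting and the one-click opt-out described above fit together in a gtag.js snippet. The property ID is a placeholder, the cookie name and the ten-year retention of the opt-out are assumptions, and the `window['ga-disable-…']` flag is Google's documented switch for disabling tracking.

```javascript
// Added example, not code from the original post. The page must still load
// https://www.googletagmanager.com/gtag/js?id=<property> as usual; this script runs first.
const GA_PROPERTY = 'UA-XXXXXXXX-Y';             // placeholder: your Universal Analytics property ID
const DISABLE_KEY = 'ga-disable-' + GA_PROPERTY; // Google's documented window flag; reused as the cookie name (our choice)
const OPT_OUT_TTL_MS = 10 * 365 * 24 * 3600 * 1000; // assumption: remember the opt-out for ten years

// Parse a Cookie header / document.cookie string into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// True when this browser has previously clicked the opt-out link.
function isOptedOut(cookieString) {
  return parseCookies(cookieString)[DISABLE_KEY] === 'true';
}

// Cookie string that persists the opt-out; path=/ so it covers every subpage.
function optOutCookie(now = Date.now()) {
  const expires = new Date(now + OPT_OUT_TTL_MS).toUTCString();
  return `${DISABLE_KEY}=true; expires=${expires}; path=/; SameSite=Lax`;
}

// gtag.js config object: anonymize_ip makes Google truncate the IP before storing it.
function gtagConfig() {
  return { anonymize_ip: true };
}

if (typeof window !== 'undefined') {
  // 1. Honour an earlier opt-out before gtag.js runs, so no hit is sent at all.
  if (isOptedOut(document.cookie)) window[DISABLE_KEY] = true;

  // 2. One-click opt-out handler for the link in the privacy policy, e.g.
  //    <a href="#" onclick="gaOptOut(); return false;">Disable Google Analytics</a>
  window.gaOptOut = function () {
    document.cookie = optOutCookie();
    window[DISABLE_KEY] = true;
  };

  // 3. Standard gtag.js bootstrap with IP anonymisation switched on.
  window.dataLayer = window.dataLayer || [];
  window.gtag = function () { window.dataLayer.push(arguments); };
  window.gtag('js', new Date());
  window.gtag('config', GA_PROPERTY, gtagConfig());
}
```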

6. Inform about cookies!

Your website probably uses cookies: small files that store data locally on the device.
They are used to recognise the user and make browsing the website easier.
Cookies are still a grey area even after the General Data Protection Regulation.
But to avoid warnings, your website users should give their consent to your use of cookies when they first visit your website.

The text of the cookie popup should state as specifically as possible what data is collected, what it is used for and to which third-party services it may be passed on.

For example:

“In order to continuously optimize your user experience on our website, we use cookies. By continuing to use the website, you consent to the use of cookies and our privacy policy.”

A section on cookies also belongs in the data protection declaration.
The GDPR requires you to state the legal basis for the use of cookies.
In addition, the data protection declaration must tell users how they can prevent cookies from being set.

7. Check your newsletter!

Everyone who uses a newsletter service such as MailChimp, CleverReach or Newsletter2Go must conclude a data processing agreement (a contract for processing on your behalf) with the service provider. Ask your provider for such a contract or agreement.

You may also need to revise the registration form. It must state what the newsletter is used for and what information subscribers will receive when they sign up.
The only field you may make mandatory is the email address.
A link to the privacy policy also needs to be included in the registration form.

Users must also be clearly informed that they can withdraw their consent.
Put a link to the unsubscribe form on the page with the registration form.

To ensure that nobody is registered as a subscriber against their will, and so that you can prove consent with legal certainty, you must use the double opt-in method.
This means that before you activate an email address for the newsletter, the user must confirm again via a personalised confirmation link (the so-called check mail) that they actually own that mailbox.

Furthermore, each newsletter email must contain a link to unsubscribe from the newsletter.

8. Check your Web Host!

Your web host provides your website and takes over the operation of the web servers and the network connection. If the host merely provides the internet connection and does not process personal data, no data processing on your behalf takes place.

However, if the web host also takes on tasks in which it processes personal data, such as email management or email archiving, then it does process data on your behalf and you must conclude a data processing agreement with it.

Get your free Data processing Agreement Template

https://gdpr.eu/wp-content/uploads/2019/01/Data-Processing-Agreement-Template.pdf