private

The General Data Protection Regulation (GDPR)

How to Make Your Website GDPR Compliant (Part 1 of 2)

In May, the EU General Data Protection Regulation (GDPR) comes into effect. It introduces new regulations for almost all website operators. Only websites that are solely for family or personal purposes are excluded from the new rules.

The GDPR sets precise standards regarding what is to be considered personal dates and what form of consent must be given by the user in order to use his data (for marketing purposes).

Note: We are neither lawyers nor can we offer legal advice with this contribution. Therefore, the following measures do not claim to be complete.

What is the General Data Protection Regulation (GDPR)?

 

The GDPR is a European law with the aim of establishing a uniform legal framework for the processing of personal data by private companies and public authorities within the EU. The GDPR will become applicable when it comes to the processing of personal data. Personal data are all information relating to an identified or identifiable person. An identifiable person is a person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

According to the GDPR, personal data is involved even if the data processor cannot identify the data but a third party can do so. Thus, pseudonymized data such as IP addresses and cookies will also be considered as personal data. In practice, this wide definition means that in case of any doubt you should always expect personal data within the meaning of the GDPR, as almost all information could be interpreted as a personal date.

The regulation will come into force on 25 May 2018, from then on, your business is facing a potential fine of £20M or 4% of your annual turnover, in the event of a breach of duty.

With the approaching due date, uncertainty is spreading among many website operators. So what must be taken into account in order to avoid fines? The following article will give you an idea of the most important GDPR measures on your website.

In this article we will show you what you need to know about web hosting and your privacy policy. We also give you practical advice on how to make your contact forms GDPR compliant.

The second article on the GDPR deals with the following topics:

  • Newsletter Consent According to GDPR
  • Alternatives for Social Plugins in the context of the GDPR
  • Cookie Pop Up – yes or no?
  • GDPR compliant use of Google Analytics
  • GDPR compliant integration of Google Fonts

Contents of the Privacy Policy

 

From 25 May, the legal basis for data processing must be stated in the privacy policy. Such legal bases can be a purchase contract in online shops; the “legitimate interest” of a website operator can also serve as a legal basis, however, the specific interest must also be described here.  A justified interest for the storage of IP addresses can be the security of the website to defend against hacker attacks. However, IP addresses should not be stored for more than 14 days, and the user must be informed of this storage, including the reasons for this storage, within the privacy policy. In principle, you have to inform website visitors about all processes on your website in which data is collected and processed. This includes cookies, log files, localization functions, registration options such as newsletter subscriptions, comment functions, social sharing options, but also the use of analysis or tracking tools. In addition, you must also inform the user about his rights regarding information about the processed date, its deletion and correction as well as their right of revocation. Furthermore, there will be an obligation to inform about the right to restrict processing, the right of objection, the right to appeal to a supervisory authority and the right to transfer their personal data. According to the GDPR, the right of objection should also be highlighted, e.g. in bold or with a border.

NOTE: There are some tools or generators that will help you to make your privacy policy GDPR compliant.

Webhosting – Subcontracting Data Processing

 

As a website operator, you are not permitted to store personal data on a web space provided by a third party without an existing legal basis. To avoid asking every single visitor for consent, a subcontractor agreement according to Article 28 GDPR is the most efficient solution.

Such a subcontract regulates that the data processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Above all, however, the service provider is obliged to protect the data accordingly. In order to guarantee this, the website operator is granted control rights. One exception is the so-called housing: If you only rent servers in a data center without data processing by a third party, you do not need a contract for data processing. The leading web hosting providers mostly offer templates for subcontracting on their websites. You should make sure that these templates meet the requirements of the GDPR.

If your website is hosted outside the EU, for example in the USA, you should make sure that your web hosting provider has submitted to the so-called Privacy Shield. With this agreement between the EU and the USA, the hosting provider obligates to comply with European data protection standards.

GDPR Compliant Privacy Policy

 

A big part of GDPR is communicating to your users about how and why you’re collecting and using their data, especially all processes in which their personal data is processed. Article 13 of GDPR considerably extends the obligation to inform compared to the former German Telemedia Act:

Easily Accessible Privacy Policy

Your website visitor should be able to find the privacy policy easily and intuitively. Therefore, the privacy policy should be easily accessible from all pages, but in any case, linked via the home page. It is recommended to link the privacy notice in the footer of the page by default. You should make sure that cookie messages or similar pop-ups do not overlay the link to the privacy policy.

Furthermore, the privacy notice must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. If your target group is international, the privacy policy should also be available in all required languages.

GDPR Compliant Contact Forms

 

You should ensure that the transmission of data is secured by TLS or SSL encryption so that it complies with the principle of integrity and confidentiality according to GDPR.  Unencrypted forms can be identified by the fact that the corresponding URL starts with “http” and not with “https”. In addition, the data protection declaration should also regulate data processing via the contact form. In the best case you link the privacy policy in the vicinity of the send button with the note “Please take note of our privacy policy”.

Further Articles