The GDPR, or General Data Protection Regulation, is one of those intimidating laws that most businesses have in the backs of their minds, but many companies don’t have an adequate grasp of it. Unless you’ve led a concrete effort to implement measures to comply with GDPR on your website, chances are that there are critical requirements you’re missing. And those missing pieces can be costly, to the tune of millions in penalty fees.
How do you make your website GDPR compliant? The exact process will depend on what measures you already have in place and which ones you don’t, but follow these steps to make sure all your bases are covered.
1. Find out where you stand
For all those who say, “I don’t know how to make my website GDPR compliant or where to even begin,” it’s easier to get started than you might realize. Before you make any changes, you need to know where you stand: Which GDPR requirements do you currently meet and which ones should be on your to-do list? The best way to make that initial assessment is with compliance software.
A compliance software tool scans your site and its operations against the GDPR requirements. The right compliance platform will identify all the requirements you’re missing so you start off with a clear and efficient action list.
2. Add requests for permission where necessary
One of the cornerstones of GDPR for websites is a switch from implied consent (if users are on your site, they have de facto consented to your data collection) to specified consent (users must opt in to your data collection before you take in their data). Any time you collect any user data, you need a checkbox, button, or similar way for users to consent to it.
If you’re using cookies or gathering any other data that users don’t purposefully provide, you need a pop-up or notification they see as soon as they get to your site. If you’re using any data you get from forms, surveys, or other pages where users purposefully input data, you need to get their consent if you’re using the data in any way such as adding them to your mailing list.
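The opt-in model above, as an added example that is not part of the original article: a small consent gate that blocks non-essential cookies until the user has made an explicit choice, records that choice for documentation, and makes withdrawal as easy as consent. The category names, the `_ga` cookie and the storage callback are assumptions for the demo.

```javascript
// Added example (not the article's code): a minimal opt-in consent gate.
// Nothing non-essential is stored until the user explicitly says yes, which
// is the "specified consent" model described above. Category names and the
// storage callback are assumptions for the demo.
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

class ConsentManager {
  constructor() {
    this.decisions = {}; // category -> true/false once the user has chosen
    this.log = [];       // timestamped record of choices, for documentation
  }
  // Record an explicit, per-category choice made by the user.
  decide(category, granted) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category");
    this.decisions[category] = Boolean(granted);
    this.log.push({ category, granted: Boolean(granted), at: new Date().toISOString() });
  }
  // Withdrawing consent must be as easy as giving it.
  withdrawAll() {
    for (const c of CATEGORIES) this.decide(c, false);
  }
  // Strictly necessary cookies never need consent; anything else requires an
  // affirmative, recorded "true". No decision yet means no consent.
  canSet(category) {
    return category === "essential" || this.decisions[category] === true;
  }
}

// Refuses to write a non-essential cookie without consent. `setCookie` is a
// constructed callback standing in for document.cookie so this runs in Node.
function setCookieIfAllowed(manager, name, value, category, setCookie) {
  if (!manager.canSet(category)) return false; // blocked, nothing written
  setCookie(`${name}=${encodeURIComponent(value)}; SameSite=Lax; Secure`);
  return true;
}

// Demo: first visit before any choice, then opt-in, then withdrawal.
function demo() {
  const jar = [];
  const cm = new ConsentManager();
  const before = setCookieIfAllowed(cm, "_ga", "GA1.2.1", "analytics", s => jar.push(s));
  cm.decide("analytics", true);
  const after = setCookieIfAllowed(cm, "_ga", "GA1.2.1", "analytics", s => jar.push(s));
  cm.withdrawAll();
  return { before, after, stored: jar.length, blockedAgain: !cm.canSet("analytics") };
}
```

In a real site the same gate would wrap the loading of the analytics script itself, not only its cookie, since a tag that has already loaded can set cookies on its own.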
3. Add data collection information to your site
Another key to GDPR compliance is transparency: what data you collect, how you use and process it, who can access it or whom you share it with, and so on. For that reason, one of the primary steps in adding GDPR compliance to your website is publishing this detailed data-collection information.
4. Investigate any third-party apps, plug-ins, or tools
Many websites use third-party components in some way. You might be using Google Analytics or other tracking tools for website metrics, plug-ins that provide certain features or designs, or a third-party chat service. Regardless, if a third-party tool plays any role in collecting, storing, using, or processing user data, you need to make sure that tool is GDPR compliant.
5. Create a way to get in touch
Among other requirements, GDPR guarantees users certain rights regarding their data, like the right to request all the data you have about them, the right to request that you delete all their data, and so on. For them to do this, they need to be able to reach the right person. Within your GDPR policy that details your use of user data, include the contact information of your data officer so users can reach out to them with these requests.
6. Update your data security
GDPR is all about the use and accumulation of user data, but it doesn’t just apply to you and how you use the data. You also need to safeguard users’ data against unauthorized people accessing and misusing it. For this reason, you need to implement data security measures. This may look different at every company, but it can include tools and precautions like access controls and specific employee IDs, anti-virus software, firewalls, and other security measures.
7. Develop policies for GDPR
As we noted above, GDPR guarantees that users have certain rights when it comes to your data, so you need to comply with users’ requests. These include requests to see all the data you have for them, requests to delete all their data from your servers, requests to correct their data, and so on. To be GDPR compliant, you need a GDPR policy that outlines your protocols and processes for addressing these requests.
You also need policies regarding potential data breaches, like protocols for addressing a breach and notifying users that their data was compromised. Be sure to have systems in place to monitor site changes as well to make sure your site stays compliant. This can be as simple as using an automation tool like Vanta to regularly scan your system.
8. Confirm and document your compliance
If you’ve followed the steps above and the guidance from your initial automation scan, your website should now be GDPR compliant. You still need to confirm and document this, though. The simplest way to make sure your website is GDPR compliant is to run your scan again. This documents your compliance with each GDPR requirement so you can rest assured that you’ve checked all the boxes and are adequately protecting your users’ data.