Share this article
8 Steps to make your website GDPR compliant
The GDPR, or General Data Protection Regulation, is one of those intimidating laws that most businesses have in the backs of their minds. However, many companies don’t have an adequate grasp of GDPR or how to become compliant in GDPR.
What is GDPR and what is a GDPR compliant business?
The GDPR is a law of the European Union, though the UK has essentially the same law of its own, which is meant to protect EU consumers’ private data. It’s a law that guarantees certain privacy-related rights to EU citizens and lists practices your organization needs to follow regarding data privacy, such as keeping data secure, giving users the option to delete their data, being transparent about your data collection, and so on.
Countries require compliance with GDPR to help their citizens stay safe from data breaches, manipulative or invasive marketing, and other risks that come from a loss of digital privacy. Unless you’ve led a concrete effort to implement measures to comply with GDPR on your website, chances are there are critical requirements you’re missing. And those missing pieces can cause you to not be GDPR compliant. A lack of GDPR compliance can be costly, to the tune of millions in penalty fees.
How do you make your website GDPR compliant? The exact process will depend on what measures you already have in place and which ones you don’t, but follow these 8 steps to make sure all your bases are covered.
1. Find out where you stand with GDPR compliance
For all those who say, “I don’t know how to make my website GDPR compliant or where to even begin,” becoming GDPR compliant is easier to get started than you might realize. Before you make any changes, you need to know where you stand with GDPR compliance.
When first starting your journey to becoming GDPR compliant, there are a few questions you’ll need to ask, specifically which GDPR requirements do you currently meet and which ones should be on your to-do list?
The best way to make an initial GDPR compliance assessment is with compliance software—a tool that scans your site and its operations against the GDPR requirements. The right compliance platform will identify all the requirements you’re missing so you can start off with a clear and efficient action list to become compliant with GDPR.
2. Add requests for permission where necessary
One of the cornerstones of GDPR for websites is a switch from implied consent to specified consent. Implied consent is when users implicitly agree to data collection by being on your website. Specified consent occurs when users explicitly opt-in to data collection. Any time you’re collecting any user data, you need a checkbox, button, or similar way for users to consent to it.
If you’re using cookies or gathering any other data that users don’t purposefully provide, you need a pop-up or notification they see as soon as they get to your site. If you’re using any data you obtained from web sources, you must gain consent before adding them to a mailing list. Sources include:
- Forms
- Surveys
- Pages where users purposefully input data
3. Add data collection information to your site
Another key to GDPR compliance is being transparent about:
- What data you’re collecting
- How you’re using it
- How you’re processing it
- Who can access it
- Who you’re sharing it with
If you already have terms of service or a privacy policy on your site, you can include this information there. Or, you can add a new page or document to your site with these details as part of becoming GDPR compliant.
4. Investigate any third-party apps, plug-ins, or tools
Many websites use third-party components in some way. You might be using Google Analytics or other tracking tools for website metrics. You might have implemented plug-ins to allow for certain features or designs, or you may use a third-party chat service for example.
However, it’s important to understand that some of these plug-ins may cause your website to not be GDPR compliant. Regardless, if you’re using a third-party tool that plays any role in collecting, storing, using, or processing data from users, you need to make sure that tool is GDPR compliant.
5. Create a way to get in touch
Among other requirements, GDPR guarantees users certain rights regarding their data, like:
- The right to request all the data you have about them
- The right to request that you delete all their data
Users need to be able to reach the right person in order to act on their rights. Within your GDPR policy that details your use of user data, include the contact information of your data officer so users can reach out to them with these requests.
6. Update your data security
GDPR is all about the use and accumulation of user data, but it doesn’t just apply to you and how you use the data. To be GDPR complaint you also need to safeguard users’ data against unauthorized people accessing and misusing it.
For this reason, you need to implement data security measures to be GDPR compliant. This may look different at every company, but it can include tools and precautions like:
- Access controls
- Specific employee IDs
- Anti-virus software
- Firewalls
- Other security measures
7. Develop policies for GDPR compliance
As we noted above, GDPR guarantees that users have certain rights when it comes to your data, so you need to comply with users’ requests. These include:
- Requests to see all the data you have for them
- Requests to delete all their data from your servers
- Requests to correct their data
To be GDPR compliant, you need a GDPR policy that outlines your protocols and processes for addressing these requests.
You also need policies regarding potential data breaches, like protocols for addressing a breach and notifying users that their data was compromised. Be sure to have systems in place to monitor site changes and ensure GDPR compliance. This step of becoming GDPR compliant can be as simple as using an automation tool like Vanta to regularly scan your system.
8. Confirm and document your GDPR compliance
If you’ve followed the steps above and followed the guidance from your initial automation scan, your website should now be GDPR compliant. You need to confirm and document GDPR compliance.
The simplest strategy for how to make sure your website is GDPR compliant is to run your scan again. This thoroughly documents your compliance with each GDPR requirement so you can rest assured that you’ve checked all the boxes and that you’re adequately protecting your users’ data.
Get GDPR Compliant
Ultimate GDPR compliance checklist
How can GDPR compliance software make a difference to your business?
No items found.
FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
1
2
3
4
!
👍
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
SAQ A
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
SAQ A-EP
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
SAQ D
for service providers
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
ROC
Level 1 for service providers
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC
Download this checklist for easy reference
Questions?
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.
Related resources
ON-DEMAND WEBINAR
ISO 27001
ISO 27001:2022 What's changed and what it means for your business
In late 2022, ISO 27001 rolled out changes to the Annex A controls, minor updates to the clause language, modernized controls, as well as 12 new controls. Whether you have ISO 27001 and want to learn more about these updates, or are pursuing ISO for the first time, this on-demand webinar is for you. Join Matt Cooper, Senior Manager of Privacy, Risk, and Compliance at Vanta, and Steve Conley, IT Audit Director at Insight Assurance, to dive in.
The compliance news you need. Delivered securely to your inbox.
Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes
