Checklist To Ensure Your Website Is Compliant With GDPR
BY chithra.k
3 months ago

The European Union's General Data Protection Regulation (GDPR) comes into effect on May 25th 2018, and if you have clients and services across the EU, then you should definitely make your website compliant with the regulation.

[ To know more about GDPR, read the article 'What is GDPR and what it means to a website owner?']

The following is a checklist to ensure that your website is a GDPR compliant one. Ensure that:

  1. There is a published "Privacy Policy" page (or similar: About us, Terms of use) which is accessible via the main menu and describes how personal data is used or processed.
  2. Users are informed in clear and simple language about the cookies your site uses to collect data.
  3. Users have the option to reset their cookie preferences.
  4. Consent is obtained before personal information is processed.
  5. Users have the option to withdraw their consent.
  6. Modules used in the site gather only the personal data of site visitors that is necessary (i.e. nothing that is not needed for provision of the service).
  7. Registration forms or lead capture forms used in your site provide a clear explanation of their purpose and do not contain preselected checkboxes.
  8. No emails are sent from your site without the user's consent.
  9. Users can easily request access to their personal information.
  10. Users can edit their own personal information.
  11. Users can request deletion of their personal information.
  12. Erasure of data includes erasure of personal information from any 3rd party sites linked with your site.
  13. Users can request that processing of their personal information be stopped.
  14. Users can export their own personal information.
  15. There is a measure to obtain the consent of a parent if the child is below 16 years of age.
  16. Upon completion of the task for which the user data was collected, the data is automatically deleted.

To know more about the steps to follow to become GDPR compliant, read the article on 'Making your website GDPR compliant'.

For development assistance with the GDPR compliance process of your website, get in touch with us!



on 17th December 2018 / by chithra.k
You would have heard about the European Union's General Data Protection Regulation (GDPR), which takes effect on May 25th 2018. The aim of this regulation is to give EU citizens the right to control what information is collected about them by various businesses. GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. GDPR replaces the prior EU directive known as Directive 95/46/EC (the "Directive"), which has been the basis of European data protection law since 1995.

What is "personal" data?

Any information relating to an identified or identifiable individual; that is, information that could be used, on its own or in conjunction with other data, to identify an individual. For example: social security numbers, names, physical addresses, email addresses, IP addresses, behavioural data, location data, biometric data, financial information, and much more. It is also important to note that even personal data that has been "pseudonymized" is still considered personal data if the pseudonym can be linked to a particular individual. Sensitive personal data, such as health information or information that reveals a person's racial or ethnic origin, requires even greater protection.

How is GDPR different from the "Directive"?

GDPR has introduced several changes to privacy law. The following are the major changes that are relevant to site owners and developers.

Definition of personal data: As explained above, personal data is well defined, and any processing of personal data of EU citizens must comply with the GDPR.

Broader scope: The scope of data protection law is expanded beyond the EU to all organizations that process personal information of EU citizens, regardless of whether the processing takes place in the EU or not.

Rights of the data subject/individual: GDPR provides new rights to data subjects (individuals) which you must accommodate while processing personal data of EU citizens. The following are some of the significant new rights:

  • Right of access: Individuals have the right to know about the processing of their personal data: the purpose of processing, the categories of personal data concerned, the recipients with whom their personal data is shared, and the period for which the personal data will be stored.
  • Right to rectification: Individuals have the right to rectify incorrect data or complete incomplete personal data.
  • Right to erasure (right to be forgotten): An individual can request deletion of all of their personal data collected by the organization.
  • Notification obligation regarding rectification or erasure: The individual must be informed about the rectification or erasure of their personal data.
  • Right to data portability: Individuals have the right to receive their personal data from one organization and transfer it to another without hindrance.
  • Right to object: The individual has the right to object to the processing of their personal data for certain uses, such as marketing or profiling.

Strict consents: Under GDPR, organizations must ensure that proper consent from the individual is received before processing their personal data. This does not mean only asking for consent; an individual must also be able to withdraw their consent at any time.

Breach notification: If a data breach occurs and the personal data of individuals is compromised, the supervisory authority must be informed within 72 hours.

Penalties: Any individual who has suffered as a result of a violation of this regulation is entitled to receive compensation from the organization. Heavy fines will be imposed, especially for severe violations of the regulation. You can download the full pdf from here.

Ignorance is no longer bliss

Be careful about the excuse that you don't know the GDPR regulation. Ignorance of the law does not let you escape the huge penalties of non-compliance. If you would like to know more about how to become GDPR compliant, get in touch with us.

on 17th December 2018 / by nisha
As we fast approach May 25th 2018, organizations all across the European Union (and organizations that deal with European citizens and their data) are working to ensure that their business processes are compliant with the General Data Protection Regulation (GDPR) that comes into effect on that date.

What is GDPR?

The latest regulation in EU law on data protection and privacy, GDPR concerns the use of the data of all EU citizens, within and outside of the European Union. It explains in detail all the rights and rules that EU citizens have over their personal data.

Why is GDPR compliance of vital importance?

The main reason for GDPR is to give back to people the right to be informed about the data that organizations gather about them, and the right to know how it is being used and for what. Up until recently, consent was considered to be given by default.

Secondly, and more importantly for you as an organization, is how you react to the new regulations. By complying and being proactive in your GDPR compliance process, you are giving your visitors and clients the message that you have the user's best interest in mind and that you play fair and square. You are then well on your way to creating loyal and happy promoters. It also gives you an added advantage, as taking a strong strategic position in favour of GDPR sets you apart from your competitors in the industry.

The third reason, and definitely not one that can be taken lightly, is the penalties: fines that can go up to €20 million or 4% of the company's annual turnover, whichever is applicable.

How to become GDPR compliant?

The European Data Protection Regulation was adopted on April 14th 2016, but comes fully into effect on May 25th, 2018. Organizations will now have to review the systems and processes they have in place, especially any that handle data of people of the European Union. While it is going to take time for organizations to become fully compliant and effective, companies already dealing with personal data will need to prioritize getting consent from their users before that date.

Some key points to consider

One of the main things to focus on is ensuring that you do not gather data from visitors on the first page load. Even when gathering information, explicit consent checkboxes (not pre-ticked by default) should be present on all data gathering forms.

Right to Access

This is the basic right on which all other rights, like the right to update and the right to be forgotten, are based: the user should be able to view all of their information that has been collected. This could be through logged-in access or through written or verbal means, within a stipulated one-month period.

Right to be Informed

Any form on the site with fields for personal information should explain how the information is going to be used. The information provided to the user includes why the information is collected and for what, and with whom the information is shared (if anyone), and explicit permission must be obtained for every piece of information. The user consent forms would need to be preserved too.

Right to Erasure or to be Forgotten

The user should be able to withdraw consent at any time and without any hurdles, i.e. the process of withdrawing consent should be quite straightforward. When a person withdraws consent to use their individual data, the removal of data involves removing all data given by, and derived from, the person's usage of the services rendered. The consent withdrawal might be just a form for the registered user, but at the back end the submit button, once clicked, should trigger the deletion of all data related to that unique ID.

Compliance of cookies

With the introduction of GDPR, all third-party integrations and cookies that have access to a site user's data, including IP address and other associated data, are to be in compliance with the permission granted by the user. So your ability to comply will be affected by your third party's ability to comply.

While complying with GDPR might be a tough task, it is possible by sticking to two simple rules: do not ask for private information that you do not need, and do not keep the data longer than you need it. All this involves a clearly defined data flow process (data lineage) and a few more fields in the 'Contact Us' section.

Get in touch with us for setting up GDPR compliant forms and workflows on your Drupal site.

on 17th December 2018 / by chithra.k
It is high time to make your website GDPR compliant, as the regulation comes into effect on May 25th, 2018. If you would like to revisit our article on what GDPR is and how it can affect a site owner or developer, you can read our previous article here.

What do you have to do to comply with GDPR?

Now that you know what GDPR is and what it is about, here are the steps to follow to be compliant with GDPR.

Update your 'Privacy Policy' and 'Terms and Conditions'

These pages are among the key items for being GDPR compliant. The page should inform the user:

  • How you are using their personal data
  • With whom you are sharing their data
  • What cookies are used on your site and their purpose
  • Consent to email about order notifications

Consents

For more information on 'Consents', click here. Simply visiting a site is no longer considered consent. User consent must be collected by means of an opt-in checkbox or by choosing settings. It is equally important that users are able to withdraw consent easily. If consents are asked for via opt-in boxes in a settings menu, the user should be able to return to that menu and update their preferences. Unless a user explicitly says that they would like to be included in a list, don't add them. Silence is not considered consent.

If a user gives consent to process their personal data, it does not mean that you can process the data for an unlimited period. Consent should be collected or renewed every 12 months from the time of the user's first visit to the site. A cron job can be set up to automatically send emails to users and collect consent.

Cookies

Cookies are considered 'personal information'; therefore you have to disclose all of the cookies which are set by your site and why they are set, and give an option to opt out before they are set. However, there are different types of cookies which can be exempted from the consent requirement. For example: cookies used in a merchant website, session ID cookies for the duration of a session, authentication cookies, etc. These are mentioned in the 'Guidance on Cookie Consent and Expiration' by the French Data Protection Authority [1].

Be it a third-party or a custom cookie, whichever cookies you are using, you should make the information visible to the user in simple words. For example, say you are using Google Analytics; a sample privacy statement can be:

This website uses Google Analytics to help analyse how visitors use this site. No personally identifiable information is collected about you unless you explicitly submit that information on this website. The information collected is used to create reports of activities on this site. We use this to provide relevant content to our visitors.

For more information on 'Cookies', click here.

Cookie Banner

Instead of using the old disclaimer 'By browsing the site you accept cookies', you have to be clearer about the cookie policy. The disclaimer should specify the exact purpose of the cookies and the fact that by continuing to browse the website, the user accepts the use of cookies. You can add the types of cookies that are used in the site, for instance: Necessary, Marketing, Analytics, etc., with checkboxes. The cookie banner of 'The Marketing Eye' [4] can be taken as a reference. There should also be a link to a 'More information' page which displays information on how to opt out of or refuse cookies. For more information on 'Cookie Banners', click here.

Unfilled Checkboxes

You must make sure that no checkbox added to collect personal information from the user is ticked by default. For more information on 'Unfilled Checkboxes', click here.

Right of Access

A user should be able to easily access the personal information collected about them by the website. In the context of a Drupal website, they should be able to access their user profile page, which displays all of their information. For more information on 'Right of Access', click here.
Right to Rectification

A user should be able to update or correct their personal information; they must be able to edit their own profile data. Care should be taken to ensure that users are only permitted to access information as per their role. For more information on 'Right to Rectification', click here.

Right to Erasure

A user should be able to request deletion of their personal information. They can do this either by sending an email to the site admin or via a button on the user profile page; for the latter, a call-to-action button can be added to their profile. Once the request for erasure is received, the data should be deleted within 1 month. Upon deletion, the user should be informed about the erasure. For more information on 'Right to Erasure', click here.

Now what happens to the contents or orders of your site if you are to delete the entire user data? The law does not further describe how data should be deleted. If you want to keep the data for audit purposes, you can either mention this in the privacy policy or remove all the personal information of the user and replace the field values with pseudonyms. If you are sending the personal data of users to any third parties like Salesforce or Hubspot, you are obliged to inform all the third parties to delete the personal information of the user, via an API call or similar. This brings up another issue: backups. You should keep a separate list of forgotten user IDs so that when a restore process occurs, you re-forget the forgotten users.

Right of Data Portability

Users should be given an option to export all of their personal information. An 'Export Data' button can be included in the user dashboard. The exported data can be in the form of a CSV or spreadsheet. If your website only stores information like favourites, bookmarks, etc., then it is not mandatory to provide this feature, as this does not fall under personal information.
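The erasure procedure described above under Right to Erasure, as an added Python illustration that is not the site's or Drupal's own code: the profile is dropped, the user's orders are kept for audit under a pseudonym, third parties get deletion notices, and a list of forgotten user IDs kept outside the backup is re-applied after a restore. The in-memory store, the field names and the 'crm' third party are assumptions.

```python
import copy
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed schema for this illustration: the fields that count as personal data.
PERSONAL_FIELDS = ("name", "email", "address")

def pseudonym(uid: int, salt: bytes) -> str:
    # Stable alias; unlinkable without the salt, which lives with the forgotten list, outside backups.
    return "user-" + hashlib.sha256(salt + str(uid).encode()).hexdigest()[:12]

@dataclass
class Site:
    users: dict = field(default_factory=dict)    # uid -> profile (assumed layout)
    orders: list = field(default_factory=list)   # order records referencing a uid
    forgotten: set = field(default_factory=set)  # erased uids, kept outside backups
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def erase(self, uid: int) -> list:
        """Drop the profile, pseudonymise the user's orders so they stay usable for
        audit, and return the third-party deletion notices still to be sent."""
        profile = self.users.pop(uid, None)
        self.forgotten.add(uid)
        alias = pseudonym(uid, self.salt)
        for order in self.orders:
            if order["user_id"] == uid:
                order["user_id"] = alias
                for name in PERSONAL_FIELDS:
                    order.pop(name, None)
        return [f"delete user {uid} at {p}" for p in (profile or {}).get("third_parties", [])]

    def restore(self, backup: "Site") -> None:
        """Restore users/orders from a backup, then re-forget every erased user."""
        self.users = copy.deepcopy(backup.users)
        self.orders = copy.deepcopy(backup.orders)
        for uid in sorted(self.forgotten):   # the forgotten list is never restored
            self.erase(uid)  # third parties were already notified the first time

    def leaked_pii(self) -> list:
        """Forgotten users still identifiable: real uid or personal field on an
        order, or a surviving profile. Empty means the erasure held."""
        bad = [(o["id"], "user_id") for o in self.orders if o["user_id"] in self.forgotten]
        bad += [(o["id"], f) for o in self.orders if isinstance(o["user_id"], str)
                for f in PERSONAL_FIELDS if f in o]
        return bad + [(uid, "profile") for uid in self.users if uid in self.forgotten]

def demo() -> dict:
    """Constructed sample data: erase user 1, then restore an older backup."""
    site = Site()
    site.users = {1: {"email": "a@example.org", "third_parties": ["crm"]},
                  2: {"email": "b@example.org", "third_parties": []}}
    site.orders = [{"id": 10, "user_id": 1, "email": "a@example.org", "total": 20},
                   {"id": 11, "user_id": 2, "email": "b@example.org", "total": 5}]
    backup = copy.deepcopy(site)  # nightly backup taken before the request arrived
    notices = site.erase(1)
    site.restore(backup)  # a naive restore would have brought user 1 back
    return {"notices": notices, "order": site.orders[0], "users": sorted(site.users),
            "leaks": site.leaked_pii(), "in_backup": 1 in backup.users}
```

Run `demo()` to see that the backup still held user 1 but the restored site does not, and that `leaked_pii()` finds nothing; in a real deployment the third-party notices would become the API calls the text mentions.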
For more information on 'Right of Data Portability', click here.

Right to Object

The user should be able to object to the processing of their personal information. This can be in the form of a button on the user settings page. Once the user objects to processing of personal information, you should hide this profile from the public and other users. Such profiles can be marked as "restricted" and made visible only to the site admin. For more information on 'Right to Object', click here.

Age Checks

You should check your users' age, and if the user is a child below 16, then the law states that parental consent should be obtained. How to obtain this is not well defined, but one option is to provide a field to accept the email id of the parent and verify it. For more information on 'Age Checks', click here.

Delete Data that is No Longer Needed

You should explicitly state the amount of time that the user's personal data will be stored on your site, and delete it after that period. If you are an e-commerce site owner, then you should create a cron job to anonymise the order information once delivery is complete.

Technical and Security Measures

Audit logs should be kept, and you should be careful about potential data misuse such as employee logins, unprotected servers and insecure connections. You should ensure that the access permissions given to a user are correct and that they are not authorized to access sensitive information.

As an additional note, we would like to highlight that you don't have to include everything mentioned above unless you are processing personal data of EU citizens. To know more, get in touch with us.

References

  1. 'French Data Protection Authority Issues Guidance On Cookie Consent And Expiration', blog, published December 18, 2013, Hunton Andrews Kurth, accessed May 2018.
  2. Heather Burns, 'How GDPR Will Change The Way You Develop', blog, published February 27, 2018, Smashing Magazine, accessed May 2018.
  3. Bozho, 'GDPR - A Practical Guide For Developers', blog, published November 29, 2017, Bozho's Tech Blog, accessed May 2018.
  4. Neal Dyer, 'GDPR: B2B vs B2C - Can you still email your database?', blog, published December 19th, Marketing Eye, accessed May 2018.