What to do
Preparing your website for the GDPR
1. Privacy Policy
In your website’s Privacy Policy you must describe clearly and in detail how you collect personal information and how you process and store the data of your clients and visitors. You must also state for how long you keep the data and how users can view, correct and delete their personal data.
2. Consent
Wherever there are online forms that collect personal data (contact form, support, newsletter, purchase forms etc.), there must be a checkbox that is unselected by default. By checking the box the user gives consent and accepts the Terms of Service and the Privacy Policy. The Terms of Service must also contain a link to your Privacy Policy and to any other significant terms or service agreement you want to provide.
3. Data encryption by installing an SSL certificate
Your website, and especially your eshop, must encrypt data in transit using SSL. If you are not familiar with it, read more about what an SSL certificate is. It protects your transactions and the data users exchange with the server. If you don’t already have one, you can purchase an SSL certificate; there are also free certificates for “smaller” websites.
4. Easy unsubscribe or consent revocation
Users must be able to unsubscribe, or revoke their consent to any procedure or processing operation on their data, either by themselves or through their provider, FREE of charge. For example, users should be able to unsubscribe from the newsletter easily.
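The two requirements above (an opt-in checkbox that is unselected by default, and revocation that is always possible) and the “delete ALL their data” requirement further down translate into a small server-side rule set. The following is an added example, not code from the original page: a hypothetical consent ledger that rejects a form whose consent box was not ticked, records which policy version was accepted, and supports withdrawal and full erasure. The field names `email` and `consent` and the purpose strings are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

CHECKED = "on"  # what a browser submits for a ticked checkbox with no "value" attr

@dataclass
class ConsentRecord:
    email: str
    purpose: str          # e.g. "newsletter" or "terms_and_privacy" (assumed names)
    policy_version: str   # which Privacy Policy / ToS text was accepted
    granted_at: datetime
    revoked_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_from_form(self, form: Dict[str, str], purpose: str,
                         policy_version: str, now: Optional[datetime] = None) -> ConsentRecord:
        # Browsers omit an unticked checkbox entirely, so a missing field means
        # "no consent": never default this to True on the server.
        if form.get("consent") != CHECKED:
            raise ValueError("explicit consent is required to process this form")
        email = form.get("email", "").strip().lower()
        rec = ConsentRecord(email, purpose, policy_version, now or datetime.now(timezone.utc))
        self._records[(email, purpose)] = rec
        return rec

    def has_consent(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email.lower(), purpose))
        return rec is not None and rec.revoked_at is None

    def revoke(self, email: str, purpose: str, now: Optional[datetime] = None) -> bool:
        # Withdrawal must be possible at any time; keep the record so you can
        # show when consent was granted and when it was withdrawn.
        rec = self._records.get((email.lower(), purpose))
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = now or datetime.now(timezone.utc)
        return True

    def erase(self, email: str) -> int:
        # "Delete ALL my data": remove every record for this person, any purpose.
        keys = [k for k in self._records if k[0] == email.lower()]
        for k in keys:
            del self._records[k]
        return len(keys)
```

Any code that sends a newsletter or runs a marketing action should call `has_consent` first rather than reading a stored flag that might have been set by a pre-ticked box.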
5. Cookies
If you use cookies, visitors should be informed about it when they enter the site, and more details about the cookies should be given in the Privacy Policy. Visitors should also be able to disable cookies through their browser settings.
* If third-party cookies are used, such as Google Analytics, this must be mentioned in your site’s Privacy Policy: which cookies are used, why, and for how long they are stored.
6. IP tracking
If you track the IP addresses of your website’s visitors or members, this should be mentioned in the Privacy Policy, because IP addresses are individuals’ “personal data”.
7. Advertising in social media
If you use the email addresses of your site’s registered users for an advertising campaign on social media, the owners of those addresses must be informed first. They must also be able to unsubscribe from the lists if they want to.
8. Remarketing
Remarketing uses cookies to track your webpage’s visitors so that advertisements can be adjusted to their interests. Visitors must therefore be made aware of these practices in your site’s Privacy Policy.
9. Payment Gateways
If your e-shop uses payment gateways such as PayPal, Stripe etc. for customers’ transactions and their information is saved on your site, that information must be transferred over an encrypted connection using an SSL certificate.
If your eshop stores customers’ private data in the payment gateway, you should inform users through your website’s Privacy Policy of how long that information will be kept.
No fixed retention period is set; it is up to your judgement to choose a reasonable period, after which all of their data must be deleted.
Data of inactive users should be deleted after a reasonable amount of time.
If a user asks you to delete ALL their data, you have to do it.
10. Information Leak
The GDPR obliges businesses, in case of a breach of the personal data they hold, to notify the Personal Data Protection Authority of the country in which they are established within 72 hours.
SUMMARIZING
The GDPR compliance requirements
Consent: To process your clients’ personal data you are obliged, under the new regulation, to first ask for their explicit consent. If you collect data from minors through social media, you must first check their age, because you may need to ask for their parents’ consent.
Access and transferability: Give your clients access to their personal data so that they can process it and, if they want, transfer it to another company.
Data deletion: You must provide the “right to oblivion”, the new digital right that allows them to ask for the deletion of their private data, as long as freedom of expression is not violated and no investigation is impeded.
Marketing: If you use their personal data for the various marketing actions (or activities) of your business, they have the right to ask to be excluded.
Information Box
The above outlines in general terms the steps you need to take to be covered by this regulation, but it is advisable to seek the advice of legal counsel, because each case is different.