Preparing your website for GDPR

1. Privacy Policy

In your website’s Privacy Policy, you must describe clearly and in detail how you collect personal information and how you process and store visitors’ and clients’ data. You must also state how long you retain the data and how users can view, correct and delete their personal data.

2. Consent

Wherever there are online forms that collect personal data (contact, support, newsletter, purchase forms, etc.), there must be a checkbox that is unselected by default. By checking the box the user gives consent and accepts the Terms of Service and the Privacy Policy. The Terms of Service must also contain a link to your Privacy Policy and to any other significant terms or service agreement you want to provide.

3. Data encryption with installation of an SSL certificate

Your website, and especially your e-shop, must encrypt data in transit using SSL/TLS. In case you don’t know, read more about what an SSL certificate is. It secures your transactions and the transfer of users’ data to and from the server. If you don’t already have one, you can purchase an SSL certificate. Free certificates are also available for “smaller” websites.

4. Easy unsubscribe or consent revocation

Users must be able to unsubscribe or revoke their consent to any procedure or processing operation on their data, either by themselves or through their provider, FREE of charge. For example, users should be able to unsubscribe from the newsletter easily.

5. Cookies

If you use cookies, visitors should be informed about them when they enter the site, and further details about the cookies should be given in the Privacy Policy. Moreover, they should have the ability to disable cookies through their browser’s settings.

* If third-party cookies are used, such as Google Analytics, this must be mentioned in your site’s Privacy Policy: which cookies are used, why, and for how long they are stored.
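A practical way to meet section 5 is to keep a single inventory of cookies and let it drive both the table in the Privacy Policy and the gate that keeps third-party scripts from running until the visitor has agreed. The following is an added example and not code from the original article; the cookie entries, the `cookie_consent` cookie format and the loader snippets in `TAGS` are constructed for illustration.

```javascript
// Added example: cookie inventory, Privacy Policy table, and an opt-in gate
// for optional (analytics/marketing) cookies. All entries are constructed.
const COOKIE_INVENTORY = [
  { name: 'session_id',     category: 'necessary', party: 'first',                    purpose: 'Keeps you logged in during a visit',       retention: 'Session' },
  { name: 'cookie_consent', category: 'necessary', party: 'first',                    purpose: 'Remembers your cookie choices',            retention: '12 months' },
  { name: '_ga',            category: 'analytics', party: 'third (Google Analytics)', purpose: 'Distinguishes visitors for usage statistics', retention: '2 years' },
  { name: '_fbp',           category: 'marketing', party: 'third (Facebook)',         purpose: 'Measures ads and shows remarketing ads',   retention: '3 months' },
];

// Rows for the Privacy Policy: what is used, by whom, why, and for how long.
function cookiePolicyTable(inventory = COOKIE_INVENTORY) {
  return inventory.map(c => `| ${c.name} | ${c.party} | ${c.category} | ${c.purpose} | ${c.retention} |`);
}

// Parse the first-party consent cookie, e.g. "cookie_consent=v1:analytics,marketing".
// Absent or malformed means no optional category is allowed: opt-in, not opt-out.
function parseConsent(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=v1:([a-z,]*)/.exec(cookieHeader || '');
  const chosen = new Set(m ? m[1].split(',').filter(Boolean) : []);
  chosen.add('necessary');   // strictly necessary cookies do not require consent
  return chosen;
}

// May a cookie with this name be set for this visitor?
function cookieAllowed(name, consent, inventory = COOKIE_INVENTORY) {
  const entry = inventory.find(c => c.name === name);
  if (!entry) return false;  // undocumented cookie: not in the policy, so not allowed
  return consent.has(entry.category);
}

// Third-party tags are emitted only for consented categories, so no
// analytics or marketing cookie is set before the visitor agrees.
// TAGS is a constructed map; the measurement id is a placeholder.
const TAGS = {
  analytics: '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>',
  marketing: '<script src="/js/remarketing-pixel.js"></script>',
};
function scriptsFor(consent) {
  return Object.keys(TAGS).filter(cat => consent.has(cat)).map(cat => TAGS[cat]);
}

// Set-Cookie value recording the visitor's choice (12 months by default).
function consentCookieValue(categories, maxAgeDays = 365) {
  const allowed = categories.filter(c => c !== 'necessary' && /^[a-z]+$/.test(c));
  return `cookie_consent=v1:${allowed.join(',')}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
```

Because the gate looks the cookie up in the inventory, a script that tries to set a cookie nobody documented is refused, which keeps the policy table and the site's actual behaviour from drifting apart.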

6. IP tracking

If you track the IP addresses of your website’s visitors or members, this should be mentioned in the Privacy Policy, because IP addresses are individuals’ “personal data”.

7. Advertising in social media

If you use the email addresses of registered users of your site for advertising campaigns on social media, the email owners must first be informed. They must also be able to unsubscribe from these lists if they want to.

8. Remarketing

Remarketing uses cookies to track a webpage’s visitors so that advertisements can be adjusted to their interests. Visitors must therefore be made aware of these practices in your site’s Privacy Policy.

9. Payment Gateways

If your e-shop uses payment gateways such as PayPal, Stripe, etc. for customers’ transactions and their information is saved on your site, this information must be protected in transit through an SSL certificate.

If your e-shop saves customers’ private data with the payment gateway, you should inform users through your website’s Privacy Policy for how long the information will be kept.

No fixed time period has been set; it is up to your judgement to choose a reasonable time, after which all their data must be deleted.

Data for inactive users should be deleted after a reasonable amount of time.

If a user requests deletion of ALL their data, you have to do it.
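The retention and deletion duties in section 9 amount to two routines: a periodic sweep that erases accounts inactive for longer than your chosen period, and an erasure procedure that removes everything about one person on request. The example below is added here and is not code from the original article. The store layout, field names, the 730-day `RETENTION_DAYS` and the decision to pseudonymise (rather than delete) order records for bookkeeping are all assumptions; the sample data is constructed.

```javascript
// Added example: retention sweep for inactive accounts plus an erasure
// routine for "delete ALL my data" requests. Layout and period are assumed.
const RETENTION_DAYS = 730;                // assumed "reasonable" period; set by your own policy
const DAY_MS = 24 * 60 * 60 * 1000;

// Ids of accounts whose last activity is older than the retention period.
function findInactive(users, now, retentionDays = RETENTION_DAYS) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  return users.filter(u => new Date(u.lastActiveAt).getTime() < cutoff).map(u => u.id);
}

// Erase everything held about one user across all stores. Orders are kept
// for accounting but unlinked from the person (assumed policy choice);
// every other record is removed outright. The returned report contains
// counts only, never the personal data that was just erased.
function eraseUser(stores, userId, now) {
  const report = { userId, erasedAt: now.toISOString(), removed: {}, anonymised: {} };
  for (const name of ['users', 'consents', 'newsletter', 'supportTickets']) {
    const key = name === 'users' ? 'id' : 'userId';
    const before = stores[name].length;
    stores[name] = stores[name].filter(r => r[key] !== userId);
    report.removed[name] = before - stores[name].length;
  }
  let n = 0;
  for (const o of stores.orders) {
    if (o.userId === userId) {
      o.userId = null; o.email = null; o.shippingAddress = null;
      n++;
    }
  }
  report.anonymised.orders = n;
  return report;
}

// Nightly job: one erasure report per inactive account.
function retentionSweep(stores, now) {
  return findInactive(stores.users, now).map(id => eraseUser(stores, id, now));
}

// Constructed sample data for a dry run (not real customers).
function sampleStores() {
  return {
    users: [
      { id: 'u1', email: 'active@example.com',  lastActiveAt: '2023-12-01T00:00:00Z' },
      { id: 'u2', email: 'dormant@example.com', lastActiveAt: '2020-01-15T00:00:00Z' },
    ],
    consents:       [{ userId: 'u2', purpose: 'newsletter' }],
    newsletter:     [{ userId: 'u2', email: 'dormant@example.com' }],
    supportTickets: [{ userId: 'u1', text: 'help with my order' }],
    orders: [{ id: 'o1', userId: 'u2', email: 'dormant@example.com', shippingAddress: 'Somewhere 1', total: 42 }],
  };
}
```

Running `retentionSweep(sampleStores(), new Date('2024-01-01T00:00:00Z'))` erases only the dormant account; the same `eraseUser` function serves an explicit request from an active user, so there is one code path to audit for both cases.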

10. Information Leak

The GDPR obliges businesses, in case of a breach of the personal data they hold, to notify the Personal Data Protection Authority of the country in which they are established within 72 hours.

SUMMARIZING: THE ACTIONS YOU NEED TO DO FOR THE GDPR

  • Information: You must inform your clients about the new regulation. You must also tell them why you collect their data and for how long you will keep it.
  • Consent: To process your clients’ personal data you are obliged, under the new regulation, to ask for their explicit consent first. If you gather minors’ data through social media, you must first check their age, because you may need to ask for their parents’ consent.
  • Access and portability: Give your clients access to their personal data so that they can process it or transfer it to another company if they want to.
  • Data deletion: You must provide the “right to be forgotten”, the new digital right that lets them ask for deletion of their private data as long as freedom of expression is not violated and no investigation is impeded.
  • Marketing: If you use their personal data for marketing actions or activities for your business, they have the right to ask to be excluded.
  • Sensitive personal data protection: Sensitive personal data of your clients, i.e. all information referring to race or nationality, religion, political views, sexual orientation, consumer preferences, etc., needs extra protective measures, because the law protects sensitive personal data with stricter rules than ordinary personal data.
  • Data transfer outside the EU: For countries that have not received approval from the EU, you must enter into a contract with your clients to be able to transfer data to those countries.

These are, above all, the steps you must take to be covered by this regulation, but it is advisable to seek advice from legal counsel because each case is different.
