Checklist: Make your website GDPR-friendly
Key things to know for making your Readymag websites GDPR-compliant.
All data transfers within the European Union and from the European Union are protected by a law called the GDPR (short for General Data Protection Regulation). As a creator and owner of a website, you’re also obliged to follow it and make your data collection and storage as transparent and controllable by the user as possible. It can be tricky, but this article is here to help you: it highlights the key points along the GDPR journey when creating sites with Readymag.
The GDPR was issued by the EU Government and came into effect on May 25th, 2018. It obliges any individual or any non-commercial or commercial enterprise collecting the personal data of European citizens to put such data back in the hands of the individual.
Put simply, the two most important ideas of GDPR are explicit consent and readily available opt-out: users should be well-informed about any activities concerning their data, and they should be able to revoke their consent to such actions at any time. Additionally, under GDPR, users can request that you provide them with all their stored data in an accessible electronic format or permanently erase all their personal data.
The definition of personal data under the GDPR is very broad; for example, some cookies are considered to be such. Therefore, the likelihood that you need to adjust your Readymag website to comply with GDPR rules and regulations is high.
OK, what do I start with?
First, identify all the types of personal data you’re collecting and processing.
GDPR puts it this way: ‘Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
In practice, there are three main types of personal data you might collect on your Readymag webpage:
- ‘Straightforward’ personal data (e.g. names, surnames, or e-mails of visitors), usually collected with forms.
- First-party cookies, created and used by your own code.
- Third-party cookies, used by third-party widgets.
Wait, all cookies are personal data?
Mikhail Nikolaev, head of product at Readymag: ‘Most of the cookies are personal data. Technically, some of them don’t give the opportunity to identify the user, meaning that they are not personal data from a GDPR point of view, but they’re extremely rare in Readymag projects.
The key difference here is between session cookies and persistent cookies. Session cookies expire after a user’s session ends. Persistent cookies don’t go away after the end of a session and may allow a user to be identified over a series of sessions. You might use most session cookies without explicit user consent, but not persistent cookies.’
The EU Internet Handbook states: ‘Consent is not required if the cookie is used for the sole purpose of carrying out the transmission of a communication, and strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.’
OK, I have compiled a list of personal data that I collect and work with. What does GDPR require me to do with it?
Mikhail Nikolaev, head of product at Readymag: ‘The key idea behind GDPR is to keep customers well-informed on your use of their data. Moreover, they should be able to opt out if they aren’t satisfied with your explanation. That means you must explicitly state what you plan to do with your visitors’ data and directly and clearly request their permission: no legalese or silent consent.’
We recommend the following steps:
Put together a clear Data Governance Policy
A Data Governance Policy is a document that tells visitors, and other parties that might take an interest (e.g., the state), exactly what you do with their data. GDPR doesn’t impose strong regulations or formal restrictions on the data governance policy; the most important aspect is that it should be clear, without legalese or caveats. You can design such a page using Readymag and add it to any of your projects.
Create a cookie consent bar with a clear description of the opt-out procedure and a Cookie Policy
The GDPR states that implicit consent to use cookies is no longer an option. You also can’t recommend that your users block cookies in their browser if they want to opt out. That’s why you need to obtain cookie consent if you use cookies.
Technically, the cookie banner is the typical solution, offering users the chance to opt out. That’s the important part: every cookie consent banner must have a link to instructions explicitly stating how to opt out. Usually, this link leads to a document called a Cookie Policy. A cookie consent bar might be built using internal Readymag features, or as an external widget.
Make your mail processing GDPR compliant
If you have a mail receiver, it’s important to be sure it works correctly from the GDPR point of view. Users should be able to learn where their emails are stored and for what purposes they are used (you might simply list all relevant user information before or after the form). Moreover, you should clearly state whether you plan to send users any information in the future and obtain their consent to do so.
Be ready to show your user their data or to erase it
Under GDPR, users can request that you show them their stored data or erase such data permanently.
Check all third-party widgets
YouTube, Google Analytics, and other third-party widgets may collect your users’ data without their consent or knowledge. If you use one of these widgets, it’s your responsibility as the site creator to inform your visitors. A Data Governance Policy might be a good place to explain all this.
Got any GDPR-related questions or need guidance? Reach out to us at [email protected]. Also, give the original text of GDPR a read here.