The GDPR, or General Data Protection Regulation, is a piece of data privacy legislation that most businesses are well aware of but don’t fully understand how it applies to their business. And unless you’ve gone knee in deep in GDPR implementation, there’s a good chance you’re missing some essential requirements. Without those requirements in place, you could face penalties and a hit to your brand reputation.
So, how do you make sure you are compliant with GDPR? The exact steps depend on what you’ve already implemented, but here are eight steps to make your website GDPR compliant.
1. Find a baseline
If you feel overwhelmed with getting started, here’s some good news: it’s easier to get started than you may think. Getting started consists of finding a baseline of where you’re at. Which requirements do you meet currently and what do you still have to do? The easiest way is to use data privacy compliance software.
A compliance software tool will scan your site and give you a heads up on where you’re at and what you still need to do.
2. Gain permission where necessary
One of the biggest changes GDPR created was switching from implied consent (you’re on my site, therefore you consent) to specified consent (you must opt-in for us to collect your data). This means that anytime you’re collecting data, you need to provide the user an option to consent to it.
If you’re using cookies or any other type of data collection that users don’t specifically provide, you need to gain consent with a banner as soon as they land on your site. And if you use data from any other pages such as forms or surveys where users put in their information manually, you’ll still need to gain consent to use that data.
3. Be transparent about what you collect
Another key addition GDPR adds is transparency. You’re required to share what data you’re collecting, what you’re using it for, how you’re processing it, who else is using it, and so on. Because of this, it’s important to add this information to your terms of service or privacy policy pages.
4. Check out any third-party apps, plug-ins, or tools
Many websites use third-party apps and tools. Whether it be Google Analytics or FB pixel, you need to take action. If your tool collects, stores uses, or process any data from users, you need to make sure it is GDPR-compliant.
5. Make it easy to get in touch
Among other requirements, GDPR guarantees users new rights regarding their data. This includes the right to request access or deletion of the personal data you have on them. To accomplish this, they need a way to reach the right person. To remain GDPR-compliant, make sure you include the relevant contact information to ensure users can make requests to the right person.
6. Update your data security
GDPR is largely on how you collect and use data, but it doesn’t end there. There are also requirements to protect users’ data and keep unauthorized eyes away from it. With this, you’ll need to implement certain data security measures. This probably won’t look the same for every company but can include precautions such as firewalls, specific access, and other security measures.
7. Develop policies for GDPR
GDPR gives users certain rights and you need ways to comply with users’ requests. This can include access, corrections, even deletions of their data. To remain GDPR-compliant, your GDPR plan needs to have detailed instructions on how to handle these requests.
But you’ll need safeguards in place as well. You’ll need a plan for potential data breaches, including how you’ll alert users if their data was compromised. You’ll also need to monitor site changes to ensure you stay in compliance. Using a simple tool like Adzapier Consent Management Platform can make it easy.
8. Verify and document your compliance
If you’ve followed the steps above and acted from your initial automation scan, your website should now be GDPR compliant. You’ll need to verify and document compliance though. The easiest way to verify is to simply rerun your scan. This verifies and documents each component of GDPR so you can rest easy knowing you are protecting your users’ rights.