This step-by-step blog post will help you make your website GDPR compliant, following a do-it-yourself approach. As the founder of a privacy startup, I will use the tools we built at Privacybunker as a reference implementation; you can just as well write the equivalent HTML yourself.
In this post, I will talk about different GDPR violations and how simple steps can prevent them.
If you have users in the European Union, you are obliged to comply with the GDPR, wherever your company is based. Following the GDPR also satisfies more customers, which brings you more business opportunities.
If you work directly with end users, GDPR compliance can also help your sales. According to Cisco's report "From Privacy to Profit", people are asking more questions about how their personal data is being used, and they now see privacy as an important component of a company's brand.
Non-compliance can result in meaningful fines, and it is not only Facebook and Google that receive them: small companies are frequently targets of the privacy authorities too.
For example, take a look at the decision against PACKLINK SHIPPING: the Spanish data protection authority (AEPD) fined the company €1,200 for placing Google Analytics cookies without the user's consent.
I wish regulators didn't go that far. These days, regulators and courts have begun penalising companies whose websites load resources from third-party services, for example font files from Google Fonts. The problem is that the visitor's browser sends their IP address to Google's servers when it fetches the font; an IP address is personal data under the GDPR, and the visitor never gave explicit permission for that transfer.
To fix the Google Fonts problem, self-host the font files on your own website.
Download the required font files from the Google Fonts website, upload them to a "/fonts" directory on your site, and then change your HTML and CSS so the link tags or @font-face rules point at those local files instead of fonts.googleapis.com and fonts.gstatic.com; remove any "preconnect" link tags to those hosts as well. To do this, you need to know a little HTML kung-fu. After the change, check the browser's network tab: no request should leave for a Google host when the page loads.
These GDPR problems are common and exist on many websites.
For Privacybunker, our first step was creating a cookie banner. It was a simple cookie popup, and the first version had only an "Accept" button. After some Google research, it turned out that a one-button banner is not legal under the GDPR, and companies were getting fined for it. A banner with a single "Accept" or "Got it" button gives your users no way to refuse the unnecessary cookies, so the consent it collects is not freely given.
So I released a new version, this time with two buttons: "Accept" and "Reject". The "Reject" button should be as prominent as "Accept" and take no more clicks; regulators have fined sites where refusing took more effort than accepting.
Due to customer requests, we added a cookie settings screen, where the end user can pick the groups of cookies they are OK with, for example advertising cookies. These optional groups must not be pre-checked; this is a strict GDPR requirement (the CJEU's Planet49 ruling held that pre-ticked boxes are not valid consent). Equally important: the scripts that set the optional cookies must not run until the visitor has saved a choice that includes them.
Some of your customers may send you personal information requests; in the GDPR these are called Data Subject Access Requests (DSARs). When you receive one, you first need to verify the requester's identity. You must have a procedure in place to retrieve the person's records from your internal databases and from the external cloud services you use, compile them into a personal data report, and send that report back to the user. The GDPR gives you one month to respond, extendable by two further months for complex requests.
Likewise, when you receive an erasure ("forget me") request from a customer, you need a way to validate the user's identity and be ready to remove or anonymise the customer's records in your internal databases, and to delete them from cloud services such as HubSpot, MailChimp, GetResponse, etc.
At Privacybunker we built a service to execute data-subject (user) requests as part of our privacy automation product. It can extract personal records from cloud services and from SQL and NoSQL databases, and execute the other user requests, using the APIs that many cloud vendors provide. We offer an easy-to-use UI for the end user to submit their requests; a company admin or Data Protection Officer can also use the tool to execute data-subject requests.
As an example, here is a short overview of what we have implemented at Privacybunker. Our system generates a GDPR badge to display on the client's website.
When a user clicks the badge, they get a list of operations they can execute as part of their GDPR and privacy rights. One of these operations is "Clear all cookies".
To see a live demo, you are welcome to click on the GDPR badge ;-)
The world of privacy is changing. The text of the GDPR has not changed since it was adopted, but its enforcement has: over time, the privacy regulators have applied more and more restrictive measures. You therefore need to stay up to date with the latest privacy news and follow the court and regulator rulings on the GDPR, paying special attention to the technical details behind the fines.
At Privacybunker, we follow the GDPR topic closely. We even created a tool to find common GDPR violations on our clients' websites, backed by a database of violation signatures that we maintain.
To avoid GDPR fines and to stay compliant we advise you to implement our recommendations on your websites immediately.
If you need results today, you are welcome to choose one of our business or enterprise plans. We will be happy to assist you.
Get an in-depth GDPR violation report for your website.
A special offer is available for the next 24 hours.
No credit card is required.