How to clean up your website from common GDPR violations in 5 steps

Privacybunker.IO Founder

An open-source developer that helps companies and startups to solve data security and privacy challenges.

Summary

Are you looking to ensure GDPR compliance for your website without the hassle? We’ve got you covered! This step-by-step guide is designed specifically for developers like you, offering a straightforward methodology that you can implement on your own.

As founders of Privacybunker, a privacy startup, we’ll provide you with practical insights and reference implementations using our own tools. If you prefer, you can also create your own HTML code following our guidance.

In this post, we’ll address common GDPR violations and offer simple steps to prevent them. Our aim is to equip you with the necessary knowledge and resources to safeguard user data effectively and ensure compliance with GDPR regulations.

Why should I care about GDPR?

If your target market is Europe, you are obliged to work to GDPR standards. Following the GDPR rules lets you satisfy more customers, which creates more business opportunities for you.

If you work directly with end-users, GDPR compliance will increase your sales. According to the Cisco report “From Privacy to Profit”, people are asking more questions about how their personal data is being used, and they now view privacy as an important component of a company’s brand.

Why is GDPR relevant for small companies?

Non-compliance can result in meaningful fines. It is not only Facebook and Google that get hefty fines; small companies often become a target of privacy authorities too.

For example, take a look at the following decision against PACKLINK SHIPPING. They had to pay €1,200 for cookie violations: the Spanish Data Privacy Authority (DPA) fined the website for placing Google Analytics cookies without user consent.

The 1st step is cleaning websites from Google Fonts and similar services.

I wish regulators didn’t go that far. These days, regulators have begun to fine companies whose websites download resources from third-party services, for example font files from Google Fonts. The problem is that the visitor’s browser exposes their IP address to the US internet giant, and the visitor has not given explicit permission to share it.

To fix a GDPR violation with Google Fonts, for example, you need to host the font files on your own website.

You can use the Google Fonts website to download the required font files and upload them to the ‘/fonts’ directory of your website. After that, you need to modify your website’s HTML files so they reference the local font URLs instead of Google’s. To do this, you need to know a little HTML kung-fu.
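The rewrite described above, as an added example that is not Privacybunker’s code: a small Node.js script that finds Google Fonts `<link>` tags in a page, replaces them with one link to a locally served stylesheet, and generates the `@font-face` rules for that stylesheet. It assumes the font files were downloaded from the Google Fonts site and stored as `/fonts/<family-slug>-<weight>.woff2` (that naming scheme, the `/fonts/fonts.css` path and the sample page are assumptions of the example, not something the post specifies).

```javascript
// Added example (not Privacybunker's code): rewrite Google Fonts <link> tags so
// the fonts are served from the site's own /fonts directory instead of from
// Google's servers. Assumptions: each font file has been downloaded from the
// Google Fonts site and stored as /fonts/<family-slug>-<weight>.woff2
// (e.g. /fonts/open-sans-400.woff2), and one generated /fonts/fonts.css is
// served alongside them.

const GOOGLE_FONT_HOSTS = new Set(['fonts.googleapis.com', 'fonts.gstatic.com']);
const LINK_TAG_RE = /<link\b[^>]*>/gi;
const HREF_RE = /\bhref\s*=\s*["']([^"']+)["']/i;

// Parse the "family" query parameters of a Google Fonts CSS URL into
// [{ family: 'Open Sans', weights: [400, 700] }, ...]; a family without an
// explicit wght axis is treated as regular (400).
function parseFamilies(href) {
  const url = new URL(href);
  return url.searchParams.getAll('family').map((spec) => {
    const [family, axes = ''] = spec.split(':');
    const m = axes.match(/wght@([\d;]+)/);
    const weights = m ? m[1].split(';').map(Number) : [400];
    return { family, weights };
  });
}

function slug(family) {
  return family.toLowerCase().replace(/[^a-z0-9]+/g, '-');
}

function localFile(family, weight) {
  return `/fonts/${slug(family)}-${weight}.woff2`;
}

// Build the @font-face rules for the locally hosted files.
function buildFontFaceCss(families) {
  const rules = [];
  for (const { family, weights } of families) {
    for (const w of weights) {
      rules.push(
        `@font-face {\n  font-family: '${family}';\n  font-weight: ${w};\n` +
        `  font-display: swap;\n  src: url('${localFile(family, w)}') format('woff2');\n}`
      );
    }
  }
  return rules.join('\n');
}

// Returns { html, css, files }: the rewritten HTML, the generated fonts.css
// and the list of font files that must exist under /fonts.
function rewriteGoogleFonts(html) {
  const families = [];
  let injected = false;
  const out = html.replace(LINK_TAG_RE, (tag) => {
    const m = tag.match(HREF_RE);
    if (!m) return tag;
    const href = m[1].replace(/&amp;/g, '&');
    let host;
    try { host = new URL(href).hostname; } catch (e) { return tag; } // relative URL: local, keep it
    if (!GOOGLE_FONT_HOSTS.has(host)) return tag;
    if (host === 'fonts.googleapis.com') families.push(...parseFamilies(href));
    // Preconnect / dns-prefetch hints to fonts.gstatic.com are dropped too:
    // they would still connect the visitor's browser to Google.
    if (injected) return '';
    injected = true;
    return '<link rel="stylesheet" href="/fonts/fonts.css">';
  });
  const files = families.flatMap(({ family, weights }) => weights.map((w) => localFile(family, w)));
  return { html: out, css: buildFontFaceCss(families), files };
}

// Constructed sample page (not a real site).
const SAMPLE_HTML =
  '<head><link rel="preconnect" href="https://fonts.gstatic.com">' +
  '<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&amp;family=Open+Sans&amp;display=swap" rel="stylesheet">' +
  '<link rel="stylesheet" href="/site.css"></head>';

const result = rewriteGoogleFonts(SAMPLE_HTML);
console.log(result.files); // the files you still have to download into /fonts
```

The `files` list is the checklist of what to download; if a listed file is missing, the page silently falls back to a system font, which is safe from a GDPR point of view but visible to users, so check the list before deploying.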

The 2nd step is to fix your cookie banner.

These GDPR problems are common and exist on many websites.

For Privacybunker, our first tool was a simple cookie banner. The first version had only an “Accept” button. After some research, it turned out that a single button is not legal under GDPR, and companies were being fined for it. Displaying a cookie banner with only one button such as “Accept” or “Got it” is not legal, because a single button gives your users no way to opt out of unnecessary cookies.

So we released a new version, this time with two buttons: “Accept” and “Reject”.

From the beginning, our cookie banner called external JavaScript only after the user pressed the “Accept” button. External JavaScript here means a Google Analytics script or another third-party script. While working on our GDPR scanner tool, we found that most cookie banners are implemented incorrectly: most websites load external JavaScript on page load, which makes the “Accept” button worthless. Many companies are being fined for that.

Due to customer requests, we added a cookie settings screen. It lets the end-user choose which groups of cookies they are OK with, for example advertising cookies. These optional cookie groups must not be pre-checked; this is a strict GDPR requirement.
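The consent logic the last three paragraphs describe, as an added example rather than Privacybunker’s banner code: third-party scripts are listed per cookie category, every optional category starts switched off, and nothing is injected into the page until the user’s choice says so. The category names and script URLs are constructed placeholders.

```javascript
// Added example (not Privacybunker's banner): consent-gated loading of
// third-party scripts. Nothing in SCRIPT_CATALOG is loaded on page load; a
// script is injected only after the user's choice allows its category, and
// the default for every optional category is "off". URLs are placeholders.

const SCRIPT_CATALOG = {
  analytics: ['https://analytics.example/collect.js'],
  advertising: ['https://ads.example/pixel.js'],
};

const CATEGORIES = Object.keys(SCRIPT_CATALOG);

// State before the user has interacted with the banner: every optional
// category is off. This is also what the settings screen must show as its
// initial (unchecked) state.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// The two banner buttons.
function acceptAll() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, true]));
}
function rejectAll() {
  return defaultConsent();
}

// Settings screen: take whatever the form submitted, drop unknown categories
// and treat anything that is not an explicit true as declined.
function consentFromForm(formValues) {
  const consent = defaultConsent();
  for (const category of CATEGORIES) {
    consent[category] = formValues[category] === true;
  }
  return consent;
}

// Pure decision: which script URLs may be loaded for a given consent choice.
function scriptsAllowedBy(consent) {
  return Object.entries(SCRIPT_CATALOG)
    .filter(([category]) => consent[category] === true)
    .flatMap(([, urls]) => urls);
}

// The side effect is isolated behind `inject` so the decision can be tested
// without a DOM. In a browser you would call:
//   applyConsent(choice, (src) => {
//     const s = document.createElement('script');
//     s.src = src; s.async = true;
//     document.head.appendChild(s);
//   });
// Returns the list of scripts injected by this call.
function applyConsent(consent, inject, alreadyLoaded = new Set()) {
  const loaded = [];
  for (const src of scriptsAllowedBy(consent)) {
    if (alreadyLoaded.has(src)) continue; // a script, once loaded, is never injected twice
    inject(src);
    alreadyLoaded.add(src);
    loaded.push(src);
  }
  return loaded;
}
```

Note that a script which has already been injected cannot be "un-loaded" by a later “Reject”; withdrawing consent therefore also needs the cookie clean-up described later in this post, followed by a page reload.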

The 3rd step is to be prepared to execute user data access requests.

Some of your customers may send you personal information requests. In GDPR these are called Data Subject Access Requests (DSARs). When you receive a DSAR, you first need to verify the user’s identity. You must have a procedure in place to retrieve the customer’s personal records from your internal database and from external cloud services. You then need to create a personal data report and send it back to the user.

Similarly, when receiving a forget-me request from a customer, you need a way to validate the user’s identity. You need to be ready to remove or anonymize the customer’s personal records in your internal databases, and to remove the user’s records from cloud services like HubSpot, MailChimp, GetResponse, etc…

At Privacybunker we built a special service to execute data-subject (user) requests. It is part of our privacy automation service. Our system can extract personal records from cloud services and from SQL and NoSQL databases, and execute other user requests. It works through the APIs provided by many cloud vendors. We provide an easy-to-use UI for the end-user to execute their requests; a company admin or Data Privacy Officer can also use this tool to execute data-subject requests.
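The procedure from the three paragraphs above (verify identity, collect records from every store, report or erase), as an added example that is not Privacybunker’s service: each data store sits behind a connector with the same `export`/`erase` interface, and no store is touched until the requester has proven control of the e-mail address on file. The in-memory stores, the token store and all records are constructed for the example; real connectors would call the vendor API or run SQL.

```javascript
// Added example (not Privacybunker's service): a minimal DSAR executor. Every
// data store sits behind a "connector" exposing the same export/erase
// operations, and nothing is exported or erased until the requester's
// identity has been verified. The stores, tokens and records below are
// constructed in-memory stand-ins; real connectors would call the vendor
// API or run SQL against your database.

// Connector over an in-memory table of rows keyed by e-mail address.
function memoryConnector(name, rows) {
  return {
    name,
    // Copy the matching rows so the report cannot mutate the store.
    export(email) {
      return rows.filter((r) => r.email === email).map((r) => ({ ...r }));
    },
    // Anonymize in place rather than delete, so rows referenced elsewhere
    // (orders, invoices) keep their integrity. Returns the number of rows.
    erase(email) {
      let count = 0;
      for (const r of rows) {
        if (r.email !== email) continue;
        r.email = 'anonymized';
        r.name = 'anonymized';
        delete r.ip;
        count += 1;
      }
      return count;
    },
  };
}

// Identity check: a one-time token previously e-mailed to the address on
// file. Constructed token store: token -> { email, expires (ms since epoch) }.
const ISSUED_TOKENS = new Map([
  ['tok-valid', { email: 'alice@example.test', expires: Date.parse('2099-01-01T00:00:00Z') }],
  ['tok-expired', { email: 'alice@example.test', expires: Date.parse('2000-01-01T00:00:00Z') }],
]);

function verifyIdentity(token, email, now = Date.now()) {
  const t = ISSUED_TOKENS.get(token);
  return Boolean(t && t.email === email && t.expires > now);
}

// The report the data subject receives: one section per source.
function buildReport(email, connectors) {
  return {
    subject: email,
    sources: connectors.map((c) => ({ source: c.name, records: c.export(email) })),
  };
}

// Execute an access or forget-me request. Throws before touching any store
// if identity is not proven, so nothing is disclosed or erased for an
// unverified requester.
function handleDsar({ type, email, token }, connectors) {
  if (!verifyIdentity(token, email)) throw new Error('identity not verified');
  if (type === 'access') return buildReport(email, connectors);
  if (type === 'erase') {
    return {
      subject: email,
      erased: connectors.map((c) => ({ source: c.name, records: c.erase(email) })),
    };
  }
  throw new Error(`unknown request type: ${type}`);
}

// Constructed sample stores: an internal CRM table and a newsletter service.
const CONNECTORS = [
  memoryConnector('crm', [{ email: 'alice@example.test', name: 'Alice', ip: '203.0.113.5' }]),
  memoryConnector('newsletter', [
    { email: 'alice@example.test', name: 'Alice' },
    { email: 'bob@example.test', name: 'Bob' },
  ]),
];
```

The identity check is deliberately the first statement of `handleDsar`: an access request answered to the wrong person is itself a data breach, so the verification has to happen before any connector is queried, not after the report is assembled.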

Privacybunker diagram


The 4th step is to let users withdraw their consent.

According to GDPR, it should be easy for users both to give and to withdraw consent. Your users must have a simple way to reset their cookie consent choice and, as a result, reset the tracking cookies. To do this, you need to add a button or a link on your website that, when clicked, calls a special JavaScript function. This JavaScript function should clear all tracking cookies.

As an example, here is a short review of what we have implemented at Privacybunker. Our system generates a GDPR badge to display on our clients’ websites.

When a user clicks on this badge, they get a list of operations they can execute as part of their GDPR and privacy rights. One of these operations is “Clear all cookies”.

To see a live DEMO, you are welcome to click on the GDPR badge ;-)

GDPR badge

When a user clicks on “Clear all cookies”, we call a special JavaScript function that removes all cookies.
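A “Clear all cookies” function of the kind just mentioned, as an added example and not the function behind Privacybunker’s badge. The awkward part, which the example handles, is that `document.cookie` does not tell you which Domain and Path attributes a cookie was set with, yet a cookie can only be expired by writing it back with the same attributes; so each name is expired across the plausible domain/path combinations. The sample cookies, hostname and path are constructed.

```javascript
// Added example (not Privacybunker's badge code): a "Clear all cookies"
// routine. JavaScript can only delete a cookie by overwriting it with a past
// expiry date and the same Domain/Path attributes it was set with, which
// document.cookie does not reveal, so every name is expired across the
// candidate domain and path combinations. HttpOnly cookies are invisible to
// JavaScript and cannot be cleared this way; those need a server-side endpoint.

const EXPIRED = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';

// Cookie names present in a document.cookie string such as "a=1; b=2".
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Candidate Domain attributes: none (host-only cookie), the host itself, and
// each parent domain down to two labels, with and without a leading dot.
// (For public suffixes such as "co.uk" this also emits a domain the browser
// will simply refuse, which is harmless.)
function domainCandidates(hostname) {
  const labels = hostname.split('.');
  const candidates = [null];
  for (let i = 0; i <= labels.length - 2; i++) {
    const d = labels.slice(i).join('.');
    candidates.push(d, '.' + d);
  }
  return candidates;
}

// Candidate Path attributes: "/" plus every prefix of the current path.
function pathCandidates(pathname) {
  const paths = ['/'];
  const segments = pathname.split('/').filter(Boolean);
  for (let i = 1; i <= segments.length; i++) {
    paths.push('/' + segments.slice(0, i).join('/'));
  }
  return paths;
}

// Pure part: the cookie strings that must be assigned to document.cookie.
function expiredCookieStrings(cookieString, hostname, pathname = '/') {
  const out = [];
  for (const name of cookieNames(cookieString)) {
    for (const domain of domainCandidates(hostname)) {
      for (const path of pathCandidates(pathname)) {
        let s = `${name}=; ${EXPIRED}; path=${path}`;
        if (domain) s += `; domain=${domain}`;
        out.push(s);
      }
    }
  }
  return out;
}

// Browser entry point: clearAllCookies(document, window.location).
// Returns how many delete operations were issued.
function clearAllCookies(doc, loc) {
  const strings = expiredCookieStrings(doc.cookie, loc.hostname, loc.pathname);
  for (const s of strings) doc.cookie = s;
  return strings.length;
}

// Constructed stand-ins for document and location, so this runs outside a browser.
const FAKE_DOCUMENT = { cookie: '_ga=GA1.2.123; _gid=GA1.2.456' };
const FAKE_LOCATION = { hostname: 'www.example.test', pathname: '/blog/post' };
```

Clearing cookies is only half of a consent reset: the consent choice itself (usually a cookie or a localStorage entry) must be removed as well, and the page reloaded, so that the banner shows again and no already-injected tracking script keeps running.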

User menu

The 5th step is to maintain website compliance.

The world of privacy is changing. The GDPR rules themselves do not change once approved, but over time privacy regulators have begun to enforce them with more and more restrictive measures. Thus, you need to stay up to date with the latest privacy news and follow the legal rulings on GDPR, paying special attention to the technical details behind the fines.

At Privacybunker, we follow the GDPR topic closely. We even created a tool that finds common GDPR violations on our clients’ websites, backed by a database of violation signatures that we maintain.
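A signature-based scanner of the kind described, as an added example and not Privacybunker’s tool: it parses the resource-loading tags of a static HTML page, keeps those pointing off-site, and matches them against a small signature list covering the violation classes in this post (fonts from Google, analytics and advertising scripts present in the markup and therefore loaded before any consent). The Google Fonts and Google Analytics hostnames are real; the `ads.example` signature, the site hostname and the sample page are constructed.

```javascript
// Added example (not Privacybunker's scanner): a tiny signature-based scanner
// for the violation classes described in this post. It works on static HTML
// and reports third-party resources that the markup loads before any consent
// can be given. Hostnames for Google Fonts / Google Analytics are real; the
// ads.example signature and the sample page are constructed.

const SIGNATURES = [
  { id: 'GF-001', hosts: ['fonts.googleapis.com', 'fonts.gstatic.com'], tags: ['link'],
    title: 'Google Fonts loaded from Google servers (visitor IP disclosed)' },
  { id: 'GA-001', hosts: ['www.google-analytics.com', 'www.googletagmanager.com'], tags: ['script'],
    title: 'Analytics script loaded on page load, before consent' },
  { id: 'ADS-001', hosts: ['ads.example'], tags: ['script', 'img', 'iframe'],
    title: 'Advertising tracker loaded before consent (constructed signature)' },
];

const TAG_RE = /<(link|script|img|iframe)\b([^>]*)>/gi;
const URL_ATTR_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i;

// Extract { tag, url, host } for every resource-loading tag whose URL points
// to a host other than the site itself. Relative URLs resolve to the site.
function externalResources(html, siteHost) {
  const found = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = m[2].match(URL_ATTR_RE);
    if (!attr) continue; // inline <script> or a tag without src/href
    const raw = attr[1].replace(/&amp;/g, '&');
    let url;
    try { url = new URL(raw, `https://${siteHost}/`); } catch (e) { continue; }
    if (url.hostname !== siteHost) found.push({ tag, url: url.href, host: url.hostname });
  }
  return found;
}

// Match each external resource against the signature database and return
// the findings in document order.
function scan(html, siteHost) {
  const findings = [];
  for (const res of externalResources(html, siteHost)) {
    for (const sig of SIGNATURES) {
      if (sig.hosts.includes(res.host) && sig.tags.includes(res.tag)) {
        findings.push({ id: sig.id, title: sig.title, tag: res.tag, url: res.url });
      }
    }
  }
  return findings;
}

// Constructed sample page mixing local and third-party resources.
const SAMPLE_PAGE =
  '<head>' +
  '<link rel="preconnect" href="https://fonts.gstatic.com">' +
  '<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">' +
  '<link rel="stylesheet" href="/site.css">' +
  '<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER"></script>' +
  '<script src="/js/app.js"></script>' +
  '<script>console.log("inline")</script>' +
  '</head><body>' +
  '<img src="/logo.png"><img src="https://ads.example/pixel.gif">' +
  '</body>';

const SCAN_RESULT = scan(SAMPLE_PAGE, 'www.example.test');
for (const f of SCAN_RESULT) console.log(`${f.id} <${f.tag}> ${f.url}: ${f.title}`);
```

A static scan like this catches the most common mistake from step 2 (the tracker is in the HTML, so the “Accept” button changes nothing); it cannot see scripts added dynamically, so a full check also needs to load the page in a browser with consent rejected and watch which third-party requests still go out.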

Report example:

Example of GDPR report

What’s next

To avoid GDPR fines and stay compliant, we advise you to implement our recommendations on your websites immediately.

If you need results today, you are welcome to choose one of our business or enterprise plans. We will be happy to assist you.
