Nos expertises
GDPR in short:
The GDPR is a European privacy law that sets out detailed regulations for companies and organisations about collecting, storing and managing personal data.
The rules detailed in the GDPR apply to all companies and organisations that process data of people in the EU, whether these companies are based in the EU or somewhere else.
The GDPR’s goal is to give European citizens more control over their personal data and allow them to protect their privacy better.
The GDPR means, among other things, that you must demonstrate that you collect, request, store or destroy personal data in an ethical (and legal) way as a company.
That’s why you must map out the different ways in which your company processes personal data.
If you don’t meet the requirements stipulated in the GDPR, you are at risk of being fined: the DPA can fine rulebreakers with a sum of a maximum of 20 million euros or 4% of the global revenue.
Digital consequences of the GDPR
When you process data that can be traced back to a natural person, either directly or indirectly, you have to deal with the GDPR. That includes names, addresses, locations, images, email addresses or medical data.
GDPR and your website
What does this all mean for your website? We’ll discuss a couple of things to remember to give you an image of the GDPR’s impact on your website and show you the steps you can take to align your website with the GDPR.
1. Does your website have a privacy statement/policy?
According to the GDPR, you have to inform your visitors about what happens to their personal data and why. Transparent and complete privacy and cookie statements are a vital part of this. These statements need to be easily accessible to the user at all times (preferably in the so-called footer of the web page).
In the privacy statement (article in Dutch), you need to mention the following:
The name and contact information of the organisation that determines why and how personal data are used (responsible for processing data);
The basis on which personal data are processed;
The third parties that have access to personal data, like when you use an e-marketing tool;
Whether you’ll be passing on personal data to someone outside of the EU;
How long you’ll be storing personal data;
What the rights of the person in question are and where they can file a complaint;
Whether and why the person in question is required to pass on their personal data;
Whether you use automated decision-making (in Dutch) and how you use it;
Whether you have retrieved personal data from another organisation.
Has the person in question given you permission to process their personal data? Then you need to give them the option to revoke that permission just as easily: people can always ask you to have their data removed.
Don’t forget: in general, data can only be processed when a specific goal has been set in advance. The data you request can also not be used for different purposes than what was stated. You can find more information on this here.
In addition, you cannot:
1) Process more data than you need to achieve a certain goal;
2) Store data longer than you need for the set goal.
2. Is your cookie statement correct/up to date?
When it comes to cookies, two regulations apply – the GDPR and the ePrivacy Regulation.
Because of the ePrivacy Regulation, you are required to ask for permission to place a cookie. The ePrivacy Regulation is more specific than the GDPR and determines, among other things, when placing a cookie is or isn’t authorised:
A cookie wall isn’t allowed: visitors need to be able to use your website if they don’t agree to you placing cookies.
For necessary or functional cookies, you don’t need to request a user’s permission: they don’t store personal data.
Analytical cookies also don’t require permission, because the collected data are anonymous. You need to inform your visitors, though, and you cannot share this information with any third parties.
You do, however, need permission for tracking cookies, which track your site visitors’ browsing behaviour.
3. Does your website have an SSL certificate?
Processing personal data also means you need to protect them. Neglecting this part can result in steep fines. Also, you need to report any data leaks. So, don’t forget to keep your CMS up to date and manage your web server. You are obligated to secure any page that collects personal data with HTTPS (an SSL certificate). This ensures that all your website visitors’ data are encrypted before they are sent. In the case of, say, a quote or a (newsletter) subscription, this is very important.
4. Have you made processing agreements?
Is someone else processing data for your company? Does an SEO (Search Engine Optimisation) specialist manage your website or does a cloud service provide your back-ups? They could also have access to personal data, which is why you need to set data processing terms with them. A data processing agreement details, among other things, non-disclosure, security and data leaks terms, and how you will handle confidential data.
You also need to sign a processing agreement when you use Google Analytics. These steps can help you get started.
5. Are there any forms on your website?
You are only permitted to process personal data that are absolutely necessary for the goal you’re trying to reach. That also applies to forms on your website, like the contact form or the subscription form for your newsletter. The standard settings of these forms need to be as privacy-friendly as possible. That means no boxes can be automatically ticked. And do you really need an address if someone is only subscribing to the newsletter? The more data you want, the more work and (legal) obligations that come with it. Keep it simple.
6. Which other digital systems use personal data?
Besides your website, you will inevitably use other systems to process personal data. Like your email marketing software or your CRM system. For that reason, you should map out your data processing in a processing register: document the personal data you process, the purpose they serve and how long you store them, where the data comes from and who you share them with. This will give you insight into how you can align your existing procedures and processes with the requirements of the GDPR.
Want to know more about the GDPR?
Throughout this article, we have covered only a fraction of how the GDPR affects your website or web platform. This overview doesn’t cover everything. The guidelines go beyond your website. On the website of the Autoriteit Persoonsgegevens, you can learn everything there is to know about the GDPR. Are you unsure about one of the GDPR aspects we’ve mentioned here? Don’t hesitate to contact us!
Privacy by Design & Privacy by Default
When designing and creating your website or application, iO takes the latest privacy regulations into account. Using both design (Privacy by Design) and technique (Privacy by Default) to ensure careful handling of personal data. Which personal data you can and cannot process – and what that means for your website – depends on the situation. Our experts can make sure your existing or new website or application is completely aligned with the GDPR’s requirements and adjust aspects when needed.