A website is now practically indispensable as a company’s online shop window, given the business stakes involved. But while these sites give companies unique visibility and are highly practical, we should not forget that they are first and foremost intended for users. To achieve most objectives, particularly marketing objectives, companies use as much information as possible about traffic and site usage, and consequently process personal data.
With tracking, advertising, cookies, trackers and pixels being placed through websites, and many players able to capture the resulting data, websites are one of the primary sources of privacy risk. The stakes are all the higher because future customers and users may treat a website as a benchmark for assessing the compliance of the organisation that publishes it, and the data protection authorities may inspect it directly to verify compliance (particularly cookie management).
To ensure that a website complies with data protection rules and with the General Data Protection Regulation (GDPR), the publisher must, in particular, ensure that:
- It provides a framework for the placing of cookies and trackers, by obtaining users’ consent and providing specific information on the subject
- It provides complete information on how personal data collected on the site is processed, using a privacy policy and specific information notices
- It provides a framework for data collection forms and obtains user consent for data processing based on these forms
- It implements appropriate security measures to ensure adequate security for personal data
In this article, our experts in personal data law discuss the essential steps to take to ensure that your website complies with the GDPR. And as a bonus, you can receive a model privacy policy drafted by our experts for the occasion!
The management of cookies and trackers
Cookies (or trackers, pixels, etc.) are at the heart of online privacy protection, as the CNIL’s extensive work on the subject (deliberations, guidelines, inspections, etc.) shows.
Cookies are small files placed on visitors’ devices (computer, smartphone, tablet, etc.) when they visit a website or use a mobile application. They can be used to measure the site’s audience, remember information such as the language chosen, the shopping basket or the user’s login details, track browsing habits, serve targeted advertising or geolocate the user.
It is essential to pay particular attention to them and to make sure you are in control of their use, both technically and legally.
All website users must be informed that cookies are stored on their devices and, where the requirement applies, must give prior consent to their storage.
Informing the user of the deposit of cookies
All of this information must be provided in compliance with the requirements on the form of the information, i.e. concisely, transparently, intelligibly and in an easily accessible way, using clear and plain language.
To meet these requirements, the CNIL recommends providing the information on two levels.
Firstly, succinct information, typically a “banner” or pop-up, stating at the very least the identity of the data controller, the purposes for which cookies are placed, the possibility of accepting or refusing them, and a link to the cookie policy.
Secondly, a cookie policy that states, for each cookie:
- Its owner (cookie publisher/third party)
- Its name
- Its purpose (what it enables and the information it provides)
- How long it is kept
- Whether or not it requires the visitor’s consent before it can be placed
Obtaining prior consent to the deposit of cookies
The cookie “banner” mentioned above serves two purposes: to give initial information to website users, and to let them choose whether or not to accept the placing of cookies on their device, or even to select which categories of cookies they accept and which they refuse.
According to the CNIL, the French data protection authority, cookies fall into two categories: those that require the user’s prior consent before being placed, and those that are exempt (cookies strictly necessary for the operation of the site or for providing a service expressly requested by the user).
By way of example, applying that rule to the purposes listed above (and the CNIL’s guidelines):

| Exempt cookies and trackers | Cookies and trackers subject to prior consent |
|---|---|
| Session and authentication cookies (login details) | Targeted advertising cookies |
| Shopping basket cookies | Cookies that track browsing habits across sites |
| Cookies remembering the language or display preferences chosen by the user | Geolocation cookies |
| Cookies recording the user’s own consent choices | Audience measurement cookies, except under the strict conditions set by the CNIL |
On first connection to the website, users should see the banner and be able, with one click, to accept or refuse all cookies, or to choose case by case; refusing must be as easy as accepting. Since every collection of consent must be provable at the authority’s request, the CNIL considers it good practice to keep this proof for 6 months.
Finally, you will need to check the tools you use that are likely to place cookies through your site, to ensure that they allow you to comply with the applicable rules.
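The banner mechanics described above (nothing non-exempt runs before a choice, one-click accept or refuse, granular categories, a dated proof of the choice, and a fresh request once the policy changes or the retention period elapses) can be expressed in a small piece of client-side logic. The following is an added example, not code from the article or from the CNIL; the tracker catalogue, the category names, the policy version string and the record format are all constructed for illustration.

```javascript
// Added example, not the article's or the CNIL's code: a minimal consent gate for a
// cookie banner. The tracker catalogue, category names, policy version and record
// format are constructed for illustration only.

const POLICY_VERSION = "2024-06";                 // change whenever the cookie policy changes
const RETENTION_MS = 6 * 30 * 24 * 3600 * 1000;   // roughly the 6-month period the article cites

// Constructed catalogue with the fields the cookie policy must list: owner, name,
// purpose, retention period and whether consent is required. Exempt trackers are the
// strictly necessary ones; only they may run before the user has made a choice.
const TRACKERS = [
  { name: "session_id", owner: "publisher",   purpose: "authentication",       retention: "session",   exempt: true },
  { name: "basket",     owner: "publisher",   purpose: "shopping basket",      retention: "session",   exempt: true },
  { name: "lang",       owner: "publisher",   purpose: "language preference",  retention: "6 months",  exempt: true },
  { name: "_ga",        owner: "third party", purpose: "audience measurement", retention: "13 months", exempt: false, category: "analytics" },
  { name: "ads_uid",    owner: "third party", purpose: "targeted advertising", retention: "13 months", exempt: false, category: "advertising" },
];

// Consent categories the banner offers, derived from the non-exempt trackers.
const CATEGORIES = [...new Set(TRACKERS.filter((t) => !t.exempt).map((t) => t.category))];

// Proof-of-consent record written when the user clicks in the banner. `choices` maps a
// category to true (accepted); any category not explicitly accepted is treated as refused,
// so a pre-ticked or silent default can never count as consent.
function recordChoice(choices, now = Date.now()) {
  const normalized = {};
  for (const c of CATEGORIES) normalized[c] = choices[c] === true;
  return { policyVersion: POLICY_VERSION, timestamp: now, choices: normalized };
}
const acceptAll = (now) => recordChoice(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
const refuseAll = (now) => recordChoice({}, now);

// A record is usable only if it exists, refers to the current policy version and is not
// older than the retention period. Otherwise the banner has to be shown again.
function isValid(record, now = Date.now()) {
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  const age = now - record.timestamp;
  return age >= 0 && age < RETENTION_MS;
}
const needsBanner = (record, now) => !isValid(record, now);

// Names of the trackers allowed to run right now. Without a valid record only exempt
// trackers are returned, so analytics and advertising tags must not be loaded yet.
function allowedTrackers(record, now = Date.now()) {
  const valid = isValid(record, now);
  return TRACKERS
    .filter((t) => t.exempt || (valid && record.choices[t.category] === true))
    .map((t) => t.name);
}

// Demo on constructed input: first visit, a granular choice, then the record ageing out.
const t0 = 1700000000000;
const granular = recordChoice({ analytics: true }, t0);
console.log(allowedTrackers(null));                    // exempt trackers only
console.log(allowedTrackers(granular, t0 + 1000));     // exempt + "_ga", never "ads_uid"
console.log(needsBanner(granular, t0 + RETENTION_MS)); // true: ask again after 6 months
```

The record returned by `recordChoice` is what you would persist (server side, keyed to the visitor, or in a first-party cookie) as the proof the CNIL may ask for; the tag loader should call `allowedTrackers` and inject only the scripts it returns. Note that exempt trackers still have to be listed in the cookie policy even though they run without consent.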
Providing information through a privacy policy
Because personal data is now a priority, intrinsically linked to every individual browsing the Internet, awareness of the need to protect it has made it imperative for website publishers to ensure that all mandatory information is provided.
So if your website is to respect users’ personal data and privacy, it must provide, through a simple and permanent access point, information that is as transparent as possible about how the data is used.
In most cases, using your website involves collecting personal data from visitors or users, for example, by collecting their login details when they create an account or their contact details if they subscribe to a newsletter.
This information must be specific and distinct, i.e. it must not be buried in a page listing other material, such as the general terms and conditions. It should therefore be provided in a prominent privacy policy on the site. This policy must be accessible with one click from every page of the website, so that visitors can consult it at any time. It must be written concisely, in simple and clear terms, without legal jargon, and its presentation should be adapted to the target audience.
The GDPR requires data subjects to be informed of the following:
- The identity and contact details of the data controller, and the contact details of your DPO if one has been appointed
- The legal basis for data processing
- The purposes and objectives of data collection and processing
- The recipients or categories of recipients of the data (data controller, processors, technical service providers, etc.)
- Whether or not data is transferred outside the European Union and, if so, the safeguards relied on
- Data retention periods
- The rights of data subjects (access, rectification, erasure, restriction, objection, portability) and the practical means of exercising them (by e-mail, by post, or via built-in functionalities)
- The right to lodge a complaint with the supervisory authority (in France, the CNIL)
- Whether or not the provision of personal data is compulsory, and the possible consequences of not providing this data.
Other information must be provided in the event of indirect collection. This covers:
- The categories of personal data concerned
- The source of the data
These disclosures must be reviewed and updated whenever there is any change in how personal data is processed. Such updates may require new information to be provided to individuals or new consent to be obtained where this legal basis applies.
Framing data collection forms and obtaining user consent for the corresponding processing
In addition to the data collected by placing cookies, your website may collect data directly from the user in various ways depending on its use, mainly via a contact form, an account creation form, a newsletter registration form, etc.
In these cases, specific rules must be respected to ensure compliance with the GDPR.
- Only information that is strictly necessary to achieve the purpose of the collection should be requested: for example, to subscribe to a newsletter, the only information required is the user’s e-mail address.
- If you ask for more than that, you must indicate which fields are compulsory and which are optional, for example with an asterisk.
- If information is collected through a free-text field, you should warn the user not to enter sensitive data there; this spares you additional obligations and limits the need to moderate what ends up in your databases.
Furthermore, to comply with the formalities required by the GDPR, each data collection must be accompanied by specific information specifying the processing methods. In other words, in addition to having a privacy policy that describes all the processing carried out, each point at which personal data is collected must display an information notice.
Each collection point must also provide a means of obtaining the user’s consent where consent is the legal basis relied on. Consent must be freely given, specific, informed and unambiguous, leaving no doubt as to the individual’s true intention to consent to the processing of their data.
To make this easier and avoid confusion, these information notices can be kept short and refer to the privacy policy, which is more comprehensive.
This is referred to as two-tier information:
- Level 1: a short information notice indicating only the purpose of the data collection and the data controller’s identity, accompanied by a link “to find out more” to the privacy policy.
- Level 2: the privacy policy
Implementation of appropriate security measures
All website publishers must ensure the security of the data they collect and transmit. This means implementing security measures that are appropriate to the risks involved.
The CNIL recommends several actions to be taken, including:
- Implement TLS
- Use TLS (HTTPS) for all authentication pages, forms, and all pages that display or transmit personal data
- Restrict communication ports to those strictly necessary for the applications to operate correctly
- Restrict access to administration interfaces and tools to authorized persons only
- Limit the number of components used and update them regularly.
In addition to these recommendations, the CNIL draws attention to the need not to transmit personal data in a URL, to use secure protocols and services, not to use servers as workstations, not to use generic accounts and, above all, not to place databases on a server that can be reached directly from the Internet.
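Several of the points above (TLS on every page that carries personal data, no personal data in a URL, and protecting the cookies that identify a user) are decisions a web application makes on every request. The block below is an added example, not code from the article or the CNIL, showing those decisions as plain functions over a request object shaped like Node’s `http` request; the list of personal-data field names, the `/forms/` path convention and the assumption that `X-Forwarded-Proto` comes from your own reverse proxy are all illustrative.

```javascript
// Added example, not the article's or the CNIL's code: request-handling decisions that
// apply the points above (TLS everywhere, no personal data in URLs, protected cookies).
// The field list, the "/forms/" path convention and the request shape are assumptions.

// Form field names treated as personal data for this demo; a real list comes from
// your own data-collection forms.
const PERSONAL_FIELDS = new Set(["email", "name", "firstname", "lastname", "phone", "address", "password"]);

// Response headers sent with every HTTPS response. HSTS is the usual companion of
// "implement TLS": it stops browsers from ever retrying plain HTTP for this host.
function securityHeaders() {
  return { "Strict-Transport-Security": "max-age=31536000; includeSubDomains" };
}

// Session cookie attributes: Secure (sent over TLS only), HttpOnly (no script access),
// SameSite=Lax (not sent on cross-site POSTs).
function sessionCookie(value) {
  return `session_id=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// `req` is a plain object { method, url, headers: { host, "x-forwarded-proto"? }, secure }
// mirroring the fields a Node http request exposes. `secure` is true when TLS terminates
// in this process; the X-Forwarded-Proto header must only be trusted behind your own
// reverse proxy, which is assumed here.
function decide(req) {
  const isHttps = req.secure === true || req.headers["x-forwarded-proto"] === "https";
  if (!isHttps) {
    // Plain HTTP is never served: redirect before any personal data can be exchanged.
    return { action: "redirect", status: 301, location: `https://${req.headers.host}${req.url}` };
  }
  const url = new URL(req.url, `https://${req.headers.host}`);

  // Personal data must not travel in the URL: query strings end up in server logs,
  // browser history and Referer headers. Reject rather than silently process.
  for (const key of url.searchParams.keys()) {
    if (PERSONAL_FIELDS.has(key.toLowerCase())) {
      return { action: "reject", status: 400, reason: `personal data field "${key}" in URL` };
    }
  }
  // Data-collection forms are only accepted as POST bodies (assumed path convention).
  if (url.pathname.startsWith("/forms/") && req.method !== "POST") {
    return { action: "reject", status: 405, reason: "forms must be submitted with POST" };
  }
  return { action: "serve", status: 200, headers: securityHeaders() };
}

// Demo on constructed requests.
const host = "shop.example";
console.log(decide({ method: "GET",  url: "/account",               headers: { host }, secure: false }));
console.log(decide({ method: "GET",  url: "/search?email=a%40b.fr", headers: { host }, secure: true }));
console.log(decide({ method: "GET",  url: "/forms/newsletter",      headers: { host, "x-forwarded-proto": "https" }, secure: false }));
console.log(decide({ method: "POST", url: "/forms/newsletter",      headers: { host }, secure: true }));
```

Rejecting a request that carries a personal-data field in its query string is deliberate: a silent redirect to the POST endpoint would already have written the value into the access log, which is exactly what the CNIL’s warning about URLs is meant to prevent. The other CNIL points (restricting ports, non-generic accounts, keeping the database off the Internet-facing server) are infrastructure settings rather than application logic and are not covered by this block.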
By complying with these obligations, you meet the requirements of the GDPR and the CNIL’s guidelines on transparency and security, and you build the confidence of your site’s visitors and users, which can only benefit your business.