GDPR compliant website: everything you need to know

Making your website GDPR-compliant has become a priority. Not complying with the regulation can expose you to heavy penalties. What is the GDPR? Why make your site GDPR-compliant? And how? We explain everything.

What is the GDPR?

GDPR stands for General Data Protection Regulation. It's a European regulation adopted by the European Parliament in 2016. The regulation came into force in 2018. Its goal is to protect the personal data of European Union citizens.

The GDPR applies to every website that collects personal data. To be GDPR-compliant, a website must follow certain rules about the collection, processing and protection of personal data.

The GDPR applies to the personal data of any natural person located in the European Union. Personal data can be collected via an online form, a cookie or a log file.

Why make your website GDPR-compliant?

The benefits of a GDPR-compliant website for users and businesses.

GDPR compliance: what are the benefits for users?

GDPR compliance allows users to better control their personal data. GDPR-compliant websites must inform users of how their data will be collected, used and stored. Users then have the option to give or refuse their consent for data collection and use.

In addition, GDPR compliance allows users to access their personal data and to request its correction or deletion. Users can also request that their personal data no longer be processed.

GDPR compliance: what are the benefits for businesses?

GDPR compliance lets companies benefit from a better image with users. Consumers are increasingly aware of personal data protection, and companies that respect the GDPR are seen as more trustworthy.

GDPR compliance also allows companies to manage personal data better. They must put procedures in place to collect, process and store user personal data securely.

Penalties for non-compliance with the GDPR

If your website is not GDPR-compliant, you face penalties. Penalties can be civil or criminal.

Civil penalties are issued by the CNIL (French data protection authority); they can reach up to 20 million euros or 4% of your company's worldwide annual turnover.

Criminal penalties are handed down by the courts. Criminal penalties can reach up to 2 years of imprisonment.

To avoid penalties, you must make sure your website is GDPR-compliant. You must also make sure your service providers (host, e-commerce provider, etc.) are also GDPR-compliant.

How can you tell if a website is GDPR-compliant?

The mandatory information to find on a site

1 — The identity of the data controller on the site or of the DPO

The data controller on the site or the DPO (Data Protection Officer) is a natural or legal person in charge of implementing and monitoring measures to protect personal data. This officer is designated by the data controller under Article 37 of the General Data Protection Regulation (GDPR).

2 — The type of data collected

Collected data can be classified in 3 categories:

- identification data, which lets you identify a user.

- contact data, which lets you contact a user.

- navigation data, which lets you track a user's browsing habits.

Users must be informed of the type of data collected when they visit a GDPR-compliant website. This information must be clear and accessible so that users can be aware of the processing of their personal data.

3 — The purposes for which the data is processed

The website must inform users of the purposes for which data is processed. It must specify the purposes for which data is collected and processed. Those purposes must be defined at the moment of data collection.

4 — The legal basis that justifies processing

The GDPR allows sites to process personal data in specific cases. You must inform the user what gives you the right to collect and process the data.

5 — The recipients who collect and process the data

Your site must inform users about any third parties that may collect and process the data.

6 — Data transfers outside the European Union

The GDPR applies to data transfers outside the European Union when personal data is collected by a company or organization located in the EU. That data can then be transferred to a third country (outside the EU) for storage or other processing.

To comply with the GDPR, companies and organizations must take appropriate measures to ensure the protection of personal data transferred outside the EU. Without appropriate measures, data transfers outside the EU are not allowed.

7 — Data retention period

The GDPR states that personal data must only be kept for as long as necessary to achieve the purposes for which it was collected. Once those purposes are reached, the data must be deleted or anonymized. Companies and organizations must also inform the individuals concerned of the retention period of their personal data.

8 — The user's rights

Your site must mention that the user has the right to refuse collection and the right to access, correct and delete their data.

9 — The right to file a complaint with the CNIL

Your site must mention that the user has the right to file a complaint with the CNIL regarding the collection and management of their data.

10 — Cookies

To comply with the GDPR, your website must inform visitors that it uses cookies and obtain their consent to install them. This can be done, for example, via a mention in the site's terms of use or via an information banner shown on the first visit.

The site must also let users withdraw their consent at any time and delete cookies already installed on their computer or mobile device.
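As an added example (not code from the original article or from the Scroll agency), here is a minimal consent gate for the cookie requirement described above: non-essential cookies are only written after consent, and withdrawing consent also removes those already installed. The cookie jar is abstracted so the same logic runs against document.cookie in a browser or against a plain object offline; the cookie names _ga, _gid and ads_id are constructed placeholders.

```javascript
const CONSENT_COOKIE = "cookie_consent";          // first-party, strictly necessary
const NON_ESSENTIAL = ["_ga", "_gid", "ads_id"];  // constructed sample names

// Jar backed by a plain object: a test double with the same interface as the browser jar.
function memoryJar(initial = {}) {
  const jar = { ...initial };
  return {
    get: (name) => jar[name],
    set: (name, value) => { jar[name] = value; },
    remove: (name) => { delete jar[name]; },
    names: () => Object.keys(jar),
  };
}

// Jar over document.cookie (browser only; not exercised offline).
function browserJar() {
  const parse = () => Object.fromEntries(
    document.cookie.split("; ").filter(Boolean).map((kv) => {
      const i = kv.indexOf("=");
      return [kv.slice(0, i), decodeURIComponent(kv.slice(i + 1))];
    }));
  return {
    get: (name) => parse()[name],
    set: (name, value) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
    },
    // Max-Age=0 expires the cookie; path and domain must match the original cookie,
    // and HttpOnly cookies cannot be removed from script at all (server must expire them).
    remove: (name) => { document.cookie = `${name}=; Max-Age=0; path=/`; },
    names: () => Object.keys(parse()),
  };
}

function hasConsent(jar) { return jar.get(CONSENT_COOKIE) === "granted"; }

function grantConsent(jar) { jar.set(CONSENT_COOKIE, "granted"); }

// Withdrawal records the refusal and deletes every non-essential cookie found.
// Returns the number of cookies removed.
function withdrawConsent(jar) {
  jar.set(CONSENT_COOKIE, "denied");
  let removed = 0;
  for (const name of jar.names()) {
    if (NON_ESSENTIAL.includes(name)) { jar.remove(name); removed++; }
  }
  return removed;
}

// Gate: a non-essential cookie is written only while consent stands.
function setNonEssentialCookie(jar, name, value) {
  if (!hasConsent(jar)) return false;
  jar.set(name, value);
  return true;
}
```

Essential cookies such as a session identifier are left untouched by withdrawal, which is why only the listed names are removed.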

Where to find this information on the site?

To ensure your site's GDPR compliance, you'll need to put in place a privacy and cookie policy that meets GDPR requirements. You'll also need to make sure your terms of use and all other legal notices on your site are GDPR-compliant. In general, links to these pages are found in the footer of websites.

How do you make your website GDPR-compliant?

The simplest approach is to build a GDPR-compliant website from the start. If your site already exists and isn't, or is no longer, compliant, don't panic: the principle is the same, you simply need to act quickly.

1 — Your site must inform users of the purpose for which their personal data is being collected.

2 — You must obtain users' consent before collecting their personal data.

3 — Your site must only collect the data necessary for the purpose for which it is collected.

4 — You must process personal data in a legal, fair and transparent manner.

5 — You must keep personal data only for the period necessary for the purpose for which it is collected.

6 — You must protect personal data from any risk of loss, unlawful use, modification, disclosure or unauthorized access.

Remember, in every case, if you collect personal data on your website, you must make sure you comply with GDPR rules.

Scroll, a no-code agency building GDPR-compliant websites

Need to build a website? The Scroll agency is here for you. Our team of no-code experts builds GDPR-compliant websites daily across every type of sector. Thanks to our Webflow expertise, we create tailor-made solutions that meet your expectations. If you have a website creation or redesign project, don't hesitate to reach out.

Published by Scroll Team