GDPR is coming on the 25th of May. It is a European regulation that was approved 2 years ago and applies to European companies and to global companies that record personal information about European citizens. Companies that are not compliant with GDPR after the 25th of May 2018 risk a fine of 4% of annual turnover or 20 million euros, whichever is higher.

Don't panic: in all likelihood, to get that fine you would have to be using the personal data of your visitors illegally and/or inappropriately, and be refusing every request to comply.

Even if the risk remains limited, we should all pay attention to this regulation, which protects our personal data, whether as a user of a service or as a business owner. To help you, here are 5 quick fixes you should consider for your website to show that you are doing something to become GDPR compliant.

Cookie Banner

1. Add a Cookie Banner

The current European e-Privacy Directive of 2002 (e-Privacy Directive) recognizes that tracking and functional cookies are necessary for the improvement and operation of a website and allows implied consent, but the user must be informed.

With GDPR, at the very least, you should include a cookie banner on your website. If you use marketing cookies (Display Ad Networks, Remarketing, Marketing Automation etc.) on your website, these may only be set after the user has given consent.

Example of a valid mention in a cookie banner: "This website uses cookies to ensure you get the best experience, learn more". And a button: 'I accept cookies'.

Example of a valid mention in a cookie banner if you collect personal data for digital marketing purposes: "This website uses cookies to ensure you get the best experience. The data collected is used for our own marketing purposes. Learn more". And 2 buttons: 'I accept cookies' & 'I refuse cookies'.

Ideally, you should give the user an opportunity to decide what kind of cookies they wish to allow. It is also worth noting that withdrawing consent must be just as easy as giving it. In the example above, this is guaranteed by a link to the cookie settings in the footer of each page.
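How the accept/refuse buttons and the footer withdrawal link fit together in code, as an added example that is not part of the original post. It assumes one first-party cookie named cookie_consent holds the decision, that your marketing tags set the (constructed) first-party cookies listed in MARKETING_COOKIES, and that loadMarketingTags is your own function that injects the ad-network scripts.

```javascript
// Consent gate for marketing tags (added example; not code from the original post).
// The decision lives in one first-party cookie, and ad/remarketing scripts are
// injected only after an explicit "I accept cookies" click. Cookie names are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const MARKETING_COOKIES = ['_fbp', '_gcl_au']; // constructed list of first-party cookies your tags set

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// 'accepted', 'refused', or null when the visitor has not decided yet.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accepted' || value === 'refused' ? value : null;
}

// Only an explicit "accepted" unlocks marketing tags; no decision is not consent.
function marketingAllowed(cookieString) {
  return consentState(cookieString) === 'accepted';
}

// Cookie string to assign to document.cookie when a banner button is clicked.
function consentCookie(decision) {
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawal (the footer "cookie settings" link): expire the consent cookie and
// every known marketing cookie, so undoing consent is as easy as giving it.
function withdrawalCookies() {
  const expire = (name) => `${name}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
  return [expire(CONSENT_COOKIE), ...MARKETING_COOKIES.map(expire)];
}

// Page-load logic: show the banner, load marketing tags, or keep them blocked.
// loadMarketingTags is a hypothetical callback that injects the ad-network scripts.
function onPageLoad(cookieString, loadMarketingTags) {
  const state = consentState(cookieString);
  if (state === null) return 'show-banner';
  if (state === 'accepted') { loadMarketingTags(); return 'marketing-loaded'; }
  return 'marketing-blocked';
}
```

Only first-party cookies can be expired from your own page; cookies set on an ad network's domain stop being refreshed simply because its script is no longer loaded.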

2. Adapting Forms

Each form field should only exist if it is clearly necessary. If this is not the case, explain the necessity or remove unnecessary fields. Take a minimalist approach and collect only what is absolutely necessary.

Ensure that every form includes a link directly to the Privacy Policy.

The user must be able to find out what happens to his or her data before submitting the form, including why, where and for how long the data is stored.

Forms containing personal information may only be transmitted over an encrypted connection. Avoid the GET method, as it places the form data in the URL, which is then stored in analytics tools and log files.

The information collected by means of a form may only be used for the purpose agreed to by the user when filling in the form. For example, you may not automatically use the e-mail address for e-mail marketing if it was included in an order form.

Alternatively, you can also completely remove the form and replace it with an e-mail link and/or a telephone number.

Google anonymizeIP

3. IP Address Anonymization in Analytics Tools

Activate IP anonymization in your analytics suites. In Google Analytics, you cannot see the IP address of a visitor, but it is stored on Google's servers during tracking. This can be prevented by enabling IP anonymization.

In Google Analytics, this is set up in the tracking code by adding ga('set', 'anonymizeIp', true).

Code:

ga('set', 'anonymizeIp', true); // place this before ga('send', 'pageview') so it applies to the hit
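The same truncation Google documents for anonymizeIp (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) applied to the client address of your own server log lines, so the log files mentioned under point 2 get the same treatment as the analytics data. This is an added example, not code from the post or from Google; the log line is constructed.

```javascript
// Added example (not from the original post): IP truncation matching what Google
// documents for anonymizeIp, applied to server log lines. IPv4: last octet zeroed;
// IPv6: last 80 bits (five 16-bit groups) zeroed. IPv4-mapped IPv6 is rejected.
function anonymizeIp(ip) {
  if (!ip.includes(':')) {
    const octets = ip.split('.');
    if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
      throw new Error(`invalid IPv4 address: ${ip}`);
    }
    octets[3] = '0';
    return octets.join('.');
  }
  // Expand "::" to eight groups, then keep only the first three (48 bits).
  const parts = ip.split('::');
  const h = parts[0] ? parts[0].split(':') : [];
  const t = parts[1] ? parts[1].split(':') : [];
  const ok = parts.length === 1 ? h.length === 8 : parts.length === 2 && h.length + t.length <= 7;
  const groups = [...h, ...Array(Math.max(0, 8 - h.length - t.length)).fill('0'), ...t];
  if (!ok || groups.some(g => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const kept = groups.slice(0, 3).map(g => g.replace(/^0+(?=.)/, '').toLowerCase());
  while (kept.length && kept[kept.length - 1] === '0') kept.pop(); // compress trailing zeros
  return kept.join(':') + '::';
}

// Apache/nginx "combined" format starts with the client address; replace only that field.
function anonymizeLogLine(line) {
  const sp = line.indexOf(' ');
  return sp < 0 ? anonymizeIp(line) : anonymizeIp(line.slice(0, sp)) + line.slice(sp);
}

// Constructed sample log line.
const SAMPLE_LOG = '203.0.113.45 - - [25/May/2018:10:00:00 +0000] "POST /contact HTTP/1.1" 200 512';
```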

4. Update Privacy Policy

The data controller has to provide information clearly and unambiguously in a language comprehensible to the user about the storage and use of any personal information that is collected.

Among other things, the following points must be reported:

  • What information is collected?
  • Who collects this data?
  • How is this data collected?
  • Why is this data collected?
  • How is the data used/processed?
  • With which third-party entities and for what purpose is the data shared?
  • Is the data leaving the country?

5. Review/Remove Third-Party Content

Content loaded from external sources while the browser renders the website reveals the visitor's IP address to that source. For pages that use cookies, additional information can also be sent to the third-party server.

As the website owner and data controller, it is your responsibility to determine which third-party entities have access to personal information.

Any sources that are kept need to be included in the data protection agreement and, in some cases, when information is collected for targeting by the third-party provider, explicit user consent is also required.
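A way to build the inventory of third-party entities this section asks for, as an added example that is not part of the original post: it lists every external host a page's markup makes the browser contact, which is exactly the set of parties that receive the visitor's IP address. The site host and the HTML snippet are constructed; rel="canonical" links will also show up and can be discarded by hand.

```javascript
// Inventory of third-party hosts a page loads (added example, not from the original post).
// Each host listed receives the visitor's IP address on every page view; compare the result
// against your privacy policy and data protection agreements.
const SITE_HOST = 'www.example.com'; // assumption: your own site

// Elements whose src/href makes the browser fetch from another server.
const RESOURCE_ATTR = /<(?:script|img|iframe|link|video|audio|source|embed)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function thirdPartyHosts(html, siteHost = SITE_HOST) {
  const hosts = new Set();
  for (const match of html.matchAll(RESOURCE_ATTR)) {
    const url = match[1].trim();
    // Relative paths stay on your origin; absolute and protocol-relative (//cdn...) URLs may not.
    if (!/^(https?:)?\/\//i.test(url)) continue;
    let host;
    try { host = new URL(url, `https://${siteHost}/`).hostname; } catch { continue; }
    if (host !== siteHost) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample markup mixing first-party and third-party resources.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/js/app.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<img src="https://www.example.com/logo.png">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
`;
```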

Wrapping up

Nobody can be certain about the impact of GDPR at the time of writing. However, we all agree that it is not something to ignore. Should you need some help to push these quick fixes to your website, please let us know.