Inspiration

How to prepare your website for GDPR

15 minutes

Article content

  1. What is GDPR?
  2. Processing of personal data
  3. How does GDPR affect web design?

What is GDPR?

GDPR (General Data Protection Regulation) is the General Data Protection Regulation. It comes into effect on 25 May 2018 and applies not only to entities based in the European Union, but to all entities that process personal data of EU citizens. The GDPR unifies the legal framework for the protection of personal data in the EU environment and extends the principles and principles of personal data protection with new rights and obligations.

Processing of personal data

Personal data is, for the purposes of the GDPR, any information that leads to the identification of a specific person. In addition to data such as name, gender or email, this includes information such as IP address, pages visited or goods purchased in the e-shop.

In order to process personal data, you must fulfil at least one of the legal titles. The most commonly used titles include:

  • legitimate interest, where the law allows, in a certain situation (for example, after the conclusion of a purchase contract), to assume that the person consents to the use of personal data,
  • performance of a contract where the processing of personal data is necessary for the performance of contractual obligations,
  • the consent of the visitor whose personal data you are processing.

If you are authorised to process personal data on the basis of legitimate interest or performance of a contract, obtaining consent is unnecessary. It is sufficient to inform the visitor about the processing of personal data. You should only request the data you need and for a period of time that is appropriate to the purpose of the processing.

How does GDPR affect web design?

Privacy Policy page

For every website, you need to set up a page that informs visitors how you handle their personal data. The page must contain all the information listed in Articles 13 and 14 of the GDPR. It should describe all instances in which personal data is processed, for example the use of cookies and the processing of data from web forms for websites.

The information on the processing of personal data must be written in clear and understandable language, without legalese, and be easily traceable. This means that a link to the Privacy Policy must be part of the cookie bar and all forms. The visitor should receive the information no later than the moment you collect their personal data, so you must refer to it when:

  • contract negotiation or order confirmation,
  • consent to the collection of cookies,
  • consent to the processing of personal data,
  • in the Terms and Conditions (the Privacy Policy must be outside the Terms and Conditions, but include a provision in the Terms and Conditions that the processing of personal data is governed by the Privacy Policy).

In order to be able to prove what information the visitor has had the opportunity to see, you need to keep the version of the consent that the visitor has agreed to. For example, if you change the period for which you keep personal data on a contact form, you must record the period of time for which a particular visitor has consented to the processing of the data.

Cookie notifications in "opt-in" mode

Cookies are short text files that describe visitor behaviour on a website. The server sends them to the user's computer when the website is loaded. Until now, it has been sufficient for the visitor to receive clear and complete information about the purposes of the processing and to have the option to refuse. The GDPR requires a switch from opt-out to opt-in mode, meaning that the user must first agree to the use of cookies on the website before cookies can be collected and used. At the same time, it is not possible to pre-fill the checkboxes for requests for consent to the use of cookies.

Only functional cookies that are necessary for the basic functions of the website and make it easier to navigate the site can be collected without consent. In this case, the use of cookies can be classified as a legitimate interest of the administrator and therefore no consent is required. Users must also be informed of this use in the Privacy Policy. Cookies for analytical and marketing purposes and cookies for linking the user to social networks must remain optional.

Consent to collect cookies must be:

  • freely given: the visitor must not be forced to consent and the fields must not be pre-filled,
  • unambiguous and specific: consent must be given separately for each separable purpose,
  • informed: at the time of giving consent, the visitor should have all relevant information in a clear and understandable form.

You must be able to change your cookie settings at any time. You can do this, for example, by using the link in the footer to bring up the cookie bar again.

Example of a GDPR-compliant cookie bar. Remember that the texts must always be adapted for your purposes.

Tip: Recommendations for discussion from the Data Protection Authority

On Tuesday 22 May 2018, the Office for Personal Data Protection issued its recommendation. In its benevolent interpretation, it states that the user determines in the settings of his/her PC, or in the browser settings, whether the browser should allow the website to store cookies on the end device. This setting can be regarded as consent to the processing of personal data. 

In such a case, the administrator fulfils an information obligation, i.e. provides information on the extent to which and for what purpose the personal data will be processed, who will process the personal data and in what way, and to whom the personal data may be made directly accessible. The use of a pop-up window or bar only cannot always be recommended as it annoys the user. More information can be found on the website of the The Office for Personal Data Protection.

Working with GDPR compliant forms

For forms, it is necessary to distinguish for which purposes the data from the form is used.

Order forms

In this case, you use the personal data for the performance of the contract. You need to obtain the visitor's consent to the terms and conditions and inform them about the processing of personal data by referring to the Privacy Policy page. However, it is illegal to obtain consent that cannot be withheld, so it is not possible to include the Privacy Policy in the Terms and Conditions.

The creation of an order also creates a legitimate interest. This enables you to use the contacts thus obtained to send marketing communications.

Sample order form in accordance with GDPR. Remember that the text must always be adapted for your purposes.

Contact form

You need the personal data on the contact form to process the visitor's enquiry, so it is not possible to request consent, but you must inform the visitor about the processing of personal data and refer them to the Privacy Policy. If you want to use the contact to send marketing communications afterwards, you must first obtain consent.

Sample GDPR compliant contact form. Remember that the text should always be adapted for your purposes.

Newsletter

If it is clear from the context that the primary purpose of the newsletter sign-up form is to receive the newsletter, filling out the email may be considered consent. The GDPR does not explicitly specify how a visitor expresses consent.

According to the GDPR, the administrator is obliged to sufficiently verify the identity of the visitor. The appropriate and recommended form is a double opt-in confirmation. Compared to a single opt-in confirmation, it involves sending a confirmation email. The contact is only added to the database after confirmation, by clicking on the link in the confirmation email. If a user subscribes but does not confirm the email, their details should be deleted from the database within hours. Services like MailChimp and Smart Emailing support the double confirmation feature and have prepared their own instructions for these cases.
Example of a GDPR-compliant newsletter subscription. Remember that texts should always be adapted for your purposes.

Other forms

Web forms that collect personal data about website visitors must include a mandatory confirmation of consent to the processing of personal data. As with the newsletter, it is always necessary to clearly specify for which purpose the information will be processed and to obtain consent for each purpose.

As with cookies, consent to data processing must be freely given, unambiguous and specific and must be informed. In addition, it is necessary to record when and how consent was given.

Consent database and its management

The administrator must be able to demonstrate and prove the subject's consent to the processing of his or her personal data at any time during the period for which the processing takes place. Each website, or its administration system, should be equipped with a database and a module in which data on users and the exact wording of consent are clearly stored. Thanks to such a module, it is possible to provide evidence of the consent given or, on the contrary, to delete the personal data and withdraw the consent at the user's request.

Access to personal data must be restricted so that each employee has access only to the personal data he needs for his work. For example, an article editor or translator should not have access to the personal data database. Therefore, the system must have user rights that allow different levels of access to be set for different roles.

Period for the retention of personal data

For all cases of processing of personal data, it is necessary to determine the period of time for which you will keep and work with the personal data. Data must not be processed for an indefinite period of time. The storage period is determined by its purpose, if it is not possible to determine it specifically, you must specify the factors you will use to determine it. A week is sufficient to answer an enquiry, for an order you need to keep personal data for up to several years for possible claims or litigation.

Current contact database

If you are processing personal data on the basis of consent that does not meet the described GDPR conditions, you must obtain consent again. If you are unable to obtain this consent, you must delete all of the personal data. Sending newsletters to current customers can be classified as a legitimate interest, so in this case it is not necessary to obtain consent, but it is necessary, for example, to allow the customer to unsubscribe from the newsletter and add a link to the Privacy Policy in the header of the email.

Data security

In addition to the obligations explicitly specified by the GDPR, the GDPR also requires the application of general data protection principles. Data should be protected by adequate means, taking into account the specific context of the data processing, so that the risks of data leakage are minimal. Examples of appropriate security methods are encryption, pseudonymisation or the use of SSL certificates.

Control of third-party services

If the data you collect is processed by a third party, called a processor, you are also responsible for ensuring that your processor complies with the GDPR guidelines. This includes exports to third-party tools such as Google Analytics, Mailchimp or Raynet. Each case of personal data processing must be covered by a written contract or current processing contracts must be updated according to the new conditions. Most of these tools will modify their terms and conditions and will inform you of this.

Experience solidpixels for yourself

Find out how you can attract more clients online, present your business on a world-class level, and still optimize the cost of running a world-class website.

Number of employees

By submitting this form, you give your consent to Breezy, s.r.o. to process your data in order to respond to your enquiry. Along with this, we will introduce you via email and phone how solidpixels could be useful to you. You can withdraw your consent at any time.