
How to secure ongoing GDPR compliance


The General Data Protection Regulation (GDPR), adopted in 2016 and applicable since 25 May 2018, is one of the most important reforms of privacy regulation in Europe in the last 20 years. Its goals are to harmonise data protection law across the EU, to protect the personal data of people in Europe and to give them more rights and control over their own data.

Online businesses depend on a constant stream of data: to improve the user experience on the website, to retarget visitors and customers, or to generate personalised ads. Under the GDPR, however, website users must give clear consent before such data is collected, and they must be informed how the data is collected and handled. The privacy policy therefore needs to be accessible and easy to understand, so that users know what data will be collected and for which purpose before they agree to the terms of service. Failure to comply with the GDPR can result in heavy fines and legal proceedings.

There are many aspects of the law that website operators across Europe need to take into account, which can get quite complicated, and not every company can afford a GDPR specialist. The following tips therefore give a first impression of how your business and website can become more compliant with European data protection law on an ongoing basis. This guide does not contain legal advice; it tries to establish a basic understanding of the GDPR requirements.

1. Know the terminology

Before you try to make your website GDPR compliant, you should have a basic understanding of the terminology.

Personal data

Personal data is any information that can identify a person, either directly or in combination with other collected data. Examples are e-mail addresses, IP addresses (which reveal the approximate location of a user), names, income, religion and personal pictures. Behaviour on the website is personal data too, since cookies can track browsing activity across multiple websites (e.g. which content the user scrolls past or clicks on).

Privacy policy

The privacy policy describes what kind of data you collect from your users and how that data is further handled. It should also describe how the personal data is kept private and who has access to it. The privacy policy should be easy to find and easy to understand for the users of the website.

Data processor and controller

The data controller is the natural or legal person, public authority or other body that determines the purposes and means of processing personal data. The data processor is the person or body that processes the data on behalf of the controller, for example a hosting provider or an analytics vendor. Software is never the controller or the processor; the organisation running it is, and it remains responsible for what the software does with the data.

GDPR Compliance

What does it actually mean to be GDPR compliant? Compliance can look different depending on the business, the organisation, its users and the kind of data. In general, however, a company or individual that collects personal data must implement specific technical and organisational measures so that the data is handled, processed and stored securely, and must design its processing so that data protection is the default rather than an option.


2. Modify your website to meet the current data protection regulation

When the GDPR became enforceable in May 2018, most website operators had the same question: how can I make my website compliant? The following steps will make your website more compliant with the regulation.

Have an opt-in and an opt-out option on your website

Have a form on your website that is clearly visible to the user and that informs them about the data collection and processing on the site. Most websites use a cookie popup that contains a consent form. Consent must be active: nothing may be collected until the user has opted in, and pre-ticked boxes do not count. It must also be easy for the user to withdraw permission for the collection of personal data later on, commonly known as the "opt-out" option.

List all third-party tracking software

Many websites use third-party programs to analyse the collected data. Have a section in your privacy policy or in the cookie banner that lists and describes the third-party tracking software used on the website. The website must also state clearly for which parties consent is being granted, and whether there are exceptions.

Make it easy for your users to withdraw permission, especially in e-mail marketing

Withdrawal of permission for data processing can be difficult to implement without disrupting the user experience. Under the GDPR, however, withdrawing consent must be as easy as giving it. One way companies tackle this is to list the specific purposes the data may be used for (e.g. personalised ads, behaviour tracking, a personalised experience on the website), each of which the user can accept or decline separately. This is mostly implemented through cookies. Newsletter subscribers must likewise be able to opt out of your mailing list at any time. If the unsubscribe option is not clearly marked in your e-mails, or is missing altogether, it can result in heavy fines.
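As an added example (not code from the original article), here is how the consent handling described above can be modelled in the browser: a record that starts with nothing granted, one call each to grant and to withdraw a purpose, a filter that decides which third-party scripts may load, and a check that consent given for an older version of the privacy policy is not silently reused. The purpose names, the third-party list and the cookie format are assumptions made for this example.

```javascript
// Added example, not code from the original article. Models the consent
// handling described above for a site's cookie banner. Purpose names, the
// third-party list and the cookie format are constructed for illustration.

// Purposes a visitor can accept or decline separately (assumed names).
const PURPOSES = ['analytics', 'personalised_ads', 'behaviour_tracking'];

// Constructed list of the kind the privacy policy must disclose: which vendor
// loads which script, and for which purpose consent is needed.
const THIRD_PARTIES = [
  { name: 'Example Analytics', purpose: 'analytics', script: 'https://analytics.example/tag.js' },
  { name: 'Example Ads', purpose: 'personalised_ads', script: 'https://ads.example/pixel.js' },
  { name: 'Example Heatmaps', purpose: 'behaviour_tracking', script: 'https://heat.example/record.js' },
];

// A fresh record grants nothing: consent must be opted into, never pre-ticked.
function createConsentRecord(policyVersion, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = { granted: false, at: null };
  return { policyVersion, updatedAt: now, purposes };
}

function setPurpose(record, purpose, granted, now = Date.now()) {
  if (!(purpose in record.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  record.purposes[purpose] = { granted, at: now };
  record.updatedAt = now;
  return record;
}

// Granting and withdrawing are the same single call, so withdrawal is never
// harder than the original opt-in.
const grant = (record, purpose, now) => setPurpose(record, purpose, true, now);
const withdraw = (record, purpose, now) => setPurpose(record, purpose, false, now);

function isAllowed(record, purpose) {
  const entry = record.purposes[purpose];
  return Boolean(entry && entry.granted);
}

// Only scripts whose purpose has explicit consent may be injected into the page.
function allowedTrackers(record, thirdParties = THIRD_PARTIES) {
  return thirdParties.filter((tp) => isAllowed(record, tp.purpose)).map((tp) => tp.script);
}

// Serialise for a cookie. The timestamps are the evidence of when consent was
// given and when it was withdrawn, so they are stored with the choices.
function serialize(record) {
  return encodeURIComponent(JSON.stringify(record));
}

// A stored record only counts for the policy version the visitor actually saw;
// after a policy change, start again with nothing granted.
function parse(cookieValue, currentPolicyVersion) {
  try {
    const record = JSON.parse(decodeURIComponent(cookieValue));
    if (record.policyVersion !== currentPolicyVersion) {
      return createConsentRecord(currentPolicyVersion);
    }
    return record;
  } catch (err) {
    return createConsentRecord(currentPolicyVersion);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { PURPOSES, THIRD_PARTIES, createConsentRecord, grant, withdraw, isAllowed, allowedTrackers, serialize, parse };
}
```

Wire `allowedTrackers` to whatever injects the vendor tags and re-run it whenever the record changes, so a withdrawal takes effect on the next page load. The reason the record keeps timestamps is evidentiary: when a supervisory authority asks, you can show when consent was given and when it was withdrawn.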

3. GDPR-compliant use of Google Analytics

Google Analytics is by far the most widely used website tracking tool and gives its users unique insight into the behaviour of their website visitors. But is Google Analytics compliant with the GDPR?

There are some simple steps you can take to make your use of Google Analytics compliant. Google Analytics registers every visitor with a unique identifier stored in a cookie (the client ID) in order to report the total number of visitors (e.g. new or returning), their behaviour (e.g. through which pages a visitor converts; bounce rate) and their interaction with the website. Analytics can also segment users by age, gender and sometimes even income. All of this is considered personal data under the GDPR, since it can potentially identify an individual. The full extent of the data collected by Google Analytics is difficult to establish, however, as Google constantly develops and changes the tool.

Google states in its EU user consent policy that website owners are responsible for disclosing that Google Analytics is used on the website, for obtaining consent from end users in the European Union and for specifying the purpose of the data collection. Google thus shifts responsibility for meeting the data protection requirements onto the website owner. The following tips help you stay compliant with the GDPR while using Google Analytics.

Turn on IP anonymization

An IP address counts as personal data under the GDPR. Google uses the visitor's IP address to generate geographical reports, so anonymising it reduces the accuracy of your geo data; that is the price of the setting. In Universal Analytics you enable it by passing the following parameter in the gtag.js configuration call (GA_MEASUREMENT_ID is the placeholder for your own property ID):

gtag('config', 'GA_MEASUREMENT_ID', { 'anonymize_ip': true });

Sites still using the older analytics.js library set the equivalent flag with ga('set', 'anonymizeIp', true);. Once the parameter is set, Google truncates the IP address shortly after it is received and before it is stored: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero. Note that the full address is still transmitted to Google; the truncation happens on Google's side. In Google Analytics 4 this truncation is always on and there is no setting to configure.
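To make the effect of the setting concrete, the following added example (not part of the original article and not Google's code) re-implements the truncation rule Google documents for anonymize_ip: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are replaced with zeros. The sample addresses are constructed from the documentation ranges; running the function over your own access-log addresses shows exactly what Google would keep.

```javascript
// Added example, not code from the original article or from Google. It
// re-implements the truncation Google documents for the anonymize_ip setting
// (last IPv4 octet and last 80 IPv6 bits set to zero) so the effect is visible.

function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  octets[3] = '0'; // drop the host part: 256 addresses now share one value
  return octets.join('.');
}

// Expand "::" shorthand to eight 16-bit groups so the bit positions are explicit.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) throw new Error(`not an IPv6 address: ${ip}`);
  // Normalise: lower-case, leading zeros removed, one digit kept for all-zero groups.
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, ''));
}

// 80 bits are the last five 16-bit groups; only the /48 prefix (three groups) survives.
function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i += 1) groups[i] = '0';
  return groups.join(':');
}

function anonymizeIP(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip.trim()) : anonymizeIPv4(ip.trim());
}

// Constructed sample addresses (documentation ranges), as they might appear in an access log.
const SAMPLE_ADDRESSES = ['203.0.113.42', '198.51.100.7', '2001:db8:85a3::8a2e:370:7334', '::1'];

function anonymizeAll(addresses = SAMPLE_ADDRESSES) {
  return addresses.map((ip) => ({ original: ip, anonymized: anonymizeIP(ip) }));
}

if (typeof module !== 'undefined') {
  module.exports = { anonymizeIPv4, anonymizeIPv6, anonymizeIP, anonymizeAll, SAMPLE_ADDRESSES };
}
```

For IPv4 the rule collapses 256 addresses into one value, so a visitor can no longer be singled out by address alone while city-level geo reports stay roughly usable; for IPv6 only the 48-bit prefix, typically the ISP or site allocation, remains. Keep in mind that the truncation runs on Google's servers after the complete address has arrived, so the setting reduces what is stored, not what is transmitted.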

Check the pseudonymisation settings of Google Analytics

Google Analytics already has measures in place to prevent the identification of a single user, and Google's terms prohibit sending it personally identifiable information. You should nevertheless check that the following points are in order.

User ID: If you use the User-ID feature, make sure users are identified by an opaque string of numbers or letters and not by an e-mail address or username in plain text.

Transaction ID: Combining a transaction ID with other data sources in the account can potentially identify an individual. Make sure the ID is a random alphanumeric identifier rather than, say, a sequential order number that maps directly to a customer record in your shop system.

Hashed data: Identifiers derived from e-mail addresses or phone numbers are still personal data if the hash can be reversed or matched. Avoid sending such data to Google Analytics at all where you can. Where you do need a derived identifier, Google requires a hash of at least SHA-256 strength and recommends a salt of at least 8 characters; keep the salt secret, because an unsalted hash of a known e-mail address can simply be recomputed and matched.

Check your URLs and page titles

If a URL contains a query-string parameter such as email=, you are most likely transmitting personal data to Google Analytics and to other marketing tools on the website, since the full page URL and title are recorded with every page view. Check your page titles and URLs (especially on form submission and "thank you" pages) to ensure that no personal data ends up in them.

4. Other measures for ongoing compliance

Besides the technical aspects, the following measures are important to establish ongoing compliance with the GDPR.

  • Appoint someone in the company who is responsible for data protection and for a regular check-up of GDPR compliance.
  • Document and record all your GDPR compliance measures and keep the submitted consent forms as evidence.
  • Assess your data protection measures regularly.
  • Train employees to foster an understanding of GDPR-compliant collection and use of personal data.

Summary

Even though the hype around the GDPR has decreased significantly since the regulation was adopted in 2016, it should not be forgotten or ignored. Different measures can be taken in a company, and they result in different levels of compliance; it is up to each website owner how thoroughly they implement the GDPR requirements. Following the tips above gets you one step closer to being GDPR compliant.

Content writer in English & German for Morning Train. Morning Train is a digital full-service web agency based in Odense, Denmark. Morning Train creates, designs and advertises websites for international clients.