The General Data Protection Regulation (GDPR) has revolutionized the way companies handle and protect personal data of European Union citizens. For websites, it has become mandatory to be GDPR compliant.

In this article, we will explore the fundamental steps to make a website GDPR compliant, ensuring that data collection and processing practices comply with the provisions of this regulation.

What does it mean to be GDPR compliant?

Being compliant with GDPR regulations means respecting a set of specific requirements regarding the collection, use, storage and protection of personal data.

These requirements include:

  • Obtaining explicit consent from users before collecting their data.
  • Informing users about how their data will be used.
  • Allowing users to access, modify or delete their data.
  • Protecting data from unauthorized access or breaches.

So how do you make your website compliant with these regulations? Here's the checklist of essential elements you should absolutely have:

  1. Cookie banner
  2. Privacy policy
  3. Cookie policy
  4. Data request forms and modules
  5. The choice of providers

1. Cookie banner

Figure: cookie banner on Robinson Pet Shop

The cookie banner is that rectangular window that opens as soon as we enter a new site. This banner is an important element because it informs the user that cookies are present on the site, their type (technical, statistical, marketing, etc.) and gives the user the option to accept or refuse their use.

Essentially, the cookie banner is a technical tool that performs the main function of informing the user and preventively blocking all cookies that are not technical. Therefore, if the user closes the banner window or decides not to accept cookies, the site must not release statistical, marketing, or profiling cookies, i.e., anything that is not strictly technical.
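The preventive blocking described above is, in practice, a small piece of client-side logic: every non-technical script is embedded in a form the browser will not execute, and only the categories the user has actually accepted are switched on. The following is an added example written for this article, not Avacy's banner code; the markup convention (scripts embedded with type="text/plain" and a data-cookie-category attribute), the button ids and the cookie name are all assumptions.

```javascript
// Added example, not Avacy's code: gate every non-technical script behind the
// user's banner choice. Hypothetical markup: third-party tags are embedded as
//   <script type="text/plain" data-cookie-category="statistics" src="..."></script>
// A browser ignores type="text/plain", so nothing runs until the placeholder is
// swapped for a real script element once its category has been consented to.

const CATEGORIES = ["technical", "statistics", "marketing", "profiling"];

// Default state before (or after refusing) the banner: technical only.
function defaultConsent() {
  return { technical: true, statistics: false, marketing: false, profiling: false };
}

// Sanitize a consent object from the banner or from the stored cookie: only known
// categories, only real booleans, and technical can never be switched off.
function normalizeConsent(raw) {
  const out = defaultConsent();
  if (!raw || typeof raw !== "object") return out;
  for (const c of CATEGORIES) {
    if (c !== "technical" && typeof raw[c] === "boolean") out[c] = raw[c];
  }
  return out;
}

// Decide which blocked scripts may run. A script with a missing or unknown
// category is treated as marketing, i.e. the most restrictive case.
function scriptsToActivate(tags, consent) {
  return tags
    .filter(tag => {
      const category = CATEGORIES.includes(tag.category) ? tag.category : "marketing";
      return consent[category] === true;
    })
    .map(tag => tag.id);
}

// Browser side: replace each allowed text/plain placeholder with a live script.
// Replacing the node is what makes the browser execute it.
function activateScripts(doc, consent) {
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const tags = blocked.map((el, i) => ({ id: i, category: el.dataset.cookieCategory, el }));
  for (const id of scriptsToActivate(tags, consent)) {
    const el = tags[id].el;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    live.dataset.cookieCategory = el.dataset.cookieCategory;
    el.replaceWith(live);
  }
}

// The decision itself is stored in a strictly necessary cookie (no consent needed)
// so the banner is not shown again; Secure and SameSite limit where it is sent.
function consentCookie(consent, days = 180) {
  const value = encodeURIComponent(JSON.stringify(normalizeConsent(consent)));
  return `cookie_consent=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored decision back; a missing cookie yields null, garbage yields the default.
function parseConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return null;
  try { return normalizeConsent(JSON.parse(decodeURIComponent(match[1]))); }
  catch { return defaultConsent(); }
}

if (typeof document !== "undefined") {
  // Hypothetical banner wiring: buttons with ids "accept-all" and "refuse".
  const stored = parseConsentCookie(document.cookie);
  if (stored) activateScripts(document, stored);
  const apply = consent => {
    document.cookie = consentCookie(consent);
    activateScripts(document, consent);
  };
  document.getElementById("accept-all")?.addEventListener("click", () =>
    apply({ technical: true, statistics: true, marketing: true, profiling: true }));
  document.getElementById("refuse")?.addEventListener("click", () => apply(defaultConsent()));
}
```

The important property is the default: with no stored decision, or after "refuse", scriptsToActivate only returns the technical scripts, so closing the banner without accepting never releases statistical, marketing or profiling cookies. A quick check that the gate works is to open the browser's storage panel before clicking anything and confirm that only the consent cookie and technical cookies are present.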

How do I get a cookie banner? There are many services that offer this opportunity. Among these is Avacy, a consent management platform that allows you to create a customizable cookie banner that perfectly adapts to your website's design and reflects your brand image. You just need to follow this guide.

2. Privacy policy

The privacy policy, on the other hand, is part of what are called "legal documents" and is a text that reports in a comprehensive, clear and transparent manner all the necessary information on how we manage and use the data collected on the website.

The privacy policy must therefore contain:

  1. Who the data controller is (usually the owner of the website);
  2. What data is collected on the website;
  3. How this data is used;
  4. How long the data remains saved;
  5. For what purposes the data is collected;
  6. Who can have access to the data;
  7. How the user can request that their data be deleted.

The privacy notice is one of the most important documents for a website because it explains exactly what we do with users' data, both for those who simply visit the website and for those who interact more, such as online buyers or those who subscribe to services like the newsletter.

Moreover, it is important that this document is clearly visible and accessible from every page of the website and in all forms where the user is asked to enter their personal data. Often, within sites, the privacy policy is hidden among the pages, relegated to a small invisible link because "...anyway no one reads it and it only takes up space!". Privacy is clearly not the main content of the site, but anyone who wants to consult it must be able to find it without difficulty, especially the privacy authority during a verification.

The advice is to create a dedicated page for the privacy policy and insert the link in the footer or directly in the cookie banner, and in all data request forms.

How do I get these legal documents? As with the cookie banner, there are services that offer us the possibility to generate these documents. For example, Avacy creates the privacy policy automatically, simply by answering a series of questions. Alternatively, you can manually insert the text of the privacy policy in the dedicated space.

3. Cookie policy

The cookie policy is a document that describes how a website uses cookies and other tracking technologies to collect information about users.

Cookies are small text files that are saved on the user's device while browsing a website. These files contain data that can be used for various purposes, such as remembering user preferences, collecting statistical data, or providing personalized content.

It is important that the cookie policy contains:

  1. A general explanation of what cookies are and how they work. This includes a description of similar tracking technologies, such as tracking pixels or monitoring scripts.
  2. The types of cookies used: technical and necessary cookies (essential for the functioning of the website), performance cookies (collect information on site usage to improve performance and user experience), functionality cookies, targeting or advertising cookies, etc.
  3. Purpose of using cookies, i.e., an explanation of why the site uses cookies, for example to improve user experience, analyze site traffic, or provide personalized advertising.
  4. Information on third-party cookies: details on cookies inserted by third parties, such as advertisers or analytics providers, and how these cookies are used.
  5. Instructions on how users can manage cookie settings, for example by changing preferences in the browser or using tools provided by the site itself, such as a consent banner.
  6. Information on the duration of cookie storage, i.e., how long cookies remain active on users' devices, differentiating between temporary (session) and permanent cookies.
  7. Description of how data collected through cookies is processed in compliance with privacy laws and whether it is shared with third parties.

Presenting the cookie policy on the website is fundamental as according to the GDPR it is mandatory to inform users about the use of cookies and obtain their consent before storing or accessing cookies on their devices.

Among its features, Avacy generates a cookie policy compliant with regulations. By scanning the website, Avacy is able to analyze active cookies on the site and, in an automated manner, inserts them into the cookie policy, adapting the website to GDPR regulations.

4. Data request forms and modules

Figure: privacy policy checkbox in a data form

If your website contains sections that require personal data, such as contact forms, newsletter subscription forms or checkout forms in case of e-commerce, it is important to pay attention to these 4 points indicated in the GDPR.

  1. Request only the data strictly necessary to achieve the intended purpose. For example, requesting a phone number in a newsletter subscription form would be inappropriate as it is not necessary for achieving that specific purpose (sending marketing communications).
  2. Always include a checkbox with a link to the privacy policy and a message such as "I have read and accept the data processing methods described in the Privacy Policy".
  3. Provide a separate consent checkbox for each specific purpose, for example: one for sending marketing communications, another for consent to profiling, and perhaps a third for transferring data to other controllers.
  4. The checkboxes must not be pre-selected.

Consent archive

Attention! If you use user data collected through forms for profiling and marketing activities, it is very likely that you need a consent archive!

A consent archive is a tool that allows you to record and store the "proof" that the user has effectively consented to the processing of personal data. Keeping track of the consent provided by users is extremely important to ensure transparency and compliance with regulations.
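The four form rules above (minimal fields, mandatory privacy acknowledgement, one checkbox per purpose, nothing pre-selected) and the consent record described in this section can be enforced together on the server that receives the form. What follows is an added example written for this article, not Avacy's consent archive or any real library; the field names, purposes, form id and policy version string are hypothetical, and the submitted body is constructed.

```javascript
// Added example, not Avacy's code: server-side handling of a newsletter form
// that follows the four points above and produces an entry for the consent
// archive. Field names, purposes and the policy version are hypothetical.

const NEWSLETTER_FORM = {
  required: ["email"],                      // data minimisation: no phone number asked
  consents: {
    privacy_ack: { required: true,  purpose: "read and accepted the Privacy Policy" },
    marketing:   { required: false, purpose: "marketing communications" },
    profiling:   { required: false, purpose: "profiling" },
    third_party: { required: false, purpose: "transfer to other data controllers" },
  },
  policyVersion: "privacy-policy-v3 (hypothetical)",
};

// A checkbox counts as ticked only when the browser actually sent it; an absent
// field is unchecked, so the server never assumes a pre-selected box.
function checkboxChecked(value) {
  return value === "on" || value === "1" || value === "true";
}

// Validate one submission: no fields beyond those the form asks for, required
// data present, the mandatory privacy acknowledgement ticked. Each optional
// purpose is read from its own checkbox and never inferred from another one.
function validateSubmission(form, body) {
  const errors = [];
  const allowed = new Set([...form.required, ...Object.keys(form.consents)]);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);
  }
  for (const key of form.required) {
    if (typeof body[key] !== "string" || body[key].trim() === "") {
      errors.push(`missing required field: ${key}`);
    }
  }
  const consents = {};
  for (const [key, spec] of Object.entries(form.consents)) {
    consents[key] = checkboxChecked(body[key]);
    if (spec.required && !consents[key]) errors.push(`consent required: ${key}`);
  }
  return { ok: errors.length === 0, errors, consents };
}

// Build the archive entry: who consented, to which purposes (given or not),
// when, through which form and against which policy text. `clock` is
// injectable so the record is reproducible.
function buildConsentRecord(form, body, meta, clock = () => new Date()) {
  const result = validateSubmission(form, body);
  if (!result.ok) return null;
  const purposes = Object.entries(form.consents)
    .filter(([, spec]) => !spec.required)
    .map(([key, spec]) => ({ key, purpose: spec.purpose, given: result.consents[key] }));
  return {
    subject: body.email.trim().toLowerCase(),
    collectedAt: clock().toISOString(),
    policyVersion: form.policyVersion,
    source: meta.formId,
    purposes,
  };
}

// Constructed submission: email, privacy acknowledgement and marketing consent
// only; the profiling and third-party boxes were left unticked.
const SAMPLE_BODY = { email: "Mario.Rossi@example.com", privacy_ack: "on", marketing: "on" };

function demo() {
  return buildConsentRecord(NEWSLETTER_FORM, SAMPLE_BODY,
    { formId: "newsletter-footer" }, () => new Date("2024-05-01T10:00:00Z"));
}
```

Two details carry the compliance weight. Rejecting unexpected fields keeps the form from quietly growing beyond the data needed for its purpose, and recording every optional purpose with its own given/not-given flag, together with the policy version and timestamp, is what turns a tick in a box into the "proof" of consent the archive exists to hold.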

A useful tool to easily and centrally manage consents for your data collection forms on the site is Avacy. With Avacy's consent archive, you can customize and integrate your modules and forms to collect and document consent in compliance with GDPR.

5. The choice of providers

Website providers are entities that provide services or technologies that generate and manage cookies used by the site. These providers can be both internal and external to the website and may include:

  • Analytics and tracking providers, such as Google Analytics, Tag Manager, Hotjar and others.
  • Advertising and marketing providers: Google Ads, Facebook Ads, LinkedIn Ads, etc.
  • Social media providers: Facebook, Twitter, Instagram and others.
  • Site functionality providers: such as plugins and widgets.
  • Hosting service providers.

These providers manage cookies for various purposes, such as monitoring visits, personalized advertising, improving user experience or security. It is important that, in the cookie notice, the website specifies the providers involved and their purposes.

In fact, users must be clearly informed about the providers to whom their data is sent if they decide to accept cookies.

The site's providers must also be GDPR compliant.

Site hosting

Where the site's data resides is a crucial aspect in terms of privacy. Articles 44-46 of the GDPR clearly establish that the transfer of personal data of EU residents to third countries that do not offer adequate guarantees of data security and protection always requires the explicit consent of the data subjects. In the absence of this consent, the data processing is considered illegal.

Today, many websites use hosting services based on servers located in cloud data centers distributed all over the world. It is therefore essential to know where this data is actually stored, especially if personal data is stored in third countries that do not have clear regulations on data protection, such as Russia, China and India.

It is therefore advisable to rely on cloud service providers that offer hosting in data centers located within the EU or in the United States, where the Privacy Shield exists, and that openly declare this information in their policies.

In any case, if you decide to use a non-EU hosting service, you must clearly inform your users in your privacy notice, indicating where the data is stored and whether the country offers adequate guarantees in terms of data protection. If such guarantees are not present, it is necessary to obtain the explicit consent of users for the transfer of data to non-EU countries.

Is it possible to have a 100% compliant website?

Making a website fully compliant with regulations is an ambitious but not impossible goal. However, it is important to note that 100% compliance can be difficult to guarantee in absolute terms, as regulations and guidelines can evolve over time.

To achieve compliance, follow the guidelines in this article. Following these practices can help minimize risks and maintain a high level of compliance.

Remember that every site is different, and none can be completely invulnerable. The best solution is to consult a legal expert in digital matters.

Avacy is a platform designed with the help of a team of legal experts to make your website compliant in an easy and intuitive way.

Do all websites need to be GDPR compliant?

The GDPR regulation applies mainly to websites that collect and process personal data of users.

If a website is purely informative and does not collect personal data, it might not be subject to the same obligations. However, most websites, even those that seem simple, often collect some form of personal data and therefore must comply with the regulation.

What happens if I don't comply with GDPR?

Non-compliance can lead to significant penalties, up to 4% of the company's annual global turnover, or 20 million euros, whichever is greater.

In some cases, criminal sanctions may also be imposed, depending on the severity of the violation and national laws. Moreover, companies may be obliged to compensate for damages caused to data subjects by the violation. Finally, a temporary ban on the processing of personal data may be imposed until compliance is restored.

These measures are designed to ensure that companies take personal data protection seriously and adopt the necessary measures to comply with regulations.