Blog · Web development

GDPR-compliant website: everything you need to know

29 Sept 2022 by Scroll

How do you make your website GDPR-compliant? Scroll tells you everything.

Making your website GDPR-compliant has become a priority! Failing to comply with the regulation can lead to heavy penalties! What is GDPR? Why make your website GDPR-compliant? And how do you do it? We explain it all!

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a European regulation adopted by the European Parliament in 2016. This regulation came into force in 2018. Its aim is to protect the personal data of European Union citizens.

GDPR applies to all websites that collect personal data. To be GDPR-compliant, a website must follow certain rules regarding the collection, processing, and protection of personal data.

GDPR applies to the personal data of any individual located within the European Union. Personal data can be collected via an online form, a cookie, or a log file.

Why make your website GDPR-compliant?

The benefits of a GDPR-compliant website for users and businesses

GDPR compliance: what are the benefits for users?

GDPR compliance allows users to better control their personal data. Indeed, GDPR-compliant websites must inform users about how their data will be collected, used, and stored. Users can then choose to give or refuse consent for the collection and use of their data.

Additionally, GDPR compliance allows users to access their personal data and request corrections or deletions. Users can also request that their personal data no longer be processed.

GDPR compliance: what are the benefits for businesses?

GDPR compliance helps businesses build a better image with users. Users are increasingly concerned about the protection of their personal data, and companies that comply with GDPR are seen as more trustworthy.

Moreover, GDPR compliance enables businesses to better manage personal data. Indeed, they must implement procedures to securely collect, process, and store users' personal data.

The penalties for non-compliance with GDPR

If your website is not GDPR-compliant, you risk penalties. These can be civil or criminal.

Civil penalties are imposed by the CNIL and can amount to up to €20 million or 4% of your company’s global annual turnover.

Criminal penalties are imposed by the courts and can include up to 2 years of imprisonment.

To avoid penalties, you must ensure your website is GDPR-compliant. You must also ensure that your service providers (hosting provider, e-commerce provider, etc.) are also GDPR-compliant.

How can you tell if a website is GDPR-compliant?

Mandatory information to find on a website

1- The identity of the data controller or DPO for the site

The data controller or DPO (Data Protection Officer) is a natural or legal person responsible for implementing and monitoring personal data protection measures. This controller is appointed by the data processor in accordance with Article 37 of the General Data Protection Regulation (GDPR).

2- The type of data collected

Collected data can be classified into 3 categories:

- Identification data, which allows a user to be identified.

- Contact data, which allows a user to be contacted.

- Navigation data, which tracks a user’s browsing habits.

Users must be informed about the type of data collected when visiting a GDPR-compliant website. This information must be clear and accessible so that users are aware of how their personal data is being processed.

3- The purposes of processing this data

The website must inform users about the purposes of data processing. It must specify the purposes for which data is collected and processed. These purposes must be defined at the time of data collection.

4- The legal basis justifying the processing

The GDPR allows websites to process personal data only in specific cases. You must inform users of what gives you the right to collect and process their data.

5- The recipients who collect and process the data

Your website is required to inform users about all third parties that may collect and process the data.

6- Data transfers outside the European Union

The GDPR applies to data transfers outside the European Union when personal data is collected by a company or organization located within the EU. This data may then be transferred to a third country (outside the EU) for processing, such as storage.

To comply with the GDPR, companies and organizations must take appropriate measures to ensure the protection of personal data transferred outside the EU. Without appropriate measures, data transfers outside the EU are not permitted.

7- The data retention period

The GDPR states that personal data should only be kept for as long as necessary to fulfill the purposes for which it was collected. Once these purposes are achieved, the data must be deleted or anonymized. Companies and organizations must also inform the individuals concerned about the retention period of their personal data.

8- User rights

Your website must explicitly state that users have the right to refuse data collection, as well as the right to access, rectify, and erase their data.

9- The right to lodge a complaint with the CNIL

Your website must state that users have the right to file a complaint with the CNIL regarding the collection and management of their data.

10- Cookies

To comply with GDPR, your website must inform visitors that it uses cookies and obtain their consent before installing them. This can be done, for example, via a mention in the site’s terms of use or through an information banner displayed during the user’s first visit.

The site must also allow users to withdraw their consent at any time and delete cookies already installed on their computer or mobile device.
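As an added illustration of the two cookie requirements above (consent before installation, and withdrawal that removes cookies already installed), here is a small browser-side consent gate; it is example code written for this article, not part of the original post or of Scroll's work, and the cookie names, categories and in-memory store are constructed for the demo. Non-essential cookies are written only after the visitor opts in, and withdrawing consent expires the ones already present.

```javascript
const CATEGORIES = { // constructed cookie names; only "essential" is exempt from consent
  essential: ["session_id", "csrf_token"],
  analytics: ["_visit_count", "_last_page"],
  marketing: ["_campaign_ref"],
};
// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(str) {
  const pairs = str.split(";").map((p) => p.trim()).filter((p) => p.includes("="));
  return Object.fromEntries(pairs.map((p) => [p.slice(0, p.indexOf("=")), decodeURIComponent(p.slice(p.indexOf("=") + 1))]));
}
// Unknown cookies get category null and are treated as non-essential.
function categoryOf(name) {
  return Object.keys(CATEGORIES).find((c) => CATEGORIES[c].includes(name)) || null;
}
// store wraps document.cookie in a browser: { read: () => document.cookie, write: (s) => { document.cookie = s; } }
class ConsentGate {
  constructor(store, consent = { analytics: false, marketing: false }) {
    this.store = store;
    this.consent = consent;
  }
  // Essential cookies are always allowed; others need an opted-in category.
  allowed(name) {
    const cat = categoryOf(name);
    return cat === "essential" || Boolean(this.consent[cat]);
  }
  // Refuse to install a cookie the visitor has not consented to.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.store.write(`${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax`);
    return true;
  }
  // Apply a new (or withdrawn) choice and expire cookies that are no longer allowed.
  update(newConsent) {
    this.consent = { ...this.consent, ...newConsent };
    const removed = Object.keys(parseCookies(this.store.read())).filter((n) => !this.allowed(n));
    removed.forEach((n) => this.store.write(`${n}=; Max-Age=0; Path=/`));
    return removed;
  }
}
// In-memory store with document.cookie semantics so the example runs outside a browser.
function memoryStore() {
  const jar = new Map();
  return {
    read: () => [...jar].map(([k, v]) => `${k}=${v}`).join("; "),
    write: (s) => {
      const [name, value] = s.split(";")[0].split("=");
      /;\s*max-age=0/i.test(s) ? jar.delete(name) : jar.set(name, value);
    },
  };
}
```

On a live page, the banner's accept and refuse buttons call `update()`, and every piece of code that sets a cookie goes through `setCookie()` so nothing bypasses the visitor's choice.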

Where can I find this information on the website?

To ensure your website complies with GDPR, you must implement a privacy and cookie policy that meets GDPR requirements. You must also ensure that your terms of use and all other legal notices on your site are GDPR-compliant. Typically, links to these pages are found in the footer of websites.

How can I make my website GDPR-compliant?

The simplest approach is to build a GDPR-compliant website from the start. If your site already exists and is not (or no longer) GDPR-compliant, don’t worry—the process remains the same! You just need to implement the necessary actions quickly.

1- Your site must inform users about the purpose for which their personal data is being collected.

2- You must obtain user consent before collecting their personal data.

3- Your site must only collect data that is necessary for the stated purpose.

4- You must process personal data lawfully, fairly, and transparently.

5- You must retain personal data only for as long as necessary to fulfill the purpose for which it was collected.

6- You must protect personal data against any risk of loss, unauthorized use, alteration, disclosure, or unauthorized access.

Remember, in all cases, if you collect personal data on your website, you must ensure that you comply with GDPR rules.

Scroll, a no-code agency specializing in GDPR-compliant website development

Do you need to create a website? The Scroll agency is here for you! Our team of no-code experts develops GDPR-compliant websites across all industries every day. Thanks to our mastery of Webflow, we create tailor-made solutions that meet your expectations. If you have a website creation or redesign project, don't hesitate to contact us!