As of May 25, 2018, the European Union (EU) has enforced the General Data Protection Regulation (GDPR).
GDPR is an EU law that protects the personal data of people in the EU, and it applies to any business or website with users there, whether or not the business is based in the EU.
All websites must comply with GDPR if they collect, store, or process the personal data of people in the EU. But ensuring your clients' websites meet all of the GDPR requirements can be confusing: you probably aren't a lawyer, and you probably aren't a data privacy expert.
To help you get started, here's a checklist of the essential items that must be in place for your clients' websites to be GDPR-compliant, and how a website building platform like Duda can help you with that.
But let's first spend some time on the basics: what GDPR is, why it matters, what it covers, and more.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU privacy law that regulates how organizations collect, process, and store the personal data of people in the EU. It applies to any business or website that offers goods or services to, or monitors the behavior of, people in the EU, regardless of where the business itself is located.
Data Protection Authorities (DPAs) from the 27 EU countries are responsible for enforcing GDPR regulations. They are independent entities that investigate complaints, offer advice about data protection concerns, and decide whether or not the rules of GDPR have been violated.
The GDPR replaced the 1995 Data Protection Directive and the patchwork of national laws built on it, with the aim of protecting personal data and giving individuals more control over it. Under GDPR, the individual (the data subject) has the right to know what personal information is being collected, why, how it's being used, and who it's shared with. And because it is a regulation rather than a directive, the same text applies directly in every EU member state.
GDPR is strict. Organizations must have a lawful basis for every processing activity (consent is one of six; where consent is the basis it must be freely given and unambiguous, and explicit consent is required for sensitive categories such as health data), and they must keep the data secure. Organizations that fail to comply with GDPR could face fines of up to €20 million or 4 percent of annual global turnover, whichever is greater.
Why is GDPR compliance important?
2. Have your clients collect only the data that they need
Data minimization is one of GDPR's core principles, so collecting more than you need directly increases the risk of non-compliance. Excessive data collection also makes it hard for you and your clients to use the data you actually need in any meaningful way, and it makes it difficult to respond quickly when users ask for their data to be deleted or corrected.
You might not know right away which data is needed and which isn't, but as you map out data processes and audit the data collected, you should get a better understanding of which information is critical.
Typically, data that counts as needed will help you or your client accomplish one of these six things:
- Verify a user's identity
- Comply with legal requirements
- Create a better user experience
- Improve your clients' products or services
- Provide more personalized communications across marketing and sales channels
- Keep a record of your clients' customers' interactions with the business for tax, audit, or liability purposes
If the data your client's website collects doesn't serve a legitimate, documented purpose, or conflicts with GDPR principles such as data minimization and storage limitation, it's best to let it go. And if holding it exposes your client to extra security risk (every record you keep is a record that can be breached), you should definitely delete it.
3. Appoint a data protection officer
Small companies might not need one, but GDPR makes a Data Protection Officer (DPO) mandatory for public authorities and for any organization whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data. If your client's website collects a lot of behavioral data or profiles visitors at scale, appointing a DPO is essential; even below that threshold, naming someone responsible for data protection is good practice.
The DPO's job is to make sure the company follows all GDPR requirements, including protecting customer data and responding quickly to data requests or complaints, to advise the business on its obligations, and to act as the point of contact for the Data Protection Authority.
4. Secure the website
Once you have the internal infrastructure set up, you need to secure your client's website.
A few elements go into this:
- TLS certificates: A TLS certificate (still commonly called an SSL certificate) is a must for all websites. It lets the site serve HTTPS, which encrypts traffic between the site and its visitors so that form submissions, logins, and session cookies can't be read or altered in transit. Make sure every HTTP URL redirects to HTTPS and that no page mixes in insecure content.
- CDN: A Content Delivery Network (CDN) caches content closer to visitors, which improves performance, and absorbs traffic floods, which reduces the risk of a DDoS attack taking the site down. Many CDNs also bundle a web application firewall (WAF) that filters common attacks such as SQL injection before they reach the site. A CDN does not, by itself, protect the data stored behind the site.
- Website security: Make sure you have robust website security in place. This means strong, unique passwords and multi-factor authentication on hosting and admin accounts, keeping the platform and any plugins patched, regularly backing up your data, and protecting against threats like malware and phishing.
- Data breach detection & response: GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. You need to be able to detect one quickly and contain it, and in most cases your client must notify their Data Protection Authority within 72 hours of becoming aware of it. Afterwards, analyze the breach to determine where it originated and how to prevent it from happening again.
With Duda's website builder, you can take your website's protection to the next level with our advanced security measures. SSL/TLS encryption is built into our website architecture, so you don't have to worry about hosting a secure site.
5. Update the website's privacy policy and terms and conditions
Privacy policies are important because they inform users of their data use. GDPR requires privacy policies to be written in plain language, with clear and transparent information about what data you’re collecting, why you’re collecting it, and how it's processed.
Your clients' existing privacy policies probably already cover some of this, but updating them to explicitly describe how they collect and use the personal data of people in the EU is essential. The policy should include:
- The types of personal data the website collects, and the lawful basis and purpose for collecting each
- Who the data is shared with (for example analytics, email, or payment providers)
- How long the data is retained
- What users can do if they want to access, correct, or delete their information, and how to contact the business about it
You should also double-check your clients' Terms and Conditions to see if they cover any GDPR-related topics, such as data transfer and storage. For instance, if they store data on servers in countries outside the EU, they should include a clause stating which transfer mechanism they rely on (see step 8) and outlining the security measures they take to protect this data.
Pro tip: Make sure your website builder lets you easily create a Privacy page. Just for reference, Duda provides you with a privacy page template that you can add to every site.
6. Get consent for emails
Email newsletters and marketing campaigns are excellent ways to communicate with potential customers, promote your client's products or services, and deliver value right to their inboxes. But they can also be invasive (just think about all the times you've seen spammy emails), so it's important to make sure you or your client get explicit user consent before adding them to the list.
The GDPR states that individuals must give their “freely given, specific, informed and unambiguous” consent if they are going to be added to an email list. What this means is that you need to have a clear opt-in form on your client's website, with an unequivocal statement about the type of emails they will receive.
Some companies use small pre-ticked checkboxes that opt users in to marketing emails unless they notice and untick them. Under GDPR this isn't merely deceptive, it isn't consent at all: a pre-ticked box is not an affirmative action. Never trick website visitors into signing up for marketing material while they're filling out a checkout or contact form on your client's website.
When sending out promotional emails, always include an unsubscribe link. GDPR requires that withdrawing consent be as easy as giving it, so the link should work in a click or two rather than being buried behind a login.
7. Review all of your client's website forms
There are a few different kinds of consent forms they might have on their site:
- Active opt-in: Active opt-in forms require users to manually check a box that indicates they give their consent to receive emails.
- Unbundled opt-ins: Unbundled opt-ins give users the option to subscribe to your mailing list or newsletter separately from other forms.
- Double opt-in: Double opt-in forms require users to confirm their intent by clicking on a link sent via email.
- Granular consent: Granular consent forms allow users to specify which type of emails they want to receive, such as marketing promotions or product updates.
Use an active opt-in, and ideally a double opt-in, so that subscribers confirm their interest before they're added to the list and never experience your client's emails as spam they didn't ask for. Whatever the form, the consent checkbox must be unticked by default and separate from accepting the terms or completing a purchase.
8. Evaluate international data transfer
If you transfer personal data from the EU to another country, you need a lawful transfer mechanism: either the destination country has been recognized as providing an adequate level of protection, or you put appropriate safeguards in place.
The GDPR sets out a few ways for international transfers to take place:
- Adequacy Decisions: An adequacy decision is the European Commission's formal finding that a third country (or a sector or framework within it) provides an adequate level of data protection. Transfers to such countries need no further safeguards.
- Binding Corporate Rules (BCRs): BCRs are written corporate policies, approved by a Data Protection Authority, that let a multinational group transfer personal data between its own entities outside the EU.
- Standard Contractual Clauses (SCCs): SCCs are contract terms approved by the European Commission that the sender and receiver sign to commit the receiver to GDPR-level protection. Since the Schrems II ruling you must also assess whether the laws of the destination country undermine those commitments, and add supplementary measures such as encryption where they do.
If you're transferring data from the EU to another country, make sure you and your clients both understand how those countries' laws apply to your activities and what measures you can put in place to protect that data.
9. Clean up your client's mailing lists
Auditing and updating your client's site for GDPR compliance is the perfect time to clean up their mailing list—you want to make sure they are only sending emails to people who actually want them.
Look at who is on the list, identify inactive subscribers based on individual open and engagement rates, and consider removing those contacts who have not interacted with any of the emails in the past 6 months.
If you aren't sure who to remove, you could send an email to those who haven't interacted with your client's content in a while and ask them to confirm that they want to stay on the list. Those who don't respond (or respond negatively) can then be removed.
10. Add a cookie notice or banner (but don't use cookie walls)
Have you ever noticed a banner at the bottom of a website that says something like “By continuing to use this site, you consent to our use of cookies”?
This is called a cookie notice or cookie banner. It informs users that the website uses cookies, small text files stored on their devices that hold information about their browsing, such as a session identifier or an advertising ID. Under GDPR, though, that particular wording doesn't work: continuing to browse is not the clear affirmative action the law requires, so a banner like that records no valid consent.
For cookies that aren't strictly necessary for the site to function (analytics, advertising, social-media embeds), website owners must tell users what the cookies do and get their opt-in consent before setting them, with a way to refuse or later withdraw that is as easy as accepting.
It's important to note that cookie walls—pages that require users to accept cookies before they view the content—are not allowed under the GDPR. The cookie notice or banner should be presented in a way that allows users to reject cookies without any penalty.
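The following is an added example of the consent logic behind a compliant banner, written for this page and not taken from the original article or from Duda. Non-essential categories default to refused, each decision is recorded with its source, timestamp and policy version, tags are released only for categories the visitor accepted, and the record itself lives in a first-party cookie that is strictly necessary and so needs no consent. The category names, the policy version string, the sample tags and the 180-day record lifetime are assumptions.

```javascript
// Consent-gated cookies and tags with an auditable consent record.
// Added example, not Duda's code. Category names, the policy version string,
// the 180-day record lifetime and the sample tags are assumptions.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-01'; // bump whenever the cookie policy text changes

// Before any decision is recorded, only strictly necessary cookies are allowed.
// This is also what a "by continuing to use this site you consent" banner has
// to fall back to: browsing on is not an affirmative act, so no consent exists.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Record a decision from the banner. `source` names the control that produced
// it ('banner_accept_all', 'banner_reject_all', 'banner_custom', 'settings_page'),
// so the record shows the choice was an unambiguous action, not a pre-ticked box.
function recordDecision(choices, source, now = Date.now()) {
  const consent = defaultConsent();
  for (const category of CATEGORIES) {
    if (category === 'necessary') continue;          // exempt from consent, cannot be refused
    consent[category] = choices[category] === true;  // anything but an explicit true is a refusal
  }
  return { consent, source, policyVersion: POLICY_VERSION, recordedAt: new Date(now).toISOString() };
}

// Consent given under an older policy does not carry over to the current one.
function isCurrent(record) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION;
}

// Constructed sample of what a page declares; real sites list their own tags.
const SAMPLE_TAGS = [
  { id: 'session-cookie', category: 'necessary' },
  { id: 'analytics.example/collect.js', category: 'analytics' },
  { id: 'ads.example/pixel.js', category: 'marketing' },
];

// Return the tag ids a page may set or load under the given record. A missing,
// stale or refused record yields the strictly-necessary set only.
function permittedTags(record, tags = SAMPLE_TAGS) {
  const consent = isCurrent(record) ? record.consent : defaultConsent();
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// The consent record is itself stored in a first-party cookie; that cookie is
// strictly necessary, so it needs no consent. Secure and SameSite keep it from
// travelling over plain HTTP or being sent on cross-site requests.
const RECORD_MAX_AGE_S = 180 * 24 * 60 * 60; // assumed retention of the record
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${RECORD_MAX_AGE_S}; Path=/; Secure; SameSite=Lax`;
}

// Restore the record on the next page load. Anything unparseable is treated as
// no consent rather than trusted.
function parseConsentCookie(cookieHeader) {
  const pair = cookieHeader.split(';').map((s) => s.trim()).find((s) => s.startsWith('cookie_consent='));
  if (!pair) return null;
  try {
    return JSON.parse(decodeURIComponent(pair.slice('cookie_consent='.length)));
  } catch {
    return null; // tampered or truncated cookie
  }
}
```

In the browser you would call `recordDecision` from the banner's Accept all, Reject all and Save choices buttons (all three at the same level, so rejecting is as easy as accepting), write the result with `document.cookie = serializeConsentCookie(record)`, and inject only the script tags that `permittedTags` returns; `parseConsentCookie` runs on later page loads to restore the decision.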
11. Review third-party services and ensure their compliance
It's important to make sure that any third-party data processors you or your client use, such as analytics or advertising platforms, are GDPR compliant. Most people sign up for these types of services without even thinking about the implications of GDPR, but agency owners who use these platforms for client reporting and progress tracking need to keep a close eye on all their data.
Look into their policies and procedures on data protection, and review the contracts you have with them: GDPR requires a written data processing agreement with every processor that handles personal data on your behalf, and most major platforms publish one you can accept. You should also be aware of any additional processing they carry out, such as collecting and profiling user data for their own purposes, since that can make them a controller in their own right rather than just your processor.
12. Secure your online payment process
Both you and your clients probably collect online payments, so it's important to ensure that your payment process—whether you're using PayPal, Stripe, or any other payment platform—is GDPR compliant.
Payment processing platforms do their part to meet GDPR (and PCI DSS) requirements. But you still have the responsibility of making sure your online payment process is secure. This means serving the checkout over HTTPS, using the processor's hosted checkout or tokenized card fields so raw card numbers never reach your client's servers, and making sure no card data is stored anywhere after the payment is processed.
Pro tip: Telling customers that payment information isn't stored anywhere after purchase builds trust, and you might see an increase in sales.
13. Provide for data subject rights
The GDPR gives individuals the right to access, rectify, and erase their personal data, as well as to restrict or object to its processing and to receive a copy in a portable format. As an organization or website owner processing personal data, you must make sure that your customers are aware of these rights and how to exercise them.
You should provide users with a way to view their data and request any changes they need, which could be as simple as a contact email address or a specific form on your client's website. Before acting on a request, verify that the requester is who they claim to be; handing one person's data to someone else because of a spoofed email is itself a data breach.
Once a request is received, you or your client must act on it and reply within one month (extendable by two further months for complex or numerous requests, provided you tell the user why). You should also have processes in place for erasure upon request, including removing copies held in backups, exports, and third-party tools.
14. Keep records of user interactions and consent decisions
Keeping a record of user interaction, including what they consent to and when is beneficial for numerous reasons:
- Your clients can easily see what permissions they have from each user and make sure that they are staying compliant with all the necessary regulations.
- Your clients are able to keep track of any changes or requests that come in from users, allowing them to act on them quickly and efficiently.
- Your clients can refer back to any past interactions to provide evidence of compliance in the event of an audit.
- Your clients can use this data to contact users about similar services or offerings in the future, but only where the record shows the user actually consented to that kind of communication; consent to one purpose doesn't carry over to another.
- In the event of a legal dispute, having detailed records of user interactions and consent can help prove that your clients took all the necessary steps to follow GDPR regulations.
Keeping a record doesn't mean that your clients need to store all the data themselves, either—there are tools and platforms that can help them keep a secure, compliant record of user interactions.
15. Remember the right to be forgotten
The right to be forgotten, also known as the "right to erasure," is an important component of GDPR. It gives individuals the right to have their personal data deleted when, for example, it is no longer needed for the purpose it was collected for, they withdraw the consent it was based on, or it was processed unlawfully. It isn't absolute: data your client must keep to meet a legal obligation, such as tax records, can be retained.
A request like this often comes when a customer cancels their account or revokes their consent for data processing. When this happens, your clients must erase the customer's personal data from their own systems, instruct any processors holding it on their behalf to do the same, and, where the data was made public, take reasonable steps to inform other controllers of the request.
Your clients can also set up an automated process to ensure that no sensitive information is kept on record after a certain amount of time (e.g., deleting customer data after six months of inactivity).
16. Set up a request response process
Customers and site visitors may make a data subject access request or any GDPR-related requests, including but not limited to:
- Accessing personal data
- Changing, modifying, or deleting personal data
- Revoking consent for data processing
- Exercising the right to be forgotten
Implementing a request response process lets your clients collect and handle these requests in one place, ensuring customers promptly get the answers they need within the one-month deadline.
Ensuring compliance with the Duda platform
At Duda, we take GDPR compliance seriously.
Our website builder offers the ultimate package of website protection and security with a privacy page template, customizable cookie notification, and free SSL certificate.
Click here to learn more about our commitment to GDPR compliance.
Final thoughts
A lot goes into GDPR compliance, and for global business owners unfamiliar with the law and its regulations, it can be a confusing process. Taking a proactive approach to compliance is the best way to protect your agency, clients and their customers.
By implementing the 16 steps outlined in this article, you are well on your way to ensuring that your clients' sites are GDPR-compliant and secure (but again, be sure to consult legal counsel for a complete GDPR compliance plan). And by using a website builder with GDPR features built in, you can make the process easier and more efficient.