GDPR affects how all websites targeting Europe must behave. Everyone involved in a Europe-oriented project must understand the core tenets of GDPR and help to keep our clients out of trouble.
Here's our basic structure for each client/project:
- Legal partner - We work together with a lawyer (also known as a DPO) throughout the steps below.
- Website details - We meet with you and give you a tour of the full website(s): what they do, what they store, and where. Cantilever will fill in the details around the website and how data is stored/transported within the website.
- Downstream audit - The client, Cantilever and you meet to determine and document what the client does with the data after it is stored on the website.
- The lawyer provides a consolidated punch list of requirements for each site to be compliant. They send it to us and the client.
The lawyer will in most cases be a lawyer that we hire for the task. The client might choose to work with a different lawyer and work with them separately.
Key questions to answer
- Who the company / organization is (client's contact details, and those of the client's DPO if any);
- Why the company / organization will be using their personal data (purposes);
- Whether the data will be used for other purposes; if yes, state them;
- The legal justification for processing their data; the client's company must collect and process only the personal data that is necessary to fulfil that purpose;
- The types of personal data that will be collected;
- For how long the data will be kept;
- Who else might receive it;
- Whether their personal data will be transferred to a recipient outside the EU; if yes, where it will be transferred to.
What this means for the users of the website / product:
- Website visitors need to be able to read a privacy statement that clearly states what personal information is stored, how long it will be held, and who can view the data.
- The website needs to indicate how users can make a request for their information to be edited / removed.
- Any forms inviting users to share information must actively require opt-in. This rule applies to cookie consent and subscriptions to mailing lists or notifications.
- Consent to store personal information must not be bundled with other options.
- Separate tick boxes must be provided for different types of consent. Suppose the client needs permission to contact a user by phone and/or email. In that case, each communication method requires a separate confirmation. If the client passes data to third parties, each of those parties must be listed for separate consent.
- GDPR does not explicitly require an SSL certificate. However, GDPR does state that websites should take appropriate technical measures to ensure the security of personal data, so the broader security requirements of the legislation are met in part by installing an SSL certificate and serving the site over HTTPS.
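The consent rules above (active opt-in, one tick box per purpose and per third party, no bundling) expressed as form-field definitions plus a server-side check. This is an added example, not Cantilever's code; the purpose ids, field names and the third-party name are constructed for illustration.

```javascript
// Each purpose and each third-party recipient gets its own checkbox (no bundling).
// "ExampleCRM" is a hypothetical downstream recipient.
const CONSENT_PURPOSES = [
  { id: "contact_email", label: "Contact me by email" },
  { id: "contact_phone", label: "Contact me by phone" },
  { id: "share_examplecrm", label: "Share my details with ExampleCRM" },
];

// Field definitions for the form template: every box starts unchecked, so consent is opt-in only.
function consentFields() {
  return CONSENT_PURPOSES.map((p) => ({
    name: `consent_${p.id}`,
    label: p.label,
    checked: false,
    purposes: [p.id],
  }));
}

// Review a proposed field set before it ships and list the rule violations it would introduce.
function auditConsentFields(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.checked) problems.push(`${f.name}: pre-ticked box is not active opt-in`);
    if (Array.isArray(f.purposes) && f.purposes.length > 1) {
      problems.push(`${f.name}: bundles ${f.purposes.length} purposes into one consent`);
    }
  }
  return problems;
}

// Turn a submitted form body (field name -> value) into a per-purpose consent record.
// Only an explicit tick counts; a missing or unknown value is recorded as "no consent",
// and consent for one purpose is never inferred from another box.
function buildConsentRecord(formBody, now = new Date()) {
  const consents = {};
  for (const p of CONSENT_PURPOSES) {
    const raw = formBody[`consent_${p.id}`];
    consents[p.id] = raw === "on" || raw === true;
  }
  return { recordedAt: now.toISOString(), consents };
}

// Gate each downstream use (email, phone call, export to the third party) on its own consent.
function mayProcess(record, purposeId) {
  if (!(purposeId in record.consents)) throw new Error(`unknown purpose: ${purposeId}`);
  return record.consents[purposeId];
}
```

The `recordedAt` timestamp is kept so the client can later show when consent was given, which is the evidence the lawyer's punch list will ask for.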
Data might get collected through:
- Enquiry forms
- Newsletter signups
- User account registration
- Comment boxes
- Social media integrations
The best examples here are Hubspot or Salesforce.
Overview of the process
- We provide an estimate for items that affect the website and get it approved.
- We do the work.
- We walk through the changes with the client and show them how things have changed or what has been added. In the case of a new website, this happens during step 1.
- The lawyer provides a letter of assurance that, to the best of their knowledge, the site is in compliance with EU privacy laws.
Because being compliant is a process that changes as a company grows and modifies its operations, the website needs to be updated accordingly. The lawyer can work with clients on how they manage the data once it reaches their own computers / databases.
If the client wants us to work with a different lawyer than our own, we assume that the lawyer will charge the client separately. As a general rule, we bill separately while remaining the lead with each client.
More information on GDPR best practices can be found here 👉 https://gdpr-info.eu