The General Data Protection Regulation (GDPR) is a European privacy law that imposes obligations on organizations that collect and process EU citizens’ personal data. It applies to all companies processing data of EU residents, regardless of the company’s location. GDPR aims to give people more control over their personal data and impose strict rules on those hosting and ‘processing’ this data anywhere in the world. With fines of up to €20 million or 4% of global turnover, companies need to take GDPR seriously.
What is GDPR?
The GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. It also regulates the exportation of personal data outside the EU. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape how organizations approach data privacy.
The GDPR came into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. Its key requirements include:
- Getting explicit consent from users before collecting their data
- Anonymizing collected data to protect privacy
- Providing data breach notifications within 72 hours
- Allowing EU citizens to access their data and delete it
- Requiring certain companies to appoint a Data Protection Officer (DPO) to oversee GDPR compliance
The regulation applies to any website or organization that processes EU citizens’ personal data, regardless of where the website or organization itself is located. Fines for non-compliance can be up to €20 million or 4% of global turnover.
What constitutes personal data under GDPR?
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified. This includes:
- Names
- Email addresses
- Postal addresses
- IP addresses
- Location data
- Online identifiers
It can also include sensitive personal data such as:
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
Even anonymized data can fall under GDPR if the anonymization could be reversed to identify individuals. The regulation covers personal data processed by automated means as well as manual filing systems in which personal data is accessible.
How to check if a website is compliant with GDPR
Here are eight key ways to check whether a website complies with the GDPR:
1. Review the privacy policy and cookie consent
Websites must clearly explain their privacy practices and use of cookies and tracking technologies in an easily accessible privacy policy. There should be:
- Details on what data is collected and why
- Retention periods for holding data
- A lawful basis for processing data
- Opt-in consent checkboxes for data sharing and cookies
Visitors from the EU must give consent before non-essential cookies and trackers can be placed on their devices. Look for a clear cookie consent notice.
2. Check for a GDPR compliance statement
Many websites now include a statement declaring their GDPR compliance. Look for evidence they have implemented GDPR requirements like:
- Lawful processing of data
- International data transfers using approved mechanisms
- Data protection protocols and security standards
- Breach notification procedures
- Privacy by design initiatives
- Data Protection Officer designation
- Procedures for satisfying data rights requests
3. Review how they obtain consent
Websites must get unambiguous, opt-in consent before collecting non-essential user data. Consent requests should:
- Be clear, specific and separate from other Terms & Conditions
- Explain purposes for data collection
- Use clear, affirmative opt-in checkboxes
- Make consent easy to withdraw
Pre-checked boxes, implied consent, or vague purposes don’t comply.
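The consent rules in items 1 and 3 (nothing non-essential before an affirmative opt-in, no pre-checked boxes, withdrawal as easy as consent) can be checked mechanically in the site's own script gate. The following is an added example, not code from the original article or any consent vendor: a small consent state module written as plain functions so it runs in Node as well as a browser. The category names, script names and cookie names are constructed for illustration.

```javascript
// Added example (not from the original article): a consent gate for
// non-essential cookies and scripts. Category names are assumptions.

const ESSENTIAL = "essential";                    // strictly necessary, never gated
const NON_ESSENTIAL = ["analytics", "marketing"]; // assumed categories

// Default state: no non-essential category is allowed. This encodes the
// "no pre-checked boxes" rule: the absence of a choice is not consent.
function defaultConsent() {
  const state = { given: false, timestamp: null, categories: {} };
  for (const c of NON_ESSENTIAL) state.categories[c] = false;
  return state;
}

// Record an explicit, affirmative choice per category. Only a literal `true`
// counts as opt-in; anything else (undefined, "on", 1) is treated as refused,
// so implied or pre-filled form values cannot slip through as consent.
function recordConsent(choices, now = Date.now()) {
  const state = defaultConsent();
  for (const c of NON_ESSENTIAL) state.categories[c] = choices[c] === true;
  state.given = true;
  state.timestamp = now; // record of when consent was obtained, for audit
  return state;
}

// Withdrawal must be as easy as giving consent: one call resets everything.
function withdrawConsent() {
  return defaultConsent();
}

// May a script or cookie of this category be loaded or set?
function allowed(state, category) {
  if (category === ESSENTIAL) return true;
  return state.given && state.categories[category] === true;
}

// Given queued scripts, return the names that would actually be loaded.
// Running this before the banner is answered is the check for item 1.
function scriptsToLoad(state, queued) {
  return queued.filter(s => allowed(state, s.category)).map(s => s.name);
}

// Cookies that must be deleted under the current state (used on withdrawal).
function cookiesToClear(registry, state) {
  return registry.filter(c => !allowed(state, c.category)).map(c => c.name);
}

// Constructed sample data: what a site might queue before consent is given.
const QUEUE = [
  { name: "session-keepalive.js", category: ESSENTIAL },
  { name: "analytics.js", category: "analytics" },
  { name: "ads-pixel.js", category: "marketing" },
];
const COOKIES = [
  { name: "sid", category: ESSENTIAL },
  { name: "_stats", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

// Walk through the three states a reviewer wants to see.
let state = defaultConsent();
console.log("before consent:", scriptsToLoad(state, QUEUE));
state = recordConsent({ analytics: true, marketing: "on" }); // "on" is not true
console.log("after partial opt-in:", scriptsToLoad(state, QUEUE));
state = withdrawConsent();
console.log("clear on withdrawal:", cookiesToClear(COOKIES, state));
```

The point of the strict `=== true` comparison is that a form library posting `"on"` for an untouched checkbox, or a banner that defaults a category to `1`, never produces consent; and because `withdrawConsent` returns the same object as the initial state, there is no separate "partially withdrawn" path to audit.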
4. Check for data processing transparency
Websites must provide information about:
- What personal data they collect
- Where they source it from
- Why they need it
- How they use, share and store it
- Who they share it with
- How long they retain it
This should all be outlined in their privacy policy.
5. Look for data protection rights information
The GDPR grants individuals rights over their data. Websites should explain how users can:
- Access their data
- Correct inaccuracies
- Delete it
- Transfer it
- Object to processing
They may provide forms or contact details to facilitate data rights requests.
6. Check their basis for processing data
Websites must have a lawful basis for processing personal data. Common grounds include:
- Consent
- Contractual necessity
- Legal obligation
- Vital interests
- Public interest
- Legitimate business interests
The reason should be stated in their privacy policy or consent forms.
7. Review their international data transfer mechanisms
Websites transferring data outside the EU must use approved transfer mechanisms like:
- Privacy Shield
- EU Model Clauses
- Binding Corporate Rules
This should be outlined if they process data internationally.
8. Check for a Data Protection Officer
Some organizations must designate a DPO to monitor GDPR compliance. Check if they provide DPO contact details.
How to report non-compliant websites
If a website seems non-compliant, here’s how to report them:
- Gather evidence of non-compliance
- Contact the website owner directly
- File a complaint with your national Data Protection Authority
- Consult a privacy lawyer for additional legal options
DPAs are empowered to investigate complaints and sanction organizations. Fines can be up to €20 million or 4% of global turnover for serious violations.
Conclusion
Checking for GDPR website compliance involves reviewing privacy policies, consent flows, data rights support, lawful processing, and data transfer mechanisms. Report non-compliant sites to DPAs who can impose hefty fines. With privacy and data protection only growing in importance, it’s crucial for websites to adhere to GDPR principles and give users more control over their personal data.