How to make a website RGPD compliant
RGPD + website... Does the combination of these two words send shivers down your spine?
In fact, you can't have missed this information: the RGPD, the General Regulation on the Protection of Personal Data, requires your tools to be compliant, so that you can best process the information you collect from your customers, prospects and other users (partners, employees, etc.).
In this article, we focus on the RGPD as applied to websites.
Whether your web platform is simply your shop window, or you are selling online, you have obligations. Your customers' satisfaction and your e-reputation are at stake.
The good news is that we have some recommendations and tools for you. Let's take stock!
RGPD and websites: what you need to know
Here's a video that summarises what the RGPD is and why it was introduced:
☞ Do you have a showcase or e-commerce site?
☞ Do you use cookies, the advertising trackers deposited on users' smartphones, computers and tablets?
☞ Do you offer contact forms or send out a subscription newsletter?
☞ Are you a private or public company, large or small, located in the European Union or whose activity concerns European residents?
You are ALL concerned by compliance, because you collect, use and store personal data.
Why make your website compliant?
☞ To comply with the CNIL's Data Protection Act and its extension, the RGPD;
☞ To protect your customers and prospects;
☞ To ensure a flawless e-reputation;
☞ To avoid administrative and criminal penalties, which can go as far as prison (5 years) and the payment of astronomical sums (€300,000, and up to 4% of the company's worldwide annual turnover for the previous year (N-1), which can represent several tens of millions of euros).
The showcase site
A showcase site is a website that presents your business but, despite having a commercial objective, does not offer online sales.
It offers a number of benefits:
- your company builds its reputation online, in the face of your existing competitors;
- you cultivate a brand image to help you stand out from the crowd;
- you communicate about your products and services;
- you acquire contacts, prospects who may one day become customers, thanks to:
  - a contact form,
  - subscribing to your newsletter;
- you maintain a relationship with your customers by keeping them informed, via a news section for example, or an integrated customer area.
The information collected thanks to the showcase site is generally email addresses, surnames and first names, possibly address or geographical area (department), sometimes age and gender, company, etc.
Your obligations:
- you display the legal notices (usually in the footer) so that you can be identified as the site publisher and inform visitors of their rights;
- you collect only the information you need and can justify this;
- you inform the user of the purpose for which the information is collected, the intended processing, the retention period and any recipients (CNIL notices);
According to article 6 of the RGPD:
Processing is only lawful if the data subject has consented to the processing of his or her personal data for one or more specific purposes.
- you obtain the user's consent explicitly and actively (no pre-ticked boxes);
- you keep proof of their consent;
- you give them the means to contact you to modify their information, delete it or withdraw their consent easily;
- you inform them of your confidentiality policy (link to a dedicated page on your site).
Article 17 of the European General Data Protection Regulation (GDPR) on the "right to erasure", or "right to be forgotten", allows individuals to request the deletion of their personal data from the companies that hold it.
The e-commerce site
This is an online sales site, a platform enabling a retailer or service provider to sell their products or services over the Internet, regardless of their geographical location. As well as generating sales, and therefore revenue, you can enhance your customer knowledge.
Like the showcase site, it gives visibility to your company and its activity, develops its brand image, and aims to collect key information about:
- customers who make purchases (favourite products, address, age, bank details, etc.);
- but also visitors who may create an account, ask to receive promotional information and share their contact details and preferences, without going through the shopping basket.
Your duties:
- you will carry out the necessary technical updates and regularly monitor the security of your site:
  - HTTPS access throughout,
  - complex password required,
  - secure transactions and storage of bank details via a trusted third party (see payment gateway and recurring payment);
- as with the showcase site, you only collect the information needed to process the transaction, and possibly the resulting customer relationship (birthday, so that you can give them a present later, etc.);
- the sales process also involves providing information on data processing, obtaining consent and giving the customer the right to inspect the data;
- you create a "privacy" page or "confidentiality policy" on your site, which you systematically communicate and keep up to date.
Cookies
When a user visits your site, you can place advertising trackers on their device, such as their smartphone or computer.
These strategic tools enable you to analyse their browsing and consultation or consumption habits, to give you ideas for improving your offering and the structure of your site (type of audience, pages consulted, time spent per page, etc.) and also to enable you to send targeted advertising.
Beware of the various ancillary services on your site, such as Google Analytics, which collect and process personal data:
- IP address
- identity
- contact details
- geolocation, etc.
Be sure to deactivate them until you have received clear consent from the user.
Your obligations:
- Depending on the purpose of the tracker (facilitating the sales process, sending targeted advertising), you must obtain your visitor's consent, or at least inform them, before placing it on their terminal;
- if there are several (marketing, analytical, etc.), let the user tick them individually in a list, and explain which ones are compulsory and why.
💡 Good to know: Consent is valid for a maximum of 13 months for a cookie. After that, you must ask for permission again.
How do you comply with the RGPD?
The actions to take are well summarised in an infographic by Plezi.
▶︎ Training
Ideally, you should start by training your various data controllers (CEOs, managers, people in charge of marketing, sales, IT, etc.) so that they all have a sound grounding in technical and legal knowledge, and are familiar with best practice.
In addition to lawyers and digital experts, the CNIL is offering a free MOOC workshop.
▶︎ Privacy by design
If you are creating your site after the RGPD comes into force, you must take into account the obligations to secure and respect data right from the design stage. This is known as Privacy by design. This also applies to CRM tools.
But for anyone with a site dating from the pre-RGPD era, there are several elements to consider and to combine: here is our RGPD checklist.
▶︎ Appointing a DPO and carrying out an audit
According to Article 37 of the General Data Protection Regulation (GDPR), you must appoint a DPO if you meet at least one of these criteria:
- you are a public authority or public body;
- the data you process:
  - requires regular and systematic monitoring due to its scope and/or purpose;
  - is sensitive (health data, religious data, etc.).
Whether you use an external service provider (recommended because it is more neutral) or your IT manager, carry out an audit of your website.
You will soon have a set of specifications including:
- an inventory of the various data processing operations in all your departments,
- improvements to be made, categorised according to urgency and sensitivity.
▶︎ Updating your website
Be careful: whether you use WordPress, Joomla, Drupal, Wix or any other CMS, these use plug-ins that are not necessarily up to date with European regulations.
As for videos, players and interactive maps, make sure you manage requests for consent, as these services also collect data, sometimes without consent.
For a site dating from before the RGPD:
- Create or update your 'Privacy Policy' page;
- Adapt your forms to include compulsory information;
- Adapt your cookie banner: tools exist to create a compliant cookie banner (cookiesecure, cookiebot, etc.);
- Set up a model for managing Internet user preferences if you are sending out several newsletters or thematic notifications;
- Check the compliance of all your site's ancillary tools (plug-ins, etc.).
💡 Good to know: For mandatory information, it is possible to indicate this on each page individually or on a dedicated page that is clearly visible and easy to consult.
▶︎ Using software to manage compliance
A tool can make your life a lot easier when it comes to managing and monitoring compliance.
These tools do not guarantee that your site will be compliant, but rather that you will have a guideline for organising yourself better, centralising your documentation, seeing the work in progress and working in collaboration with all your HR, accounting and marketing teams.
Such is the case with Data Legal Drive.
The RGPD compliance governance software enables you to:
- centralise the documents proving your company's accountability,
- list the personal data processing operations you carry out,
- compile a data processing register,
- carry out an interactive diagnostic of your company,
- view your website's compliance projects and their progress, in real time,
- record requests from people affected by the processing of their information,
- monitor breaches identified internally or reported by a subcontractor,
- benefit from the publisher's expertise in IT and data law.
What's more, a success manager and a legal expert are on hand to answer your questions and determine whether you need an in-house service.
Another notable solution: Captain DPO
The solution offers:
- collaborative compliance management,
- report generation in just a few clicks,
- a dynamic dashboard,
- the ability for your DPO to keep several registers,
- management of rectification requests,
- integration of CNIL software,
- direct connection of your subcontractors to the platform,
- a directory of subcontractors using your data, etc.
Other software exists: Smart Global Compliance Booster, myDPO, Axeptio, etc.
Don't hesitate to ask for several demonstrations or evaluation versions.
In addition to functionality, ease of use, price and responsive support can be decisive factors in your choice.
See the RGPD as an opportunity, not a constraint
We are living in an age of ethics, quality consumption and respect for privacy. Your involvement will be rewarded with quality information about your customers or prospects, in a spirit of mutual respect and full knowledge of the facts. The antithesis of GAFA, in short.
If your site complies with the RGPD, there is less risk of hacking or data leaks (remember 'FacebookGate', the scandal involving the data recovered by the Cambridge Analytica company): your online reputation is preserved and your customers can feel confident!
The other key benefit is that, despite the financial and organisational effort initially required, the return on investment is guaranteed thanks to more meticulous and better-targeted data collection: your newsletters and notifications are sent to people who are interested and willing, and the buying process is more friendly and reassuring.
One last piece of advice: make your new forms and preference management settings (newsletters or notifications) more playful and user-friendly. Internet users are solicited constantly these days, and are tempted to say no. Make them want to follow you with original catchphrases, set yourself apart, now's the time!
→ Loyalty is at the end of the tunnel! And best of all, you're not an outlaw. 🤠