How to make a website RGPD compliant
RGPD + website... Does the combination of these two words send shivers down your spine?
Indeed, you can't have missed it: the RGPD, the General Regulation on the Protection of Personal Data, requires your tools to be compliant so that the information you collect from your customers, prospects and other users (partners, employees, etc.) is handled properly.
In this article we therefore focus on the RGPD as applied to websites.
Whether your web platform simply serves as your shop window, or you're selling online, you have obligations. Your customers' satisfaction and your e-reputation are at stake.
Good news: we've got some recommendations and tools for you. Let's take stock!
RGPD and website, what you need to know
Here's a video that summarizes what RGPD is and why it was implemented:
☞ Do you have a showcase or e-commerce site?
☞ Do you use cookies, those advertising trackers placed on users' smartphones, computers and tablets?
☞ Do you offer contact forms, send a subscription-based newsletter?
☞ Are you a private or public company, large or small, located in the European Union or whose activity concerns European residents?
You are ALL concerned by compliance, because you collect, use and store personal data.
Why bring your website into compliance?
☞ To comply with the CNIL Data Protection Act and its extension, the RGPD;
☞ To protect your customers and prospects;
☞ To ensure a flawless e-reputation;
☞ To avoid administrative and criminal penalties, which can go as far as prison (5 years) and astronomical fines (€300,000, and up to 4% of the company's worldwide annual turnover for the previous year, which can amount to several tens of millions of euros).
The showcase site
A showcase site is a website that presents your business but, despite a commercial objective, does not offer online sales.
The benefits are manifold:
- your company builds its reputation online, in the face of existing competitors;
- you cultivate a brand image that sets you apart;
- you communicate about your products and services;
- you acquire contacts and prospects who may one day become customers, thanks to:
  - a contact form,
  - subscription to your newsletter;
- you maintain a relationship with your customers by keeping them informed, via a news section for example, or an integrated customer area.
The information collected thanks to the showcase site is generally email addresses, surnames and first names, possibly address or geographical area (department), sometimes age and gender, company, etc.
Your obligations:
- you display legal notices (usually in the footer) identifying you as the site's publisher and informing visitors of their rights;
- you collect only the information you need and can justify this;
- you inform the user of the purpose of collecting their information, the intended processing, the retention period and any recipients (CNIL notices);
According to Article 6 of the RGPD:
Processing is only lawful if the data subject has consented to the processing of his/her personal data for one or more specific purposes.
- you collect the user's consent explicitly and actively, with no pre-ticked boxes;
- you keep proof of consent;
- you give them an easy way to contact you to correct or delete their information or withdraw their consent;
- you inform them of your privacy policy (link to a dedicated page on your site).
Article 17 of the European General Data Protection Regulation (GDPR) on the "right to erasure", or "right to be forgotten", allows individuals to request the deletion of their personal data from the companies that hold it.
The e-commerce site
This is an online sales site, a platform enabling a merchant or service provider to sell their products or services over the Internet, regardless of their geographical location. In addition to generating sales, you also enhance your customer knowledge.
Like the showcase site, it gives visibility to your company and its activity, develops its brand image, and aims to collect key information on:
- customers who make purchases (favorite products, address, age, bank details, etc.);
- but also visitors who eventually create an account, ask to receive promotional information and share their contact details and preferences, without going through the shopping cart.
Your duties:
- you carry out the necessary technical updates and regularly monitor the security of your site:
  - full HTTPS access,
  - complex passwords,
  - secure transactions and storage of bank details via a trusted third party (see payment gateway and recurring payment);
- as with the showcase site, you collect only the information needed to process the transaction, and possibly to maintain the customer relationship (a birthday, for example, so that you can send a gift later);
- the sales process must also inform the customer about the data processing, obtain their consent and give them access to their data;
- you set up a "privacy" or "confidentiality policy" page on your site, which you systematically communicate and keep up to date.
Cookies
When you receive a visit to your site, you may place advertising trackers on users' devices, such as their smartphones or computers.
These strategic tools enable you to analyze users' browsing, viewing and consumption habits, so you can improve your offering and site structure (type of audience, pages viewed, time spent per page, etc.) and send targeted advertising.
Beware of the various ancillary services on your site, such as Google Analytics, which collect and process personal data:
- IP address,
- identity,
- contact details,
- geolocation, etc.
Keep them deactivated until the user has given clear consent.
Your obligations:
- depending on the purpose of the tracker (facilitating the sales process, sending targeted advertising), you must obtain your visitor's consent or, at the very least, inform them, before placing it on their device;
- if there is more than one tracker (marketing, analytical, etc.), let the visitor tick each one individually in a list, and explain which ones are mandatory and why.
💡 Good to know: Consent is valid for a maximum of 13 months for a cookie. After that, you need to ask for permission again.
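As an added example (not code from the original article), here is how the obligations above can be enforced in the page's own JavaScript: optional trackers such as an analytics tag are loaded only once the visitor has explicitly ticked that category (nothing pre-ticked), and a stored consent older than 13 months is treated as absent, so the banner is shown again. The category names, the `purpose` strings and the loader callbacks are assumptions; on a real site the loaders would inject the vendor's tag and the record would be kept in localStorage or a cookie as proof of consent.

```javascript
// Added example, not code from the original article: optional trackers run only under
// explicit per-category consent (nothing pre-ticked) that expires after 13 months.
const CONSENT_VERSION = 1;      // bump when the purposes or categories change
const CONSENT_MAX_MONTHS = 13;
// Category names and purposes are assumptions made for this example.
const CATEGORIES = {
  essential: { mandatory: true,  purpose: 'session, cart and security cookies' },
  analytics: { mandatory: false, purpose: 'audience measurement' },
  marketing: { mandatory: false, purpose: 'targeted advertising' },
};
// Initial banner state: mandatory categories on, every optional one off.
function defaultChoices() {
  const out = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) out[name] = cat.mandatory;
  return out;
}
// Record to persist as proof of consent: what was accepted, when, under which text.
function recordConsent(choices, now = new Date()) {
  const accepted = defaultChoices();
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].mandatory) accepted[name] = choices[name] === true;
  }
  return { version: CONSENT_VERSION, grantedAt: now.toISOString(), choices: accepted };
}

// Usable only if well-formed, for the current text version, and under 13 months old.
function isConsentValid(record, now = new Date()) {
  if (!record || record.version !== CONSENT_VERSION || !record.choices) return false;
  const granted = new Date(record.grantedAt);
  if (Number.isNaN(granted.getTime()) || granted > now) return false;
  const expiry = new Date(granted);
  expiry.setUTCMonth(expiry.getUTCMonth() + CONSENT_MAX_MONTHS);
  return now < expiry;
}

// Categories allowed to run now: mandatory ones always, optional ones only under a
// valid explicit "true". Missing, expired or corrupted consent means they stay off.
function allowedCategories(record, now = new Date()) {
  const valid = isConsentValid(record, now);
  return Object.keys(CATEGORIES).filter(
    (name) => CATEGORIES[name].mandatory || (valid && record.choices[name] === true));
}

// loaders maps a category to the function injecting its tag; returns what was started.
function loadAllowedTrackers(record, loaders, now = new Date()) {
  const started = [];
  for (const name of allowedCategories(record, now)) {
    if (typeof loaders[name] === 'function') { loaders[name](); started.push(name); }
  }
  return started;
}
```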
How do you get up to RGPD standards?
The actions to take are well summarized in this infographic:
© Plezi
▶︎ Training
Ideally, you should start by training your various data controllers (CEOs, managers, people in charge of marketing, sales, IT, etc.) so that they all have a grounding in technical and legal knowledge, and are familiar with best practices.
In addition to lawyers and digital experts, the CNIL offers a free MOOC workshop.
▶︎ Privacy by design
If you're creating your site after the RGPD comes into force, you must take into account the obligations to secure and respect data right from the design stage. This is known as Privacy by design. This also applies to CRM tools.
But for anyone with a site dating from the pre-RGPD era, there are several elements to review and put in place: here's our RGPD checklist.
▶︎ Appointing a DPO and carrying out an audit
According to Article 37 of the General Data Protection Regulation (RGPD), you must appoint a DPO if you meet at least one of these criteria:
- you are a public authority or public body;
- the data you process:
- requires regular and systematic monitoring due to its scope and/or purpose;
- is sensitive (health data, religious data, etc.).
Whether you go through an external service provider (recommended as more neutral) or your IT manager, carry out an audit of your website.
You'll soon have a set of specifications including:
- an inventory of the various data processing operations in all your departments,
- improvements to be made, categorized according to urgency and sensitivity.
▶︎ Updating your website
Be careful: whether you use WordPress, Joomla, Drupal, Wix or any other CMS, they rely on plug-ins that are not necessarily up to date with European regulations.
The same goes for embedded videos, players and interactive maps: manage their consent requests carefully, because these services also collect data, sometimes without consent.
Before RGPD
- Create or update your 'Privacy Policy' page;
- Adapt your forms to include mandatory information;
- Adapt your cookie banner: tools exist to create a compliant cookie banner (cookiesecure, cookiebot, etc.);
- Set up a template for managing web-user preferences, if you send out several newsletters or thematic notifications;
- Check the compliance of all your site's ancillary tools (plug-ins, etc.).
💡 Good to know: the mandatory information can be given on each page individually or on a dedicated page that is clearly visible and easy to consult.
▶︎ Using software to manage compliance
A tool can make your life a lot easier when it comes to managing and monitoring compliance.
Such a tool does not guarantee your site's compliance, but it gives you a framework for better organization: centralizing your documentation, viewing work in progress and collaborating with all your HR, accounting and marketing teams.
Such is the case with Data Legal Drive.
RGPD compliance governance software allows you to:
- centralize the documents proving your company's accountability,
- list the personal data processing operations you carry out,
- compile a data processing register,
- carry out an interactive diagnosis of your company,
- view your website's compliance projects and their progress, in real time,
- record requests from people concerned by the processing of their information,
- monitor violations identified internally or reported by a subcontractor,
- benefit from the editor's expertise in IT and data law.
What's more, a success manager and a legal expert are on hand to answer any questions you may have, and to determine whether you require in-house services.
Another notable solution: Captain DPO
The solution offers:
- collaborative compliance management,
- report generation in just a few clicks,
- a dynamic dashboard,
- the possibility for your DPO to keep several registers,
- management of rectification requests,
- integration of CNIL software,
- direct connection of your subcontractors to the platform,
- a directory of subcontractors using your data, etc.
Other software products include Smart Global Compliance Booster, myDPO and Axeptio.
Don't hesitate to ask for several demonstrations or evaluation versions.
In addition to functionalities, ease of use, price and support responsiveness can be decisive in your choice.
See the RGPD as an opportunity, not a constraint
We're in an era of ethics, quality consumption and respect for privacy. Your involvement will be rewarded with qualitative information about your customers or prospects, with mutual respect and full knowledge of the facts. The antithesis of GAFA, in short.
If your site is RGPD-compliant, there's less risk of hacking or data leaks (remember 'FacebookGate', the scandal over data harvested by Cambridge Analytica): your online reputation is preserved and your customers are confident!
And, despite the financial and organizational effort initially required, the return on investment is guaranteed thanks to more careful and better-targeted data collection: your newsletters and notifications go to interested and willing recipients, and the purchasing process is more considerate and reassuring.
A final tip: make your new forms and preference settings (newsletters or notifications) as user-friendly as possible. Internet users are asked a lot these days and are tempted to say no. Make them want to follow you with original wording, set yourself apart: now's the time!
seen on @blogduwebdesign (left) and © maddyness (right)
→ Loyalty is at the end of the tunnel! And best of all, you're not an outlaw. 🤠