Here’s the idea that is getting people really nervous:
First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.
Step 1: Encryption
Step 2: Changes to website content/plugins
The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:
‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’
Whatever type of form you use and whatever its purpose, only ask for the data you really need in order to provide the service you are offering. For instance, if it is a newsletter registration, make the email address a required field and keep all other fields optional.
For your social media plugins, add something like Shariff to give users more control over being tracked. For videos, YouTube has a data protection mode (https://support.google.com/youtube/answer/171780?hl=de). Unfortunately, Vimeo does not support that yet and should not be embedded on your website anymore.
Like most websites, you probably use Google Analytics. Make sure you take these steps:
- Anonymize IP addresses before you send them to Google (https://support.google.com/analytics/answer/2763052?hl=de)
- Tell your customers about it (see Step 3)
- Offer an opt-out (https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable)
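The three Google Analytics measures above, plus the YouTube data protection mode, as an added example (not code from the original post or from Google): tracking commands are only issued after consent, `anonymizeIp` is always set, the documented `ga-disable-<PROPERTY_ID>` opt-out flag is honoured, and videos use the privacy-enhanced embed domain. It takes a window-like object as a parameter so it can be exercised outside a browser; the property ID is a placeholder.

```javascript
const GA_PROPERTY_ID = 'UA-XXXXX-Y'; // placeholder, replace with your own property ID

// Name of the global flag that analytics.js checks to disable tracking (the documented opt-out).
function gaDisableFlag(propertyId) {
  return 'ga-disable-' + propertyId;
}

// Opt-out: set the flag for this page load and remember the choice so it survives reloads.
function optOutOfAnalytics(win, propertyId) {
  const flag = gaDisableFlag(propertyId);
  win[flag] = true;
  if (win.localStorage) win.localStorage.setItem(flag, 'true');
  return true;
}

// True if the visitor opted out, either during this page load or on an earlier visit.
function hasOptedOut(win, propertyId) {
  const flag = gaDisableFlag(propertyId);
  return win[flag] === true ||
    Boolean(win.localStorage && win.localStorage.getItem(flag) === 'true');
}

// Build the analytics.js commands to issue for this visitor.
// Returns an empty list when consent is absent or the visitor opted out, so nothing is sent.
function analyticsCommands(win, consentGranted, propertyId) {
  if (!consentGranted || hasOptedOut(win, propertyId)) return [];
  return [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true], // ask Google to truncate the IP before it is stored
    ['send', 'pageview'],
  ];
}

// Issue the commands through the global ga() queue if analytics.js is loaded; returns how many.
function runAnalytics(win, consentGranted, propertyId) {
  const cmds = analyticsCommands(win, consentGranted, propertyId);
  if (typeof win.ga === 'function') cmds.forEach((c) => win.ga(...c));
  return cmds.length;
}

// YouTube privacy-enhanced mode: the nocookie domain sets no cookies until the video is played.
function privacyEmbedUrl(videoId) {
  return 'https://www.youtube-nocookie.com/embed/' + encodeURIComponent(videoId);
}
```

Use `privacyEmbedUrl()` for the `src` of your video iframes and wire `optOutOfAnalytics()` to the opt-out link in your privacy policy.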
Tell people that you are setting cookies and give them an option to opt out. Hopefully, your website system has that built in; otherwise you need to add it yourself. Below is a good example of cookie consent.
Step 3: Privacy policy
Your privacy policy should contain at least the following:
- Contact information of your organization,
- List of data categories (‘name’, ‘visitor behavior’, …) that you collect and the purposes for which this data is collected,
- Legal basis for this processing (ideally, either ‘consent’ or ‘performance of a contract’),
- How long you plan to keep the data,
- A way for the customer to limit the processing (for example, by contacting you),
- The email address of your Data Protection Officer (if you have one), like ‘firstname.lastname@example.org’.
- Where a customer can reach you for a complaint
There are some conditionals:
- Do you use Google Analytics? Do mention it and try to offer an opt-out.
- Do you set cookies? Mention it!
- Do you use automated processes? You have to mention that too.
- Do you use a company like Mailchimp to send your newsletters? Mention it, especially that you share your visitors’ email addresses or other information with them.
As you can see, there is no 1-click solution for this (although we are working on one!). Doing it by hand is perfectly fine, though. In about a day, you should be able to cover most of this.
Step 4: The rights of users
This is another part you need to add. Here’s an example for you:
“In particular, Users have the right to do the following:
Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to the processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”
Text credit: Iubenda.com
Image credit: http://thebusinessecoach.com/