How to assess privacy risks in regard to your organisation's website

Dec 18, 2020 12:00:00 AM | How to assess privacy risks in regard to your organisation's website

So, you have a website, or maybe you want to have one for yourself or for your company.
Of course you want to make sure you are sticking to the law and protect the privacy of your visitors - you want to make sure your website is GDPR compliant. But you don’t want to read a book (or, god forbid - the Law!) on the matter. We’ve got your back. This is what you need to know.

Consent: Cookies

To use analytics software such as Google Analytics, you most times need to place cookies. In the pre-GDPR era, businesses that used websites aimed at EU visitors were required to simply give notice about the website using cookies. Since the enforcement of GDPR, this has changed.

So what is needed to make sure your website is compliant? It needs to:

Inform visitors about what tracking technologies are used through the website, what data it collects, and for which purposes. You should inform visitors about their rights. 

Alternatively, you can include this information in your privacy policy on your site, with a  link shown to visitors immediately upon entering your website.

Only load strictly necessary cookies loading until the visitor has given consent.

Only positive action counts as consent, sentences like “continue to use the site as normal if you agree to the use of cookies” or already checked boxes do not.
‘Strictly necessary’ means essential to provide a service explicitly requested by the visitor and does not mean essential for your own purposes, like analytics.

Enable visitors to reject all but strictly necessary cookies and still use the website.
Enable visitors to withdraw their consent at any moment.
Include a log, with all given consents.

Other opt-ins

You might need consent at other places on your website, such as when asking contact information, sending newsletters or making a purchase. Again, only positive opt-in counts.

Here, you need to:

Make sure you only ask for the minimum of personal data for providing the service. (I’ve seen some strange forms in my days. Please don't ask for race, age etc. when sending a parcel of pens. That’s weird. And illegal.)
Have a link with your terms and conditions, privacy notice and other legal documents.
Have customers positively opt-in to these legal documents when making a purchase.
When sending newsletters, recipients must be able to opt-out of their subscription at any moment. (You’ll see a link at the bottom of most newsletters for this purpose)
Have a log, with all given opt-ins (and opt-outs!).


Privacy policy

With the enforcement of the GDPR and the EU ePrivacy directive, a proper privacy policy is obligatory for websites in the EU and websites that have EU-citizens amongst their users. Other countries worldwide have similar rules. There are specific requirements as to what must be included in a privacy policy in the GDPR, among other things, yours should have:

The name and contact details of your organisation (and representative/DPO).
The purposes of the processing.
The lawful basis for the processing.

The legitimate interests for the processing (if applicable).

The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
The recipients or categories of recipients of the personal data.
The details of transfers of the personal data to any third countries (if applicable).
The retention periods for the personal data (when are you going to delete it?)
The rights available to individuals in respect of the processing (access, deletion, etc)
The right to withdraw consent (for instance, for cookies).
The right to lodge a complaint with a supervisory authority.
The source of the personal data (if personal data is not obtained from the individual).
The details of the existence of automated decision-making, including profiling (if applicable).


Hosting, Analytics, CMS, CRM, Payments

First, you need to store and run the files that constitute your website somewhere, don’t you?

You might also need analytical software so your business can collect information for optimizing your website. A Content Managements System (CMS) is an application with which you can manage and publish web content without having to ask a developer. A Customer Relationship Management (CRM) system helps you manage customer data. Payment software helps you manage… payments. What do these have in common? They are operated by someone else, possibly somewhere else (outside the EEA).

So please be mindful of: 

Would the supplier get access to personal data?
If so, how will they use this personal data?
Which types of personal data do they have access to?
Which personal data would they get access to if integrated with other, currently used tools?
In which country are they from? And where do they store said personal data? 
Will other third parties (such as subcontractors: “subprocessors”) get access to this data?
If so, where are the third parties from? Where do they store the data?
If any data is handled, stored or accessed outside the EEA, do the terms and conditions include the EC Standard Contractual Clauses and other measures or is it free to send the data based on an Adequacy Decision?


Found this blog useful? You might be interested in Privacy for Retailers, or our more in-depth pieces on Cookies or our comparison of popular CMS software.