Important Information - This article does not constitute legal advice, but is intended as a practical guide.
GDPR Checklist – Especially in Europe, every website has to inform its visitors about how it collects and processes their data. I have written this article because I have received many questions on this subject. Understandably, it may sound overwhelming, but if you take it step by step, you can make your website compliant with the GDPR. I chose one of the strictest interpretations of the GDPR, the German one – the Datenschutzgrundverordnung (DSGVO). It should cover all the important data protection measures so that you can present your website to your international visitors without any problems (until they change the laws again, or misinterpret their own laws).
Let’s make your site as internationally legal as possible!
The GDPR List
Here is a list of the most important elements that should be included in every website. They are arranged according to implementation steps. Each step includes a brief definition of the element.
- SSL (Secure Sockets Layer), in practice its successor TLS
- Changes the web address from http to https, so that data between the visitor’s browser and the server is transmitted in encrypted form. It is also an important factor for Google ranking.
- A working(!) Cookie Banner
- A banner that asks visitors for consent and keeps every element that collects data blocked until that consent has been given.
- Legal Notice / Imprint page
- Basic legal and publication information that tells visitors who the owner of the website is and how they can be contacted.
- Privacy Policy page
- A legal document outlining how a website collects, uses, stores and protects the personal information of its users.
- Terms and Conditions page (especially for online merchants and service providers)
- A set of rules and guidelines that govern the relationship between a website or online platform and its users or customers. It provides a framework for conducting business or using the website’s services.
Other GDPR Elements to consider
Now you have the most important ones covered. Of course, I will give you some further tips, because the GDPR topic is like a jungle and I am giving you a map to survive. There are some other areas which should also be covered.
When using CMS platforms such as WordPress, follow the golden design rule: less but better. Fewer plugins can actually make data protection easier and it will also speed up the website.
Be aware of pre-installed Google Fonts. They are loaded from Google’s servers, so every visitor’s browser sends data to Google. Install the fonts locally instead; this will also make the website load faster.
If you are redesigning a website for a larger company in Europe, I suggest that you or your client go through it with a lawyer. So many little things can go wrong because of unclear rules that are open to wide interpretation. The same goes for the use of T&Cs.
In Germany, which has one of the strictest data protection laws, you need to make sure that you have anonymised the IP address. The IP address is like a street address: it can be used to locate and identify a user, which is why it counts as personal data. Google Analytics is the most popular analytics tool. To be on the safe side, you can use Matomo instead and store the data on your own server rather than Google’s.
Credits for images and graphics
Not really a GDPR issue, but I think it should be mentioned here. All images/graphics that you have obtained for free from platforms such as pexels / unsplash should always be credited to the photographer. This can all be done in the imprint/legal notice. It is also advisable to mention the photographer you or your client hired for the website.
Cookie Banner Tool
If you are using a cookie banner, depending on what structure you are building – WordPress or HTML – you can go to Tarteaucitron.io, Osano or Complianz for starters. Otherwise, do your own research and find one that suits you.
The Golden Nugget to speed up Web Development
Before publishing the site, you can use one of the free cookie scanners (look it up). But if you already know how to use the browser’s inspector, you can check yourself whether any cookies or third-party requests appear in the Network tab before the banner has been accepted.
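The same check can be done offline on the page source, before anything is published. The script below is an added example and not code from the original article: it lists every resource fetched from a host other than the site’s own, flags Google Fonts, and treats scripts kept inert with type="text/plain" (a common consent-tool convention; the data-category attribute name is an assumption) as gated until consent. The hostnames and the sample page are constructed.

```python
# Offline audit of page HTML for resources that contact third-party servers before
# consent. Added example, not the article's code; data-category, hosts and sample are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

INERT_TYPES = {"text/plain", "text/template"}  # consent tools keep tags inert this way
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

class ThirdPartyAudit(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)
        self.findings = []  # (tag, host, status) for each element fetched from a foreign host

    def _foreign_host(self, url):
        host = urlsplit(url).hostname  # None for relative URLs like /assets/app.js
        return host if host and host not in self.own_hosts else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        if tag not in ("link", "script", "iframe", "img") or not url:
            return
        host = self._foreign_host(url)
        if host is None:
            return
        if tag == "script" and a.get("type") in INERT_TYPES:
            status = "gated:" + (a.get("data-category") or "unknown")  # waits for consent
        elif host.endswith(GOOGLE_FONT_HOSTS):
            status = "google-fonts"  # self-host the font files instead
        else:
            status = "loads-before-consent"
        self.findings.append((tag, host, status))

def audit(html, own_hosts):
    parser = ThirdPartyAudit(own_hosts)
    parser.feed(html)
    return parser.findings

def blockers(html, own_hosts):
    """Findings that must be self-hosted or gated before the site goes live."""
    return [f for f in audit(html, own_hosts) if not f[2].startswith("gated:")]

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/site.css"><script src="/assets/app.js"></script>
<script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://cdn.tracker.invalid/pixel.js"></script></head>
<body><img src="https://www.example.com/logo.png"><iframe src="https://video.embed.invalid/player"></iframe></body></html>"""
OWN_HOSTS = {"example.com", "www.example.com"}
```

Running `blockers(SAMPLE_HTML, OWN_HOSTS)` on the sample leaves three items to fix: the Google Fonts stylesheet, the tracking script and the embedded player; the gated analytics script is fine as long as the banner really loads it only after consent.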
It’s a long list, but it’s worth it, and you should also know that the GDPR legislation is still a work in progress. The GDPR is a set of rules that govern how personal data should be protected in the EU. However, because the rules are broad and open to interpretation, there may be differences in how they are understood and applied by different countries and authorities. Some areas are not covered by the GDPR, and this can lead to confusion and disagreements between businesses.
In short, you need to let your visitors know who owns the site, how they can contact the site owner, and what the site will do with their information. You also need to block any element that collects data until the user has given consent. Try to collect only the data you really need and nothing more, just to be on the safe side.
If you have any further questions, feel free to drop me a line.