Le RGPD, tous concernés : comment mettre votre site web en conformité ?
GDPR – Back to basics & reminders
GDPR, personal data… What does that mean?
GDPR, is the abbreviation of “General Data Protection Regulation”.
Since 2018, this regulation frames the processing of personal data in all countries of the European Union.
- Its objective? To preserve the anonymity and privacy of European citizens on the web.
- Its methods? The census, the supervision and the protection of the personal data of the Internet users.
The GDPR defines a unique legal framework for organizations with a website or digital tools. Companies, local authorities… The framework defined by the GDPR allows each structure to develop its activity on the basis of users’ trust and the consenting sharing of their personal data.
What is personal data?
“Any information relating to a physical person who can be identified directly or indirectly.”CNIL (the National Commission for Information Technology and Civil Liberties,
authority on the subject)
In other words, personal data is any information that can be used to identify a person, either directly or by cross-referencing with other data.
For example, the first and last name of a user are direct identification data: a person can be found and recognized using these two pieces of information.
Instead, some data needs to be crossed or deepened to find the identity of the person to whom they correspond, such as a postal address, an IP or e-mail address, a telephone number, an identifier (of connection / serial number…).
How is personal data collected from users of a site?
Polls and surveys, customer acquisition or satisfaction forms, site traffic monitoring instruments, tracking and other marketing tools… There are many ways to collect data, and they tend to diversify with each technological evolution!
Some examples to see more clearly, in the concrete of a website :
- Direct means: contact form, account creation, registration to a service (Newsletter, Email alerts, E-commerce…)
- Indirect means: Cookies of Google Analytics, Google Tag Manager, Google Maps, Facebook Pixel, Recaptcha, etc.
Reflexes and best practices for GDPR compliance
You want to make your website GDPR compliant, but don’t know where to start? We give you some good reflexes to take in your compliance process.
The basic principles? Transparency and respect, for maximum trust!
The 3 golden rules of GDPR to remember:
- Inform users
- Ensure their consent
- Give them control over their data (rectification or anonymization, for example)
Identify and define the personal data collections on your site
First step: the inventory!
The objective is to know the data collected in the course of your activities.
On your website, identify the elements that collect personal data from your users. Take a look at your forms, services requiring registration… and your marketing tools (traffic monitoring, audience qualification, customer acquisition, tracking, etc.)!
Second step: analysis (… and questioning)! For each data collected, try to answer these 5 key questions:
Pour chaque donnée récoltée, essayez de répondre à ces 5 questions clés :
- What ? What kind of data is it? Public data? Personal, even sensitive?
- Who ? – Who manages the collection and processing of the data?
- Where ? – Where is this data processed and stored? In France (at best), in Europe… or outside the EU?
- How much time ? How long will you need this personal data?
And last but not least…
- Why ? Why do you need this data? Is it really important to your strategy?
This last question will probably allow you to sort through your data, keeping only the personal data that is most important to your business. The key idea: the less, the better! Because the best way to comply with the GDPR… is still to not collect data (or at least to limit and protect it) 😉
Inform your users about the personal data collected for your business
Have you identified and qualified the data collected in the course of your activities? Great! Now you need to be able to inform your users about the use of this data.
3 places to remember to inform your users about their data collection:
- The Cookies banner – to collect users’ consent, allowing them to accept, refuse or modify their choice easily, when visiting a web page. With a little creativity and customization, this required banner can even become a little extra design for your site!
- The page where a form is located collecting personal data (usually under the form itself).
GDPR & Consent: giving your users the choice to opt out of the collection of their personal data
Along with transparency, consent is the fundamental pillar of the GDPR. It is therefore essential to let your users exercise or remove it at any time, throughout their browsing.
How to ensure the consent of your website users?
- By informing them as clearly as possible, throughout their navigation
- By having an up-to-date cookie banner, with the ability to customize, accept but also refuse all cookies from a site, in one click!
- By offering them a means of recourse (complaint form), to exercise their right to rectification, dereferencing or deletion (or right to be forgotten) of their data.
Concrete example ?
WS recently assisted the Ministry of Transformation and Civil Service in its GDPD compliance process, on the website Safire.
Our objective : design a process that allows public service officers to practise their rights over their personal data, while maintaining quality internal statistics.
Result : a form of opposition to the use of personal data of civil servants, and a complete anonymization procedure for responding to these requests. All this while keeping the data necessary for reporting on internal training in the public service! Because respecting your users’ rights does not mean the end of your statistics.😉
And you, what are you waiting for to comply with the GDPR?