“External compliance,” or your website = your face

(All characters are fictional, and any similarities are coincidental.)

- Good afternoon, we would like one GDPR compliance, please.
- What do you need it for?
- So that our EU customers like our website and don't ask our legal department any stupid questions :) Please make us all the banners and privacy policy.
- Of course. But that's not GDPR compliance. It's just a tiny part of it. Let me explain.

A GDPR-compliant website does not equal compliance. But it is the most visible aspect.

A request for legal assistance alongside the word GDPR often sounds like “tidying up the documents on the website.” This is indeed the face of compliance. Often, partners or consumers do not look beyond this outer layer. It is enough for them that everything looks nice.

But if they take a closer look, the risks cannot be avoided. A regulator may investigate a complaint from an unhappy consumer. Or a partner may simply walk away, having realized that they are being fooled by appearances. Therefore, it is still worth approaching compliance in a comprehensive manner: start with a risk assessment, then prioritize the risks and work through them gradually.

Still, the most important task will often be updating the Terms of Use and Privacy Policy on the website. So why not go to a lawyer with this request right away?

No problem at all. If you understand that you still have work to do and that this is only the beginning, we are on the same page on this issue.

How to make your website GDPR-compliant?

In short:

It’s not just about Terms of Use + Privacy Policy. It’s important to consider every step a consumer or partner takes on your website where you collect personal data:

  • What is written when registering an account?
  • What is stated in the field for subscribing to marketing newsletters?
  • Is there a banner on the website warning that you use cookies and similar technologies?

In more detail:

1) Policies and rules on the website

These documents must be drawn up in accordance with applicable law – whether it is GDPR, CCPA, Ukrainian data protection legislation, or all of these at once.

The rules (or public offer) on the website exist to explain who is entering into a contract with whom, what the terms of the contract are, and when the contract is concluded. This in turn lets the privacy policy explain why the contract is the legal basis for processing certain personal data (for example, a delivery address is a mandatory element for an online store to fulfill the contract). We have previously written about how to write an offer.

Privacy policy is a place where a person who leaves you their data can read what you do with their data and why.

No matter what market we are targeting, it is highly desirable to write in clear and simple language. This is a new standard of quality for documents on the website, not only from the regulator, but also from consumers in conscious and developed markets. So the more confusing you write, the worse it is.

If the policy is complex, very long, and confusing, or if it has no section references, tables, or an abridged version that expands into the full version, or no date and summary of the latest updates, an experienced EU user will immediately understand that it is not GDPR-compliant.

Regardless of the applicable law, your privacy policy should include the following:

  • Who is the data controller (determines the purpose of processing);
  • What data you collect;
  • For what purpose and on what legal basis;
  • To whom you give access to the data (employees do not count, but contractors, partners, external storage services, and cloud providers do);
  • What rights the website user has and how to exercise them;
  • How to contact you.

2) Cookie banner

The banner is straightforward: every question below should be answered with “yes.” Here is our old article about cookies, which is almost as old as the GDPR itself (in case you want to check whether we understood anything about the GDPR a long time ago).

  • Do you give the user the choice of which types of cookies to accept and which to reject?
  • Does the user have the option to not only accept but also reject everything?
  • Can you go from the banner to a section of the site where you can read more?
  • Are the functions of cookies and their storage periods explained?
  • Does the user understand how to change their choice, and can they do so at any time?
  • Are the colors of the agree and disagree buttons the same? In other words, are you nudging the user toward one choice by showing a large green “agree” button next to a small colorless “decline” button?
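The checklist above is usually implemented by a consent manager behind the banner. The following is an added example, not code from the article or from any service it mentions; the category names, the policy version constant and the stored state shape are assumptions. It shows the logic that makes the banner honest: nothing non-essential is set before a choice, reject-all is as easy as accept-all, categories are granular with no pre-ticked boxes, and consent is re-asked when the policy changes.

```javascript
// Added example (not from the article or any service it names): the consent
// state behind a cookie banner, written to satisfy the checklist above.
// Category names, the policy version and the storage shape are assumptions.
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // assumed: bump when cookie purposes/retention change

// Before any choice: only strictly necessary cookies, and the banner must show.
function defaultState() {
  return { version: POLICY_VERSION, decidedAt: null,
           choices: { necessary: true, preferences: false, analytics: false, marketing: false } };
}

// Granular choice: "necessary" is always on; every other category is off
// unless the user explicitly ticked it (no pre-ticked boxes, no implied consent).
function applyChoice(choices, now = Date.now()) {
  const next = { necessary: true };
  for (const c of CATEGORIES.slice(1)) next[c] = choices[c] === true;
  return { version: POLICY_VERSION, decidedAt: now, choices: next };
}

// "Accept all" and "Reject all" are symmetric one-click actions: the reject
// path is no longer or harder than the accept path.
function acceptAll(now) {
  return applyChoice(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
}
function rejectAll(now) {
  return applyChoice({}, now);
}

// The banner must reappear when there is no decision yet or the policy the
// user agreed to has changed (the user can also reopen it at any time).
function needsBanner(state) {
  return state.decidedAt === null || state.version !== POLICY_VERSION;
}

// Every script that wants to set a cookie asks this gate with its category.
function isAllowed(state, category) {
  if (!CATEGORIES.includes(category)) return false;        // unknown category: never allowed
  if (needsBanner(state)) return category === "necessary";  // missing or stale consent
  return state.choices[category] === true;
}

// Gate around a cookie jar (a plain object standing in for document.cookie).
function setCookieIfAllowed(state, jar, name, value, category) {
  if (!isAllowed(state, category)) return false;
  jar[name] = value;
  return true;
}
```

The same gate should wrap tag managers and third-party script loaders, since a banner that is only cosmetic while analytics cookies are already set fails the checklist.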

3) Texts on the website and checkboxes next to them

The fact that you have an offer and a policy on your website should be visible not only in the footer of the website, but also in every place where you collect data. If you offer user accounts, the user must be shown the offer and policy when registering. If you have a field for commenting on articles where people leave their impressions, the rule is the same.

If you have a field for subscribing to unobtrusive advertising of the company in emails, SMS messages, and messengers, do not forget to add a link to the documents under this field and explain that by subscribing, the user agrees to receive mailings through the relevant channels.

Simple ways to look good = automation

What if you don’t want to go to lawyers because lawyers complicate everything? Or what if you just believe in AI, generation, and automation? Then you need services that allow you to generate rules and policies, place a cookie banner, and configure everything automatically. Or maybe even collect requests from users simply through a widget. All this is possible with a variety of new-generation services that will outperform most lawyers. Or that will simplify the work of your lawyer 🙂

For our part, we tested at least the following paid services:

CookieYes. This is a convenient way to collect and manage user consent. It provides a banner with a control panel and the ability to customize it for different legal requirements (US, EU separately or together). There are additional features such as a “Do not sell my personal information” button and even Do-Not-Track settings for the US market.

Clym.io. A widget with the ability to not only post rules and policies but also develop a compliant cookie banner. The service allows you to configure accessibility and receive requests from users about their data in a single unified location and work with such requests through the account.

Iubenda. A service for generating rules and policies. It contains a very detailed constructor with the ability to comply with the rules of many countries at the same time. Their policies also look cool: you can read a shortened version in the form of tables/diagrams, or a long text version if you have a lot of time or a lawyer on staff or outsourced.

How can we help you if you choose automation? For example, we can correctly generate or adapt documents for you. Or customize the service for you. Or process requests that come through the widget. It all depends on your needs and wishes. So please contact us 🙂
