5 Steps to Protecting Personal Data on Your Website
Data privacy regulations such as the GDPR continue to add requirements for any organization with a website.
While technology can’t make you compliant, it does reduce unnecessary manual work and makes it easier for teams to adopt better data privacy practices. Here are five steps you can easily take with Siteimprove Data Privacy on your way to website compliance:
Step 1: To protect personal data on your website, you first need to know what data you have.
No matter how long your organization has been around, it’s likely you have domains or IP addresses you aren’t aware of—which means forgotten data. Achieving website compliance begins by finding out:
- Who in your organization keeps track of your organization’s domains
- Where your IP addresses are located geographically
- Which websites belong to your domains
Step 2: Personal data and cookies on your website aren’t necessarily a problem, but you must have control over them to take action when necessary.
Once you have an overview of all the websites your organization owns, you need to find out what they contain. Here are some of the elements to keep an overview of:
- ID numbers, credit card numbers, full names, email addresses, and phone numbers
- Cookies set by your organization as well as third-party cookies
- Embedded videos that set cookies or HTML forms that collect data
Step 3: To answer data subjects’ requests, the right systems must be in place.
GDPR introduces new data subject rights like the right to rectification (Art. 16) and the right to be forgotten (Art. 17). If someone asks to have their personal data edited or removed, you must be able to do so across all websites and internal systems. To achieve this, you must implement a system that allows you to:
- Identify any instance of personal data without undue delay
- Search across all your sites, including within files and metadata
- Flag future instances of personal data you've removed upon request
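As an added illustration of steps 2 and 3 (example code written for this page, not code from the original article or from Siteimprove), the Python scanner below inventories one page's personal-data elements (e-mail addresses, phone numbers, Luhn-valid card numbers, data-collecting forms and third-party embeds) and checks whether an address from an erasure register has reappeared. The regular expressions, the sample page and the shape of the erasure register are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Patterns are this example's own assumptions, not Siteimprove's detection rules.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NUMBER_RE = re.compile(r"(?<![\w@.-])\+?\d(?:[\d ().-]*\d)?(?![\w@])")  # digit runs
def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps order and ticket numbers out of the card findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class _Collector(HTMLParser):
    """Gathers visible text, <form> targets and third-party <iframe>/<script> sources."""
    def __init__(self):
        super().__init__()
        self.text, self.forms, self.third_party = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag in ("iframe", "script") and (a.get("src") or "").startswith("http"):
            self.third_party.append(a["src"])  # embeds that may set cookies
    def handle_data(self, data):
        self.text.append(data)

def scan_page(html: str) -> dict:
    """Step 2: inventory of one page's personal-data and cookie-setting elements."""
    p = _Collector()
    p.feed(html)
    text = "\n".join(p.text)
    cards, phones = set(), set()
    for m in NUMBER_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits[:4] + "*" * (len(digits) - 8) + digits[-4:])  # masked
        elif 8 <= len(digits) <= 15:
            phones.add(m)
    return {"emails": sorted(set(EMAIL_RE.findall(text))), "phones": sorted(phones),
            "cards": sorted(cards), "forms": p.forms, "third_party": p.third_party}
def recurrences(findings: dict, erasure_register: set) -> list:
    """Step 3: e-mail addresses erased on request that have reappeared on a page."""
    return sorted(set(findings["emails"]) & erasure_register)

# Constructed sample page; the card number is a well-known public test number.
SAMPLE_HTML = """<p>Contact jane.doe@example.org or call +45 12 34 56 78.</p>
<p>Card on file: 4111 1111 1111 1111 (order 1234 5678 9012 3456, ref 2019).</p>
<form action="/newsletter"><input name="email"></form>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe><script src="/static/app.js"></script>"""
```

Running `scan_page(SAMPLE_HTML)` reports the e-mail address, the phone number, the masked card number, the form target and the YouTube embed, while the non-Luhn 16-digit order number and the 4-digit reference are dropped; `recurrences` then flags the address if it is on the erasure register.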
Step 4: GDPR is not a one-off project. Organizations are expected to ensure ongoing compliance.
Performing a one-time website audit to identify personal data will not ensure compliance in the long run.
Websites are active parts of modern organizations, and your domains and the data living there must be monitored on an ongoing basis. Properly doing so gives you a constant overview of the elements mentioned in step 2.
Step 5: Meeting GDPR requirements is important, and being able to prove that you meet them is just as important.
Every step you take towards compliance could help you show customers, prospects, and local authorities that you care about data privacy. You should:
- Keep an updated overview of the personal data living on your domains
- Document all actions you take when someone exercises their right to be forgotten