Does my company's website comply with the General Data Protection Regulation?
As you know, the General Data Protection Regulation (GDPR) applies to every company that processes personal data, that is, any information that identifies or makes it possible to identify an individual (name, postal address, email, telephone number, IP address, online identifiers, bank card number and so on). Companies generally use a website to give visibility to their business, and often also to offer or provide their services through it.
Websites collect personal data through several channels, most commonly contact or registration forms and cookies. So whether your business uses its website only to showcase products or services, or sells them through it (e-commerce), you must make sure the site complies both with data protection law (the GDPR and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights, LOPDGDD) and with the Spanish Law on Information Society Services and Electronic Commerce (LSSI).
Some keys to avoid possible sanctions.
Although what needs adapting will vary from one website to another, the following points should not be overlooked when bringing your site into line, since sanctions for non-compliance are becoming larger and more frequent.
The Spanish Data Protection Agency (AEPD) makes it easier to meet the duty to provide information through its Guide on complying with the duty to provide information. It is quite specific and contains very useful examples.
It is also highly recommended that you consult the AEPD's guide on cookies. Like the guide on the duty to provide information, it explains in detail what information must be provided and how, with practical examples.
- Information in layers.
Once these points have been drafted, the website must display notices that actually bring them to the user's attention, otherwise the duty to provide information is not correctly implemented. This is where the AEPD's recommendation to provide information in layers comes in: a first layer shows the user the basic and most relevant information (who the controller is, the purpose of the processing, its legal basis, who the data is shared with and how to exercise rights), and a link takes them to a second layer, typically the full privacy policy, that expands on it.
- Technical and organisational actions.
In addition to these formal requirements, you must make sure that every processing operation described in your policies is in practice carried out with the guarantees the law requires. That means implementing technical and organisational measures (GDPR Article 32), for example: serving the site over HTTPS with a valid TLS certificate (commonly called an SSL certificate) and keeping the platform and any security plugins up to date; knowing how to recognise requests from users exercising their rights and having a procedure to handle them within the one-month deadline the GDPR sets; and having mechanisms that give you visibility of whether your website has suffered a security breach, let you assess its impact and tell you how to act, including notifying the AEPD within 72 hours where the GDPR requires it.