The impact of the GDPR on websites has sometimes been underestimated. Many business operators have assumed that drafting a simple privacy policy could somehow be enough to make a website GDPR-compliant. Making a website compliant instead runs through a detailed analysis of the site, of the technical components it is made of, and of the data it collects and processes.
The first consideration concerns which data are collected and how. A website collects many kinds of data, both through forms that the user fills in and automatically, simply because the user browses the pages that make up the site.
In addition, every website sets cookies: small text files saved on the user's device that are needed for the site to operate or that serve to collect information about the user.
Once it is clear which data the Data Controller collects through the website, it is necessary to define how these data are collected, for which purposes, how long they will be stored and to whom they are communicated.
For every form included in the website, and for each purpose for which data are collected, a specific notice must be drawn up in accordance with Article 13 of European Regulation No. 679/2016. Provision must also be made for collecting consent for each processing activity that requires it as a condition of lawfulness, and for a dedicated system to store the consents obtained.
Another principle of the Regulation that affects the design and management of websites is data minimisation. The GDPR requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that forms must be designed to request only the data needed to achieve the purposes declared in the notice.
The user must also be informed about the data that the website collects automatically, such as the IP address and the pages visited by each user. The Privacy Policy serves to describe the methods of processing of the personal data of users who visit the website, and it must include the information required by Article 13 of the GDPR.
As for cookie management, the entry into force of the European Regulation brings a major change in how banners work. Under the principles the GDPR sets out for consent, the user must be able to choose which categories of cookies to accept, and must do so before those cookies are downloaded to their device.
Moreover, since consent must be informed, freely given and specific, consent for cookies must be given separately for each category (marketing, statistics, profiling, etc.) and must not be pre-selected.
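The consent rules described above (no optional category pre-ticked, nothing stored before the user decides, a separate choice per category, and a record of the consent given) can be enforced in the site's own front-end logic. The following is an added example, not code from Federprivacy or from any specific consent tool; the category names and the sample cookies are assumptions, and the functions are kept free of DOM calls so the logic can be tested on its own.

```javascript
// Added example: consent-gated cookie handling modelled as pure functions.
// Category names are assumptions taken from the article's list; "necessary"
// is the one category that needs no consent.
const CATEGORIES = ["necessary", "statistics", "marketing", "profiling"];
const POLICY_VERSION = "2018-05-25"; // assumed version label of the cookie notice

// Default banner state: only strictly necessary cookies are enabled; every
// optional category starts unchecked, as the GDPR requires.
function defaultConsent() {
  return { necessary: true, statistics: false, marketing: false, profiling: false };
}

// Check a banner's default state: reject any configuration that pre-ticks an
// optional category (the "pre-selected" consent the article rules out).
function isValidDefault(consent) {
  return CATEGORIES.every(c =>
    c === "necessary" ? consent[c] === true : consent[c] === false);
}

// Apply the user's explicit, per-category choice. "necessary" cannot be turned
// off and unknown keys are ignored, so a tampered form cannot widen consent.
function applyChoice(consent, choice) {
  const next = { ...consent };
  for (const c of CATEGORIES) {
    if (c !== "necessary" && typeof choice[c] === "boolean") next[c] = choice[c];
  }
  return next;
}

// May a cookie of this category be written right now? Before the user has
// decided, only necessary cookies are allowed; afterwards, only consented ones.
function mayStore(consent, category, decided) {
  if (category === "necessary") return true;
  if (!decided) return false;
  return consent[category] === true;
}

// Filter the cookies a page wants to set down to those that may be written.
function allowedCookies(cookies, consent, decided) {
  return cookies.filter(c => mayStore(consent, c.category, decided));
}

// Build the record to keep as proof of consent (what was chosen, when, and
// against which version of the notice).
function recordConsent(consent, decidedAt) {
  return { categories: { ...consent }, decidedAt: decidedAt.toISOString(), policyVersion: POLICY_VERSION };
}

// Constructed sample of cookies a page might try to set.
const SAMPLE_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "stats_visit", category: "statistics" },
  { name: "ad_segment", category: "marketing" },
];
```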
In conclusion, the work needed to make a website compliant with the GDPR cannot be limited to preparing a standard notice; it must go through an in-depth analysis of the processes involved in processing the personal data collected through the site. Such an analysis can only be carried out by a team with cross-cutting skills (technical, organisational and legal).
SOURCE: FEDERPRIVACY