How to Make Your Website Compliant with the GDPR – Step 2: Conduct a Site-wide Profiling Analysis
As we get closer to the looming GDPR deadline, we’re continuing our series of blog posts on how to get your website compliant with the consent requirement.
If you’re already familiar with the GDPR, then you know that the law is a massive piece of legislation that sets guidelines for how the personal information of individuals within the EU is collected, processed, utilized, and stored.
The law applies to all companies regardless of where they are located or headquartered, if they market their products or services to residents of the EU. If even a small percentage of their web traffic comes from the EU, then they must comply.
In our last post, we covered step 1, which is to map your digital supply chain.
Step two is to conduct a site-wide profiling analysis. Because companies are responsible for not only the personal data they’re directly collecting, but also the data their vendors (and their vendors’ partners) have access to, getting a 360-degree view is vital.
Personal data is anything that could be used to reasonably identify an individual. This may include device identification numbers, IP addresses, cookies and non-cookie tracking technologies, and location data collection. Anything that can be used to identify an individual is considered personal data under the GDPR.
Now, start making a list of all the vendors that have access to your web visitors’ personal data. You can use Trackermap® to help build your list.
Once you have the list compiled, determine what type of visitor profiling activities each vendor is doing on your website. Remember that these vendors got access because at one point your marketing or IT team likely added a tag to your website that enabled a third-party technology (or a partner they work with) to perform a business need. So, most of these vendors are likely fulfilling a duty you contracted them for that requires monitoring some aspect of your site users’ behavior.
Among the questions you need to ask are:
- What type of tracking are they doing?
- What’s data is being collected?
- Where and how is the data being stored?
- How is the data being used?
Then, evaluate the level of data sensitivity involved and rank it to determine the associated risks. Is it high, medium, or low? For everything you label medium or high, determine what you can do to reduce jeopardizing the individuals’ privacy and implement controls. Do you need to remove the tag from your site entirely, or find some means to monitor it more closely, for example?
Make sure you also analyze what submissions are saved to your site database. The GDPR’s requirement of understanding and creating processes for data is why the law is about data governance as much or more than it is about data protection.
To get all five steps on “How to Make Your Website Compliant with the GDPR”, download the eBook.