I am working for a high-traffic website developed in CodeIgniter. Can someone please help with how to start working on making the website GDPR compliant?

Until now, I was able to identify the potential cookies being used containing user personal details.

What should be the next step? Only showing a prominent consent form is sufficient?

Arun Jain
    Please note that proper cookie handling does not make a site "GDPR compliant". There are many other aspects to a site that need to be considered. – schroeder Jan 23 '19 at 09:05
    Refer to this article by [cookieyes GDPR solutions](https://www.cookielawinfo.com/how-do-you-ensure-your-website-is-gdpr-compliant/) – mujuonly Oct 16 '19 at 07:05

1 Answer


There is no binary answer to being 'GDPR compliant'. There are, however, some steps you can take to be compliant to some extent. A key element of the GDPR is that you need either explicit permission from your users (or visitors) to collect, store and use their data, or another legal basis (such as being required by law). The request to use their data must use clear language; you cannot hide it somewhere in a lengthy Terms and Conditions disclaimer.

There are a couple of things to consider. First of all, all users have the right to access, change or remove their data. The GDPR requires everyone to provide mechanisms for anyone to receive any previously provided personal data in a commonly used and machine-readable format.

You must also follow privacy by design principles. This means you cannot check 'I accept your terms and conditions' by default, for example.

The first step is to conduct a Privacy Impact Assessment (PIA by GDPR) which basically means you should ask yourself the following questions:

  • What data am I collecting
  • Do I need this data or is it just 'nice to have'
  • What is my legal basis (in most cases this will be consent) to store and process this data
  • How long am I going to store this data
  • Am I going to share this data with others

Then you need to answer all these questions in a privacy agreement of some sort. There are many templates on the internet, for example this one by SEQ Legal (which I am not affiliated with).

Cookies are only mentioned once in the GDPR, but the consequences for anyone tracking users and their browser activity are significant. Recital 30 of the GDPR states the following:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Which means that when a cookie can identify an individual via their device, it is considered personal data. This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

To become compliant, you must stop collecting these cookies or find a lawful ground to collect and process that data. The simplest way of doing this is consent. There are some things to consider (as can be found here):

  • Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.

  • ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:

  • It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
  • Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.

For cookies this means a simple opt-in notification or consent form is sufficient; however, you should still have a privacy policy in place that covers the above questions when it comes down to personal data, which most cookies are.

Kevin
    IMPORTANT NOTE: while this answer focuses on cookies, GDPR is a holistic look at how and why ***any*** personal data is collected and processed, even on the back end, and where and why any personal data is passed on to others. Accounts, tracking, logging, data that people upload or save, etc. Just because your cookies comply with GDPR does not mean that your site is compliant. – schroeder Jan 23 '19 at 09:03
  • Got it. But is there any key point that can help us in ensuring the compliance of website to maximum extent? – Arun Jain Jan 23 '19 at 09:08
  • @schroeder Indeed, the second part of the answer only focuses on cookies while GDPR is way broader than just cookies (they are only mentioned once in GDPR). I focused on this because general GDPR advice is better suited for law.stackexchange.com. – Kevin Jan 23 '19 at 15:11
    @ArunJain Well the best thing you can do right now is do a Privacy Impact Analysis (PIA) which focuses on what data you process, why you do this and what the potential impact to your customers can be when you suffer from a data breach. Make sure your privacy policy covers all the aspects I mentioned as well as all the rights of your customers (view, edit and remove data). I think your question about GDPR in general (and not just cookies) fits better at law.stackexchange.com. – Kevin Jan 23 '19 at 15:14
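The consent rules listed in Kevin's answer above (no implied consent, explicit affirmative opt-in per category, withdrawal as easy as giving consent, re-asking when the policy changes) can be turned into a small, framework-independent consent record and gate. The following is an added example, not code from the question, the answer, or CodeIgniter; it is written in JavaScript without DOM or cookie-API calls so the same decision logic can be exercised in tests or on the server. The category names, the policy-version strings and the sample cookie list are assumptions made for illustration.

```javascript
// Added example (not from the original thread): a consent record and a cookie
// gate that encode the opt-in / reject / withdraw rules from the answer.
// Category names and the record shape are assumptions for illustration.

const NECESSARY = "necessary";                       // strictly necessary: always allowed
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // everything else needs opt-in

// Constructed sample of what a site might want to set, tagged by category.
const SAMPLE_COOKIES = [
  { name: "session", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

// A fresh visitor has taken no affirmative action, so nothing optional is allowed.
// Merely visiting the site never counts as consent.
function newConsentRecord() {
  return { policyVersion: null, choices: {}, decidedAt: null, history: [] };
}

// Record an explicit choice made through a user action (clicking Accept/Reject
// or saving a preferences menu). Only a literal `true` per category counts as
// consent; a missing, pre-ticked or truthy-but-not-boolean value is a refusal,
// so a "checked by default" box cannot slip through this function.
function recordChoice(record, choices, policyVersion, now = Date.now()) {
  if (!choices || typeof choices !== "object") {
    throw new Error("an explicit choices object is required");
  }
  const next = {
    policyVersion,
    choices: {},
    decidedAt: now,
    history: [...record.history],
  };
  for (const cat of OPTIONAL_CATEGORIES) {
    next.choices[cat] = choices[cat] === true;
  }
  // Keep a history so you can show when (and to which policy) consent was given.
  next.history.push({ at: now, policyVersion, choices: { ...next.choices } });
  return next;
}

// Withdrawal is one call with the same shape as giving consent: no extra steps,
// no "accept first, then you may opt out".
function withdrawAll(record, now = Date.now()) {
  const none = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  return recordChoice(record, none, record.policyVersion, now);
}

// The gate every cookie-setting code path should go through.
function mayStoreCookie(record, category, currentPolicyVersion) {
  if (category === NECESSARY) return true;
  if (!OPTIONAL_CATEGORIES.includes(category)) return false; // unknown category: deny
  if (record.decidedAt === null) return false;               // no affirmative action yet
  if (record.policyVersion !== currentPolicyVersion) return false; // policy changed: re-ask
  return record.choices[category] === true;
}

// Convenience: given the cookies the site would like to set, return only those
// the current record permits.
function filterAllowedCookies(record, cookies, currentPolicyVersion) {
  return cookies.filter((c) => mayStoreCookie(record, c.category, currentPolicyVersion));
}

// Walk through a visitor's life cycle and return the names allowed at each stage.
function demo() {
  const v1 = "2019-01";
  const r0 = newConsentRecord();
  const r1 = recordChoice(r0, { analytics: true, marketing: "yes" }, v1, 1000);
  const r2 = withdrawAll(r1, 2000);
  const names = (r, v) => filterAllowedCookies(r, SAMPLE_COOKIES, v).map((c) => c.name);
  return {
    beforeChoice: names(r0, v1),    // only "session"
    afterOptIn: names(r1, v1),      // "session" and "_ga" ("yes" is not consent)
    afterPolicyChange: names(r1, "2019-06"), // back to "session" until re-asked
    afterWithdrawal: names(r2, v1), // only "session"
    decisions: r2.history.length,   // 2 entries: the opt-in and the withdrawal
  };
}
```

In a CodeIgniter site the same check would sit in whichever helper or controller sets cookies, with the record itself persisted in a strictly necessary cookie or the session (a hypothetical placement, not prescribed by the answer); the point of the gate is that the default is deny and that a refusal or withdrawal is honoured without any further steps.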