Website data privacy compliance checkup
As data protection officers and privacy advisers, we are regularly asked to monitor the GDPR compliance of specific applications, websites and similar services.
So how does one determine whether a website is GDPR compliant? The task is complicated by the fact that websites, like the regulations that apply to them, change constantly. As a result, a checkup can only identify GDPR risks and gaps as they stand at a specific moment in time, and has to be repeated to stay meaningful.
Methodology to define if a website is GDPR / privacy compliant
Framework: the person carrying out the audit (or crash test, or even pentest) of a website's privacy compliance first has to define which regulation applies to the case. Let's take GDPR for our example and move forward.
Target website: the second step is, of course, choosing the website. Once we have the object of our research and the applicable regulation, we can proceed with the checkup procedure.
Website privacy checkup in the details
So, what has to be checked?
Usually the first privacy touch point with the user is the cookie banner. You can find some really impressive but non-compliant cookie banners all over the internet. For example, non-essential cookies may be presented to the user as strictly necessary ones. Or the banner may be purely declarative: whatever the user chooses, the same cookies are still delivered to the user's device. The banner text alone tells you nothing about this; the only reliable way to find out is to look at which cookies are actually set before any choice is made and after the user declines.
The privacy user experience of the banner itself also has to be checked: there should be no pre-ticked boxes, and the banner text should be plain and understandable.
Thus, the checks for cookie banners and cookies in general may be as follows:
Cookie banner compliance check (Privacy UX):
- Check if the cookie banner is displayed correctly
- Check if the banner provides clear and exhaustive information on the cookies used
- Check if the banner offers an option to accept or decline cookies, and whether those choices actually change which cookies are set and which data flows occur
- Check for dark patterns, which data protection authorities frown upon (e.g. an "accept all" button that is far more prominent than "decline", or consent buried behind several clicks)
Cookie check (Cookies compliance):
- Check if cookies are used in compliance with GDPR (non-essential cookies only after consent has been given, and only for the purposes stated)
- Check if cookie policy includes all required information, such as the purpose of the cookie, its lifespan, and the data collected
- Check if users have an option to manage cookie settings and withdraw their consent
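The decisive check in the two lists above is whether the banner's choices actually change what reaches the browser. The Python script below is an added example and not part of the original article: it compares the Set-Cookie headers captured before any interaction with the banner against those captured after the user declines, and checks declared lifespans against a threshold. The allowlist of strictly necessary cookie names and the captured headers are constructed for illustration; in a real checkup the allowlist comes from the site's own cookie policy and the headers from the browser's network tab or a proxy.

```python
from http.cookies import SimpleCookie

# Cookie names the site's cookie policy declares as strictly necessary.
# Assumed allowlist for this example; take it from the policy under review.
STRICTLY_NECESSARY = {"session_id", "csrf_token", "cookie_consent"}

# Constructed Set-Cookie header values, as captured from the first response
# before the user has touched the banner (sample data, not from a real site).
BEFORE_CONSENT = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/; SameSite=Lax",
    "_fbp=fb.1.1700000000.12345; Max-Age=7776000; Path=/",
]

# Constructed headers captured after clicking "Decline" on the banner.
AFTER_DECLINE = [
    "cookie_consent=denied; Max-Age=15552000; Path=/; SameSite=Lax",
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/; SameSite=Lax",
]


def parse_set_cookie(headers):
    """Map cookie name -> Morsel for a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie)  # SimpleCookie is a dict of name -> Morsel
    return jar


def non_essential(headers, necessary=STRICTLY_NECESSARY):
    """Names of cookies in the capture that are not on the necessary allowlist."""
    return sorted(name for name in parse_set_cookie(headers) if name not in necessary)


def lifetime_days(morsel):
    """Declared lifetime in days from Max-Age; None for a session cookie."""
    max_age = morsel["max-age"]  # "" when the attribute is absent
    return int(max_age) / 86400 if max_age else None


def audit_banner(before_consent, after_decline, max_days=365):
    """Return human-readable findings for the cookie banner and cookie checks."""
    findings = []
    # A non-essential cookie set before any answer: consent was not obtained first.
    for name in non_essential(before_consent):
        findings.append(f"{name}: set before consent was given")
    # A non-essential cookie still set after "Decline": the banner is declarative only.
    for name in non_essential(after_decline):
        findings.append(f"{name}: still set after the user declined")
    # Lifespan check against the threshold used in the cookie policy review.
    jar = parse_set_cookie(before_consent + after_decline)
    for name, morsel in sorted(jar.items()):
        days = lifetime_days(morsel)
        if days is not None and days > max_days:
            findings.append(f"{name}: lifetime {days:.0f} days exceeds {max_days}")
    return findings


if __name__ == "__main__":
    for finding in audit_banner(BEFORE_CONSENT, AFTER_DECLINE):
        print(finding)
```

Each finding maps directly onto a list item above: cookies present before consent, cookies that survive a decline, and lifespans that contradict the policy. Run the same capture once more after withdrawing consent from the settings page to cover the withdrawal check as well.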
OK, now that we have covered the first privacy touch point, let's step back and look at the bigger picture: the privacy user experience in general. The checks might be as follows:
Privacy UX check (Transparency and understandability of privacy terms):
- Check if the website’s privacy policy is easily accessible and understandable
- Check if the policy includes all required information, such as data collected, purpose of data collection, and data retention period
- Check if the website provides easy-to-understand explanations of privacy-related terms and concepts
The next privacy pit stop, or rather privacy station, is consent. There are many guidelines on consent: how it should be requested, given and withdrawn. In our checkup we have to "test" the consent, to play with it: read the wording, understand it, try giving different answers, take them back, and so on. All this in order to determine whether consent, as the legal basis for processing personal data, meets all the requirements. So we may check the following:
Consent check (GDPR compliance):
- Check if the website obtains valid consent from users before collecting and processing their personal data
- Check if the consent request is specific, clear, and unambiguous
- Check if the user has the option to withdraw their consent at any time
- Check if the company (website owner) can demonstrate that consent was given, e.g. by keeping a record of when it was given and which version of the consent text the user accepted
OK, we continue our privacy journey and arrive at the most interesting district: the data subject request center. A lot of cases that end with data protection authorities and penalties for companies start with one little DSR.
The way the user can actually submit such a DSR matters, as does the communication with the user and, of course, the information the company provides and the actions it takes in response.
To get a realistic picture of how the company actually handles DSRs, a mystery-shopper tactic may help: submit a real request as an ordinary user and see what comes back, and when. Possible checks are as follows:
Data subject requests check (DSR management):
- Check if the website has a process in place for managing data subject requests (DSRs) in compliance with GDPR
- Check if the website provides an easy-to-use DSR form for users to submit requests
- Check if the website responds to DSRs within the required timeframe (under GDPR, without undue delay and at most one month, extendable by two further months for complex or numerous requests) and in compliance with GDPR
Last but not least on our list is evaluating the level of privacy communication in general. Remember all that stuff like "privacy information has to be provided in a transparent manner and in plain language"? Well, it really has to be so. You may be surprised, but even the reading level of the target audience should be considered here: information addressed to children needs different wording than information addressed to professionals.
On the other hand, privacy compliance is not just about fulfilling the requirements of the applicable regulations; it's about building trust.
So, as part of the privacy communication check, we may look at the following:
Privacy communication check (Transparency and consistency):
- Check if the website communicates privacy-related information to users in a transparent and consistent manner
- Check if the website provides clear and concise explanations of how user data is used and protected
- Check if the website communicates any changes to its privacy policy in a timely and transparent manner.
Results of website privacy checkup
The result of such a check is a report stating the findings discovered during the checkup.
It may be structured as follows:
Structure of the deliverables: report
- Executive Summary: This section provides a brief overview of the report's findings and recommendations.
- Methodology: This section describes the methodology used to conduct the website privacy checkup. It explains the scope of the privacy audit, the tools used, and any limitations that may have affected the results.
- Results: This section presents the findings of the privacy audit / checkup. Each finding should be clearly stated, with a description of the issue, the evidence (e.g. the captured cookies or the screenshot of the banner) and the relevant provision. For example: "The website uses marketing cookies without obtaining consent from users, in violation of GDPR Article 6 (and Article 5(3) of the ePrivacy Directive)."
- Recommendations: This section provides actionable recommendations to improve the privacy program and the privacy points on the studied website. Each recommendation should be specific and tailored to the case.
How to get such a website privacy checkup?
A report like the one described above is based on the study of the specific website. A case-by-case customized approach and a sound methodology ensure high-quality privacy recommendations.
Such a data privacy website checkup should be carried out by a privacy professional or data protection officer, and here at Privacity you can find that assistance.