
What does the AVG mean for your website?

The privacy law AVG (the Dutch name of the General Data Protection Regulation, GDPR) is a very hot topic right now. All websites must comply with the rules of the AVG. How exactly does this affect your website? What should you change or add now so that your website meets the requirements of the AVG?

The tightening of the privacy rules and the associated high fines are making many companies uneasy. We are therefore increasingly being asked how the AVG affects your website. This is a logical question, because your website is often the starting point for collecting personal data. It is therefore very important that your website meets the requirements set by the AVG.

In this blog we focus on the impact the AVG has on websites, but it is very important to know that the AVG goes much further than just the website: every process and department within an organization that processes personal data has to deal with it. For example, in some cases it is mandatory for your company to appoint a privacy officer. If you want to know more about this, the website of the Authority for Personal Data (Autoriteit Persoonsgegevens) is a good starting point.

How do you AVG-proof your website?

The AVG focuses on accountability and transparency. You must clearly let visitors know what you do with the personal data you collect. Which other organizations have access to this data? And do you handle it responsibly? In principle, the rules of the AVG apply to all websites containing forms or websites where people can log in. In both cases, you are requesting or storing personal data in your website's database.

During the introduction period of the AVG, a more lenient approach was taken toward small business owners and associations than toward large organizations. Since May 2018, all businesses must officially operate in compliance with the AVG. Are you curious whether your organization complies with the guidelines of the AVG? Using the steps below, you can check your compliance. In this example, we use a case that applies to most websites, namely the newsletter subscription. This seems like a simple form, but it has some snags.

1. What do you collect personal data for?

In the case of a newsletter sign-up form, it must be clear to the visitor that he or she will receive a newsletter after signing up. So you have to make clear why you are asking for the data of the person filling out the form. In some cases you may also want to collect a first and last name, for example to make the newsletter more personal. According to the AVG, you are not allowed to use the requested data for any purpose other than the one stated at the time of the request. Suppose you would also like to call the people who sign up. This is only allowed if you have also indicated this. If you have not indicated this, you cannot call these people.

2. Provide a clear privacy statement

The privacy statement should tell visitors what you do with their personal data and which third parties have access to it. When sending a newsletter, for example, you probably use an e-marketing tool such as MailChimp, Copernica or CampaignMonitor, and you should mention this in the privacy statement. In addition, include the contact information of your organization or of the privacy officer (Data Protection Officer), so that individuals who want insight into their personal data reach the right person. The same applies to unsubscribing from a newsletter. In addition to the well-known rights of objection, inspection and rectification, individuals also have the right to be forgotten.

3. Ensure secure storage of personal data

If you store personal data, you as a company are responsible for that data. If a data breach occurs, you are obliged to report it. If it turns out that you have been negligent, the fines are sky-high, which is why it is very important to store the data securely. Think of a CMS that is up to date, a web server that is properly maintained and a website that can only be accessed via HTTPS. You can also always use a security checklist to see whether the security of your website is in order.

4. Processor Agreements

It is mandatory to enter into a processor agreement with all parties that have access to or process the personal data you collect. The key question here is who is responsible for the processing. For example, you do not have to enter into a processor agreement with the organization behind your CMS, but you do have to enter into one with the party that processes or has access to the data on your behalf. Think of the hosting provider or the Internet agency. The processor agreement records, among other things, what the party you commission to process the data will do, how they will do it and how long the agreement will last.

5. Enter into a processor agreement with a company in the U.S.

Entering into a processor agreement with an organization outside the EU will be difficult or even impossible. What you can do is check whether these organizations have joined the Privacy Shield. This is an agreement between the United States and the European Union on how personal data is processed and secured. Organizations such as Google, Amazon, Mailchimp and Pantheon are members of it.

6. Don't ask for too much information

It is no longer allowed to request data that is not necessary for the stated purpose. For example, many organizations also want to request a phone number on the newsletter subscription form or the registration form, with the aim of calling these people afterwards. This is allowed, but it must also be made clear at the time of newsletter subscription.

7. Don't store data longer than necessary

If a person unsubscribes from your newsletter, you must delete that person's data. The same goes for any personal data stored in the website that is no longer relevant. Think of the user account of an employee who is no longer employed, or the data of people who filled out an application form for a vacancy that has since been filled.

8. Unsubscribe

Just as easily as people can subscribe to your newsletter, they should also be able to unsubscribe again. You can do this with a dedicated link in the newsletter, or you can create an extra form for this.

9. Cookies

Cookie laws are also going to change, but before that the ePrivacy Regulation has to come into effect. This is an addition to the AVG and deals with other issues, such as the placement of cookies. The new ePrivacy Regulation may have implications for your website and especially for your marketing activities. However, this depends on the type of cookies you place. Basically, there are three types of cookies:

  1. Functional cookies: These are necessary for the operation of your website. They do not store personal data, and you do not need approval for them before or after the entry into force of the AVG and the ePrivacy Regulation.
  2. Analytical cookies: These are needed for statistics systems such as Piwik and Google Analytics. As long as these systems anonymize the personal data, you have a processor agreement with Google and the data is not shared with third parties, you no longer need approval for them as of May 25.
    See also the guide: How to make sure your Google Analytics account is AVG-proof.
  3. Tracking cookies: These are used to build user profiles. Many organizations do not think of themselves as profiling or tracking users, but as soon as you do remarketing through Google AdWords (remarketing is showing ads to people who have previously visited your website), embed YouTube videos or use social sharing services like AddThis, your website places tracking cookies.

Under the cookie law and the AVG you have to obtain approval before placing them; a notification alone is not enough. This is why some websites place a cookie wall: you cannot enter the website without agreeing to the placement of tracking cookies. From the moment the ePrivacy Regulation comes into force, websites are no longer allowed to place a cookie wall, and the visitor's browser settings must be respected instead. Has the visitor indicated that cookies may be placed? Then no separate approval is needed. Has the visitor set that no tracking cookies may be placed? Then this must not and cannot happen.
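The decision logic above (functional cookies always allowed, analytical cookies allowed without approval only under the stated conditions, tracking cookies only with explicit consent and never against the browser's opt-out) can be written down as a small gate that runs before any cookie is set. This is an added example, not code from the original post; the cookie names in the registry are constructed illustrations, and consent and the Do Not Track signal are passed in explicitly so it runs outside a browser (in a page you would read `navigator.doNotTrack` and your own stored consent record).

```javascript
// Added example: gate cookie placement by the three categories described above.
const CATEGORY = { functional: "functional", analytical: "analytical", tracking: "tracking" };

// Constructed registry of cookie names -> category; adapt it to your own site.
const COOKIE_REGISTRY = {
  session_id: CATEGORY.functional,   // login session
  csrf_token: CATEGORY.functional,   // form protection
  _pk_id: CATEGORY.analytical,       // Piwik visitor id
  _ga: CATEGORY.analytical,          // Google Analytics
  _gcl_au: CATEGORY.tracking,        // AdWords remarketing
  addthis_uid: CATEGORY.tracking,    // social sharing widget
};

/**
 * Returns true if the named cookie may be placed.
 * opts.analyticsAnonymised: stats tool anonymises data, a processor agreement
 *                           exists and nothing is shared with third parties
 * opts.trackingConsent:     visitor explicitly agreed to tracking cookies
 * opts.doNotTrack:          browser signal (navigator.doNotTrack === "1")
 * Unknown cookie names are treated as tracking cookies, the safe default.
 */
function mayPlaceCookie(name, opts = {}) {
  const { analyticsAnonymised = false, trackingConsent = false, doNotTrack = false } = opts;
  const category = COOKIE_REGISTRY[name] || CATEGORY.tracking;
  switch (category) {
    case CATEGORY.functional:
      return true; // necessary for operation; no approval required
    case CATEGORY.analytical:
      if (analyticsAnonymised) return true; // the post's conditions are met
      // otherwise personal data is involved: fall through to the tracking rule
    default:
      // browser opt-out wins; without it, explicit consent is required
      return !doNotTrack && trackingConsent;
  }
}

// Builds the Set-Cookie strings for the cookies that pass the gate. The jar is
// an array so the function can be exercised without a real browser or server.
function setCookiesIfAllowed(cookies, opts) {
  const jar = [];
  for (const [name, value] of Object.entries(cookies)) {
    if (!mayPlaceCookie(name, opts)) continue; // silently skipped, not set
    jar.push(`${name}=${encodeURIComponent(value)}; Secure; SameSite=Lax`);
  }
  return jar;
}
```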
