Website Compliance Audit for a GDPR Compliant Website
A compliance audit for your website can help determine whether the organization is GDPR compliant or needs to conduct additional data protection impact assessments, enter into more data sharing agreements, or change its privacy disclosures. The Clarip website risk intelligence scanner is a Hybrid AI software-as-a-service that helps identify weaknesses in GDPR compliance and provides actionable intelligence in order to decrease your data privacy risks.
Privacy Policy Risks
Most privacy policies have gaps. Because the privacy policy is treated by the Federal Trade Commission (FTC) as a promise to the organization’s website visitors and customers, a gap in a privacy disclosure may have severe consequences. It may ultimately be declared an unfair or deceptive trade practice by the FTC and require a consent order with years of privacy audits in the future.
The GDPR also greatly increases the potential cost of these gaps. The GDPR authorizes potential fines of the higher of 20 million euros or four percent of the organization’s annual revenue.
There are many points at which the drafting of a privacy policy can go wrong. All of the information necessary for an accurate privacy policy may not have been communicated to the person in charge of writing it. For example, third parties may be using technology that implicates the privacy of the website visitors without anyone at the company realizing it.
Even if the person receives all of the information, they may not understand all of the implications of the latest technology, or they may not communicate it in a manner that is easy for website users to comprehend.
The privacy policy also could become outdated. Websites change much more frequently than privacy policies are reviewed. So information collection and sharing may have changed since the privacy policy was last updated.
Most privacy policies are written in broad language in order to help minimize the impact of these problems. However, the broad language makes them more difficult to understand with respect to specific situations. During the Congressional hearings, Facebook was repeatedly criticized for not having a privacy policy that clearly communicated the specifics of its data collection, usage and sharing. The GDPR requirement for concise privacy policies in plain English will only further weaken the ability to rely on broad legalese to cover the variety of situations.
Website audits can help detect these compliance gaps. Websites are frequently the main point of data collection and an important one in data sharing. By auditing the flow of data in and out of an organization’s website, additional information can be discovered about the privacy policy that helps to close these gaps.
Third-Party Data Sharing
Data sharing between organizations is increasingly automated. Data that is collected through a website may be immediately passed on to a third party via a beacon/tracker or made available for their access through an application programming interface (API). It no longer needs to be manually touched by an employee of the business to be sent externally.
This creates a potential compliance nightmare, as the programmer who adds a third-party tool with the capability of collecting data is unlikely to be the same person who is responsible for ensuring that the appropriate data sharing agreements with third parties are in place under the GDPR. This is one of the reasons that the GDPR requires the involvement of and consultation with privacy professionals throughout the development of technology, systems and processes at an organization.
Few organizations are building software from scratch. Nearly everyone is using third-party or open source software in their servers, websites and other electronic systems. So the risk that there is third-party data sharing that has not been the focus of the compliance team’s efforts yet is high.
Third-Party Vendor Management
The GDPR requires that organizations only share data with responsible processors. However, if an organization is not aware of all of the places that it is sharing data, then it cannot take the right steps to make sure that its partners are acting responsibly. Once it does have a complete inventory of third-parties receiving data, then the organization can proceed with fulfilling the vendor management requirements of GDPR through additional due diligence. Tools
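The inventory step described above starts with knowing which external hosts a page hands data to. The following is an added example, not Clarip's scanner or any code from this page: it parses a constructed sample page and lists every script, image, iframe, stylesheet and form target that points at a host outside an assumed first-party allowlist (the hostnames ending in `.test` are made up for the example). A real audit would run this over every page of the site and against the live DOM, since trackers injected by other trackers do not appear in the static HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): a first-party signup form plus
# three embedded third-party resources that could carry visitor data off-site.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-shop.test/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<form action="/signup"><input name="email"></form>
<img src="https://pixel.ad-network.test/beacon.gif?uid=123" width="1" height="1">
<iframe src="https://widgets.chat-vendor.test/embed"></iframe>
<img src="/images/logo.png">
</body></html>
"""

# Tag/attribute pairs through which a page loads a resource from, or posts
# data to, another origin. Relative URLs resolve to the first party and are
# ignored.
_RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "form": "action",
}


class ThirdPartyCollector(HTMLParser):
    """Records (tag, host, url) for every resource reference outside the allowlist."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party_hosts = {h.lower() for h in first_party_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = _RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        host = urlparse(url).hostname  # also handles protocol-relative "//host/path"
        if host is None:  # relative URL -> served by the first party itself
            return
        if host.lower() not in self.first_party_hosts:
            self.findings.append((tag, host.lower(), url))


def third_party_report(html, first_party_hosts):
    """Map each third-party host to the sorted list of tag types that reference it."""
    parser = ThirdPartyCollector(first_party_hosts)
    parser.feed(html)
    report = {}
    for tag, host, _url in parser.findings:
        report.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in report.items()}


def third_party_hosts(html, first_party_hosts):
    """Sorted, de-duplicated inventory of external hosts the page references."""
    return sorted(third_party_report(html, first_party_hosts))


if __name__ == "__main__":
    for host, tags in sorted(third_party_report(SAMPLE_HTML, ["www.example-shop.test"]).items()):
        print(f"{host}: {', '.join(tags)}")
```

Each host in the output is a candidate for the vendor due diligence and data sharing agreement review described above; a `form` entry is the most urgent, because it means visitor input is posted straight to the external party rather than to the organization's own server.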
Consent Disclosures and Methodology
Getting user consent on the website at the point of data collection is a critical aspect of ensuring GDPR compliance. GDPR Article 13 requires that certain information be provided to the data subject when personal data is collected by the organization. Article 7 further requires that certain methodologies are used in the collection of consent in order for it to be valid. These are two of the most critical compliance areas for websites as they form the basis for the processing and sharing of data downstream within the organization and externally.
Websites cannot expect to be considered compliant if they do not meet these terms of the GDPR. They must use opt-in boxes that are clearly filled in by user action rather than opt-out or pre-checked opt-in boxes. There must also be a way to unsubscribe that is as easy as subscribing in the first place. GDPR requirements like these are essential to ensuring that informed, valid consent has been obtained and that processing is, as a result, lawful.
Documentation and Recordkeeping
The above steps are important to ensure a website is GDPR compliant. However, compliance also necessitates that adequate records are kept about what data is being collected and where it is being shared. If records are not kept of what is flowing into and out of the website, then additional steps need to be taken to move towards compliance.
Data Risk Intelligence
The importance of website audits for data issues goes beyond GDPR compliance: they can help protect an organization’s competitive advantage by ensuring that there are no data leaks to competitors or other third parties.
Website Data Risk Scanner
Clarip has built a powerful website scanner with Hybrid AI technology to help companies fulfill some of the GDPR requirements with respect to websites. It works well in conjunction with a website compliance audit for GDPR. For a demo of Clarip’s software, call 1-888-252-5653.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options, from data mapping software and DPIA automation to cookie management for ePrivacy.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.