by dangrossman 2968 days ago
> Stop collecting any data you don't need. If you don't collect it, it's not an issue!

That's trickier than it sounds.

If you embed a copy of jQuery on your page hosted by a CDN, you're collecting and sending personal data to the CDN. Do you have consent for that?

Same with web fonts, icon fonts, JavaScript libraries, social media follow/share buttons, analytics tags, etc. you embed in the tags.

Every time your page is loaded, you're sending personal data to all those third parties, most of them not even located in the EU, which means you're sharing with a third party and doing a cross-border transfer.

You need more than just consent to do that, they're sub-processors for you, and you likely need signed Data Processing Addendums with each of those companies, and they need to have adequate protections for cross-border data transfers, like participation in the EU-US Privacy Shield Framework. Have you signed those agreements?

You can easily be sharing more data than you meant to, too. Let's say you send a newsletter for your website and you host a copy of phpList or similar software to manage and send it. In each mail you send out, you include an unsubscribe link, which has the address to unsubscribe embedded in the link.

When someone clicks that link, their email address will be part of the HTTP referrer header sent to all those third-party scripts on your page. Now you're transferring email addresses to a half dozen third parties with no legitimate business reason to do so. Do you have consent to do that?
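The unsubscribe-link leak described in the comment above, as an added example that is not part of the original thread: it computes the `Referer` value each cross-origin embed on a page would receive under a given `Referrer-Policy` and reports the hosts that would see an email address. The page URL, HTML, hostnames and address are constructed, the `Referrer-Policy` header is not mentioned in the thread, and "third party" is approximated as "different origin".

```javascript
// Added example. The URL, HTML and address are constructed sample data.
const EMAIL = /[a-z0-9._+-]+(?:@|%40)[a-z0-9.-]+\.[a-z]{2,}/i;

// Referer value sent from pageUrl to targetUrl under a Referrer-Policy.
// Simplification: "downgrade" is treated as https -> non-https only.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const full = page.origin + page.pathname + page.search; // fragment is never sent
  const originOnly = page.origin + "/";
  const cross = page.origin !== target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return cross ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return cross ? originOnly : full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : cross ? originOnly : full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hosts of cross-origin embeds that would receive an email address in Referer.
function thirdPartyLeaks(pageUrl, html, policy) {
  const embed = /<(?:script|img|iframe)\b[^>]*?\bsrc=["']([^"']+)["']|<link\b[^>]*?\bhref=["']([^"']+)["']/gi;
  const leaks = [];
  for (const m of html.matchAll(embed)) {
    const target = new URL(m[1] || m[2], pageUrl); // resolve relative URLs
    if (target.origin === new URL(pageUrl).origin) continue; // first party
    const referer = refererFor(pageUrl, target.href, policy);
    if (referer && EMAIL.test(referer)) leaks.push(target.host);
  }
  return leaks;
}

const PAGE = "https://news.example.org/lists/?p=unsubscribe&email=alice%40example.net";
const HTML = `
<script src="https://cdn.example.com/jquery.min.js"></script>
<link rel="stylesheet" href="https://fonts.example.com/css?family=Sample">
<script src="/static/app.js"></script>
<img src="https://stats.example.net/pixel.gif">`;

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(policy, "->", thirdPartyLeaks(PAGE, HTML, policy));
}
```

Run with Node.js; the first policy sends the full page URL to every embed, while the second reduces cross-origin referrers to the origin so the address in the query string stays with the first party.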

1 comment

> If you embed a copy of jQuery on your page hosted by a CDN, you're collecting and sending personal data to the CDN. Do you have consent for that?

You're not collecting anything there, so it's nothing to do with the GDPR - it might impact the CDN, but it's unlikely without them tying your IP to other personally identifying information. Analytics would be, because that's personal data you are collecting, so you'd need to ask permission for that.