The General Data Protection Regulation (GDPR) took effect on May 25, 2018. The privacy standards aim to protect the personal data and privacy of all people in the European Union. The data protection law applies to all foreign companies processing the personal data of people in the EU. The GDPR applies to your business even if you don’t have any physical presence in any country of the EU. If your website collects and processes the personal data of users from the EU, then you should work through our GDPR compliance checklist.
What Is a GDPR Compliance Checklist?
A GDPR compliance checklist is a list of actions you need to check to be GDPR compliant. It helps you identify the areas where your collection and processing of personal data need improvement in order to be GDPR compliant.
Under the GDPR, the data controller, i.e. the website owner, is responsible for GDPR compliance. This means the controller must ensure, and also be able to prove, that its third-party processors meet all relevant GDPR requirements.
Is my website GDPR compliant?
Below is a summarized GDPR compliance checklist; read the details under each point to ensure your website stays compliant with the GDPR.
1. Make a GDPR-compliant Privacy Policy
The main purpose of a Privacy Policy is to inform your website visitors about how you collect, process, and/ or share their personal data. It should explain the user’s rights and your business obligations to the users. Under the GDPR, the users have the following rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
The Privacy Policy must be easily accessible from every page of your website, for example via a link or through the Cookie Banner. It must also be written in clear, plain language that anyone can understand.
You can use the CookieScript Privacy Policy Generator, which helps you create your own Privacy Policy from pre-defined choices and is available in 9 languages.
2. Know the data you are holding
To know how users' personal data is controlled, you have to know what personal data you hold. The following checklist provides the framework that you need to follow to be GDPR compliant.
- What personal data do you already have?
- Does the data include sensitive personal data?
- Do you hold personal data from minors, who are below 16 years of age?
- How long do you keep personal data?
- Do you have consent to collect personal data? Where is it stored?
- Why do you collect this data?
- How is collected personal data processed?
- Where is collected personal data stored?
- Who has access to this data in your business?
- Do any third parties hold personal data you collected? If yes, how do you control their usage of this data? Do you have any agreements on this?
- Are there any third parties, holding your users' personal data, based outside the EU? If yes, are they aware of the GDPR? Do you have any agreements with them?
GDPR Article 4 defines personal data: “Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data also includes:
- Religious views
- Ethnic origins and identities
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
- Political opinions
- Memberships.
IP addresses are classified as personal data if they can be used to identify a person. For example, if a user’s IP address is collected alongside their address, phone number, or email address, it is personal data because the identity of the person can be linked to that address, phone number, or email address. If you're not sure whether the IP addresses you collect should be classified as personal data, err on the safe side and protect them as if they are personal data.
Because the GDPR is focused on sensitive personal data protection and strictly regulates its processing, it’s important to identify sensitive data and apply adequate protection for it. Personally Identifiable Information (PII) is considered sensitive personal data and should be protected with the highest level of cybersecurity.
3. Secure your website
As a website owner, you must ensure your website is secure. This means that the data stored needs to be protected and that the website itself needs to be protected from outside attacks and data breaches.
Here are the basic steps to protect your website from hackers and other people with fraudulent intent:
- Install an SSL/TLS certificate so your website is served over HTTPS, which encrypts the traffic between your visitors' browsers and your server.
- Add extra layers of protection to your server if your users share payment information on the website.
- Use strong passwords for admin accounts.
- Use anti-virus software or services.
- Apply measures to protect your website against DDoS attacks.
- Try not to share personal data, especially sensitive data, with third parties.
- Anonymize personal data before storing it, so that the user cannot be identified from what you store.
- Do not collect or store more personal data than your website needs, and remove it once you no longer need it.
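The IP-address and anonymize-before-storing points above, as an added example that is not part of the original checklist or of CookieScript's code: an access-log line is stored with the client IP truncated (last octet of an IPv4 address, last 80 bits of an IPv6 address zeroed), so the stored value can no longer single out a visitor. The log line and addresses are constructed sample data from the documentation ranges.

```javascript
// Added example (not CookieScript's code): truncate client IPs before a log
// line is written to storage. Truncation is irreversible, unlike hashing.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Returns the eight 16-bit groups of an IPv6 address, or null if malformed.
// Handles "::" compression; IPv4-mapped forms are rejected as malformed.
function parseIPv6(ip) {
  const parts = ip.split("::");
  if (parts.length > 2) return null;                 // at most one "::"
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  const nums = groups.map(g => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// IPv4: zero the host octet. IPv6: keep the first 48 bits (a typical ISP
// allocation) and zero the remaining 80. Returns null for invalid input so a
// caller never stores an unmasked string by accident.
function anonymizeIp(ip) {
  const m = IPV4.exec(ip);
  if (m) {
    const octets = m.slice(1).map(Number);
    if (octets.some(o => o > 255)) return null;
    octets[3] = 0;
    return octets.join(".");
  }
  const groups = parseIPv6(ip);
  if (!groups) return null;
  return groups.slice(0, 3).map(g => g.toString(16)).join(":") + "::";
}

// Constructed sample line in common access-log format (first field is the IP).
const SAMPLE_LOG_LINE =
  '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /account HTTP/1.1" 200 512';

// Replace the client IP field; refuse the line if the IP cannot be masked.
function anonymizeLogLine(line) {
  const [ip, ...rest] = line.split(" ");
  const masked = anonymizeIp(ip);
  return masked === null ? null : [masked, ...rest].join(" ");
}
```

Apply the same masking to any other stored field that carries an IP (error reports, analytics events), not just the access log.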
4. Use a Cookie Banner on your website
If your website collects data from users based in the EU and uses non-necessary cookies, then you should use a Cookie Banner to get cookie consent from users to store cookies on their devices. The banner should inform website users that the website uses cookies and what information they collect. It also should inform users about their right to refuse the usage of cookies and their personal data collection, as well as the right to request to delete users' personal data already collected.
Here are the basic points you should have in mind while adding a Cookie Banner:
- Describe what kind of cookies you intend to set and why.
- Explain why you need to set cookies.
- The banner should offer opt-in and opt-out options for accepting and rejecting cookies, respectively.
- Do not set non-necessary cookies before the user has given explicit consent (opt-in).
- Let users give Cookie Consent per cookie category.
- Include information about your Privacy Policy and a link to it.
- Let users withdraw or change their Cookie Consent status on every page of your website.
- Document and store all user consents.
- Keep your website usable even if the user does not allow cookies.
- Ignoring the banner or scrolling the page does not count as Cookie Consent.
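The banner rules above, as an added example that is not CookieScript's code: a small consent manager that sets only necessary cookies until the user makes an explicit choice, queues everything else per category, expires cookies whose category loses consent when the user changes or withdraws it, and keeps a timestamped consent record for your documentation. The category names and the `sink`/`remover` callbacks (stand-ins for writing and expiring `document.cookie`, so the logic also runs outside a browser) are assumptions.

```javascript
// Added example (not CookieScript's code): per-category, opt-in cookie consent.
// Category names are assumed; `sink(name, value)` and `remover(name)` stand in
// for document.cookie writes so the logic is testable outside a browser.
const CATEGORIES = ["necessary", "functional", "performance", "targeting"];

class ConsentManager {
  constructor(sink, remover, now = () => new Date()) {
    this.sink = sink;
    this.remover = remover;
    this.now = now;
    this.consent = null;  // null until the user acts on the banner
    this.pending = [];    // non-necessary cookies deferred until consent
    this.placed = [];     // non-necessary cookies actually written
    this.log = [];        // consent record to persist (when, which categories)
  }

  allows(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    return category === "necessary" || (this.consent !== null && this.consent[category]);
  }

  // Necessary cookies are always set; everything else waits for explicit opt-in.
  setCookie(category, name, value) {
    if (!this.allows(category)) {
      this.pending.push({ category, name, value });
      return false;
    }
    this.sink(name, value);
    if (category !== "necessary") this.placed.push({ category, name });
    return true;
  }

  // Called only from an explicit banner action. Categories not mentioned in
  // `choices` are false: no pre-ticked boxes, and scrolling never reaches here.
  update(choices) {
    const record = {};
    for (const c of CATEGORIES) record[c] = c === "necessary" || choices[c] === true;
    this.consent = record;
    this.log.push({ at: this.now().toISOString(), choices: { ...record } });
    // Expire cookies whose category lost consent, then set newly allowed ones.
    this.placed = this.placed.filter(p => record[p.category] || (this.remover(p.name), false));
    const stillPending = [];
    for (const p of this.pending) {
      if (record[p.category]) this.setCookie(p.category, p.name, p.value);
      else stillPending.push(p);
    }
    this.pending = stillPending;
  }

  // Withdrawal must be reachable from every page; it is just "consent to nothing".
  withdraw() { this.update({}); }
}
```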
5. Review data processors or third-party contracts
If data processors or third parties perform some functions on behalf of your business, then you should ensure they align with your Privacy Policy. They should take all actions to be GDPR compliant as well.
6. Verify the age of your website users who consent to data processing
The GDPR permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from minors younger than that age, you must receive consent from the holder of parental responsibility for the minor.
Thus, your website must have an age verification process to verify the age of users before collecting any data. If the website determines that the user's age is below 16 years, implement a separate parental consent process.
7. Get consent for emails
If you use email marketing services to send out newsletters or send emails for any other purpose to EU users, you need permission from your users to send these emails. The users have to give an opt-in consent to receive emails from you.
Users should also be able to opt out of emails at any time. Provide an unsubscribe link in your email that is easy for the user to find. After the user clicks on it, it should take them to a page where they can easily unsubscribe from emails without giving any justification.
8. Evaluate your website forms
If your website has any kind of form, such as a contact or subscription form, that collects personal data, you must ensure the data is collected and processed according to the GDPR. Use this checklist to ensure that the usage of website forms is GDPR compliant:
- Provide a checkbox with a link to your Privacy Policy page, with a text like “I have read and accept the Privacy Policy of the website”.
- Inform the user how the collected data will be used.
- Inform the user that they can request the deletion of their collected data at any time.
- Inform the user how they can request to download their own data stored on the website.
- Use simple language so that your messaging is clear and concise.
- Explain why you’re asking for their data.
- Pre-ticked consent boxes are not allowed; use an opt-in option to get user consent to collect data.
- Give an option, such as a checkbox, for users to choose whether they want to receive correspondence from you.
9. Evaluate international data transfer
If you are transferring personal data from the EU to non-EU countries, then you must make sure the international data transfer is carried out according to the law. Use this simple checklist to comply with the GDPR:
- Ensure that the privacy policy of your data processors or third parties based in non-EU countries corresponds to your Privacy Policy.
- Review your agreements with processors or third parties that are based in non-EU countries.
- Make sure that the recipient country or service provider has an adequate level of data protection in place.
- Do the necessary risk assessments before transferring the data to any non-EU country.
10. Prepare for a data breach
In your GDPR compliance checklist, you must be prepared for a data breach, so prepare a procedure for it. Check these key points to take adequate action in the case of a data breach:
- Inform the appropriate supervisory authority about the data breach within 72 hours. Immediate data breach notification is a mandatory GDPR requirement under Article 33 of the GDPR. Both personal data controllers and processors need to report data breaches within 72 hours: processors report to the controller, and the controller reports to the supervisory authority. The notification must state when the breach occurred, the data categories and the approximate number of users affected, the approximate number of personal data records affected, any action taken or planned, and the measures to mitigate its possible adverse effects. The supervisory authority is the Data Protection Authority (DPA), which monitors and enforces GDPR compliance; it is usually the authority of the EU member state in which the business is based.
- Notify the affected users if there is a pronounced risk to users’ privacy as a result of the breach, including what actions they could take to protect their data.
- Update your processes to prevent future data breaches on your website.
- Prepare an action plan for handling future data breaches.
11. Update your CMS platforms
Make sure your CMS, such as WordPress, Shopify, Weebly, etc., is up to date and GDPR compliant.
With CookieScript, we automatically generate a cookie script for each platform, which you simply copy and insert into your CMS. You can also update the CMS manually, and add your custom code or style.
12. Respond to user requests
If you receive a user request regarding their personal data, be prepared to:
- Answer it within 2 days.
- Delete or update the user data no later than 30 days after the request.
- Follow a prepared process when someone requests their personal data in a portable, transferable format.
A Quick and Easy Solution for GDPR Compliance
Not sure if your website is GDPR compliant? Use CookieScript Consent Management Platform, which automatically creates your custom GDPR-compliant Cookie Consent banners and Privacy Policy in one place. CookieScript regularly scans your website for cookies and automatically updates your Cookie Declaration Table, so you can be sure your website is GDPR-compliant. We also provide hints about the Cookie Banner options' compliance with GDPR, when you are setting your cookie banner.
Frequently Asked Questions
Who is responsible for compliance with GDPR?
According to the GDPR, a business or an organization is responsible for complying with all data protection requirements and for GDPR compliance. If a business, as the data controller, shares users' data with data processors or third parties, both the data controller and the data processors are responsible for GDPR compliance.
What is GDPR compliance checklist?
A GDPR compliance checklist is a list of actions you need to check to be GDPR compliant. It helps you identify the areas where your collection and processing of personal data need improvement in order to be GDPR compliant.
How to be GDPR compliant?
If you want to make sure that your business is fully GDPR compliant, use the GDPR compliance checklist provided by CookieScript.
What are the penalties for non-compliance with the GDPR?
A lower-level violation could result in an administrative fine of up to €10 million, or 2% of the company's annual global turnover for the preceding financial year, whichever is higher. A severe violation could result in an administrative fine of up to €20 million, or 4% of the company's annual global turnover for the preceding financial year, whichever is higher. Read the article to learn how lower-level and severe violations are distinguished.
Does not complying with GDPR always lead to penalties?
Not all GDPR violation cases lead to fines. The GDPR supervisory authority may take the following measures, with or without a fine: issue a warning, temporarily or permanently ban the company's processing activity, order the deletion of users' personal data, or order that transfers of users' personal data to a third party be restricted.
When did GDPR take effect?
The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and aims to protect the personal data and privacy of all people in the European Union. The data protection law also applies to all foreign companies processing the personal data of people in the EU, even if the business does not have any physical presence in any EU country.
What does it mean to be GDPR compliant?
GDPR compliance means that an organization that falls within the scope of the GDPR meets the requirements for personal data collecting and processing as defined in the law. The GDPR gives certain rights to customers and provides obligations organizations must follow when handling their website users' personal data.