The General Data Protection Regulation (GDPR) took effect on May 25, 2018. The privacy standards aim to protect the personal data and privacy of all people in the European Union. The data protection law applies to all foreign companies processing the personal data of people in the EU. The GDPR applies to your business even if you don’t have any physical presence in any country of the EU. If your website collects and processes the personal data of users from the EU, then you should work through our GDPR compliance checklist.
Is my website GDPR compliant?
Read this simple GDPR compliance checklist to ensure your website stays compliant with the GDPR.
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
2. Know the data you are holding
To know how users' personal data is controlled, you have to know what personal data you hold. The following checklist provides the framework that you need to follow to be GDPR compliant.
- What personal data do you already have?
- Does the data include sensitive personal data?
- Do you hold personal data from minors (users under 16 years of age)?
- How long do you keep personal data?
- Do you have consent to collect personal data? Where is it stored?
- Why do you collect this data?
- How is collected personal data processed?
- Where is collected personal data stored?
- Who has access to this data in your business?
- Do any third parties hold personal data you collected? If yes, how do you control their usage of this data? Do you have any agreements on this?
- Are any third parties holding your users' personal data based outside the EU? If yes, are they aware of the GDPR? Do you have any agreements with them?
GDPR Article 4 defines personal data: “Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data also includes:
- Religious views
- Ethnic origins and identities
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
- Political opinions
IP addresses are classified as personal data if they can be used to identify a person. For example, if a user’s IP address is collected alongside their address, phone number, or email address, it is personal data because the person's identity can be linked to it through those other fields. If you're not sure whether the IP addresses you collect should be classified as personal data, err on the safe side and protect them as personal data.
Because the GDPR is focused on sensitive personal data protection and strictly regulates its processing, it’s important to identify sensitive data and apply adequate protection for it. Personally Identifiable Information (PII) is considered sensitive personal data and should be protected with the highest level of cybersecurity.
3. Secure your website
As a website owner, you must ensure your website is secure. This means that the data stored needs to be protected and that the website itself needs to be protected from outside attacks and data breaches.
Here are the basic steps to protect your website from hackers and other people with fraudulent intent:
- Install an SSL/TLS certificate so your website is served over HTTPS, which encrypts the information exchanged between the user's browser and your server.
- Add extra layers of protection to your server if your users share payment information on the website.
- Use strong passwords for admin accounts.
- Use anti-virus software or services.
- Apply measures to protect your website against DDoS attacks.
- Try not to share personal data, especially sensitive data, with third parties.
- Anonymize personal data before storing it, so that the user cannot be identified from the stored data.
- Do not collect or store more personal data than your website needs, and remove it once you no longer need it.
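The IP-address point above and the "anonymize before storing" step can be combined in a log-writing hook. The following is an added example, not code from the article or from CookieScript: it truncates IPv4 addresses to the first three octets and IPv6 addresses to the first 48 bits before the access-log line is stored (those truncation widths are an assumption, not a value the article specifies), and the sample log lines are constructed from documentation address ranges.

```javascript
// Added example: strip the host part of a client IP before it is written to a log,
// so the stored record cannot be linked back to an individual user.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function anonymizeIp(ip) {
  const v4 = IPV4_RE.exec(ip);
  if (v4 && v4.slice(1).every((o) => Number(o) <= 255)) {
    // Keep the network part, zero the host octet: 203.0.113.77 -> 203.0.113.0
    return `${v4[1]}.${v4[2]}.${v4[3]}.0`;
  }
  if (ip.includes(":") && /^[0-9a-fA-F:.]+$/.test(ip)) {
    // Expand a "::" shorthand so all eight groups exist, then keep the first three
    // 16-bit groups (a /48 prefix, an assumed width) and collapse the rest.
    const [head, tail = ""] = ip.split("::");
    const headGroups = head ? head.split(":") : [];
    const tailGroups = tail ? tail.split(":") : [];
    const missing = 8 - headGroups.length - tailGroups.length;
    const groups = [...headGroups, ...Array(Math.max(missing, 0)).fill("0"), ...tailGroups];
    return groups.slice(0, 3).join(":") + "::";
  }
  throw new Error(`not an IP address: ${ip}`);
}

// Common Log Format puts the client address first; anonymize only that field.
function anonymizeLogLine(line) {
  const idx = line.indexOf(" ");
  if (idx === -1) return anonymizeIp(line);
  return anonymizeIp(line.slice(0, idx)) + line.slice(idx);
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample lines using RFC 5737 (IPv4) and RFC 3849 (IPv6) documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
  '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 512',
];

anonymizeLog(SAMPLE_LOG).forEach((l) => console.log(l));
```

Apply the hook before the line reaches disk; anonymizing an existing log afterwards still leaves the original copy as personal data until it is deleted.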
4. Use a Cookie Banner on your website
Here are the basic points you should have in mind while adding a Cookie Banner:
- Describe what kind of cookies you intend to set and why.
- Explain why you need to set cookies.
- The banner should have opt-in and opt-out options for accepting and rejecting cookies, respectively.
- Do not set cookies BEFORE the user has given explicit consent (opt-in option).
- Allow users to give Cookie Consent per cookie category.
- Allow users to withdraw or change their Cookie Consent status from every page of your website.
- Document and store all user consents.
- Ignoring the banner or scrolling the web page does not mean the user gave Cookie Consent.
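The banner rules above (no cookies before opt-in, per-category consent, a stored record of every decision, withdrawal at any time, silence is not consent) are illustrated by the added example below. It is not CookieScript's script or code from the article; the category names are an assumption, and storage and the cookie jar are in-memory stand-ins for `localStorage` and `document.cookie` so it runs outside a browser.

```javascript
// Added example: gate every cookie on recorded consent for its category.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names

class ConsentManager {
  constructor(storage, clock = () => new Date().toISOString()) {
    this.storage = storage; // object with getItem/setItem, e.g. window.localStorage
    this.clock = clock;
  }
  // null means no decision yet: ignoring the banner or scrolling is not consent.
  current() {
    const raw = this.storage.getItem("consent");
    return raw ? JSON.parse(raw) : null;
  }
  // Record an explicit decision. Only "necessary" is on by default; every other
  // category is off unless the user ticked it (no pre-ticked boxes).
  record(choices, action = "update") {
    const granted = { necessary: true };
    for (const c of CATEGORIES) if (c !== "necessary") granted[c] = choices[c] === true;
    const log = JSON.parse(this.storage.getItem("consentLog") || "[]");
    log.push({ action, granted, at: this.clock() }); // audit trail: what was consented and when
    this.storage.setItem("consentLog", JSON.stringify(log));
    this.storage.setItem("consent", JSON.stringify(granted));
    return granted;
  }
  // Callable from any page; cookies already set should be expired by the caller.
  withdraw() { return this.record({}, "withdraw"); }
  allowed(category) {
    if (category === "necessary") return true;
    const c = this.current();
    return c !== null && c[category] === true;
  }
  // Every place that would drop a cookie goes through here; returns whether it was set.
  setCookie(jar, name, value, category) {
    if (!this.allowed(category)) return false;
    jar.set(name, value);
    return true;
  }
  history() { return JSON.parse(this.storage.getItem("consentLog") || "[]"); }
}

function memoryStorage() { // in-memory stand-in for localStorage (constructed for the example)
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

function demo() { // a visit: analytics cookie blocked, user opts in to analytics only, then withdraws
  const cm = new ConsentManager(memoryStorage(), () => "2023-10-10T13:55:36Z");
  const jar = new Map();
  const before = cm.setCookie(jar, "_ga", "GA1.2.1", "analytics");
  cm.setCookie(jar, "session", "abc", "necessary");
  cm.record({ analytics: true }, "banner");
  const after = cm.setCookie(jar, "_ga", "GA1.2.1", "analytics");
  const ads = cm.setCookie(jar, "_fbp", "fb.1", "marketing");
  cm.withdraw();
  return { before, after, ads, afterWithdraw: cm.allowed("analytics"), cookies: [...jar.keys()], records: cm.history().length };
}
```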
5. Review data processors or third party contracts
6. Verify the age of your website users who consent to data processing
The GDPR permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from minors younger than that age, you must receive consent from the holder of parental responsibility for the minor.
Thus, your website must have an age verification process to verify the age of users before collecting any data. If the website determines that the user's age is below 16 years, implement a separate parental consent process.
7. Get consent for emails
If you use email marketing services to send out newsletters or send emails for any other purpose to EU users, you need permission from your users to send these emails. The users have to give an opt-in consent to receive emails from you.
Users should also be able to opt out of emails at any time. Provide an unsubscribe link in your email that the user can easily find. Clicking it should take the user to a page where they can easily unsubscribe from emails without giving any justification.
8. Evaluate your website forms
If your website has any kind of forms, such as contact or subscription forms, that collect personal data, you must ensure the data is collected and processed according to the GDPR. Use this checklist to ensure that the usage of website forms is GDPR compliant:
- Inform the user how the collected data will be used.
- Inform the user that they can request deletion of their collected data at any time.
- Inform the user how they can request a download of their own data stored on the website.
- Use simple language so that your messaging is clear and concise.
- Explain why you’re asking for their data.
- Pre-ticked consent boxes are not allowed; use an opt-in option to get user consent to collect data.
- Give an option, such as a checkbox, for users to choose whether they want to receive correspondence from you.
9. Evaluate international data transfer
If you are transferring personal data from the EU to non-EU countries, you must ensure the international transfer is carried out according to the law. Use this simple checklist to comply with the GDPR:
- Review agreements with processors or third parties that are based in non-EU countries.
- Make sure that the recipient country or service provider has an adequate level of data protection in place.
- Do the necessary risk assessments before transferring the data to any non-EU country.
10. Analyze data breach
You must be prepared in the event of a data breach, so prepare a procedure for it. Check these key points to take adequate actions in the case of a data breach:
- Inform the appropriate supervisory authority about the data breach within 72 hours. Immediate data breach notification is a mandatory GDPR requirement according to article 33 of the GDPR. Both personal data controllers and processors need to report data breaches within 72 hours.
Processors need to report data breaches to controllers, and controllers need to report to a supervisory authority. Your notification must state when the breach occurred, the categories of data and the approximate number of users affected, the approximate number of personal data records affected, any action taken or planned, and the measures to mitigate its possible adverse effects.
A supervisory authority is a Data Protection Authority (DPA), which is responsible for monitoring and enforcing GDPR compliance. Supervisory authorities are usually located in the EU member state where the business is based.
- Notify the affected users if there is a pronounced risk to users’ privacy as a result of the breach, including what actions they could take to protect their data.
- Update your processes to prevent future data breaches on your website.
- Prepare an action plan for handling future data breaches.
11. Update your CMS platforms
Make sure your CMS (WordPress, Shopify, Weebly, etc.) is up to date and GDPR compliant.
With CookieScript, we automatically generate a cookie script for each platform, which you simply copy and insert into your CMS. You can also update the CMS manually, and add your custom code or style.
12. User request response
If you received a user request regarding their personal data, be prepared to:
- Answer it within 2 days.
- Delete or update the user data no later than 30 days after the request.
- Prepare a process for handling requests for personal data in a portable, transferable format.
A Quick and Easy Solution for GDPR Compliance
Frequently Asked Questions
Who is responsible for compliance with GDPR?
According to the GDPR, a business or an organization is responsible for complying with all data protection requirements and GDPR compliance. If a business, being a data controller, shares users' data with data processors or third parties, both data controller and data processors are responsible for GDPR compliance.
What is a GDPR compliance checklist?
A GDPR compliance checklist is a list of actions you need to check to be GDPR compliant. It helps you identify the areas where your personal data collection, processing and protection need improvement in order to be GDPR compliant.
How to be GDPR compliant?
What are the penalties for non-compliance with the GDPR?
A lower-level violation can result in an administrative fine of up to €10 million, or 2% of the company's annual global turnover for the preceding financial year, whichever is higher. A severe violation can result in an administrative fine of up to €20 million, or 4% of the company's annual global turnover for the preceding financial year, whichever is higher. Read the article to distinguish between lower-level and severe violations.
Does not complying with GDPR always lead to penalties?
Not all GDPR violation cases lead to penalties. The GDPR supervisory authority may take the following measures, with or without a fine: issue a warning, temporarily or permanently ban the activity of the company, request users' personal data deletion, or request to restrict the user's personal data transfer to a third party.
When did GDPR take effect?
The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and aims to protect the personal data and privacy of all people in the European Union. The data protection law also applies to all foreign companies processing the personal data of people in the EU, even if the business doesn’t have any physical presence in any country of the EU.
What does it mean to be GDPR compliant?
GDPR compliance means that an organization that falls within the scope of the GDPR meets the requirements for personal data collecting and processing as defined in the law. The GDPR gives certain rights to customers and provides obligations organizations must follow when handling their website users' personal data.