GDPR (General Data Protection Regulation) is a new legislation which comes into force on the 25th of May 2018. According to this law, if you want to collect, store, or process personal data from your EU users you must make it clear on your website how you plan to use their data and give them an explicit choice to opt in or opt out.
As the new regulation may seem confusing at first, we have prepared the checklist for you to get familiar with the exact steps you have to make to make your business and website GDPR compliant.
- General company information (who you and/or your company are and what you do);
- The types of information you store and how you collect it;
- Links and short descriptions of the laws like GDPR, UK data protection laws, general data laws etc;
- Links to the 3rd party providers on your website including the analytical systems like Google Analytics, Facebook pixel, targeting, retargeting services, services that track the end user data, etc;
- Links to all the plugins, applications or software that store your user data (i.e. Woocommerce or some membership software);
- Links to the user request forms:
- contact form with a checkbox of consent;
- user request to download their own information stored on this website and provide links to analytical, other services that we use;
- user request to delete any type of the user data.
- Information about the personal information that this website collects the its purpose;
- Information about the data stored via the contact forms and its purpose;
- If the data is collected for the email newsletter purposes:
- information about the person collected through the email marketing process;
- If there is a checkout page:
- information about the type of data being stored through the checkout page and its purpose;
- Information about the website’s server, its security and protection methods;
- Descriptions of the third party data processors – companies that help you make business that also store your customers data (i. e. Activecampaign, Klaviyo, Mailchimp, Google, PayPal etc.) and links to their privacy policies.
- Your action plan in case the data breaches; All data breaches need to be recorded and actioned with a preventative measure within 72 hours;
- The data controller and data protection officer information.
Data controller is your official company, who developed and is the owner of this website. You need to put detailed data -official address, street, City, and name of registered company. Data protection officer is the main manager, or officer who protect the data, or will reply to user requests to update, or delete their data.
- The list of cookies collected by your website from the users/customers;
3. User request forms
- a form allowing a user to delete his data;
- a form allowing a user to change her data.
4. Other forms
- double check all the forms on the website to be GDPR compliant;
5. Plugins and applications
- Make sure all the plugins and applications that you use on your website are GDPR compliant (they must have the GDPR compliance approval on their official webpage);
- If some of your plugins or applications are not GDPR compliant, find the substitution.
- Make sure your CMS (i. e. WordPress, Magento, Shopify etc.) is updated and is GDPR compliant;
- If not, update it manually, or add the custom code, plugins, or software.
7. Checkout pages
8. Email notification
- By the 25th of May 2018, send a new email campaign to double opt-in the user and check if he gave you the consent to store his private data;
- Clear your lists after this campaign;
- Delete the users that didn’t give you their consent;
- Delete the low bounces email accounts after 2-3 email campaigns.
- Make sure that you don’t have more than 3 customer data backups;
- Make sure the customer data backups are secure and only you can download them.
10. User request response
- Answer to user requests in not more than 2 days;
- Delete or update the user data during 30 days after the request.
- Remove all automatic opt-ins on your site;
- Disable the double opt-ins through the newsletters.
12. Data Access Requests Processes
- Have a process in place for when someone is looking for a copy of their data. (Subject Data Access Request)
- Have a process in place for when someone requests for their personal data in a portable transferable format.