The Ultimate 12-Step GDPR Compliance Checklist

    GDPR (General Data Protection Regulation) is new legislation that comes into force on the 25th of May 2018.

    Under this law, if you want to collect, store, or process personal data from your EU users, you must make it clear on your website how you plan to use their data and give them an explicit choice to opt in or opt out.

    As the new regulation may seem confusing at first, we have prepared a GDPR compliance checklist so you can get familiar with the exact steps you need to take to make your business and website GDPR compliant.

    What Is GDPR?

    The GDPR is the strictest privacy and security law anywhere in the world. The penalties for breaking the GDPR can reach tens of millions of Euros, so it’s a good idea to follow a GDPR compliance checklist to be sure your company doesn’t risk a penalty.

    It technically only affects citizens and residents of the European Union.

    However, if an American company, for instance, does business with EU residents, it has two choices: create a separate website for the EU market or, as most companies do, apply the changes across the original website.

    As a result, the GDPR standards also impact the data protection of other countries’ citizens.

    GDPR Website Compliance Checklist in 12 Steps

    1. Make a GDPR Compliant Privacy Policy

    The Privacy Policy section of your website must contain the following information:

    • General company information (who you and/or your company are and what you do)
    • The types of information you store and how you collect it
    • Links to and short descriptions of the applicable laws (the GDPR, UK data protection law, other general data protection laws, etc.)
    • Links to the third-party providers used on your website, including analytics systems such as Google Analytics, the Facebook pixel, targeting and retargeting services, services that track end-user data, etc.
    • Links to all the plugins, applications or software that store your user data (e.g. WooCommerce or membership software)
    • Links to the user request forms so that users can delete or change their data
    • Information about the personal information that this website collects and its purpose
    • Information about the data stored via the contact forms and its purpose
    • If data is collected for email newsletter purposes: links to the privacy policy of the email service provider and information about the personal information collected through the email marketing process
    • If there is a checkout page: information about the type of data being stored through the checkout page and its purpose
    • Information about the website’s server, its security and protection methods
    • Descriptions of the third-party data processors: companies that support your business and also store your customers’ data (e.g. ActiveCampaign, Klaviyo, Mailchimp, Google, PayPal) and links to their privacy policies
    • Your action plan in case of a data breach
      All data breaches need to be recorded and actioned with a preventative measure within 72 hours.
    • The data controller and data protection officer information.
      The data controller is your official company, which developed and owns this website. Provide full details: official address, street, city, and the name of the registered company.
      The data protection officer is the manager or officer who protects the data and replies to user requests to update or delete it.

    2. Cookies are a big part of GDPR website compliance

    First of all, you should set up a cookie notification on your website: a pop-up inviting the user to read and agree to the privacy policy.

    The list of cookies collected by your website from the users/customers should also be available.
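As an added example (not code from the original article), the snippet below shows the two mechanics behind this step: third-party categories such as Google Analytics or the Facebook pixel stay off until an explicit, versioned consent record exists, and the cookie list shown to visitors is generated from a declared registry. The policy version, the cookie registry entries and the in-memory storage stand-in are constructed assumptions; in a browser you would pass `localStorage` instead.

```javascript
// Consent-gated tracker loading plus a cookie inventory, kept DOM-free so it runs in Node.
// POLICY_VERSION, COOKIE_REGISTRY and memoryStorage() are assumptions made for this example.

const POLICY_VERSION = "2018-05-25"; // bump whenever the privacy policy text changes

// Declared cookies per category; this is the source of the "list of cookies" page.
const COOKIE_REGISTRY = {
  essential: [{ name: "session_id", purpose: "Keeps you logged in", ttl: "session" }],
  analytics: [{ name: "_ga", purpose: "Google Analytics visitor id", ttl: "2 years" }],
  marketing: [{ name: "_fbp", purpose: "Facebook pixel", ttl: "3 months" }],
};

// Read the stored consent record; a missing, malformed or outdated record means "ask again".
function currentConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem("consent") || "null");
    if (!rec || rec.version !== POLICY_VERSION || !Array.isArray(rec.categories)) return null;
    return rec;
  } catch (e) {
    return null; // corrupted value: treat as no consent rather than failing open
  }
}

// Record an explicit choice; `categories` are the non-essential categories opted into.
function recordConsent(storage, categories, now = Date.now()) {
  const rec = { version: POLICY_VERSION, timestamp: now, categories: [...new Set(categories)] };
  storage.setItem("consent", JSON.stringify(rec));
  return rec;
}

// Categories whose scripts may run: essential always, the rest only with current consent.
function allowedCategories(storage) {
  const rec = currentConsent(storage);
  const extra = rec ? rec.categories.filter((c) => c in COOKIE_REGISTRY && c !== "essential") : [];
  return ["essential", ...extra];
}

// Build the cookie inventory to display, flagging which cookies are currently active.
function cookieInventory(storage) {
  const allowed = new Set(allowedCategories(storage));
  return Object.entries(COOKIE_REGISTRY).flatMap(([category, cookies]) =>
    cookies.map((c) => ({ ...c, category, active: allowed.has(category) })));
}

// Minimal stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Only categories returned by `allowedCategories()` should have their loader scripts injected; changing `POLICY_VERSION` invalidates every stored record, so visitors are asked again after a policy update.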

    3. User request forms

    Users should be able to request to delete or change their data. For this, you need to create forms that your website’s visitors would be able to complete and send to you.

    Here is the list of the types of user request forms you will need to provide:

    • A contact form with a checkbox of consent
    • User request to download their own information stored on this website with links to analytical services or other services that are used
    • User request to delete any type of user data.

    4. Other forms

    If your website has any other types of forms, double-check them all to make sure your website stays GDPR compliant.

    Two elements must appear:

    • Checkboxes with a link to the privacy policy page, with text like “I have read and accept the Privacy Policy of “Website name””
    • The Privacy Policy link of the mailing service provider that you use.

    5. Plugins and applications must be GDPR compliant

    Make sure all the plugins and applications that you use on your website are GDPR compliant (they must have the GDPR compliance approval on their official webpage).

    If some of your plugins or applications are not GDPR compliant, find a substitution.

    6. GDPR website compliance can only be achieved with a GDPR compliant CMS

    Make sure your CMS (e.g. WordPress, Magento, Shopify) is up to date and GDPR compliant.

    If not, update it manually or add custom code, plugins, or software that closes the gap.

    7. Checkout pages

    Make all the checkout pages GDPR compliant by adding the checkboxes for the user consent and the Privacy Policy link.

    8. Email notification

    By the 25th of May 2018, send a new email campaign asking users to double opt in, and check whether they gave you consent to store their private data.

    Clean your lists after this campaign and delete the users that didn’t give you their consent. You can also delete bounced email accounts after 2-3 email campaigns.

    9. Backups

    Make sure that you don’t keep more than 3 customer data backups, and make sure those backups are secure and only you can download them.

    10. User request response

    If you receive a user request, you have to make sure you:

    • Answer it within 2 days at most
    • Delete or update the user data within 30 days of the request.

    11. Opt-ins

    Remove all automatic opt-ins on your site and disable double opt-ins through the newsletters.

    12. Data Access Requests Processes

    A user can ask for a copy of their data. Before that happens, you have to make sure that you:

    • Have a process in place for when someone asks for a copy of their data (Data Subject Access Request)
    • Have a process in place for when someone requests their personal data in a portable, transferable format

    Frequently Asked Questions

    What is a user request form?

    Under the GDPR, every website should give users the opportunity to download and/or delete their own data. This is what the user request form is for. A user request should be responded to within two days, and any data should be deleted within 30 days of the user requesting it.

    What is the GDPR for?

    GDPR standards were created to protect EU citizens online. They secure user data by forcing any website to ask for consent before collecting any type of user data. The GDPR also impacts foreign companies, since any eCommerce business must make its website GDPR compliant for EU citizens.

    How to make a website GDPR compliant?

    Basically, a GDPR compliant website has to be transparent. It has to have a clear privacy policy, links to third-party providers, and user request forms, among other information easily accessible on the website. It also has to ask for permission before collecting any data or setting any cookies, before the user starts to navigate the website. You can read our 12-step guide to make sure your website is GDPR compliant.
