GDPR (General Data Protection Regulation) is a new legislation that comes into force on the 25th of May 2018.
According to this law, if you want to collect, store, or process personal data from your EU users you must make it clear on your website how you plan to use their data and give them an explicit choice to opt-in or opt-out.
As the new regulation may seem confusing at first, we have prepared a GDPR compliance checklist for you to get familiar with the exact steps you have to make to make your business and website GDPR compliant.
What Is GDPR?
The GDPR is the strictest privacy security law anywhere in the world. The penalties for breaking GDPR can be tens of millions of Euros, so it’s a good idea to follow a GDPR compliance checklist to be sure your company doesn’t risk any penalty.
It technically only affects citizens and residents of the European Union.
However, if an American company, for instance, makes business with EU residents, it has two choices: create a different website for the EU market or, as most companies do, just apply the changes across the original website.
As a result, the GDPR standards also impact the data protection of other countries’ citizens.
GDPR Website Compliance Checklist in 12 Steps
- General company information (who you and/or your company are and what you do)
- The types of information you store and how you collect it
- Links and short descriptions of the laws like GDPR, UK data protection laws, general data laws, etc.
- Links to the 3rd party providers on your website including analytical systems like Google Analytics, Facebook pixel, targeting, retargeting services, services that track the end-user data, etc.
- Links to all the plugins, applications or software that store your user data (i.e. Woocommerce or some membership software)
- Links to the user request forms so that the user can delete or change his data
- Information about the personal information that this website collects and its purpose
- Information about the data stored via the contact forms and its purpose
- If there is a checkout page: information about the type of data being stored through the checkout page and its purpose
- Information about the website’s server, its security and protection methods
- Descriptions of the third party data processors – companies that help you make a business that also stores your customers’ data (i. e. Activecampaign, Klaviyo, Mailchimp, Google, PayPal etc.) and links to their privacy policies
- Your action plan in case the data breaches
All data breaches need to be recorded and actioned with a preventative measure within 72 hours.
- The data controller and data protection officer information.
The data controller is your official company, which developed and is the owner of this website. You need to put detailed data -official address, street, city, and name of the registered company.
The data protection officer is the main manager or officer who protect the data or will reply to user requests to update, or delete their data.
2. Cookies are a big part of GDPR website compliance
The list of cookies collected by your website from the users/customers should also be available.
3. User request forms
Users should be able to request to delete or change their data. For this, you need to create forms that your website’s visitors would be able to complete and send to you.
Here is the list of the type of user request forms you will need to provide:
- A contact form with a checkbox of consent
- User request to download their own information stored on this website with links to analytical services or other services that are used
- User request to delete any type of user data.
4. Other forms
If your website has any other types of forms, double-check them all to make sure your website stays GDPR compliant.
Two elements must appear:
5. Plugins and applications must be GDRP compliant
Make sure all the plugins and applications that you use on your website are GDPR compliant (they must have the GDPR compliance approval on their official webpage).
If some of your plugins or applications are not GDPR compliant, find a substitution.
6. GDPR website compliance can only be achieved with a GDPR compliant CMS
Make sure your CMS (i. e. WordPress, Magento, Shopify etc.) is updated and is GDPR compliant.
If not, update it manually, or add the custom code, plugins, or software.
7. Checkout pages
8. Email notification
By the 25th of May 2018, send a new email campaign to double opt-in users and check if they gave you the consent to store their private data.
Clear your lists after this campaign and delete the users that didn’t give you their consent. You can also delete the low bounces email accounts after 2-3 email campaigns.
Make sure that you don’t have more than 3 customer data backups and make sure the customer data backups are secure and only you can download them.
10. User request response
If you received a user request, you have to make sure you:
- Answer to it in 2 days maximum
- Delete or update the user data 30 days after the request.
Remove all automatic opt-ins on your site and disable the double opt-ins through the newsletters.
12. Data Access Requests Processes
A user can ask for a copy of his data. Before that happens, you have to make sure that you:
- Have a process in place for when someone is looking for a copy of their data (Subject Data Access Request)
- Have a process in place for when someone requests their personal data in a portable transferable format
Frequently Asked Questions
Under the GDPR, every website should give the opportunity to users to download and/or delete their own data. This is what the user request form is for. A user request should be responded to in two days, and any data should be deleted in 30 days after the user requested it.
GDPR standards were created to protect EU citizens online. It is a way to secure user data, by forcing any website to ask for consent while collecting any type of user data. The GDPR also impact foreign companies, since any eCommerce should make its website GDPR compliant for EU citizens.