EU General Data Protection Regulation Compliance. Rubber stamp with the text GDPR Compliant over white background. 3D illustration

GDPR Compliance Checklist: Is Your Website Compliant?

For many website owners, GDPR compliance has never really been at the top of the “to-do” list. Unfortunately, you can’t keep it on the back burner anymore. Today, we’re going to provide you with a GDPR Compliance checklist so you can do a self-audit on your sites to ensure that you’re compliant.

The European Union’s General Data Protection Regulation (GDPR) went into effect May 2018.

It applies to any company that handles personal data about EU citizens. Up to 50% of companies do not yet meet GDPR compliance requirements.

What Is GDPR?

The GDPR applies to the 28 member states of the European Union and any entity conducting business in the EU. It differs from a directive, which requires member states to draft laws to enforce its rules. The purpose is to strengthen the rights of EU citizens about their personal data.

Because of GDPR, companies must now pay significant fines if they fail to comply. Companies could pay up to €20 million, or 4% of its annual turnover.

Does GDPR Apply to Me?

GDPR compliance in the UK is mandatory. GDPR compliance applies to US companies that control or process EU residents’ data. Companies don’t have to be in the EU to be bound by the GDPR.

Note that GDPR for small business is no different. Companies of any size are subject to the regulation.

Checklist for GDPR Compliance

Your first step is to audit the information your company holds. The following information is a high-level checklist. You’ll find these topics on any GDPR audit questionnaire.

IT and Data Governance

What data do you have? Set up a list of the personal data types and sources for each type of information. Establish if you have a legal basis for collecting this data. If so, include that in your privacy policy.

How do you store and share data? Which databases store data, and what third-party storage providers do you use? Any time you change or delete data, direct any other organization to update their records.

How is data processed? You’ll need to outline your processing. Document the contact information of your data processors. Also, document transfers of personal data to allowable third parties or international organizations.

Review Customer Awareness

Next, review and update your privacy policy. Write a clear policy and make it accessible on your website. The privacy policy should state the lawful basis for data collection and processing it. Clear communication builds long-term customer trust.

Reestablish your existing customer consent. Under GDPR, pre-checked boxes or opt-outs are not acceptable. You also can’t bundle consent with other terms and conditions. Users must also be able to withdraw consent at any time.

Finally, highlight third-party processors. Allow your customers to give consent as part of your privacy policy.

Maintain Customers’ Rights

Examine your procedures. Ensure they cover the new and existing rights customers have under GDPR. This includes how your organization deletes personal data or provides data upon request.

You must fulfill people’s requests to access their data within a month at no charge to the customer. You must also have a process for correcting, erasing, or moving personal data.

Internal Accountability

Training your staff on GDPR maximizes your ability to reach compliance. It also minimizes the risk of data loss or theft. Don’t forget to train all members of staff including upper management.

Training senior staff ensures accountability and governance of the GDPR compliance processes.

You should appoint a Data Protection Officer (DPO) to oversee data protection compliance. The DPO must also receive proper training to carry out his or her duties.

Data Protection Impact Assessments (DPIA) are mandatory for organizations implementing new technology. DPIAs establish how risky select data processing activities are.

Under GDPR, You must report data breaches within 72 hours. Detail what data was lost, the consequences, and the countermeasures taken. You must also notify the data subjects involved.

The GDPR increases penalties and other legal implications of data breaches.

GDPR Compliance for 2019

The GDPR is entering its second year and gaining traction. It’s more important than ever to understand its impact on your organization. If you have any questions about GDPR compliance, please contact us today.