Back in May 2018, the General Data Protection Regulation (GDPR) came into force. Its main purpose is to protect the personal data and privacy of all European Union citizens and to ensure that such data is used fairly, lawfully and transparently. If your website collects and handles personal data from EU users, you should review our GDPR compliance checklist.
Is my website GDPR ready?
Read this quick GDPR compliance checklist to make sure your website stays compliant. The GDPR grants individuals the following rights over their personal data, and your website must be able to honour each of them:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
Understand the information you have.
To understand how users’ personal data is managed, you first have to know what personal data you hold. Work through the questions below; being able to answer each of them is the foundation of GDPR compliance.
- What kind of personal information do you already have?
- Is there any sensitive personal data in the data?
- Do you have personal information about youngsters under the age of 16?
- How long do you retain personal information?
- Do you have permission to gather personal information, and where is that consent recorded?
- How is the collected personal data used?
- Where is the gathered personal data kept?
- In your company, who has access to this information?
- Do any third parties have access to the personal information you collected? If so, how do you keep track of how they use this information? Are you in agreement about this?
- Are there any third parties headquartered outside the EU that have access to your users’ personal information? If so, are they familiar with the GDPR? Do you have any contracts with them?
IP addresses are considered personal data if they are used to identify a person. For example, if a user’s IP address is gathered together with their address, phone number, or email address, that is deemed personal data since the person’s identity may be connected to their address, phone number, or email address. If you are unsure if the IP addresses you gather should be regarded as personal data, be prudent and safeguard them as such. As GDPR is concerned with the protection of sensitive personal data and rigorously controls its processing, it is critical to identify sensitive data and apply suitable safeguards to it. Personally Identifiable Information (PII) is regarded as sensitive personal data and should be safeguarded with the utmost care.
Make your website secure.
As the owner of a website, you must ensure that it is secure. This means protecting both the data you store and the website itself against outside attacks and data breaches.
Here are the fundamental methods for safeguarding your website against hackers and other malicious individuals:
- Install a TLS (SSL) certificate so your site is served over HTTPS, which encrypts all data exchanged between the user’s browser and your server.
- If your users disclose payment information on the website, add additional levels of security to your server.
- For administrator accounts, use strong passwords.
- Anti-virus software or services should be used.
- Put DDoS protection in place for your website.
- Avoid sharing personal information, especially sensitive information, with third parties.
- Anonymize personal data before storing it, so that it can no longer be linked back to an individual.
- Collect and keep no more personal data than is essential for your website, and delete it once you no longer require it.
Incorporate a Cookie Banner onto your website.
Here are some general considerations to keep in mind while adding a Cookie Banner:
- Describe the type of cookies you plan to place and why.
- Explain why cookies are required.
- The banner should have appropriate opt-in and opt-out choices for accepting and rejecting cookies.
- Do not set cookies unless the user has given express permission (opt-in option).
- Let users give or refuse consent separately for each cookie category.
- Include information on your privacy policies, as well as a link to them.
- Allow users to withdraw or alter their Cookie Consent status on every page of your website.
- All user consents should be documented and saved.
- Make your website accessible even if the user has disabled cookies.
- Ignoring the banner or scrolling down the page does not count as consent to cookies.
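The checklist above boils down to a few rules a consent script must enforce: nothing is ticked in advance, no non-essential cookie is written until consent is recorded, consent is per category, it can be withdrawn at any time, and ignoring the banner means no consent. The following added example (not code from the article or from CookieScript) implements those rules as a small consent manager. It assumes three cookie categories, a consent-record shape with a timestamp and policy version, and an in-memory stand-in for the browser cookie store; in a real page you would pass wrappers around `document.cookie` instead.

```javascript
// Added example, not the article's or CookieScript's code: a consent manager
// that only sets non-essential cookies after recorded opt-in consent.
// The category names, consent record shape and in-memory cookie jar are
// assumptions made for this example.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Constructed in-memory stand-in for the browser's cookie store.
function memoryCookieJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
    names: () => [...store.keys()],
  };
}

// `now` is injectable so the consent timestamp can be fixed in tests.
function createConsentManager(jar, now = () => new Date().toISOString()) {
  let record = null;        // null = the user has not decided yet (no consent)
  const owned = new Map();  // cookie name -> category, so refusals can be enforced later

  // Consent is recorded per category. Nothing is pre-ticked: a category is
  // granted only if the user explicitly set it to true. Ignoring the banner
  // or scrolling never calls this, so `record` stays null.
  function recordConsent(choices) {
    const granted = {};
    for (const cat of CATEGORIES) {
      granted[cat] = cat === "essential" ? true : choices[cat] === true;
    }
    record = { granted, timestamp: now(), policyVersion: "2024-01" }; // version assumed
    // If the user changed their mind, remove cookies in refused categories.
    for (const [name, cat] of owned) {
      if (!granted[cat]) {
        jar.remove(name);
        owned.delete(name);
      }
    }
    return { ...record, granted: { ...granted } };
  }

  function isAllowed(category) {
    if (category === "essential") return true;
    return record !== null && record.granted[category] === true;
  }

  // Gate every cookie write on the consent state; returns whether it was set.
  function setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!isAllowed(category)) return false;
    jar.set(name, value);
    owned.set(name, category);
    return true;
  }

  // Withdrawal is recorded like any other consent decision: everything except
  // essential becomes false and the matching cookies are removed.
  function withdrawConsent() {
    return recordConsent({});
  }

  function getConsentRecord() {
    return record ? { ...record, granted: { ...record.granted } } : null;
  }

  return { recordConsent, withdrawConsent, setCookie, isAllowed, getConsentRecord };
}

// Constructed walk-through: before consent, after opting in to analytics, after withdrawal.
const jar = memoryCookieJar();
const consent = createConsentManager(jar);
console.log("session set:", consent.setCookie("session", "abc", "essential"));
console.log("_ga before consent:", consent.setCookie("_ga", "GA1.1", "analytics"));
console.log("consent:", consent.recordConsent({ analytics: true }));
console.log("_ga after consent:", consent.setCookie("_ga", "GA1.1", "analytics"));
consent.withdrawConsent();
console.log("cookies after withdrawal:", jar.names());
```

The consent record returned by `recordConsent` is what you would persist server-side to document each user's consent, as the checklist requires; storing it with a timestamp and the policy version it was given against lets you prove later what the user agreed to.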
Examine contracts with data processors or third-party vendors.
Confirm the age of your website visitors who agree to data processing.
Personal data processing is permitted under the GDPR for individuals above the age of 16. To properly gather personal data from kids under the age of 18, you must first get approval from the minor’s legal guardian.
Obtain permission for emails
If you utilise email marketing services to send newsletters or emails to EU users for any other reason, you must obtain permission from your users to do so. To receive emails from you, users must provide an opt-in consent.
Users should also be able to opt out of receiving emails at any moment. Include an unsubscribe link in your email that the recipient can readily find. When the user clicks on it, he should be sent to a page where he may quickly unsubscribe from emails without explanation.
Review your website forms
If your website has forms that collect personal data, such as contact or subscription forms, you must guarantee that the data is gathered and handled in accordance with the GDPR. Use this checklist to verify GDPR compliance when using internet forms:
- Inform the user of the intended use of the obtained data.
- Inform the user that he can request that his acquired data be deleted at any time.
- Inform the user about how he may download his personal data from the website.
- Use basic language so that your message is clear and succinct.
- Explain why you need their information.
- Pre-checked consent boxes are not permitted; instead, use an opt-in option to obtain user consent to gather data.
- Allow consumers to choose whether they wish to receive correspondence from you by providing an option, such as a tick.
Consider international data transmission.
If you transfer personal data from the EU to a non-EU country, the transfer must comply with the GDPR’s rules on international data transfers. Use this short checklist to ensure compliance:
- Ensure that the privacy policies of your data processors or third parties situated in non-EU countries are consistent with your own.
- Examine contracts with processors or third parties headquartered in non-EU countries.
- Ascertain that the target country or service provider has a sufficient degree of data protection in place.
- Before transmitting data to any non-EU nation, do the essential risk assessments.
Examine the data breach
You must be prepared for a data breach, so create a procedure for handling one in advance. Check the following essential areas to ensure that appropriate steps are taken in the event of a data breach:
- Within 72 hours, notify the appropriate supervisory authority of the data breach.
- Processors must notify controllers of data breaches, and controllers must notify a supervisory authority.
- The Data Protection Association (DPA) is a supervisory entity in charge of monitoring and enforcing GDPR compliance.
- Notify impacted users if the breach poses a significant danger to their privacy, including what steps they may take to secure their data.
- To avoid future data breaches on your website, update your practices.
- Create a plan of action for dealing with potential data breaches.
Maintain your CMS platforms
Check that your CMS, such as WordPress, Shopify, or Weebly, is up to date and GDPR compliant.
CookieScript generates a cookie script for each platform, which you just copy and paste into your CMS. You may also manually update the CMS and add your own unique code or design.
User request response
If you get a user request for personal information, be prepared to:
- Respond within two days.
- Delete or amend the user data within 30 days after receiving the request.
- Prepare a procedure for when someone demands their personal information in a portable, transferable format.