Back in May 2018, the General Data Protection Regulation (GDPR) came into force. Its main purpose is to protect the personal data and privacy of all European Union citizens and to ensure that personal information is used fairly, lawfully and transparently. If your website collects and handles personal data from EU users, review our GDPR compliance checklist.

Is my website GDPR ready? 

Read this quick GDPR compliance checklist to guarantee your website remains GDPR compliant. 

Create a Privacy Policy that is GDPR compliant. 

A Privacy Policy’s principal goal is to tell your website visitors how you collect, process, and/or share their personal data. It should describe the user’s rights as well as your company’s duties towards them. Users have the following rights under the GDPR: 

  • The right to be informed.
  • The right to access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • The rights around automated decision-making and profiling.

You should also use the CookieScript Privacy Policy Generator, which allows you to construct your own Privacy Policy with pre-defined options and is available in 9 languages.

Understand the information you have. 

To understand how users’ personal data is managed, you first have to understand what personal data you have. The questions below cover what you need to establish about the personal data you hold in order to be GDPR compliant. 

  • What kind of personal information do you already have? 
  • Is there any sensitive personal data in the data? 
  • Do you have personal information about children under the age of 16? 
  • How long do you retain personal information? 
  • Do you have permission to gather personal information? Where is the record of that permission kept? 
  • How is the collected personal data used? 
  • Where is the gathered personal data kept? 
  • In your company, who has access to this information? 
  • Do any third parties have access to the personal information you collected? If so, how do you keep track of how they use this information, and is that use covered by an agreement with them? 
  • Are there any third parties headquartered outside the EU that have access to your users’ personal information? If so, are they familiar with the GDPR? Do you have any contracts with them?

IP Addresses

IP addresses are considered personal data if they are used to identify a person. For example, if a user’s IP address is gathered together with their address, phone number, or email address, that is deemed personal data since the person’s identity may be connected to their address, phone number, or email address. If you are unsure if the IP addresses you gather should be regarded as personal data, be prudent and safeguard them as such. As GDPR is concerned with the protection of sensitive personal data and rigorously controls its processing, it is critical to identify sensitive data and apply suitable safeguards to it. Personally Identifiable Information (PII) is regarded as sensitive personal data and should be safeguarded with the utmost care. 

Make your website secure. 

As the owner of a website, you must ensure that it is secure. This means that both the stored data and the website itself must be protected against external attacks and data breaches. 

Here are the fundamental methods for safeguarding your website against hackers and other malicious individuals:

  • Install a TLS (SSL) certificate so that your website is served over HTTPS, which encrypts data in transit between your visitors’ browsers and your server. 
  • If your users disclose payment information on the website, add additional levels of security to your server. 
  • For administrator accounts, use strong passwords. 
  • Anti-virus software or services should be used. 
  • Put DDoS protection in place for your website. 
  • Avoid sharing personal information, especially sensitive information, with third parties. 
  • Anonymize personal data before storing it, so that stored records can no longer be linked back to the user. 
  • Collect and keep no more personal data than is essential for your website, and delete it once you no longer require it.
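The IP Addresses section above says to treat IP addresses as personal data when in doubt, and the last items of this list say to anonymize data before storing it. The following is an added example (not CookieScript’s code) of doing exactly that for a web server’s access log: IPv4 addresses are truncated to the first 24 bits and IPv6 addresses to the first 48 (common choices, assumed here), and any first field that does not parse as an address is dropped rather than kept. The log lines are constructed samples.

```javascript
// Added example, not CookieScript's code. IPv4 keeps the first 24 bits and
// IPv6 the first 48 before a line is written to storage.
function anonymizeIPv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.slice(0, 3).join(".") + ".0";
}

// Expands "::" shorthand and returns the eight 16-bit groups, or null if malformed.
function parseIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function anonymizeIPv6(ip) {
  const groups = parseIPv6(ip);
  if (!groups) return null;
  return groups.slice(0, 3).map((g) => g.toString(16)).join(":") + "::";
}

// Returns the truncated address, or null when the input is not a valid IP.
function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Rewrites the client-address field (first token of a combined-format access
// log line). A field that does not parse is replaced by "-" instead of being
// kept: when in doubt, treat it as personal data and drop it.
function scrubLogLine(line) {
  const idx = line.indexOf(" ");
  const addr = idx === -1 ? line : line.slice(0, idx);
  const rest = idx === -1 ? "" : line.slice(idx);
  return (anonymizeIp(addr) ?? "-") + rest;
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /signup HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "POST /subscribe HTTP/1.1" 302 0',
  '999.1.1.1 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 400 0',
];
```

Run `SAMPLE_LOG.map(scrubLogLine)` before the lines reach disk; the third sample shows the fail-closed path for a malformed address.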

Incorporate a Cookie Banner onto your website. 

If your website gathers data from EU users and employs non-necessary cookies, you should use a Cookie Banner to get user consent to store cookies on their devices. The banner should tell website visitors that cookies are used and what information they gather. It should also notify users about their right to refuse the use of cookies and the gathering of personal data, as well as their right to seek the deletion of personal data previously obtained. 

Here are some general considerations to keep in mind while adding a Cookie Banner: 

  • Describe the type of cookies you plan to place and why. 
  • Explain why cookies are required.
  • The banner should have appropriate opt-in and opt-out choices for accepting and rejecting cookies. 
  • Do not set cookies unless the user has given express permission (opt-in option).
  • Let users give or refuse Cookie Consent per cookie category.
  • Include information on your privacy policies, as well as a link to them. 
  • Allow users to withdraw or alter their Cookie Consent status on every page of your website. 
  • Record and store every user’s consent decision. 
  • Make your website accessible even if the user has disabled cookies. 
  • Non-interaction with the banner or scrolling down the web page does not imply that the user consented to cookies.
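The opt-in, per-category, withdrawal and record-keeping points in the list above can be enforced in the page’s own script rather than left to each tag. The following is an added example (not CookieScript’s banner code): a small consent gate that holds back every non-essential cookie until an explicit decision, removes cookies whose category is later refused, and keeps a timestamped record of each decision. The `jar` object is an assumed abstraction over `document.cookie`, replaced here by an in-memory map so the logic runs without a browser.

```javascript
// Added example, not CookieScript's code. `jar` wraps document.cookie in a browser.
const CATEGORIES = ["strictly_necessary", "functional", "analytics", "marketing"];

class ConsentGate {
  constructor(jar, now = () => new Date()) {
    this.jar = jar;          // { set(name, value), remove(name) }
    this.now = now;
    this.state = null;       // null until the visitor makes an explicit choice
    this.records = [];       // proof of consent, to be persisted server-side
    this.placed = new Map(); // cookie name -> category, for later withdrawal
    this.deferred = [];      // non-essential cookies requested before a decision
  }
  allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    if (category === "strictly_necessary") return true; // never needs consent
    return this.state !== null && this.state[category] === true;
  }
  // Returns true if the cookie was written now, false if it was held back.
  setCookie(name, value, category) {
    if (!this.allowed(category)) {
      if (this.state === null) this.deferred.push({ name, value, category });
      return false;
    }
    this.jar.set(name, value);
    this.placed.set(name, category);
    return true;
  }
  // Only an explicit banner action (accept/reject/save) calls this. Scrolling
  // or ignoring the banner leaves `state` null, so nothing non-essential is set.
  decide(choices, source) {
    const state = { strictly_necessary: true };
    for (const c of CATEGORIES) if (c !== "strictly_necessary") state[c] = choices[c] === true;
    this.state = state;
    this.records.push({ at: this.now().toISOString(), source, choices: { ...state } });
    for (const [name, cat] of this.placed) if (!state[cat]) { this.jar.remove(name); this.placed.delete(name); }
    const queue = this.deferred; this.deferred = [];      // flush what is now allowed
    for (const d of queue) this.setCookie(d.name, d.value, d.category);
    return state;
  }
  withdraw() { return this.decide({}, "withdraw"); }
}

// Constructed in-memory stand-in for document.cookie.
function memoryJar() {
  const cookies = new Map();
  return { cookies, set: (n, v) => cookies.set(n, v), remove: (n) => cookies.delete(n) };
}
```

Wire `decide` only to the banner’s buttons and `withdraw` to the consent link on every page; `records` is what you persist as evidence that consent was given.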

Examine contracts with data processors or third-party vendors. 

If data processors or third parties perform functions on behalf of your business, you should ensure that they align with your Privacy Policy and take all necessary steps to ensure GDPR compliance. 

Confirm the age of your website visitors who agree to data processing. 

Personal data processing is permitted under the GDPR for individuals above the age of 16. To properly gather personal data from children under the age of 18, you must first get approval from the minor’s legal guardian.

Obtain permission for emails 

If you utilise email marketing services to send newsletters or emails to EU users for any other reason, you must obtain permission from your users to do so. To receive emails from you, users must provide an opt-in consent. 

Users should also be able to opt out of receiving emails at any moment. Include an unsubscribe link in your email that the recipient can readily find. When users click on it, they should be taken to a page where they can quickly unsubscribe from emails without giving a reason.

Review your website forms 

If your website has forms that collect personal data, such as contact or subscription forms, you must guarantee that the data is gathered and handled in accordance with the GDPR. Use this checklist to verify GDPR compliance when using internet forms: 

  • Add a checkbox with a link to your Privacy Policy page and wording such as “I have read and accept the website’s Privacy Policy.” 
  • Inform the user of the intended use of the obtained data. 
  • Inform users that they can request the deletion of their collected data at any time. 
  • Inform users how they can download their personal data from the website.
  • Use basic language so that your message is clear and succinct. 
  • Explain why you need their information. 
  • Pre-checked consent boxes are not permitted; instead, use an opt-in option to obtain user consent to gather data. 
  • Let users choose whether they wish to receive correspondence from you, for example with a separate checkbox.

Consider international data transmission. 

If you are moving personal data from the EU to a non-EU country, the transfer must comply with the GDPR’s rules on international data transfers. Use this short checklist to ensure GDPR compliance: 

  • Ensure that the privacy policies of your data processors or third parties situated in non-EU countries are consistent with your own. 
  • Examine contracts with processors or third firms headquartered in non-EU countries. 
  • Ascertain that the target country or service provider has a sufficient degree of data protection in place. 
  • Before transmitting data to any non-EU country, carry out the necessary risk assessments.

Prepare for a data breach

You must be prepared for a data breach, so create a procedure for handling one. Check the following essential areas to ensure that appropriate steps are taken in the event of a data breach: 

  • Within 72 hours, notify the appropriate supervisory authority of the data breach. 
  • Processors must notify controllers of data breaches, and controllers must notify a supervisory authority. 
  • The Data Protection Authority (DPA) is the supervisory entity in charge of monitoring and enforcing GDPR compliance. 
  • Notify impacted users if the breach poses a significant danger to their privacy, including what steps they may take to secure their data.
  • To avoid future data breaches on your website, update your practices. 
  • Create a plan of action for dealing with potential data breaches.

Maintain your CMS platforms 

Check that your CMS, such as WordPress, Shopify, or Weebly, is up to date and GDPR compliant. 

CookieScript generates a cookie script for each platform, which you simply copy and paste into your CMS. You may also update the CMS manually and add your own code or design.

User request response

If you get a user request for personal information, be prepared to: 

  • Respond within two days. 
  • Delete or amend the user data within 30 days after receiving the request. 
  • Prepare a procedure for when someone demands their personal information in a portable, transferable format.