The GDPR (General Data Protection Regulation) is a European privacy law that protects the rights of individuals with respect to the processing of personal data. It establishes uniform rules to protect and empower all EU citizens’ data privacy rights. the law extends the EU’s data protection laws to all foreign companies processing the personal data of people in the EU. This means that the GDPR will affect your business even if you don’t have any physical presence in the EU. If your website collects and processes the personal data of EU visitors, then you should go through our GDPR checklist.

A simple GDPR checklist for your website’s compliance

Here is what you can do to ensure your website stays compliant with the GDPR.

#1 Know the data you hold

Getting ready for GDPR means you will need to know what personal data you hold, where it is stored, and who has access to it. The following checklist provides the questions you need to ask yourself and your staff to determine if you are ready for GDPR compliance.

  • What personal data do you hold? 
  • Does the data include sensitive personal data? If yes, how do you keep it safe?
  • Does your website collect personal data from minors (below 16 years of age)?
  • Why does your website require this data?
  • How have you retained consent for processing this personal data?
  • Where is this personal data stored?
  • Who all has access to this data?
  • Do any third parties hold this personal data? If yes, how do you control their processing of your data?
  • Are these third parties based outside the EEA? If yes, what mechanism do they have in place to protect your personal data from being accessed by foreign bodies or from being used for purposes other than those permitted under the contract with that third party?
  • How long does this personal data need to be kept? Can any of this information be deleted or anonymized?

#2 Secure your website

Website security is something that you cannot afford to ignore. As a website owner, you must ensure your website is secure. This means that the data stored on the website needs to be protected and that the website itself needs to be protected from outside attacks. Websites are regularly attacked by hackers and other people with malicious intent. 

Here are a few things you can do to secure your website and keep user data protected:

  • Install an SSL certificate (HTTPS website URL) that will encrypt any information sharing between the site and server.
  • Use strong passwords for admin accounts.
  • Add extra layers of protection to your server in case you allow users to share payment information.
  • Use a CDN provider that can improve security, e.g., by protecting websites against DDoS.
  • Use anti-virus software or services to protect against unauthorized access to the site.
  • Do not collect, use or store personal data more than what is necessary for your website.
  • Try not to send or share personal data, especially sensitive type to third-party services.
  • Pseudonymize or anonymize personal data before storing them to de-identify the users.
  • Remove personal data once your website does not need them.
  • Back up the data in multiple locations.

#3 Update privacy policy

A privacy policy should be an integral part of your overall website content. You will also need to ensure that it is easily accessible via a link on every page of your website (including those where no personal data collection takes place). 

The primary purpose of a privacy policy is to inform your site’s visitors about how you collect, use, store, and disclose their personal data. It should also explain the user’s rights and your obligations to them. Some of these rights include the right to access their personal data and the right to request the erasure of their data.

The policy must be written in clear language that is understandable by people. If a user has to go searching for it or click several times before they can find it, then this is not acceptable.

Create Privacy Policy for FREE

Generate a privacy policy for your website in just a few clicks.

CREATE YOUR FREE PRIVACY POLICY

*no credit card required

#4 Get consent for emails

If you have a mailing list of EU citizens, you need to review it for GDPR compliance.

If you use email marketing services to send out newsletters or for any communication, you need permission from your users to send the emails. The recommended method is to use double opt-in, where users have to verify their email address after submitting it to the website. 

Users should be able to opt out of emails at any time. To do this, the user has to be able to click on an unsubscribe link found in your emails and it should take them to a page where they may easily unsubscribe without any difficulty. 

#5 Add a cookie banner

If your website uses non-necessary cookies (don’t know what they are? Read this to find out), then you should use a cookie banner to get GDPR cookie consent from users to store them on their devices. 

The banner informs visitors about how the website uses cookies and what information they store. It also informs them about their right to refuse the storage of cookies.

Here are the key points you can consider while adding a cookie banner:

  • The language used in the banner should be clear and concise by avoiding legal jargon and long sentences.
  • Describe what kind of cookies you are setting and why.
  • Explain why you need to set cookies. 
  • Explain how users can manage their cookie preferences.
  • Include an opt-in option for cookies where users can accept them.
  • Display an opt-out option for users who wish to block all cookies from your website. 
  • Add a third option for selective enabling of consent based on cookie category.
  • Include information about your privacy policy and a link to this page.
  • Closing or non-interaction with the banner should not mean the user has consented.
  • Do not load cookies without users’ explicit consent (opt-in).
  • Opt-out means the cookies should remain blocked, on subsequent visits as well.
  • There should be an option to recall the banner in case the user wants to withdraw or change consent status.

Let us take care of cookie compliance, so you can focus on your business

Sign up on CookieYes and make your website GDPR compliant for cookies.

FREE COOKIE BANNER

*no credit card required

#6 Check forms on your website

If your website has any kind of forms, e.g. inquiry, contact, or subscriptions, that collect personal data, you must ensure:

  • Include a privacy statement that explains why you’re asking for their details; what you’re going to do with them; and that they can withdraw consent at any time.
  • Add an opt-in option, such as an unticked checkbox or a disabled toggle switch to get user consent to collect data.
  • Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.
  • Preferably, add a link to the Privacy Policy for further information.

#7 Review data processors or third-party services

The first thing you need to do is find out which of the services or companies your company uses directly are GDPR-compliant. You must be aware of the privacy policies of any third-party service or company you use directly (or indirectly).

If they are doing work on behalf of your company then you should ensure they align with your privacy policy. This means that they should be GDPR compliant as well. 

#8 Review international data transfer 

If your business website relies on transferring personal data from EU to non-EU countries, then you should ensure the following:

  • Have you done the necessary risk assessments before transferring the data?
  • Does the recipient country or service provide an adequate level of data protection system in place?
  • Do you have all the necessary agreements with the recipient company/services?

#9 Provide data rights provision

Web users have a right to obtain information about the personal data you hold about them and to request that it be corrected or deleted at any time. They should be easily able to access the right options to exercise these rights.

Read more about Data Subject Access Request (DSAR).

The GDPR does not describe a method for this information to be disclosed. One way is to add a link or button in the footer of all your web pages, or by providing a page with more detailed information on how to manage their data. Some websites also prefer to provide email contact information to submit their requests.

Your privacy policy should describe how you meet this requirement.

#10 Analyze and mitigate data breach

Here is what you should do to prepare in the event of a data breach

  • Keep a record of your processing activities.
  • Block all access to your website until you fix the vulnerability.
  • Conduct a thorough investigation — where, when and how it happened, what data was involved, and who got affected and how.
  • Notify the appropriate supervisory authority about the breach within 72 hours with all the information you have. Usually, the breach notification must include the categories and the approximate number of users concerned; the categories and the approximate number of personal data records affected; any action taken, or measures planned, by the company in response to the breach, including measures to mitigate its possible adverse effects.
  • Notify the affected users if there is an increased risk to users’ rights and freedoms as a result of the breach, including what they can do to protect their data.
  • Update your policies and procedures to prevent future security breaches on your website.
  • Prepare a plan of action if another data breach happens or is likely to happen in the future.

Here is a summarized GDPR checklist for quick reference:

gdpr checklist for website infographic

Why is GDPR compliance important for your website?

GDPR protects users’ privacy and ensures that their information is protected. The regulation applies to all companies, from large corporations to small businesses. Organizations should prepare for the change or risk severe consequences for failure to comply. If you are not compliant, your business can suffer a major fine, up to 4% of their annual global turnover or €20 million (whichever is higher).

Despite all the changes and challenges, there are some advantages to the new regulations. The GDPR is an opportunity for companies to re-evaluate the way they store, share, and protect customer data. By building trust and fostering customer loyalty, companies can position themselves as a trusted source. With proper preparation, businesses will be able to capitalize on new opportunities arising from the GDPR.

This 10-step GDPR checklist will hopefully help you get your website GDPR-compliant. There is no one-size-fits-all approach or solution when it comes to GDPR compliance. Each website (or company) has different business operations and needs to comply with GDPR in its own way. This means making sure you’re compliant involves some careful planning and analysis on your part—and then devising customized procedures specific to your company’s needs.

So, are you ready to tackle the GDPR requirements and be in line?

Frequently asked questions

What are the basic requirements of GDPR?

The basic requirement is to collect and process the personal data of users fairly, securely and lawfully for a lawful purpose and disclose details about how you handle the data to users. Data must be collected for specific, explicit and lawful purposes and not further processed in a way incompatible with those purposes. The data must be adequate, relevant and limited to what is necessary for the purpose for which it is processed. Organizations are obligated to allow users to exercise their rights over their data and notify them about data breaches within 72 hours with relevant information.

What is GDPR compliance checklist?

A GDPR compliance checklist, such as the one provided in this article, is a list of things you need to do to be compliant with the gdpr. It is a useful tool for your business to ensure that all areas of your organization are complying with the law. It will help you identify the areas of improvement and highlight any areas where you might have gaps in information or data protection processes and procedures. 

What is the maximum penalty for non-compliance with the GDPR?

The maximum fine one can get for non-compliance with the GDPR is up to €20 million or 4% of the annual global turnover, whichever is greater. In some cases, it will not stop with a financial penalty. The authorities may ask you to delete the personal data you hold or stop processing it.

How to be GDPR compliant?

If you want to make sure that you are fully GDPR compliant, you need to take a privacy-first approach and keep the following checklist in mind:

  • Be transparent about your data processing practices
  • Collect and use personal data fairly and lawfully
  • Get consent to collect data wherever relevant
  • Allow users to access, correct, and delete their data
  • Let users manage their data
  • Ensure technology meets regulatory compliance requirements
  • Keep personal data safe and secure
  • Have a privacy policy that is easy to find and read
  • Review third-party services and vendors and ensure they are GDPR-compliant.

Disclaimer: This GDPR checklist is intended as a general guide only. It should not be construed as legal advice, and readers should consult a lawyer in their jurisdiction with any specific legal questions they may have.