The EU’s General Data Protection Regulation (GDPR) is one of the strictest data protection/privacy laws on the planet, and non-compliant organizations can be fined heavily. In this blog, we provide a detailed GDPR compliance checklist to help organizations remain compliant and avoid those costly fines.
What is GDPR Compliance?
GDPR compliance is a regulation passed by the European Union to safeguard the privacy and security of personal data belonging to EU citizens. Companies that handle the personal data of EU citizens must follow certain rules and regulations that are laid out in GDPR compliance when collecting, processing, storing, and disposing of this data.
GDPR Compliance Checklist
Below we have collated a GDPR compliance checklist which includes some of the most important points that you need to consider if you want to stay GDPR compliant:
1. Ensure lawfulness and transparency of data processing
Ensure that you know what personal data you hold, where it is stored, and who has access to it. Make a list of all sensitive data you store and process, and ask the following questions:
- Inform people about collecting their personal data before doing it.
- What personal data do you hold?
- Does the data include sensitive personal data? If yes, how do you keep it safe?
- Does your website collect personal data from minors (below 16 years of age)?
- Valid reasons must be provided for collecting and processing data. It’s important that the user agrees to the processing of their data, so make sure that you receive consent through some sort of opt-in process, such as clicking a checkbox.
- Where is the personal data stored?
- Who has access to the data?
- Do any third parties hold this personal data? If yes, how do you control their processing of your data?
- Are these third parties based outside the EEA? If yes, what process do they have in place to protect your personal data from being accessed by foreign parties or from being used for purposes other than those permitted under the contract with that third party?
- Specify the period of data storage. Can any of this information be deleted or made anonymous?
- Gather only the data you need for the purposes stated. It’s important to provide clear and concise information about data collection, storage, and processing and all this information should be easily accessible.
2. Review your privacy policy
A privacy policy should form an integral part of your complete website content as part of GDPR compliance. It will need to be easily accessible via a link on every page of your website and this includes those pages where no personal data collection takes place.
The main purpose of a privacy policy is to inform your site’s visitors about how you collect, use, store, and disclose their personal data. It should also explain the user’s rights and your obligations to them. These rights include the right to access their personal data and the right to request the removal of their data.
The policy must be written in clear language that is easy to understand. It is not acceptable for a user to have to search for it or click several times before they can find it.
3. Secure your website
As a website owner, you must ensure your website is secure to comply with GDPR regulations. This means that both the data stored on your website needs to be protected and the website itself needs to be protected from outside attacks. It is a regular occurrence for websites to be attacked by hackers and others with malicious intent, so it is essential to prioritize your website security.
The following is a list of actions you can take to secure your website and keep user data protected:
- Install an SSL certificate (HTTPS website URL) that will encrypt any information sharing between the site and server.
- Use strong passwords for admin accounts.
- If you allow users to share payment information, then add extra layers of protection to your server.
- Use a CDN provider that can improve security. For example, by protecting websites against a DDoS attack.
- Install anti-virus software or services to protect against unauthorized access to the website.
- Do not collect, use or store more personal data than is necessary for your website.
- Try not to send or share personal data, especially sensitive data, to third-party services.
- Make personal data anonymous before storing it to de-identify users.
- Remove any personal data once it becomes surplus to requirements.
- Back up all data and store it in multiple secure locations.
4. Get consent for emails
If you have a mailing list of EU citizens, you need to review it regularly for GDPR compliance.
If you use email marketing services to send out emails, you need permission from your users that they want to receive these communications. The recommended method is to use double opt-in, where users must verify their email address after submitting it to the website.
Users need to be able to opt out of emails at any time. To do this, there needs to be an unsubscribe link found in your emails for the user to click on, and it should take them to a page where they can unsubscribe without any difficulty.
5. Document your GDPR compliance
A GDPR diary, or a data register, can be created to show a map of the flow of data through your organization. The more details that can be included, the better. In the event of an audit, the GDPR diary will serve as proof of compliance and if your organization suffers a data breach while introducing a compliance framework, then the GDPR diary can be used as proof of progress towards improved data security.
6. Add a cookie banner
If your website uses cookies which are not strictly necessary, then you should use a cookie banner to get GDPR cookie consent from users to be able to store the cookies on their devices.
This banner should inform visitors about how the website uses cookies and what information they store. It also informs them about their right to refuse the storage of cookies.
Here are the key points for you to consider when adding a cookie banner:
- The language used in the banner should be clear and concise. It should avoid legal jargon and long sentences.
- Include a description as to what kind of cookies you are setting and why.
- Explain how users can manage their cookie preferences.
- Include an opt-in option for cookies where users can accept them.
- Display an opt-out option for users who wish to block all cookies from your website.
- Add a third option for selective enabling of consent which is based on cookie category.
- Include information about your privacy policy and a link to the page.
- If the user closes or does not interact with the banner, this should not mean the user has consented.
- Do not load cookies without a user’s explicit consent (opt-in).
- Opt-out means the cookies should remain blocked and this includes any subsequent visits as well.
- There should be an option to recall the banner in case the user wants to withdraw or change their consent status.
7. Analyze and mitigate a data breach
The following is a list of what to have in place in the event of a data breach:
- To be able to provide a record of your processing activities.
- To be able to block all access to your website until you fix the vulnerability.
- Be able to conduct a thorough investigation of where, when, and how it happened. The data that was involved and who got affected.
- Notify the appropriate supervisory authority about the breach within 72 hours with all the information you have. Usually, the breach notification must include the categories and the approximate number of users concerned, any action taken, or measures planned by the company in response to the breach and including measures to mitigate its possible adverse effects.
- Notify the affected users if there is an increased risk to users’ rights and freedoms as a result of the breach, including what they can do to protect their data.
- Update your policies and procedures to prevent future security breaches on your website.
- Prepare a plan of action in the event of another data breach.
8. Check forms on your website
To adhere to GDPR compliance rules, if your website has any kind of forms, for example, inquiry, contact, or subscriptions forms, that collect personal data, you must ensure that you:
- Include a privacy statement that explains why you’re asking for personal details, what you intend to do with them, and that the user can withdraw consent at any time.
- Add an opt-in option, such as an unticked checkbox or a disabled toggle switch to obtain user consent to collect data.
- Add a checkbox, or similar, so that people can choose whether to receive correspondence or related services from you.
- Ideally, you should add a link to the Privacy Policy for further information.
9. Review data processors or third-party services
It is essential to find out which of the services or companies used directly by your company are GDPR compliant. You need to be aware of the privacy policies of any third-party service or company you use directly or indirectly.
If a third-party service is working on behalf of your company then you should ensure that they align with your privacy policy. This means that they should also be GDPR compliant.
10. Review international data transfer
If your business website relies on transferring personal data from EU to non-EU countries, then to remain GDPR compliant you should ensure the following:
- That the necessary risk assessments have been carried out before transferring the data.
- That the recipient country or service has an adequate data protection system in place.
- That you have all the necessary agreements with the recipient company/services.
How Lepide Helps Achieve GDPR Compliance
The Lepide Data Security Platform will enable you to identify and safeguard sensitive data belonging to EU citizens. The data classification feature included within the Lepide Solution will scan your file repositories (both local and remote) and automatically discover GDPR-related data and classify it accordingly. Anytime personal data belonging to EU citizens is accessed or used in an atypical manner, a real-time alert will be sent to your administrator’s inbox or mobile device. The Lepide platforms also come with numerous pre-defined GDPR compliance reports that can be generated and sent to the supervisory authorities at a moment’s notice.
If you’d like to see how the Lepide Data Security Platform can help you effortlessly satisfy GDPR compliance audits and steer clear of costly fines,.
GDPR Compliance FAQs
Do I Need to Comply with GDPR?
Organizations that collect or process the personal information of EU citizens or residents must comply with GDPR.
What are the 7 Principles of GDPR?
The seven principles outlined in Article 5.1-2 of the GDPR are: Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality; and Accountability.
What are the Penalties for GDPR Non-Compliance?
Non-compliance with GDPR can result in fines of up to 10 million euros or 2% of the company’s global annual revenue (whichever is higher) for less severe violations, and up to 20 million euros, or 4% of the company’s global annual revenue (whichever is higher) for violating core principles.
What is a Data Protection Officer?
A data protection officer is responsible for overseeing an organization’s data protection strategy and acting as the main point of contact for supervisory authorities and data subjects.
What is the Difference Between a Data Controller and a Data Processor?
Data controllers are individuals who decide how and why personal data will be processed. Data processors are third parties that process personal data on behalf of a data controller, such as cloud service providers or email service providers.
What are the Different Categories of Personal Data?
Sensitive personal data that require greater levels of protection includes racial or ethnic data, political affiliation or opinions, religious beliefs, trade union memberships, biometric data, health data, sexual orientation or activity, and genetic data.