- As the global economy moves into the 21st century and technology becomes even more prevalent, data protection standards must be adjusted to prevent our personal data from falling into the wrong hands. The GDPR, or General Data Protection Regulation, is the European Union’s latest attempt to give individuals a uniform standard of personal data protection and peace of mind that their personal data is safe. Not only does the GDPR expand EU personal data protection obligations, it also directly affects companies established outside of the European Union – most notably, US companies – whenever they offer goods or services to, or monitor the behaviour of, people in the EU.
While there are numerous resources available to help US companies reach GDPR compliance, the May 25th, 2018 deadline for all US companies that collect, process, or store the personal data of individuals in the EU is fast approaching, and many companies are still largely unaware of how this affects them. Is your website GDPR compliant? To help answer this question, we put together a checklist to assist you in your GDPR compliance efforts.
**Please note: This is a high-level overview only and should not be used as a complete determination of GDPR compliance. Please consult your lawyer or another compliance professional familiar with the intricacies of the GDPR.
Website Checklist for GDPR Compliance
- Make sure you have documentation (e.g., a privacy notice) on your website informing visitors that their information is being collected, what types of data are being collected, why they are being collected, and how long the information is retained. The GDPR requires sites to provide this detail to users before collecting data, so make sure your site fully discloses the purposes of processing and the retention periods for each type of personal data. Siteimprove makes all policies, including those related to privacy, easy to locate.
- Make sure you are aware of all types of personal data collected on your website. Websites collect all kinds of data, so it is important to determine which data is actually necessary to collect and where it ends up (e.g., whether third parties such as analytics or advertising scripts have access to it). Limiting the amount of data you collect reduces storage expenses, liability, and the disclosure effort following a data breach. A good place to start is identifying a tool that fits the needs and scope of your organization. Siteimprove GDPR monitors your online presence and alerts you to the personal data that lives there, saving you time and lowering the risk of compliance issues down the road. Knowing where personal data lives on your website is the best way to find potential risks before issues arise.
- Consider using encryption as part of your data collection and storage. While this point is more “behind the scenes”, companies should encrypt the personal data they collect, with the strength of the controls matched to the sensitivity of the data. Encryption protects personal data by making it unreadable should it fall into the wrong hands, and encrypted data can be considered “unintelligible” under the GDPR. If a breach only exposes data that was rendered unintelligible (for example, properly encrypted data whose key was not also compromised), the obligation to notify the affected individuals may not apply; note that notifying the supervisory authority is a separate obligation and is still required unless the breach is unlikely to result in a risk to those individuals.
- Make sure all consent forms are unchecked by default and have an easy confirmation process (positive opt-in). For example, the option to click an approval button or tick a checkbox makes for an easy confirmation process; pre-ticked boxes, inactivity, or silence do not count as consent. Siteimprove makes it easy to set up a policy on your site, so an opt-in or opt-out option is always present when necessary. **Note: Consent must be requested separately from other terms and conditions, and consent forms should be easy to understand.
- Make sure the contact information for your Data Protection Officer (if applicable) or any other data privacy personnel is listed clearly on your website. The GDPR requires companies to give people the ability to view, correct, or delete their personal information, and people also have the right to send inquiries about how their information is used. Make sure people have easy access to whoever is responsible for managing personal data so such inquiries can be made.
- Make sure you have a process in place for easy data deletion (the Right to Erasure, often called the Right to be Forgotten). Completing data requests can be time-consuming, and the GDPR expects them to be handled without undue delay and in general within one month. Make sure you have processes in place to locate and delete a person's data across your systems (including backups and third-party processors) within that window.
- Are you ready for a data breach? Should this unfortunate event take place, make sure you know what to do and who to contact (e.g., the Supervisory Authority, your DPO, affected customers) and that all necessary notification forms are in place. The GDPR requires notifying the Supervisory Authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, so the process needs to be rehearsed in advance, not worked out during the incident.
- Be prepared for data portability requests. Another main component of the GDPR is giving people the ability to move their personal information from one service to another quickly and easily in a structured, commonly used, machine-readable format (e.g., a CSV or JSON export). Do you have this capability?
- Do you have a mobile app? The GDPR also applies to personal data collected through mobile devices and apps. Spend some time reviewing the data your mobile app collects, where it goes (including third-party SDKs), and why it is collected, and make sure all of it complies with the GDPR.