GDPR compliance website checklist

by Sypher | Published in Resources


This document offers the guidance you need to assemble the information required to make your website GDPR compliant. We have organised it around 8 key points, with explanations and examples.

The main takeaway is that there are several steps to take, and there is a checklist for every step.

1. Identify where and how you collect data

Your website collects data from visitors through different channels – such as forms, surveys, scripts, cookies or heatmaps. Data is collected at different stages of the user's visit to the website – when browsing a page, during the check-out process, or when creating an account.

All of these data sources need to be identified, reviewed, and properly documented.

Also, you need to clearly understand and document what types of data you collect. Depending on the website, you might collect a variety of data such as: name, email, address, financial information, or IP address.

2. Document the processing activity, its purposes and lawful basis, for each data source 

There has to be a reason or a purpose for you to collect any personal data. For example, if you store an email address to keep in touch with your customers, you need to inform them that the purpose of collecting their email address is business communication. You also need to check that the processing activity is necessary for the relevant purpose you previously stated.

Besides a purpose, you have to provide information about the legal basis for collecting a user's data. Under GDPR, there are six lawful bases available for processing:

  • Consent – when a person gives you their consent to process their data. Users’ consent must be freely given, specific, and informed
  • Contractual obligation – when data processing is necessary to execute an agreement that the data subject is a part of
  • Legitimate interests – the most flexible basis; it could apply to any type of processing carried out for a reasonable purpose
  • Legal Obligation – when data processing is necessary in order to comply with a legal obligation
  • Processing for vital interests – when data processing is necessary in order to prevent a calamity
  • Public Interest – when data processing is necessary for the welfare of the general public

3. Analyze whether any data sharing with 3rd parties occurs

You have to check, and then inform your visitors, whether their data will be passed on to other companies or will stay within your website. If the personal information will be passed on to another organization, you need to specify who will receive the data.

This situation occurs if you use trackers, cookies, or payment processors. Also, adding social media features to your website means that the person visiting your website will send information to the social media provider.

Under these circumstances, you must provide the list of cookies used by your website. A cookie notice must be displayed on the website, offering every user the possibility to read and agree to the privacy policy. Your privacy policy should refer to all these third-party data controllers in an easy-to-understand manner.

4. Put in place a mechanism to manage consent for processing that is based on consent (e.g., sharing with 3rd parties, marketing consent)

If the processing is based on consent, the website is responsible for making sure that it has obtained valid user consent.

Consent requests need to be concise, easy to understand and separate from any other information, such as general terms and conditions.

A consent request should be written in a clear and understandable language and should include specific information such as:

  • The name of your organization
  • The purposes of the processing
  • The processing activities
  • A way for the user to easily change or withdraw consent at any time

You also need to make sure the consent is freely given, specific, informed, and unambiguous. If the consent is withdrawn, you must stop the data processing.
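To make step 4 concrete, here is an added example (not part of the original checklist) of a minimal consent ledger for a website backend: consent is recorded per purpose, never assumed by default, withdrawable at any time, and every processing step is gated on the latest recorded decision. The purposes, organization name and `notice_version` values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed example purposes; on a real site these come from the step 2 documentation.
PURPOSES = {"marketing_email", "third_party_analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    notice_version: str  # version of the consent text the user actually saw


@dataclass
class ConsentLedger:
    """Append-only consent history per user. The latest event for a purpose decides;
    no event at all means no consent (no pre-ticked or bundled defaults)."""
    organization: str
    _events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:  # consent must be specific to a documented purpose
            raise ValueError(f"unknown purpose {purpose!r}; document it first (step 2)")
        ev = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), notice_version)
        self._events.setdefault(user_id, []).append(ev)  # never overwrite: keeps the evidence
        return ev

    def withdraw(self, user_id: str, purpose: str, notice_version: str) -> ConsentEvent:
        return self.record(user_id, purpose, False, notice_version)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        history = [e for e in self._events.get(user_id, []) if e.purpose == purpose]
        return bool(history) and history[-1].granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        return list(self._events.get(user_id, []))


def may_process(ledger: ConsentLedger, user_id: str, purpose: str) -> bool:
    """Gate for every consent-based step (sending a newsletter, loading an analytics
    tag, sharing with a processor). A withdrawal makes this return False immediately."""
    return ledger.has_consent(user_id, purpose)


if __name__ == "__main__":
    ledger = ConsentLedger(organization="Example Org (constructed)")
    ledger.record("user-42", "marketing_email", True, "notice-v3")
    print(may_process(ledger, "user-42", "marketing_email"))        # True
    print(may_process(ledger, "user-42", "third_party_analytics"))  # False: never asked
    ledger.withdraw("user-42", "marketing_email", "notice-v3")
    print(may_process(ledger, "user-42", "marketing_email"))        # False: processing must stop
```

The ledger keeps the full history rather than a single flag, so you can later show which notice text a user saw and when they granted or withdrew consent.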

5. Provide privacy notices at data collection channels

Every privacy notice must contain specific information:

  • Contact details: name, address, email, and phone number of your organization. If you have appointed a DPO, add their contact details as well
  • An explanation, in detail, of what data is being captured and held about your users/visitors
  • The lawful basis for processing personal data (mandatory)
  • The retention time of personal data: at the time of collecting the data you must inform the person how long you will store it
  • An explanation of how the data is being used
  • The person's GDPR rights:

  • The Right to Access their Data 
  • The Right to have their data Rectified  
  • The Right to be forgotten  
  • The Right to restrict processing 
  • The Right to Data Portability 
  • The Right to Object to their data being used 
  • The Right to make a Complaint to a Data Protection Authority 
  • The Right to know if their data is being used for profiling 

6. Provide a way for visitors to send feedback/concerns/objections to your privacy team or DPO

Under GDPR, the identity and contact details of the Data Controller need to be provided. The business that owns the website is the Data Controller.

Visitors should be able, at any time, to ask questions or get more details from you regarding their personal data. Therefore, you must specify whom to contact for this information. At least a contact email address should be displayed on your website.

7. Implement a monitoring & periodical review mechanism for the documentation 

Once you have all your processes and policies in place and documented, you will need to check back at regular intervals to assess their performance.

8. Establish a privacy policy

You also need to have a privacy policy in place. This is a document containing information about data processing. The Privacy Policy section of your website must include the following information:

  • General company information 
  • The types of data you store and how you collect it
  • Links and short descriptions of the GDPR laws 
  • Links to all the plugins, applications or software that store your user data 
  • Links to the user request forms
  • Information about the personal data that this website collects and its purpose
  • Information about the data stored via the contact forms and its purpose
  • Information about the website’s server, its security and protection methods
  • Descriptions of the third-party data processors and links to their privacy policies
  • Your action plan in case of a data breach
  • The data controller and data protection officer information

Keeping a website GDPR compliant is an ongoing process that requires continuous effort and verification. Therefore, you need to set a schedule for auditing GDPR compliance, stick to it, and document each audit.
