GDPR Compliance Checklist

Nice as official as it sounds.

This is about confirming that any data collected is only for legal use and purposes — and with transparency in the intention of legal use. GDPR requires you to confirm that any personal data you collect about users (or that you process and store) is these two things:

• ☑️ Lawfully obtained and handled.
• ☑️ Not used for anything illegal.

We won’t stress the second point, as we don’t expect to be using data for illegal activities if you are reading this article.

In terms of legally obtaining and handling personal data, you should make sure that you use disclaimers.

For instance, if you have a prize that can only be unlocked when subscribed to your email list, you should notify them — at the point of submitting their details — that they are indeed signing up to an email list with a regular newsletter.If you intend to hand off names and addresses to third parties for market research, this should be made clear, with an ability to unsubscribe at any time.

Officially known as “data minimisation” — this basically means being aware of how much data you are collecting. You shouldn’t try to collect as much as you can just for the sake of doing it. If you’re working in healthcare, use top cloud storage that is HIPAA compliant.

As the owner of a website, you are responsible for managing how much personal data is collected and that it is essential for your specific project.

For instance, you need an email address to do email marketing — and a first name could be important if you want to build a sense of community by being able to address your subscribers on a first name basis — but do you really need a surname or date of birth

• ✅ Do I absolutely need this information for processing?
• ✅ Is this option the most minimalistic in terms of needing personal data?

If you’re running a website with adult content, perhaps a date of birth is necessary.

For the EU, 18 is the minimum age for adult content. But do you really need a date of birth?

If you’re unsure, just give the option for the user to select ‘I am over 18’ or ‘I am under 18.’

No, this has nothing to do with the self-development or self-motivation world — again, remember that you are the manager of your website or small business.

With the evolution of the superconductors, mass communication, and ultimately the Internet has come thousands of superheroes all with their own successful businesses, in every niche you can think of from nutrition to yoga to artificial intelligence podcasts.

There is no one else around to control how data moves around; no internal auditors with a suit and tie to run secret audits. The GDPR puts the onus on the business owner to be self-aware of data that has been historically collected.

• ☑️ Do you need this data anymore in terms of its original purpose?
• ☑️ Are you trying to use this data for a new purpose than its original intention? If so, you will require new consent from the data owner.

As a GDPR principle, this will usually refer to as being accurate with your requests for personal data.

Accuracy is just a fancy word for having a strict sense of personal ethics with how you word any requests — ie. not lying. The easiest way to think of this is to not lie or stretch/hide the truth with messaging on why and how you will be collecting data.

• ❌ This will prevent you from misleading the data owner:
• ❌ Are you stretching the truth in your wording?
• ❌ Are you hiding something that the data owner could find worth mentioning?

Some analytic software like Google handle GDPR from their side of things, but if you are using other analytic software that personally tracks user activities — things like IP addresses — consent must be obtained, eg. not all top VPNs protect user IPs.

Also known as data retention or storage limits.

Collecting personal data should have a set time-limit after which that data is removed.

Data is only retained for as long as necessary for the purpose of which was obtained.

If your website collects particularly sensitive personal information, you should consider employing a controller for record-keeping — they will handle things such as maintaining records of all processing of data: names of the controller and any data protection officers; purposes of the processing; and more.

• ✅ Do you have sensitive personal information and is somebody controlling the record-keeping aspect?
• ✅ Do you have a data protection officer responsible for monitoring operations?
• ✅ Have you securely disposed of personal information after the purpose for it has concluded? (sure you have an email list, but maybe that company has been retired).

There is no specific security rule that governs exactly what level of encryption your website must have around the data that is being processed by it — rather you have to consider your industry and make sure you fall inside of the set limits, such as healthcare.

The basic standard if you are dealing with personal information is to have an SSL on your website by choosing a great web host that includes it. Pseudonymization is a new term that evolved from GDPR and is recommended.

• ☑️ Is your web host reputable with an SSL as standard?
• ☑️ Are you the weak link in the chain: does your domain registrar put you at risk or does it provide WHOIS Guard

PRO TIP ⭐

By no means should you ever request confidential information such as payments if your website is not secured by SSL. Not only will this hurt you and SEO but it is irresponsible for the point of view of GDPR.

Also known as accountability. As a website owner, you are the go-to for any users who want to request deletion of any of their personal data that has been processed by your website.

This also applies to any breaches. In the event of a breach, such as your website being hacked you are obliged to notify your regulator within 72 hours of becoming aware of it.

And if individuals could be at high risk in terms of rights and freedoms, you also obliged to notify the individuals affected.

Note: if your data is encrypted and so any breaches will not expose personal information, you do not need to notify individuals who have been affected.

• ✅ Visitors should be able to check what data you have on them and request removal.
• ✅ Do not be the point of weakness. Ensure your device is protected by a great affordable antivirus or at least a quality malware scanner for online protection.’