Not all of us have accountants and lawyers to dissect all of the complications involved in GDPR compliance.
This guide will help you to make sure your website or small business is GDPR-compliant with UK laws, without the mumbo-jumbo, handy for:
Jump to the end of this checklist for FAQs.
Onto the listicle
GDPR Checklist UK 🇬🇧
Step-by-Step Guide for All 7 Steps
We’ve broken this down into the seven key areas to think about: a GDPR checklist for websites, with practical tips on how to make sure your website is up to standard.
Not as official as it sounds.
This is about confirming that any data collected is only for legal use and purposes — and with transparency in the intention of legal use. GDPR requires you to confirm that any personal data you collect about users (or that you process and store) is these two things:
- ☑️ Lawfully obtained and handled.
- ☑️ Not used for anything illegal.
We won’t stress the second point, as we don’t expect to be using data for illegal activities if you are reading this article.
In terms of legally obtaining and handling personal data, you should make sure that you use disclaimers.
For instance, if you have a prize that can only be unlocked by subscribing to your email list, you should notify users, at the point of submitting their details, that they are indeed signing up to an email list with a regular newsletter. If you intend to hand off names and addresses to third parties for market research, this should be made clear, with the ability to unsubscribe at any time.
Officially known as “data minimisation” — this basically means being aware of how much data you are collecting. You shouldn’t try to collect as much as you can just for the sake of doing it. If you’re working in healthcare, use top cloud storage that is HIPAA compliant.
As the owner of a website, you are responsible for managing how much personal data is collected and that it is essential for your specific project.
For instance, you need an email address to do email marketing, and a first name could be important if you want to build a sense of community by addressing your subscribers on a first-name basis. But do you really need a surname or date of birth?
- ✅ Do I absolutely need this information for processing?
- ✅ Is this option the most minimalistic in terms of needing personal data?
If you’re running a website with adult content, perhaps a date of birth is necessary.
For the EU, 18 is the minimum age for adult content. But do you really need a date of birth?
If you’re unsure, just give the option for the user to select ‘I am over 18’ or ‘I am under 18.’
No, this has nothing to do with the self-development or self-motivation world — again, remember that you are the manager of your website or small business.
With the evolution of the superconductors, mass communication and ultimately the Internet have come thousands of superheroes, all with their own successful businesses in every niche you can think of, from nutrition to yoga to artificial intelligence podcasts.
There is no one else around to control how data moves around; no internal auditors with a suit and tie to run secret audits. The GDPR puts the onus on the business owner to be self-aware of data that has been historically collected.
- ☑️ Do you need this data anymore in terms of its original purpose?
- ☑️ Are you trying to use this data for a purpose other than the one it was originally collected for? If so, you will require new consent from the data owner.
As a GDPR principle, this usually refers to being accurate in your requests for personal data.
Accuracy is just a fancy word for having a strict sense of personal ethics in how you word any request, i.e. not lying. The easiest way to think of this is: do not lie, stretch or hide the truth in your messaging about why and how you will be collecting data.
Asking yourself these questions will help you avoid misleading the data owner:
- ❌ Are you stretching the truth in your wording?
- ❌ Are you hiding something that the data owner would find worth mentioning?
Some analytics software, like Google’s, handles GDPR from its side of things, but if you are using other analytics software that personally tracks user activity, such as IP addresses, consent must be obtained; e.g. not all top VPNs protect user IPs.
Also known as data retention or storage limits.
Collecting personal data should come with a set time limit, after which that data is removed.
Data is only retained for as long as necessary for the purpose for which it was obtained.
If your website collects particularly sensitive personal information, you should consider employing a controller for record-keeping. They will handle things such as maintaining records of all processing of data: the names of the controller and any data protection officers, the purposes of the processing, and more.
- ✅ Do you have sensitive personal information and is somebody controlling the record-keeping aspect?
- ✅ Do you have a data protection officer responsible for monitoring operations?
- ✅ Have you securely disposed of personal information after the purpose for it has concluded? (sure you have an email list, but maybe that company has been retired).
There is no specific security rule that governs exactly what level of encryption your website must have around the data it processes. Rather, you have to consider your industry and make sure you meet the standards set for it, as in healthcare.
The basic standard if you are dealing with personal information is to have an SSL certificate on your website, by choosing a great web host that includes one. Pseudonymisation is a new term that evolved from GDPR and is recommended.
- ☑️ Is your web host reputable with an SSL as standard?
- ☑️ Are you the weak link in the chain: does your domain registrar put you at risk, or does it provide WHOIS Guard?
PRO TIP ⭐
By no means should you ever request confidential information such as payment details if your website is not secured by SSL. Not only will this hurt your SEO, it is irresponsible from the point of view of GDPR.
Also known as accountability. As a website owner, you are the go-to for any users who want to request deletion of any of their personal data that has been processed by your website.
This also applies to any breaches. In the event of a breach, such as your website being hacked, you are obliged to notify your regulator within 72 hours of becoming aware of it.
And if individuals could be at high risk in terms of their rights and freedoms, you are also obliged to notify the individuals affected.
Note: if your data is encrypted, so that a breach will not expose personal information, you do not need to notify the individuals affected.
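The storage-limitation, pseudonymisation and deletion-request points above can all be expressed in code. The following is an added example written for this guide, not code from the original article: it keeps only the fields a newsletter needs, stores a keyed pseudonym of each address, purges records past an assumed 24-month retention period, and honours a right-to-be-forgotten request. The retention period, the key and the signup records are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed retention rule for this example: keep a subscriber 24 months from consent.
RETENTION = timedelta(days=730)

# Assumed: the key lives outside the database (env var, vault), so a dump of the
# pseudonymised table alone cannot be linked back to real addresses. Placeholder value.
PSEUDONYM_KEY = b"example-key-placeholder-not-a-real-secret"


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable per address (duplicates and deletion requests can be
    matched) but not reversible without the key. Addresses are normalised first."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def minimise(signup: dict, consented_at) -> dict:
    """Data minimisation: keep only what the newsletter purpose actually needs."""
    email = signup["email"].strip().lower()
    return {
        "pseudonym": pseudonymise(email),
        "email": email,                               # needed to send the newsletter
        "first_name": signup.get("first_name", ""),  # to address the reader
        "consented_at": consented_at,
    }  # surname, date of birth and any other form fields are dropped here


def purge_expired(records: list, now: datetime) -> list:
    """Storage limitation: drop records whose retention period has lapsed."""
    return [r for r in records if now - r["consented_at"] < RETENTION]


def erase_subject(records: list, email: str) -> list:
    """Right to be forgotten: remove every record for one data subject, matching on
    the pseudonym so the request can be checked against the pseudonymised table."""
    target = pseudonymise(email)
    return [r for r in records if r["pseudonym"] != target]


def demo() -> list:
    """Constructed walk-through: two signups, one over-collecting; one lapses, one asks
    to be forgotten, leaving an empty list."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    ann = {"email": "Ann@Example.org", "first_name": "Ann", "surname": "Lee", "dob": "1990-01-01"}
    bob = {"email": "bob@example.org", "first_name": "Bob"}
    records = [minimise(ann, t0), minimise(bob, t0 + timedelta(days=400))]
    records = purge_expired(records, t0 + timedelta(days=800))  # Ann's 730 days are up
    return erase_subject(records, " BOB@example.org ")           # Bob's deletion request
```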
We Got the Answers to All Your Questions 🙋
Why Do I Need to be Compliant?
You could face a significant fine if your website is not compliant with the General Data Protection Regulation, which came into force on May 25, 2018.
What is GDPR Compliance (UK and EU)?
This is a regulation made by the European Parliament and the Council of the European Union, setting laws on privacy and data protection for countries in the EU and the European Economic Area (EEA), and also addressing transfers of personal data beyond these areas.
Does GDPR Affect the UK?
Yes. While the UK is no longer part of the EU or EEA, the GDPR has been incorporated into UK data protection laws, effectively meaning that you need to follow EU GDPR.
Also, if you serve customers or offer services to individuals in the EEA, the EU GDPR could still apply directly to you.
What are the 7 Principles of GDPR UK?
To summarise the 7 principles of GDPR UK which this article covers:
- Data minimisation
- Limited storage length
- Data privacy and security
- “Right to be forgotten” (removal requests)
Demystified: GDPR Checklist for Dummies 📖
There’s a lot involved with GDPR compliance. Although most of it won’t be necessary for your average website owner, it is handy to get a basic feel for what the most common terms mean.
Data Protection Officer
Abbreviated as DPO, data protection officers work in an enterprise security leadership position. This is something you should worry about once you are the size of a public authority or body with processing activities that involve substantial personal data.
They are something like auditors, monitoring and managing internal compliance and offering advice on data protection obligations, rather like a supervisory body. This person can be a member of staff or an external service provider.
The DPO must have expertise in data protection and will report to the highest management level.
This was defined in the Data Protection Act 1998 (the DPA). The controller, either alone or in collaboration with others, decides the purposes of personal data use: how and why data is being processed.
The controller can be a public authority, agency, person or other body. They also ensure that the level of data protection is compliant with GDPR standards, putting into place the measures that will meet this level of protection.
This describes the party that handles the technical processing of data on behalf of the controller.
Cloud hosting is one form of data processing: a hosting platform where data is being stored. Have a look here for the most recommended cloud hosts with unlimited cloud storage and high levels of encryption.
Right to be Forgotten
Refers to the fact that any data subject (the person whose data is being collected) has the right to request deletion of any personal information that you have stored about them.
This also goes for any elements posted online by the data subject, including reviews, articles, or forum posts.
Information Commissioner’s Office
Abbreviated as ICO, the Information Commissioner’s Office works in the public interest. It promotes transparency, data privacy and the information rights of data subjects. It also has the power to fine for any breaches; this can be up to £500,000.
The End of Our Journey 📚
“How do I become GDPR compliant?” Answering this question was quite important for us, as we knew that a lot of business owners needed help with it.
There are 7 principles website owners need to be aware of (check the FAQs for a summary of these). Don’t make it overcomplicated, just be aware of the level of sensitivity of data you are collecting.
If you are dealing with particularly detailed bits of personal data, then you need to consider hiring a professional GDPR compliance expert, and this may lead to you hiring a part-time or full-time data controller and/or data protection officer (DPO).
In the UK, monetary penalties are decided by the ICO; however, many of the rules in the EU’s GDPR are incorporated. The ICO can issue fines of up to £500,000.
Most website owners need to pay attention to GDPR at a basic level, so just go over each step and make sure you have the essentials down! I hope this website GDPR checklist has been useful.