GDPR Compliance Checklist for Websites

Is your organization ready for GDPR data and web regulations? The new EU privacy law took effect in 2018, affecting millions of websites and businesses worldwide, so let’s review how to prepare your business to be fully compliant. If you’re already familiar with GDPR, check out our GDPR Compliance Checklist to assess your organization’s readiness.


What is the General Data Protection Regulation (GDPR)?

The European Union (EU) enacted the GDPR to better protect the privacy of EU citizens by regulating how personal data can be collected, stored, and used by organizations that operate websites and web applications.

Many businesses around the world are already affected by the new privacy protections, because any company that collects data from EU citizens must comply with the new rules or face enforcement actions and lawsuits. The official EU regulation can be reviewed here.

What organizations are affected by GDPR?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it has no business presence within the EU. This, of course, includes businesses and organizations in the United States whose websites can be accessed by European users. A company is required to comply if it meets any of the following criteria:

  • It has a presence in an EU country.
  • It has no presence in the EU, but it processes personal data of European residents.
  • It has more than 250 employees.
  • It has fewer than 250 employees, but its data processing could impact the rights of data subjects, or includes certain types of sensitive personal data.

Website Traffic, Data & Analytics Collection (Google Analytics & Adobe) Can Cause GDPR Violations

If your organization conducts business online, such as through an app, web app or website, many common data tracking and collection tools can put you at risk. Examples include:

  • Google Analytics
  • Adobe Analytics
  • Google Ads
  • Bing Ads
  • Newsletter Mailing Lists (Mailchimp, etc.)
  • 3rd party website tracking tools

GDPR Compliance Website Checklist

To help businesses and web developers with GDPR compliance, Xivic has published a GDPR Compliance Checklist G-Sheet. This checklist will help determine if your website or web app requires updates to comply with the General Data Protection Regulation. Once reviewed, you can determine the next steps in developing the business processes and documentation to make sure your organization is fully compliant with the new regulations.

How do organizations ensure compliance?

Overall, organizations need to develop processes for handling any requests from users regarding their personal data. GDPR states that you must deliver a complete response to a request for personal data information within 30 days. A complete response includes:

  • What personal data is being recorded about the user
  • Where the data is stored
  • Why your organization recorded and used their personal data
  • How long the data is retained

If you collect and process a large amount of personal data, your organization may need to hire a Data Privacy Officer to ensure that personal data is stored securely and in full compliance.

Developing business processes and documentation for dealing with a data security breach can also better prepare your organization for the worst-case scenario of a hack. Under GDPR, businesses must announce a breach within 72 hours, or they can face fines equal to 4% of annual global revenue or €20 million.

At a minimum, if you process any personal data you must have a Privacy Policy in place and update it to comply with GDPR. You must also update all internal procedure documentation and have a well-defined policy on the data retention periods for all personal data stored at your company.

How are companies responding to GDPR regulations?

Some businesses have outright closed down or stopped doing business in the European Union, perhaps because they weren’t doing enough business there to justify the risk, or simply because the cost of upgrading their software was seen as too high. Several online gaming and online software providers simply shut down, since the vast majority of their business is online and highly sensitive to the regulations.

Other companies have simply blocked access to European users and ignored the GDPR altogether. Since almost all public websites in the United States are accessible in Europe, almost all websites are exposed to potential GDPR violations, which is why some companies are simply using digital tools to block these users altogether. This can involve a number of implementations handled by internal web teams or by external web teams hired by the business for this purpose.

Not all organizations, of course, have the luxury of simply shutting down or blocking European business. Companies that run an active website accessible to EU users, and that do not want to open themselves up to GDPR fines and violations, will need to consult with their internal web teams or work with an external web partner to update their web applications to comply with the new code and regulation.

How are courts & businesses responding to GDPR violations & fines?

Some of the first fines and violations are being adjudicated in the European Union right now or were adjudicated very recently. The first was a €4,800 fine, plus legal costs, for a betting shop that was recording the public sidewalk outside its business while it simultaneously recorded its front door.

One of the largest fines was handed down against a hospital in Portugal: the Centro Hospitalar Barreiro Montijo near Lisbon received a €400,000 fine for two different GDPR violations (the hospital has vowed to appeal and fight the charges). The main ruling was that the hospital allowed sensitive data to be accessed by non-medical staff.

A German chat platform was fined €20,000 for a breach of user data, mostly passwords, which it had stored unencrypted in plain text. The company was hacked and the user data was published online, making it one of the more embarrassing cases to date.

Fines appear to depend on the severity of the breach (such as the size and sensitivity of the data, and potentially the recklessness of the offense), and are scaled directly to the size and revenue of the offending organization or business.

First & Next Steps

There is likely no way to be completely insulated from GDPR fines and hazards. There are simply too many potential surface areas and security risks for any business or organization performing digital information services, commerce or e-commerce in the European Union or over EU servers.

However, any business or organization that does not want to be exposed to legal risk should work with an external web team to upgrade or update their web applications and websites to meet the GDPR code.

An expert agency can carry out the work for any organization, or consult with the company’s internal team. Whichever approach is chosen, and depending on a number of factors, all US businesses will need to adapt and be prepared for GDPR or ADA website compliance.

Disclaimer: The goal of this article is to educate you on GDPR and help you build processes to ensure compliance; however, the final confirmation of GDPR compliance should come from your legal counsel. Your legal counsel should stand behind all legal decisions that are made as any violations could incur fines from the EU.