SecurityCategory

Quick GDPR checklist: A latecomer’s guide to complying with the General Data Protection Regulation

5 min read
Tom Rankin
GDPR Checklist Computer

Why are we offering up a quick GDPR checklist? Well, given that 98 percent of EU-based companies were not GDPR-compliant when the EU’s new General Data Protection Regulation launched on May 25, it likely means many more business based in the United States aren’t either. Even if your business is located outside the European Union, you can’t afford to ignore the GDPR.

The law applies to organizations “outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects,” according to FAQs on the GDPR Portal. “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

In a nutshell, simply ignoring the regulation isn’t an option.

If you haven’t yet taken the bull by the horns, check out this GDPR checklist to learn how to quickly and accurately comply with the GDPR. Let’s get started!

Related: How the General Data Protection Regulation might affect American businesses in 2019 and beyond

A brief look at the GDPR

We’ve talked about the General Data Protection Regulation (GDPR) before. Essentially, this is an EU initiative that protects the rights of EU-based citizens online. To put it another way, the GDPR outlines how you can and cannot use personal user data collected via your website.

What’s more, the GDPR discusses how to handle website visitor data, and what to do in the event of a breach. On paper, it’s a great (and much needed) regulation. However, the implementation has been less than stellar — and both sides have played a part.

The main bone of contention is in how the GDPR will be “policed.” Let’s talk about that a little more next.

What happens if you don’t comply?

GDPR Checklist Questions

The main reaction to the GDPR from those not wishing to comply is: How will they catch me? There’s a solid argument (based on historical directives such as the so-called “Cookie Law”) that the authorities will do minimal (if any) detective work in order to root out non-compliance.

This is a fair argument given the circumstances, although a directive is much different to a regulation in this instance. For starters, there’s definite mobilization when it comes to enforcing the law. While we won’t get into the nitty-gritty here, the GDPR essentially applies to anyone potentially dealing with EU users, and blocking site access from this group is a non-starter.

The Information Commission Office (ICO) in the UK has produced guidelines alluding to a scaled system of reprimands, with the oft-touted 4 percent fine of your turnover restricted to the very largest businesses. In fact, the official GDPR website also outlines a tiered system for introducing fines.

Your quick GDPR checklist for compliance

While you might want to comply with the GDPR, you might also be worried about how to do so before it becomes an issue. This GDPR checklist will show you how to quickly comply with the regulations.

1. Figure out if you need to comply

You first step is to consider whether you actually need to comply with the GDPR. The simplest answer here is that every site handling the personal data of users who reside in the EU must comply regardless of size.

2. Figure out how you will comply

For instance, you might need to employ a dedicated Data Protection Officer (DPO). You’ll also need to consider the data you document relative to your business’s size. You’ll likely have under 250 employees, in which case you only need to document processing activities that:

  • record regular activities (such as signing into WordPress).
  • could result in ta risk of the rights and freedoms of individuals.
  • involve special categories of data, such as criminal convictions.

Visit the Information Commissioner’s Office website for a comprehensive look at the documentation you must maintain for GDPR compliance.

3. Figure out your approach to GDPR compliance

Once you’ve figured out your level of compliance, you can then figure out your approach. In a recent WordPress update, there are built-in options to help with compliance, and they may be all you need. For example, there’s now a dedicated section for creating a Privacy Policy page, which means you could potentially adapt your current policy to suit.

GDPR Checklist Setting

What’s more, there’s now a system to help log user accounts within your WordPress database, including a simple way to delete and export accounts.

However, if these built-in WordPress features don’t fit the bill or your website is not built on WordPress, you might need need to spend in order to comply with the GDPR. A solution from a company such as iubenda might be the easiest option.

In any case, the “sticking plaster” approach in this quick GDPR checklist should only provide time for you to comply more thoroughly. That being said, some solutions are geared towards permanent methods of compliance, so it pays to browse around at the constantly changing landscape before sticking with your choice.

Related: Tips for your Terms of Service and Privacy Policy pages

Doing right by users

All of the current conversations about the GDPR also focus on the potential repercussions of non-compliance. We can talk all day long about the fines you could receive, but ultimately, protecting your customer’s sensitive data (and giving them a way to back out) is a good move to make.

This quick GDPR checklist provided a high-level overview of how to comply with the GDPR if you haven’t already done so. Bear in mind, this constitutes the quickest way, not necessarily the most cost-effective, or thorough.

The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.