Your business must comply with the General Data Protection Regulation (GDPR) if you own a website or app that collects personal information from visitors, and if your services are available to people in the European Union (EU) or European Economic Area (EEA).
Violating the GDPR, even by mistake, can lead to massive fines of up to 4% of your gross annual income and other forms of sanction.
To help you set your website or app up for full GDPR compliance and avoid costly fines, I’ve created an easy-to-follow GDPR checklist to guide you through the entire regulation.
GDPR Checklist
Here’s a simple GDPR checklist to help your website or app meet all of the data privacy requirements outlined by this regulation.
Part 1 – Start Here: GDPR Checklist for Businesses
Solution: Audit your business for GDPR requirements
Source:
- Inconsistencies or inaccuracies, even by mistake, can lead to fines for non-compliance.
- You’re required by law to have a legal basis for processing each type of personal data.
- Terms of the regulation are defined in Chapter 1, Article 4.
- Data controllers and data processors must follow slightly different guidelines, which we highlight for you further in this checklist.
TIP: Processing data means the collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or otherwise making available the information.
If Consent Is Your Legal Basis, You Must Follow These Steps
Solution: Use a Consent Management Platform that allows you to…
Source:
- Chapter 2, Article 7
- Chapter 2, Article 7, Section 2
- Chapter 2, Article 7, Section 3
- Chapter 2, Article 7, Section 1
Part 2 – What You MUST Explain to Data Subjects
Solution: Create a GDPR-compliant privacy policy, and include…
Source:
- Chapter 3, Article 13, and Article 15
- Chapter 3, Article 15
- Chapter 3, Article 15, Part (a)
- Chapter 3, Article 15, Part (c)
- Chapter 3, Article 15, Part (d)
- Chapter 3, Article 15, Part (e)
- Chapter 3, Article 15, Part (f)
- Chapter 3, Article 15, Part (g)
- Chapter 3, Article 15, Part (h)
Part 3 – Accountability and Third-Party Contracts
Solution: Use a Data Processing Agreement (DPA) that requires the data processor to…
Source:
- Chapter 4, Article 28, Section 3, Part (a)
- Chapter 4, Article 28, Section 3, Part (b)
- Chapter 4, Article 28, Section 3, Part (c)
- Chapter 4, Article 28, Section 3, Part (d)
- Chapter 4, Article 28, Section 3, Part (e)
- Chapter 4, Article 28, Section 3, Part (f)
- Chapter 4, Article 28, Section 3, Part (g)
- Chapter 4, Article 28, Section 3, Part (h)
If YOU are a data processor, ensure the data controller creates a compliant DPA for you to sign.
Part 4 – Data Security and Storage Requirements
Solution: Implement technical and organizational security measures.
Source:
- Chapter 4, Article 32
- Chapter 4, Article 35 and Article 36
Part 5 – International Data Transfers
Solution: Implement appropriate data transfer safeguards.
Source:
- Chapter 5, Article 46
The rest of this guide goes into more depth about different requirements of the GDPR and how Termly’s solutions can help you easily and affordably achieve full compliance.
More Info on the GDPR
Below are answers to the questions I hear most often about the GDPR and its global impact.
What Is the GDPR in Simple Terms?
The GDPR is a European Union (EU) regulation that also covers the European Economic Area (EEA). It outlines data protection guidelines, consumer rights, and business requirements for collecting and using personal information.
This legislation gives users more control over how and when their data gets collected by websites or apps operating online.
It came into force on May 25th, 2018, and is built around the following seven privacy principles:
- Lawfulness, fairness, and transparency
- Purpose limitations
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
- Accountability
What Is the Scope of the GDPR?
The GDPR has a global scope because it applies to any entity that collects personal information and has visitors from the EU or EEA.
Other data privacy laws, like the amended California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), have monetary thresholds in place or apply only to businesses that collect specific amounts of data. This is not the case with the GDPR.
Your business can be located anywhere in the world, but if you have visitors from the EU or EEA and collect their data, you must provide them with a way to follow through on their privacy rights or risk receiving fines for non-compliance.
There are 27 EU Member States:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
The additional countries under the EEA that the GDPR also protects include:
- Iceland
- Liechtenstein
- Norway
What Qualifies as Personal Data Under the GDPR?
Because you must inform consumers about what personal information (PI) you’re collecting, it’s important you know exactly how the GDPR defines personal information.
The GDPR describes personal data in Chapter 1, Article 4 as:
…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…
Any information that can identify an individual, either on its own or when combined with other collected data, is considered PI under this regulation, including:
- Names
- Addresses
- Phone number
- Email addresses
- IP addresses
- Location
- Biometric data
- Political, religious, or philosophical beliefs
- Sexual orientation
- Trade union membership
- Race or ethnic origin
- Medical data
The regulation purposefully uses a broad definition so it can adapt and account for any technological advancements or changes.
Data Processors and Data Controllers According to the GDPR
The GDPR describes different obligations depending on if your business qualifies as a data controller or data processor. It’s possible to act as both.
A controller, defined in Chapter 1, Article 4, means any entity that, alone or with others, determines why and how personal information is processed. So if your business collects data and uses it for marketing and research, you qualify as the controller.
Any of the following entities can be a data controller:
- Natural or legal person
- Public authority
- Agency
- Any other body
A processor, also defined in Article 4, means the body that actually carries out the processing of the information. It can be any of the same kinds of entities listed above.
Processing under the regulation means collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or making available user personal data.
If you perform any of those actions on behalf of an entity, you qualify as their data processor.
International Data Transfers and the GDPR
The GDPR provides guidelines and restrictions for transferring data outside of the EU to third-party countries.
Some countries are considered “adequate”, and transferring to those locations is legal without prior authorization, including:
- Andorra
- Argentina
- Canada
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- South Korea
- Switzerland
- The UK
- Uruguay
When transferring to a country not considered “adequate”, you must ensure that the processor follows all GDPR requirements as written in Chapter 5, Articles 44–50 of the regulation, or risk receiving fines for non-compliance.
This may require you to put additional clauses in your contracts with third parties.
Tips for Complying With the GDPR
To comply with the GDPR, we recommend the following tips for your website or app:
Penalties for Not Complying
There are major consequences to not following the GDPR, and they can impact your business even if the violation is an accident.
Penalties outlined in Article 83 include fines of up to €10 million (around $12 million) or up to 2% of your annual global turnover of the previous year, whichever is higher, if you:
- Fail to meet contractual obligations between data controllers and processors
- Infringe upon the certification obligations for ensuring the security of the personal data collected and shared between data controllers and processors
- Fail to meet the guidelines of the independent, non-biased monitoring body for issuing and renewing certification
See a screenshot highlighting this portion of the regulation below.
But if you commit any of the following infringements, you risk fines of up to €12 million (around $22 million) or up to 4% of your annual global turnover of the previous year, whichever is higher:
- Fail to meet the basic principles for processing data, including conditions for consent
- Infringe upon the rights of data subjects
- Fail to meet international data transfer requirements
- Don’t comply with obligations outlined by specific Member State laws
- Don’t comply with an order or temporary limitation on data processing as directed by a compliant supervisory authority
Below, see another screenshot of Article 83 outlining these higher fines.
You may also be directed to cease processing personal data, or face other instructions from the relevant supervisory authority.
On top of these punishments, you also risk facing public scrutiny and losing the trust of your consumers. Internet users today know that companies who receive GDPR fines weren’t appropriately protecting or collecting their personal information.
How Termly Helps Your Business Comply With the GDPR
You can use a combination of Termly products to help your business easily and affordably comply with the GDPR.
Policy Generators and Templates
When filled out accordingly, our Privacy Policy Generator or privacy policy template can help you meet all business obligations regarding the consumer privacy rights outlined in Chapter 3, Articles 12 – 23 of the GDPR.
Privacy Policy Generator
According to this regulation, it’s your responsibility as the data controller to take appropriate measures to inform users about your data collection practices. Our tools allow you to create a privacy policy that fulfills these requirements — we highlighted relevant sections of the regulation below.
With our Privacy Policy Generator, you simply answer straightforward questions about your business, and it automatically creates the document for you.
The entire process is quick and there’s a save feature if you want to pause and come back to finish it later on. Our customer support team is also around if you ever have questions.
See an example of the GDPR portion of our Privacy Policy Generator in the screenshot below.
Privacy Policy Template
Using our free template is still easy but takes more effort as you manually fill in blank sections with details about your business and must ensure the information is accurate and complete. This requires a little more legal knowledge.
See what our GDPR-compatible privacy policy template looks like below.
Whatever you choose, both tools help with compliance. Our legal team and data privacy experts work on all of our policy generators and templates to ensure they meet privacy laws like the GDPR, the amended CCPA, and more.
Consent Management Platform
You can easily configure our Consent Management Platform (CMP) to meet all legal consent requirements and guidelines outlined by Articles 6 and 7 of the GDPR.
According to the text, obtaining active, explicit user consent is one of the legal bases for collecting and using personal information, as highlighted below.
You can use our GDPR-compliant consent banner to provide your users with a privacy policy and cookie policy — keeping them adequately informed — and to request legal opt-in consent.
Below, see a screenshot of the GDPR-related settings in our CMP tools.
Since cookies and other trackers qualify as personal information under this regulation, our Cookie Scanner checks your site, categorizes the cookies, and generates a compliant and accurate cookie policy that updates whenever another scan occurs.
Your users can update their consent preferences easily and at any time within a preference center, and we’ll store logs of their consent choices following Article 7 of the regulation.
Data Subject Access Request (DSAR or SAR) Forms
We provide compliant Data Subject Access Request (DSAR or SAR) forms to help you meet the GDPR obligations outlined in Article 15 surrounding users’ rights to access the personal information collected about them.
To access the DSAR form, use our Consent Management Platform. Or, sign up as a Pro+ member and gain access to it along with the rest of our comprehensive suite of solutions.
Summary
To set your website or app up for full GDPR compliance, you’ll need a:
- Privacy policy
- Cookie policy
- EULA (for software)
- Consent banner
- Consent management platform
- DSAR forms
- DPA
You can make these documents on your own, or simplify the process by checking out Termly’s suite of GDPR-compliant website solutions.