You may need to comply with the General Data Protection Regulation (GDPR) if you own a website or app that collects personal information from your visitors, and it is available to visitors from the European Union (EU) or European Economic Area (EEA).
Under this regulation, users from the EU and EEA have specific rights over their personal data, and businesses must follow precise GDPR requirements governing how they legally collect, process, use, sell, and share that information.
Violating the GDPR, even by mistake, can lead to fines of up to €20 million or 4% of your annual global turnover for the previous financial year, whichever is higher, as well as other sanctions.
To help you set your website or app up for GDPR compliance and avoid costly fines, we’ve created an easy-to-follow GDPR checklist that walks you through the regulation’s main requirements for websites and apps.
Part 1 – Start Here: GDPR Checklist for Businesses
Solution: Audit your business for GDPR requirements
- Inconsistencies or inaccuracies, even accidental ones, can lead to fines for non-compliance.
- You’re required by law to have a legal basis (Chapter 2, Article 6) for processing each type of personal data.
- The regulation’s terms are defined in Chapter 1, Article 4.
Data controllers and data processors must follow slightly different guidelines, which we highlight for you further in this checklist.
TIP: Processing data means the collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or otherwise making available the information.
If Consent Is Your Legal Basis, You Must Follow These Steps
Solution: Use a Consent Management Platform that allows you to…
- Chapter 2, Article 7 (conditions for consent)
- Chapter 2, Article 7, Section 2 (the request for consent must be clearly distinguishable from other matters and written in clear, plain language)
- Chapter 2, Article 7, Section 3 (users must be able to withdraw consent at any time, and withdrawing must be as easy as giving it)
- Chapter 2, Article 7, Section 1 (you must be able to demonstrate that the user consented)
Part 2 – What You MUST Explain to Data Subjects
- Chapter 3, Article 13, and Article 15 (information to provide when collecting data, and the right of access)
- Chapter 3, Article 15 (the right of access)
- Chapter 3, Article 15, Part (a) (the purposes of the processing)
- Chapter 3, Article 15, Part (c) (the recipients of the data, in particular those in third countries)
- Chapter 3, Article 15, Part (d) (the retention period, or the criteria used to determine it)
- Chapter 3, Article 15, Part (e) (the rights to rectification, erasure, restriction of processing, and objection)
- Chapter 3, Article 15, Part (f) (the right to lodge a complaint with a supervisory authority)
- Chapter 3, Article 15, Part (g) (the source of the data, where it was not collected from the user)
- Chapter 3, Article 15, Part (h) (the existence of automated decision-making, including profiling, and meaningful information about its logic)
Part 3 – Accountability and Third-Party Contracts
Solution: Use a Data Processing Agreement (DPA) that requires the data processor to…
- Chapter 4, Article 28, Section 3, Part (a) (process personal data only on the controller’s documented instructions, including for transfers to third countries)
- Chapter 4, Article 28, Section 3, Part (b) (ensure everyone authorized to process the data is bound by confidentiality)
- Chapter 4, Article 28, Section 3, Part (c) (implement the security measures required by Article 32)
- Chapter 4, Article 28, Section 3, Part (d) (engage sub-processors only under the conditions set out in Article 28)
- Chapter 4, Article 28, Section 3, Part (e) (assist the controller in responding to data subject rights requests)
- Chapter 4, Article 28, Section 3, Part (f) (assist the controller with security, breach notification, and impact assessment obligations under Articles 32 to 36)
- Chapter 4, Article 28, Section 3, Part (g) (delete or return all personal data at the end of the service, at the controller’s choice)
- Chapter 4, Article 28, Section 3, Part (h) (provide the information needed to demonstrate compliance, and allow and contribute to audits)
If YOU are a data processor, ensure the data controller creates a compliant DPA for you to sign.
Part 4 – Data Security and Storage Requirements
Solution: Implement technical and organizational security measures.
- Chapter 4, Article 32 (security of processing)
- Chapter 4, Article 35 and Article 36 (data protection impact assessments and prior consultation with the supervisory authority)
Part 5 – International Data Transfers
Solution: Implement appropriate data transfer safeguards
- Chapter 5, Article 46 (transfers subject to appropriate safeguards)
Now that you’ve got the checklist, the rest of this guide goes into more depth about different requirements of the GDPR and how Termly’s solutions can help you easily and affordably achieve full compliance.
Let’s dive into this regulation together.
More Info on the GDPR
Want a bit more information about the GDPR? Below, check out some answers to frequent questions we get about this EU regulation and its global impact.
What Is the GDPR in Simple Terms?
The GDPR is a European Union or EU regulation that also covers the European Economic Area (EEA). It outlines data protection guidelines, consumer rights, and business requirements for collecting and using personal information.
This legislation gives users more control over how and when their data gets collected by websites or apps operating online.
It has applied since May 25th, 2018, and is built around the following seven privacy principles (Article 5):
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What Is the Scope of the GDPR?
The GDPR has a global scope: under Article 3 it applies to any entity established in the EU or EEA, and to any entity outside it that offers goods or services to, or monitors the behavior of, people in the EU or EEA and processes their personal information in doing so.
Other data privacy laws, like the amended California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), have monetary thresholds in place or apply only to businesses that collect specific amounts of data. This is not the case with the GDPR.
Your business can be located anywhere in the world, but if you collect data from visitors in the EU or EEA, you must provide them with a way to exercise their privacy rights or risk fines for non-compliance.
There are 27 EU Member States:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
The additional EEA countries that the GDPR also protects are:
- Iceland
- Liechtenstein
- Norway
What Qualifies as Personal Data Under the GDPR?
Because you must inform consumers about what personal information (PI) you’re collecting, it’s important you know exactly how the GDPR defines personal information.
The GDPR describes personal data in Chapter 1, Article 4 as:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
Any information that can identify an individual, either on its own or when combined with other collected data, is considered PI under this regulation.
This means any of the following details qualify, either on their own or in tandem with other attributes:
- Phone number
- Email addresses
- IP addresses
- Biometric data
- Political, religious, or philosophical beliefs
- Sexual orientation
- Trade union membership
- Race or ethnic origin
- Medical data
The last five items on that list are “special categories of personal data” under Article 9, which may only be processed under narrower conditions, such as the user’s explicit consent. The regulation deliberately uses a broad definition so that it continues to cover new technologies and new kinds of identifiers.
Data Processors and Data Controllers According to the GDPR
The GDPR describes different obligations depending on if your business qualifies as a data controller or data processor. It’s possible to act as both.
A controller, defined in Chapter 1, Article 4, means any entity that, alone or jointly with others, determines the purposes and means of processing personal information. So if your business collects data and decides to use it for marketing and research, you qualify as the controller.
Any of the following entities can be a data controller:
- Natural or legal person
- Public authority
- Any other body
A processor, on the other hand, means the body that processes personal information on behalf of the controller, and is also defined in Article 4. It can be any of the same kinds of entities listed above.
Processing under the regulation means collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or making available user personal data.
If you perform any of those actions on behalf of another entity, you qualify as their data processor.
International Data Transfers and the GDPR
The GDPR provides guidelines and restrictions for transferring data outside of the EU to third-party countries.
Some countries are considered “adequate” under Article 45, and transferring data to them is legal without further authorization. The European Commission maintains the current list of adequacy decisions; the countries covered include:
- Faroe Islands
- Isle of Man
- New Zealand
- South Korea
- The UK
When transferring to a country not considered “adequate”, you must follow the requirements in Chapter 5, Articles 44 – 50 of the regulation, or risk fines for non-compliance. In practice this means putting an appropriate safeguard in place under Article 46, such as the European Commission’s Standard Contractual Clauses or Binding Corporate Rules, or relying on one of the narrow derogations in Article 49. This may require you to add clauses to your contracts with third parties.
Tips for Complying With the GDPR
To comply with the GDPR, we recommend the following tips for your website or app:
Penalties for Not Complying
There are major consequences to not following the GDPR, and they can impact your business even if the violation is an accident.
Penalties outlined in Article 83 include fines of up to €10 million (around $12 million) or up to 2% of your annual global turnover for the previous financial year, whichever is higher, if you:
- Fail to meet the obligations of data controllers and processors, including the contractual obligations between them
- Infringe upon the obligations of a certification body
- Infringe upon the obligations of an independent monitoring body for codes of conduct
See a screenshot highlighting this portion of the regulation below.
But if you commit any of the following infringements, you risk fines of up to €20 million (around $22 million) or up to 4% of your annual global turnover for the previous financial year, whichever is higher:
- Fail to meet the basic principles for processing data, including the conditions for consent
- Infringe upon the rights of data subjects
- Fail to meet international data transfer requirements
- Don’t comply with obligations under laws adopted by Member States under Chapter 9
- Don’t comply with an order or temporary limitation on data processing issued by the competent supervisory authority
Below, see another screenshot of Article 83 outlining these higher fines.
You may also be directed to cease processing personal data, or face other instructions from the relevant supervisory authority.
On top of these penalties, you also risk public scrutiny and losing the trust of your consumers. Internet users today understand that a company that receives a GDPR fine was not collecting or protecting their personal information appropriately.
How Termly Helps Your Business Comply With the GDPR
You can use a combination of Termly products to help your business legally, easily, and affordably comply with all aspects of the GDPR, like our:
- Policy generators and templates
- Consent management platform
- DSAR Forms
Let’s discuss how each of these solutions can help your business with GDPR compliance in a little more detail.
Policy Generators and Templates
The entire process is quick and there’s a save feature if you want to pause and come back to finish it later on. Our customer support team is also around if you ever have questions.
Using our free template is still easy but takes more effort as you manually fill in blank sections with details about your business and must ensure the information is accurate and complete. This requires a little more legal knowledge.
Whatever you choose, both tools help with compliance. Our legal team and data privacy experts work on all of our policy generators and templates to ensure they meet privacy laws like the GDPR, the amended CCPA, and more.
Consent Management Platform
According to the text of the regulation, obtaining the user’s freely given, specific, informed, and unambiguous consent through a clear affirmative action (Article 4, Section 11) is one of the legal bases for collecting and using personal information (Article 6), as highlighted below.
Below, see a screenshot of the GDPR-related settings in our CMP tools.
Your users can update their consent preferences easily and at any time within a preference center, and we’ll store logs of their consent choices following Article 7 of the regulation.
Data Subject Access Request (DSAR or SAR) Forms
We provide compliant Data Subject Access Request forms, or DSAR or SAR forms, to help you meet the GDPR obligations surrounding users’ rights to access personal information collected about them outlined in Article 15.
To get access to the DSAR form, use our Consent Management Platform. Or, you can sign up as a Pro+ member and gain access to this along with the rest of our comprehensive suite of solutions.
With this guide and checklist in your toolbox, you’re fully equipped with the necessary resources to set your website or app up for full GDPR compliance.
You’ll need:
- EULA (for software)
- Consent banner
- Consent management platform
- DSAR forms
You can make these documents on your own. But to simplify the process even further, check out our full suite of GDPR-compliant website solutions.