- Perform a website or app scan and audit to determine each type of personal information you collect from visitors and where the data collection occurs.
- Determine your legal basis for data processing
- The GDPR outlines 6 legal bases in Chapter 2, Article 6 , so pick a valid reason for each category of personal data you collect.
- *I outlined the steps for using consent as a legal basis below.
- Determine if you’re a data controller or data processor
- Data controller — Any person or entity that determines the purposes and means for the processing of personal data, either alone or jointly with others.
- Data processor — Any person or entity that processes personal data on behalf of a data controller.
- *Please note that your company may act as both a controller and processor in different scenarios.
- Obtain informed, explicit opt-in consent
- Use a consent banner and avoid pre-checked boxes, which are not GDPR-compliant. Put a link to your privacy policy and cookie policy on the banner and prompt them to read both agreements.
- Make the consent request clearly distinguishable and easy to understand
- When consent is given via a written declaration, present the request in a way that is seperate from other matters, is easily accessible, and uses clear, plain language.
- Provide a way for consumers to withdraw consent
- Provide them with a consent preference center and ensure that withdrawing or opting out of consent is as easy as giving it.
- Maintain a consent log for your users
- To prove your users provided explicit opt-in consent, keep a log of their consent preferences for as long as you use their personal information but no longer than necessary.
- What personal data you collect about data subjects
- Clearly list all personal data you collect about the people who visit your website or use your app.
- This includes all personal information and sensitive personal information
- How you collect data
- Inform consumers HOW you’re collecting their data.
- This can include the use of internet cookies or other trackers or having them fill out digital forms, like when they create a new account.
- Why you collect data
- Inform consumers WHY you’re collecting each category of personal data.
- This is the legal basis you determined for the data processing.
- Who you share data with
- Inform consumers WHO you share their personal data with.
- This includes any third-party data processors you rely on, or any other external entities you partner with that also collects personal information from your consumers.
- How long you’ll store the data for
- State the exact timeframe or, when that’s not possible, explain your process for determining the timeframe.
- Legally, you can only store the data for as long as necessary to perform the original purpose of the data collection, subject to any other laws that may require the data to be held for longer periods.
- How to request rectification, data erasures, and objections
- Inform users how they can act on their right to correct or erase data you collect about them and how they can restrict or object to the processing of their personal data, like using a DSAR form.
- Explain your consumers’ right to lodge complaints
- Clearly express in your privacy policy that consumers can lodge a complaint about your practices with a supervisory authority.
- Explain when the data isn’t collected from the individual
- State where the source of the data is collected from, i.e., social media pages, public posts, or from external sources.
- Explain if you use automated decision-making
- Provide the logic involved, significance of, and envisaged consequences of why you use automated decision-making in those instances, including profiling.
- Only process the data on documented instructions from the controller unless otherwise required by Member State law.
- Ensure that staff accessing your data are committed to confidentiality, or are statutorily obligated to commit to confidentiality.
- Take all security measures outlined in Article 32 of the text.
- Only engage other processors with your written authorization, and under the same contractual obligations.
- Assist you, the controller, by taking technical measures to fulfill and respond to requests from data subjects to act on their rights.
- Assist you (the controller) in your compliance with security processing guidelines outlined in Article 32 and prior consultation requirements written in Article 36.
- Delete or return all personal data to you (the controller) after the contract term ends.
- Make available all information necessary to demonstrate GDPR compliance as outlined in steps 1 through 6 available to you (the controller) including audits or inspections conducted by you or an auditor of your choosing.
- Considering the risk level of the data, the controller and processor must implement appropriate technical and organizational measures to ensure personal data is securely stored, like:
- Pseudonymization and encryption of data*
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services*
- Provide the ability to restore the availability and access to data promptly in the event of an incident*
- A process of testing, assessing, and evaluating the effectiveness of the technical and organizational measures*
- * These are the suggested security measures from the text of the GDPR.
- Perform a Data Protection Impact Assessment (DPIA) as outlined in Article 35and seek advice from an appointed Data Protection Officer (DPO)
- If the DPIA determines processing the data is a high risk, consult a supervisory authority as outlined in Article 36before the processing.
- If you, as the controller or processor, transfer data to a third country or international organization:
- Ensure they have appropriate safeguards (including contractual protections) in place and will make available effective legal remedies and ways for data subjects to enforce their rights.
Now that you’ve got the checklist, the rest of this guide goes into more depth about different requirements of the GDPR and how Termly’s solutions can help you easily and affordably achieve full compliance.
Let’s dive into this regulation together.
More Info on the GDPR
Want a bit more information about the GDPR? Below, check out some answers to frequent questions we get about this EU regulation and its global impact.
What Is the GDPR in Simple Terms?
The GDPR is a European Union or EU regulation that also covers the European Economic Area (EEA). It outlines data protection guidelines, consumer rights, and business requirements for collecting and using personal information.
This legislation gives users more control over how and when their data gets collected by websites or apps operating online.
It came into force on May 25th, 2018, and is built around the following seven privacy principles:
- Lawfulness, fairness, and transparency
- Purpose limitations
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
- Accountability
What Is the Scope of the GDPR?
The GDPR has a global scope because it applies to any entity that collects personal information and has visitors from the EU or EEA.
Other data privacy laws, like the amended California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA) have monetary thresholds in place or apply to businesses that collect specific amounts of data. But this is not the case with the GDPR.
Your business can be located anywhere in the world, but if you have visitors from the EU or EEA and collect their data, you must provide them with a way to follow through on their privacy rights or risk receiving fines for non-compliance.
There are 27 EU Member States:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
The additional countries under the EEA that the GDPR also protects include:
- Iceland
- Liechtenstein
- Norway
What Qualifies as Personal Data Under the GDPR?
Because you must inform consumers about what personal information (PI) you’re collecting, it’s important you know exactly how the GDPR defines personal information.
The GDPR describes personal data in Chapter 1, Article 4 as:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
Any information that can identify an individual, either on its own or when combined with other collected data, is considered PI under this regulation.
This means any of the following details qualify, either on their own or in tandem with other attributes:
- Names
- Addresses
- Phone number
- Email addresses
- IP addresses
- Location
- Biometric data
- Political, religious, or philosophical beliefs
- Sexual orientation
- Trade union membership
- Race or ethnic origin
- Medical data
The regulation purposefully uses a broad definition so it can adapt and account for any technological advancements or changes.
Data Processors and Data Controllers According to the GDPR
A controller, defined in Chapter 1, Article 4, means any entity that, alone or with others, determines the purposes for and how personal information is processed. So if your business collects data and uses it for marketing and research, you qualify as the controller.
Any of the following entities can be a data controller:
- Natural or legal person
- Public authority
- Agency
- Any other body
A processor, on the other hand, means the body that actually processes the information and is also defined in Article 4. It can include any of the same entities listed above.
Processing under the regulation means collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or making available user personal data.
If you perform any of those actions on behalf of another entity, you qualify as their data processor.
International Data Transfers and the GDPR
The GDPR provides guidelines and restrictions for transferring data outside of the EU to third-party countries.
Some countries are considered “adequate”, and transferring to those locations is legal without prior authorization. Those countries include:
- Andorra
- Argentina
- Canada
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- South Korea
- Switzerland
- The UK
- Uruguay
When transferring to a country not considered “adequate”, you must ensure that the processor follows all GDPR requirements as written in Chapter 5 Articles 44 – 50 of the regulation, or risk receiving fines for noncompliance. This may require you to put additional clauses in your contracts with third parties.
Tips for Complying With the GDPR
To comply with the GDPR, we recommend the following tips for your website or app:
- Tip 1: Use a compliant privacy policy (and EULA for software services) and post it wherever data collection occurs
- Tip 2: Post an accurate cookie policy to properly inform users about all trackers or cookies your site uses
- Tip 3: Implement a compliant consent banner to obtain opt-in consent and give users a chance to say no to your data collection practices
- Tip 4: Give your users access to a consent preference center so they can change their minds or opt out of consent at any time
- Tip 5: Use Data Subject Access Request forms (DSAR or SAR) to easily allow your users to act on their privacy rights as outlined by the text of the GDPR
- Tip 6: Follow contractual obligations if you rely on a third party to process user data by using a Data Processing Agreement (DPA)
- Tip 7: Appoint a Data Protection Officer (DPO) and perform Data Protection Impact Assessments (DPIA) when necessary
- Tip 8: Only store personal information for as long as necessary for the purposes outlined in your privacy policy
- Tip 9: Take extra measures to safely store and keep your users’ personal information safe, and ensure any third-party processors you partner with can prove that they’re also GDPR-compliant
Penalties for Not Complying
There are major consequences to not following the GDPR, and they can impact your business even if the violation is an accident.
Penalties outlined in Article 83 include fines of up to €10 million (around $12 million) or up to 2% of your annual global turnover of the previous year, whichever is higher if you:
- Fail to meet contractual obligations between data controllers and processors
- Infringe upon the certification obligations for ensuring the security of the personal data collected and shared between data controllers and processors
- Fail to meet the guidelines of the independent, non-biased monitoring body for issuing and renewing certification
See a screenshot highlighting this portion of the regulation below.
But if you commit any of the following infringements, you risk fines of up to €12 million (around $22 million) or up to 4% of your annual global turnover of the previous year, whichever is higher:
- Fail to meet the basic principles for processing data, including conditions for consent
- Infringe upon the rights of data subjects
- Fail to meet international data transfer requirements
- Don’t comply with obligations outlined by specific Member State laws
- Don’t comply with an order or temporary limitation on data processing as directed by a compliant supervisory authority
Below, see another screenshot of Article 83 outlining these higher fines.
You may also be directed to cease processing personal data, or face other instructions from the relevant supervisory authority.
On top of these punishments, you also risk facing public scrutiny and losing the trust of your consumers. Internet users today know that companies who receive GDPR fines weren’t appropriately protecting or collecting their personal information.
Find out how important GDPR compliance is to your consumers by checking out these shocking data privacy statistics.
How Termly Helps Your Business Comply With the GDPR
You can use a combination of Termly products to help your business legally, easily, and affordably comply with all aspects of the GDPR, like our:
- Policy generators and templates
- Consent management platform
- DSAR Forms
Let’s discuss how each of these solutions can help your business with GDPR compliance in a little more detail.
Policy Generators and Templates
When filled out accordingly, our Privacy Policy Generator or privacy policy template can help you meet all business obligations regarding the consumer privacy rights outlined in Chapter 3, Articles 12 – 23 of the GDPR.
Privacy Policy Generator
According to this regulation, it’s your responsibility as the data controller to take appropriate measures to inform users about your data collection practices. Our tools allow you to create a privacy policy that fulfills these requirements — we highlighted relevant sections of the regulation below.
With our Privacy Policy Generator, you simply answer straightforward questions about your business, and it automatically creates the document for you.
The entire process is quick and there’s a save feature if you want to pause and come back to finish it later on. Our customer support team is also around if you ever have questions.
See an example of the GDPR portion of our Privacy Policy Generator in the screenshot below.
Privacy Policy Template
Using our free template is still easy but takes more effort as you manually fill in blank sections with details about your business and must ensure the information is accurate and complete. This requires a little more legal knowledge.
See what our GDPR-compatible privacy policy template looks like below.
Whatever you choose, both tools help with compliance. Our legal team and data privacy experts work on all of our policy generators and templates to ensure they meet privacy laws like the GDPR, the amended CCPA, and more.
Consent Management Platform
You can easily configure our Consent Management Platform (CMP) to meet all legal consent requirements and guidelines outlined by Articles 6 and 7 of the GDPR.
According to the text, obtaining active, explicit user consent is one of the legal bases for collecting and using personal information, as highlighted below.
You can use our GDPR-compliant consent banner to provide your users with a privacy policy and cookie policy — keeping them adequately informed — and to request legal opt-in consent.
Below, see a screenshot of the GDPR-related settings in our CMP tools.
Since cookies and other trackers qualify as personal information under this regulation, our Cookie Scanner checks your site, categorizes the cookies, and generates a compliant and accurate cookie policy that updates whenever another scan occurs.
Your users can update their consent preferences easily and at any time within a preference center, and we’ll store logs of their consent choices following Article 7 of the regulation.
Data Subject Access Request (DSAR or SAR) Forms
We provide compliant Data Subject Access Request forms, or DSAR or SAR forms, to help you meet the GDPR obligations surrounding users’ rights to access personal information collected about them outlined in Article 15.
To get access to the DSAR form, use our Consent Management Platform. Or, you can sign up as a Pro+ member and gain access to this along with the rest of our comprehensive suite of solutions.
Summary
With this guide and checklist in your toolbox, you’re fully equipped with the necessary resources to set your website or app up for full GDPR compliance.
- Privacy policy
- Cookie policy
- EULA (for software)
- Consent banner
- Consent management platform
- DSAR forms
- DPA
You can make these documents on your own. But to simplify the process even further, check out our full suite of GDPR-compliant website solutions.
James Ó Nuanáin, CIPP/E, CIPM, CIPT" width="150" height="150" />More about the author
Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT
James is an Information Privacy Professional with over seven years of experience assisting large organizations comply with their obligations under the GPDR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology. More about the author
