Identify and document personal data that your website collects
2
Check if your methods of data collection are GDPR compliant
3
Secure consent for collecting personal data
4
Define how the data will be stored and processed
5
Adopt data encryption and pseudonymisation techniques
6
Set up procedure for responding to data subject access requests
7
Approval: Legal Team Review of Data Collection and Processing Techniques
8
Create a data breach notification plan
9
Ensure ongoing data privacy impact assessment (DPIA)
10
Implement ‘Right to Erasure’ process
11
Train staff members for GDPR compliance
12
Review third-party data processors for GDPR compliance
13
Update Privacy Policy and Cookie Policy
14
Add explicit opt-in choice for marketing communications
15
Create procedure for parental approval when collecting data from minors
16
Approval: Review Updated Privacy Policy
17
Perform annual reassessment of GDPR compliance
18
Update data subjects about their rights under GDPR
19
Maintain a record of data processing activities
Identify and document personal data that your website collects
Identify and document all the personal data that your website collects. This includes information such as names, email addresses, phone numbers, and any other data that can be used to identify individuals. Understanding the scope and types of personal data collected is essential for ensuring GDPR compliance. It will help you assess the risks associated with data processing and determine appropriate measures to protect individuals' privacy and rights.
Check if your methods of data collection are GDPR compliant
Evaluate the methods and techniques used to collect personal data on your website. Review the user interface, forms, cookies, and plugins to ensure they comply with GDPR requirements. Identify any areas where improvements are needed to meet the standards for transparency, fairness, and lawfulness of processing. Consider implementing mechanisms such as cookie banners, privacy notices, and consent checkboxes to enhance compliance and empower users.
1
Forms
2
Cookies
3
Plugins
4
User interface
1
Cookie consent
2
Privacy notice
3
Consent checkboxes
4
Transparency
Secure consent for collecting personal data
Design and implement a mechanism for obtaining explicit, informed, and freely given consent from individuals before collecting their personal data. This can be achieved through consent checkboxes, cookie banners, or specific consent pages. Ensure that individuals are fully informed about the purposes of data processing, how their data will be stored and used, and their rights under the GDPR. Establish a process to record and manage consent information to fulfill accountability obligations.
1
Consent checkboxes
2
Cookie banners
3
Consent pages
Define how the data will be stored and processed
Establish clear and documented procedures for storing and processing personal data collected by your website. Determine the legal basis for processing and identify appropriate security measures to protect against unauthorized access, disclosure, alteration, and destruction of data. Consider factors such as data retention periods, data minimization, and data accuracy to ensure compliance with GDPR principles and requirements.
1
Consent
2
Contractual necessity
3
Legal obligation
4
Legitimate interests
Adopt data encryption and pseudonymisation techniques
Implement encryption and pseudonymisation techniques to enhance the security and privacy of personal data. Encryption helps protect data during transmission and storage, while pseudonymisation replaces identifiable information with pseudonyms, making it more difficult to link data to an individual. Assess the adequacy of encryption algorithms and mechanisms, and ensure that pseudonymisation is reversible only with proper controls and safeguards.
1
SSL/TLS
2
AES
3
RSA
4
PGP
5
HMAC
1
Tokenization
2
Hashing
3
Randomization
4
Obfuscation
5
Anonymization
Set up procedure for responding to data subject access requests
Establish a procedure to handle data subject access requests (DSARs) efficiently and in compliance with GDPR requirements. Define how to receive and verify requests, process them within the legally required timeframes, and provide individuals with access to their personal data. Ensure that the necessary information is promptly gathered and that appropriate steps are taken to protect the rights and freedoms of the data subjects throughout the process.
1
Request validation
2
Data retrieval
3
Identity verification
4
Response drafting
5
Legal compliance
Approval: Legal Team Review of Data Collection and Processing Techniques
Will be submitted for approval:
Identify and document personal data that your website collects
Will be submitted
Check if your methods of data collection are GDPR compliant
Will be submitted
Secure consent for collecting personal data
Will be submitted
Define how the data will be stored and processed
Will be submitted
Adopt data encryption and pseudonymisation techniques
Will be submitted
Set up procedure for responding to data subject access requests
Will be submitted
Create a data breach notification plan
Develop a clear and comprehensive data breach notification plan to minimize the impact of any security incidents involving personal data. This plan should define roles and responsibilities, specify communication channels, and outline the steps to be followed in the event of a data breach. Make sure you are prepared to detect, report, and investigate breaches, promptly notify affected individuals, and coordinate with relevant authorities in compliance with the GDPR.
1
Detection and assessment
2
Containment and recovery
3
Notification
4
Investigation
5
Remediation
Ensure ongoing data privacy impact assessment (DPIA)
Incorporate a systematic and regular data privacy impact assessment (DPIA) process into your data processing activities. The DPIA helps identify and minimize privacy risks, ensuring that adequate safeguards are in place to protect personal data. Evaluate the necessity and proportionality of data processing operations, considering factors such as the nature, scope, context, and purposes of processing. Document the DPIA findings and take appropriate measures to address any identified risks.
1
Determine the need for a DPIA
2
Assess privacy risks
3
Identify measures to mitigate risks
4
Document findings
Implement ‘Right to Erasure’ process
Establish a process to respond to requests for the erasure of personal data in compliance with individuals' rights under the GDPR. Define how to receive and validate erasure requests, assess their validity and feasibility, and ensure the secure and permanent deletion of the requested data. Develop a clear timeline for the erasure process and communicate the outcome to the data subject.
1
Request validation
2
Data assessment
3
Secure deletion
4
Outcome communication
Train staff members for GDPR compliance
Provide training and awareness programs to staff members involved in personal data processing activities. Educate them about the GDPR principles, rights, and obligations, as well as the company's policies and procedures for ensuring data protection. Regularly update and reinforce GDPR training to keep staff members informed about evolving requirements and best practices to maintain compliance.
Review third-party data processors for GDPR compliance
Assess the GDPR compliance of third-party data processors that handle personal data on behalf of your organization. Perform due diligence to identify potential risks, evaluate their data protection measures, and ensure their alignment with the GDPR requirements. Document the results of the review and establish clear contractual clauses to regulate data protection responsibilities and liabilities with the third-party processors.
Update Privacy Policy and Cookie Policy
Review and update your Privacy Policy and Cookie Policy to align them with the GDPR requirements. Ensure that these policies provide clear, concise, and comprehensive information about the personal data processing activities carried out on your website, including the legal basis, purposes, retention periods, and individuals' rights. Make the policies easily accessible and regularly inform users about any updates or changes.
Add explicit opt-in choice for marketing communications
Implement an explicit opt-in mechanism for collecting consent from individuals who wish to receive marketing communications. Ensure that individuals have the choice to give their consent freely, that consent is specific to marketing communications, and that it is separate from other purposes of data processing. Provide clear information about the types of marketing communications and the means to opt-out in the future.
1
Email
2
SMS
3
Phone
4
Postal mail
5
Social media
1
Consent checkbox
2
Separate consent page
Create procedure for parental approval when collecting data from minors
Develop a procedure to obtain parental or guardian consent when collecting personal data from individuals under the age of consent. Implement age verification measures to ensure that the data subject is a minor, and establish a process for obtaining verifiable consent from a parent or guardian. Provide clear instructions and information to parents or guardians about their rights and the processing of their child's personal data.
1
Obtain verifiable consent
2
Provide information to parents
3
Record parental consent
Approval: Review Updated Privacy Policy
Will be submitted for approval:
Update Privacy Policy and Cookie Policy
Will be submitted
Perform annual reassessment of GDPR compliance
Conduct an annual reassessment of your website's compliance with the GDPR. Review the effectiveness of your data protection measures, assess any changes in data processing activities or legal requirements, and identify areas for improvement. Keep up-to-date records of the reassessment process, including the findings, actions taken, and future steps to maintain and enhance GDPR compliance.
Update data subjects about their rights under GDPR
Regularly inform data subjects about their rights under the GDPR and how they can exercise them. Ensure that individuals are aware of their rights, such as the right to access, rectification, erasure, restriction of processing, and data portability. Develop clear and user-friendly communication channels and mechanisms to facilitate the exercise of these rights, and provide guidance on how individuals can contact the relevant data protection officer or supervisory authority.
1
Right to access
2
Right to rectification
3
Right to erasure
4
Right to restriction of processing
5
Right to data portability
Maintain a record of data processing activities
Establish a comprehensive record-keeping system to document all data processing activities carried out by your website. This includes information about the purposes of processing, categories of personal data, recipients of data, data transfers, and retention periods. Maintain an up-to-date and organized record to demonstrate compliance with the GDPR's accountability principle and facilitate cooperation with supervisory authorities during audits or investigations.