The GDPR Simplified with Checklist for Site Owners to Stay Compliant

The GDPR is now in effect. Learn about your rights as a user, and your responsibilities as a website owner, as of 25 May 2018.

The GDPR (General Data Protection Regulation) has been in the works for over 4 years. So why, all of a sudden, is every business sending you an update to their privacy policy, or sending emails asking for your consent to have your data collected? The short answer is that until 25 May 2018, these regulations were mere suggestions for how a business should operate their data collection policies. But now, they are enforceable by law.

Much of what the new regulations require of businesses is very straightforward. On the user end, however, despite the fact that one of the new regulations is that language for consent must be clear and unambiguous, many of the regulations seem complex and difficult to understand. But here at TechBoomers, we believe that everyone – especially the casual technology user – should be able to understand what’s going on and how things work. So this article will break down everything you need to know about the new GDPR rules.

In this article, we’ll explain:

What is the GDPR?
What is considered “personal data” under the GDPR?
What does the GDPR mean for users?
User checklist of what to do
What does the GDPR mean for your organization’s website?
Site owner checklist of what to do
Terms you may not understand: explained
More helpful resources for understanding the GDPR

61% of infosec pros genuinely believe that the GDPR will genuinely protect consumer’s privacy, so read on to learn everything you need to know about what the GDPR means for you.

What is the GDPR?

The GDPR is a set of regulations enforceable as of 25 May 2018 that requires any business operating within the EU digital economy to better protect user privacy in the online world. Companies must make users aware of how and why the collect their data, and proactively protect it from possible breaches.

These regulations have been in effect in EU countries since 2015, and have been followed by many EU businesses. Prior to the 14 April 2018 approval however, they were seen as suggestions, and were not legally binding. The new regulations force any entity operating within the EU, which includes essentially any website in the world that a person residing in the EU can access, to follow them or be fined €20 million or up to 4% of their annual global turnover.

Sanctions and fines will, of course, depend on the severity of the breach of these regulations. A significant breach in which all users’ names, addresses, and credit card numbers have been obtained is obviously more substantial than failure to appoint a qualified Data Protection Officer. Regardless, all new regulations laid out in the GDPR should be taken seriously, and certainly will make businesses more aware and cautious about how they protect their users’ privacy.

What is considered “personal data” under the GDPR?

Personal data, as defined by the GDPR, includes any information that can uniquely identify a user. This includes names, addresses, photos, IP addresses, genetic or biometric data, and much more. The GDPR extended the number of things that are considered data, to protect any unique component of a user.

What does the GDPR mean for users?

If you’re a user of any website, the GDPR is here to protect you – it is all about your new rights! The EU wants you to be fully aware of them so you can protect your privacy and use websites with full knowledge of what they are doing with your information. This is a brief summary of the new rights you have under the GDPR.

A right to: know how your data is collected and processed

The privacy policy of any business should clearly explain when they collect your data, how they do it, and where they store it. If it doesn’t, they are required to explain this to you in a way that you can understand.

A right to: know exactly what the website is doing with your data

You know the how, but what exactly do they do with your information? Is it given to third parties? Is it sold? Is it used for internal purposes only? You need to be aware of this to determine whether this website is one you want to use or not.

A right to: opt-out immediately if you don’t like it

The website must immediately explain to you if they are tracking you in any kind of way – before you actually use the website. If you don’t like what they are doing, you can decline the website using cookies to track you. The website has the option of not using the cookies and allowing you to use the site, or of preventing you from accessing it further if you do not agree with their policies.

A right to: understand with clear, general language, what is going on

If the way this organization explains what they are doing with your data is too confusing, or if at any time you don’t understand it, then the company likely needs to update their policy. Contact someone in customer service and ask them to explain the parts you don’t understand. Then suggest they update their policy to use the simpler terms they explained to you so that all users have a better grasp of what they are doing with user data.

A right to: know when your data has been hacked/there has been a breach

The GDPR’s most serious sanctions are reserved for companies who leave themselves open to a breach of user data, and especially those that fail to act on it. If your information is compromised in any way, the entity must notify you with 72 hours. They must explain what was compromised, how it was compromised, and what they intend to do to prevent that from happening in the future. This new regulation makes a lot of sense, given how frequently serious data breaches have occurred over the past 15 years.

A right to: be forgotten

If at any time in the future you want your data to be removed or erased, you have a right to this now. Even if you provided consent to data collection in the past, you are able to contact an organization and request that your information be permanently erased. If you do, they are not allowed to keep your data, even if you already agreed to them doing so in the past.

User checklist of what to do

Now that you are aware of your rights as a user, there are a few things you should be doing to make sure the online services you use comply with these new standards.

1. Think about what you are currently in agreement to

In the past, how many times have you clicked “accept” without actually reading a website’s terms of service and privacy agreement? Probably quite frequently, and so have a lot of other people. As a collective, we need to put a stop to this attitude and start doing some reading. A website’s privacy policy usually isn’t that long, and now, it needs to be stated in clear, easy-to-understand language.

Start giving these a read, and stop just agreeing to things you don’t understand. It only takes 5 minutes to skim a privacy policy. If it makes the difference between keeping your information private and having it loosely protected, it’s worth it, don’t you think?

2. Think about the types of services you use and pinpoint the biggest potential risks

Think about the sites and apps you use every day, and identify the services where a breach of data privacy would hurt you the most: places you put in your credit card information, social security number, home address, or telephone number. Make sure you read these updated privacy policies, and understand both what the organization is doing with this information, and what they would do in the case of a data breach.

Make sure you also stay wary of possible phishing scams using the GDPR as a guise for obtaining your information. If you receive an email from a website or app you use, they won’t be asking for more information; they will be asking for your permission to keep the information on you that they already have! So don’t click any suspicious links in emails, or provide any additional information to anyone. Watch out for scams like this appearing to be from Airbnb while trying to steal your credit card information.

3. Reach out to the business if you didn’t receive an update/are unsatisfied with their privacy policy

If you didn’t receive an email with an updated privacy policy for a site you use, and you’re concerned about how they will protect your data, make sure you review their privacy policy now. Simply Google “[site name] privacy policy” and read through it. You previously agreed to it, so you better understand it. If you can’t understand it, contact the organization, inform them that their policy isn’t in clear language, and have someone explain it to you in terms you can understand.

What does the GDPR mean for your organization’s website?

If you don’t have a proactive privacy protection plan in place, your organization could be headed for trouble; you’re opening yourself up to future fines and sanctions if you don’t comply with the GDPR. The old relaxed viewpoint of “guidelines” is gone; with the GDPR, you now have regulations that legally bind you to protect your users’ data and make sure they are informed of what you do with it.

One of the most important changes is that geographical borders are no longer relevant to data protection. If your website, app, or service is available to anyone within the EU, you are responsible for adhering to these regulations. The other most important point is that you are most likely to receive a fine if you are responsible for a breach of data, and you a) could have easily prevented it, or b) are not transparent about it and do nothing to respond to it to help your users.

If you’re unsure about what exactly it is you need to start doing, read the checklist below. In most cases, you’ll likely find you are already at least partially adhering to these regulations – you just need to spruce up your policies or put plans in place to be a little more proactive.

Site owner checklist of what to do

You are now aware of your responsibilities. They may seem like a lot; are you ready for this shift? Where do you start? Is what you’ve done so far to comply really complying? Even the U.K. plans to comply in entirety with the GDPR, despite Brexit; so you should, too. This checklist will help you make sure you’ve done what you need to do to protect your users.

1. Identify the channels you use to collect data

This is quite obviously step 1. Make a list of all the ways in which you obtain any form of information from your users. These might include:

Newsletter subscriptions
User profiles
User accounts
Images sent in to your service
Tracking locations
Tracking where users come from/go to on your site

…and many other things. You need to know every avenue through which data is coming into your website so you can figure out what needs to be done at each step to ensure you are compliant with the GDPR.

2. Update every channel of data retrieval so that consent is clear and obvious

Once you know where the data is coming from, you need to make sure each step has clear and obvious consent when the user agrees to have you collect their data or information. All language needs to be clear – no legalese, no confusion – just simple, clear language that any average person can understand. If they have to sit and mull over 2-3 sentences that explain why you are collecting their data, you aren’t doing this right.

Make sure you update (or put into place) a privacy policy, cookie consent notice, subscription consent, user signup consent, and anything else you identified in step 1. If you want to see a great example of a thorough but clear and simple privacy policy, check out this one on Expedia.

3. Re-contact anyone if consent wasn’t explicit and clear in the past

If you noticed through this check-up that your consent was not very clear in the past, you need to reach out to any person who has agreed to your service, or whose data you control in any way. This is technically only true of users who reside in the EU, but it is good practice to make sure you take all your users’ privacy seriously. Make sure they consent to your control of their data now. If they decline or don’t respond, it is your responsibility to permanently delete that information.

4. Get rid of info you collected that did not comply, or information you simply don’t need

Identify any forms of data you collected without asking for consent, as well as information you have but simply don’t need anymore. For example, if your service used to require phone numbers for verification, but no longer does, permanently remove any of that information.

If you don’t need the data for any reason currently, or you obtained it without consent, ask yourself: why are you still keeping it? It’s safer to get rid of it and protect your users than be fined for harboring information you don’t even need.

5. Appoint a Data Protection Officer (DPO)

A Data Protection Officer is a person who would be responsible for all levels of the data coming into your website. This person would deal with any issues related to user privacy, and make decisions based on policies regarding privacy.

Though this would be a good practice for any entity, some companies simply don’t have the resources to employ a person solely for this reason. In many cases, this is because your site does not obtain data in large enough quantities for this to be a necessity. You are only required to have a Data Protection Officer if your entity:

Is a public authority
Engages in large-scale systematic monitoring
Engages in large-scale processing of sensitive personal data

If your organization doesn’t do any of these three things, then you probably don’t need a DPO. You do, however, need at least one person who is versed in the GDPR, what it means, and what you are responsible for.

6. Make all employees aware of the GDPR, and what their responsibilities are

Especially in the case of customer-facing employees, you want to make sure your employees know what they need to do to assist users through any issues related to data or privacy protection. This would be the responsibility of the DPO (if you have one). Make sure that, at every level, your employees know what they need to do to comply with any issue that will arise in the future.

7. Put a data breach plan into place

As we mentioned above, one of the most serious issues related to these new regulations is what happens if your organization leaves itself vulnerable to a breach of data. If your users’ information is compromised in any way, your company is liable for that, and may face fines and other discipline. However, what you do proactively to prevent a breach, and how you respond to one if it does happen, will greatly affect the severity of the consequences against your company. Here’s a rundown of what you need to know:

By law, a breach needs to be reported to your users within 72 hours
The reporting must include information including the categories of information exposed, the number of users who were compromised, and the categories and numbers of personal data records concerned
Transparency during this process is your best bet at not being fined, or reducing the fines coming at you
You must explain the situation and communicate it clearly to all employees, especially those who will be responding to and assisting customers that have concerns about their data
Create a social media response and make sure you have enough available employees to respond to social media outreach from users
Publicly publish as much information as you can, as fast as you possibly can, explaining what happened with the breach
Direct users across as many channels as possible (newsletter, emails, social media, website popups, etc.) to a blog post or micro-site that explains what happened.
Provide your users with clear instructions for filing complaints, reporting suspicious behavior, or getting assistance from your organization
Provide constant updates going forward until the situation is resolved

By creating a plan for each of these steps before there is a breach of data, you will be much more likely to handle the situation in a way that is satisfactory to not only the EU Commission, but your users as well. On the other hand, failing to prepare for a breach will not only certainly result in fines, but will probably encourage your users to ditch your service in favor of one that better protects their information.

Terms you may not understand: explained

Many of the terms thrown out to make sure you are compliant or understand your rights are surprisingly unclear. Here are some definitions that anyone can understand about what they really mean.

Consent: A person must actually agree to you using their data, as well as understand what it is being used for. If they haven’t in the past, you need to either get their consent now or remove their data.
Cookie consent notice: A banner/pop-up immediately noticeable on your webpages that explain how and why you use cookies. It must also offer the user a chance to opt-out of using your service before their data is collected.
Data breach notification: An explanation to your users that a breach has occurred with their data. You must tell them what was compromised, what it means for them, and what you are doing to ensure this does not happen again in the future.
Data Erasure or “Right to be Forgotten”: A person has the right to have their data erased, prevent further dissemination of it, and prevent third-parties from further processing of the data. This includes situations where the data is no longer relevant to the service being provided, or the person later withdraws their consent.
Data portability: A person can receive the data collected about them in a commonly-readable format, and can transmit that data to another party if they so choose.
Data Protection Directive: The previous version of the GDPR that contained most of these regulations, but as suggestions only for businesses operating within the EU.
Data Protection Officer (DPO): A person appointed to be in control of data collection, protection, and all other things concerning a users’ data privacy. This is really only necessary for organizations that collect and use data on a larger scale, or are a public/governing entity.
Directive: A legislative act that is seen more as a goal for entities to aspire to achieve. This is opposed to a regulation, which is a binding legislative act that an entity must abide by.
EU Digital Single Market: Digital economy activity taking place related to any businesses or person residing in the EU.
“Extra-territorial applicability” or “Increased territorial scope”: The GDPR rules apply not just to businesses operating in the EU, but to any business possessing the data of citizens within the EU.
Personal Data: Any information that uniquely identifies a user, either directly or indirectly. Common data items include name, location, and identification number.
“Privacy by Design”: When you are designing your system, it needs to have privacy in mind from Stage 1 – not as an afterthought to what you have created.
Pseudonymisation: Data is stored in such a way that it cannot be understood without the use of additional information (such as a decryption key).
“Right to Access”: A person’s right to know whether or not their data is being processed, where it is being used, and for what purpose you are using it.