6 Key Steps to Ensure GDPR Compliance – The Steps You Need to Take Right Away

Not everyone can be a GDPR compliance specialist, but that doesn’t mean you should ignore data protection and privacy, especially if you run a business. Even though much talk has been made about GDPR compliance, being GDPR-ready is not a one-time project. It’s an ongoing approach to business.

Trusting the people we share our data with (looking at you, Facebook!) is a big part of how we do business online. When a company needs personal data to run its service, the user should be aware of why and how it is used so they can decide upon the service.

This is why GDPR puts more responsibility on organizations and increases the rights of individuals.

Some consultants we talked to say that there is no such thing as being 100% GDPR compliant. It’s more about taking a look at data and processes from an “ethical” standpoint and not as much about “tools” or “checklists”.

So, don’t search for a template; each organization has its own way of doing things. Try to develop an efficient data protection and privacy strategy based on your own scenario. This guide is just a starting point with a high-level, general approach. Ideally, you will need to dig into each area of your business and look at how you collect, process, disclose, store and delete data.

💡 This guide is purely for guidance and does not constitute legal advice or legal analysis. Organizations may need to seek independent legal advice for specific legal issues or queries.

Do I need to be GDPR compliant?

The General Data Protection Regulation (GDPR) encompasses several European privacy laws. However, these restrictions and guidelines don’t only apply to European businesses and websites.

Technically, everyone should comply with the GDPR due to the wide scope of the regulations. Still, there is some flexibility in their interpretation.

For instance, if your business is based in the European Union and targets European customers, you’ll need to meet the requirements of the GDPR privacy policy.

If your website is based outside the EU and only receives the occasional European visitor (but doesn’t explicitly target them), this is a slightly different matter. However, to be on the safe side, it’s still worth making your website GDPR compliant.

For more information on these regulations, we recommend checking out this article on location-based compliance with GDPR. This way, you can make an informed decision, one which safeguards user data and protects your business against potential fines and legal action.

6 steps to ensure GDPR compliance

Here are six steps to meet the GDPR compliance requirements on your website!

Step 1: Know the key concepts and articles regarding GDPR

Being GDPR compliant is not just about “fixing a website”. It’s part of your entire organization.

There are only a few situations where businesses don’t process information. In most cases, there are different levels of key personnel (HR, IT, marketing, security teams) that interact with customers’ data and, therefore, should be aware of the General Data Protection Regulation. It isn’t a one-person show. You need both technical and legal implementations.

Understanding the terms is a big step. Here are some that we will use in the guide and will help you navigate GDPR:

  • Data subject – a natural person whose personal data is processed by a controller or processor.
  • Data controller – the entity that determines the purposes, conditions, and means of processing personal data.
  • Personal data – any information related to a natural person (data subject) that can be used to directly or indirectly identify that person.
  • Data processor – the entity that processes data on behalf of the data controller.

Next, get yourself familiar with the articles below. This will make your transition to the GDPR less difficult.

  • Art. 5: Principles relating to the processing of personal data.
  • Art. 6: Lawful bases for processing personal data.
  • Art. 12–22: Data subject rights (access, data portability, right to be forgotten, etc.).
  • Art. 25 & 32: Organizations must implement the protection measures necessary to safeguard the personal data of data subjects.

⚡ Action steps:

  • Take your time to read the law.
  • Check out our Complete WordPress GDPR Guide.
  • Process user data carefully. Treat it as you would treat trade secrets.
  • Evaluate your products, services, tools, providers, etc., according to GDPR dispositions.
  • Brief your collaborators on GDPR risks and benefits.

Step 2: What to do for GDPR compliance now

You should take action in a handful of different areas:

2.1. Data mapping

An important step towards compliance with GDPR is understanding how data moves through your organization. Documenting the way information flows in your company by making an inventory helps you demonstrate that you comply. A good starting point is this data map: GDPR Data Map Template.

[Figure: GDPR compliance data map]

Mapping the data flow will also help you identify areas that could cause GDPR compliance problems. Remember that processing operations can be conducted only if the data controller can rely on at least one lawful basis. The most appropriate lawful basis will depend on the personal data being processed and the purposes of the processing.

2.2. Privacy Policy

Review and update your current Privacy Policy. This is the first place people will look to check for GDPR compliance.

You must communicate to individuals the legal basis for processing the data, retention periods, the right to complain when customers are unhappy with your implementation, whether their data will be subject to automated decision-making, and their rights under the GDPR.

Furthermore, you must provide the information in concise, easy-to-understand, and clear language.

2.3. Training

The GDPR is a business change project – the people you work with need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance.

Share this article with the people who need to be informed.

⚡ Action steps:

  • Map and document data streams performed by data processors.
  • Be fully transparent to the user who is giving up their information.
  • Give informative notice to your employees, vendors, and clients per Art. 13 of GDPR.
  • Configure your consent method to use explicit/active consent when processing sensitive personal data on your website.

Step 3: GDPR compliance steps to take next

Data controllers should always cooperate with the Supervisory Authority regarding the fulfillment of their tasks.

Schedule regular audits of data processing activities and security controls in your organization. Keep records of personal data processing up to date for proof of consent.

3.1. Check what other vendors are doing

Because the GDPR has no clear-cut rules, the market will have to devise different tactics to ensure compliance without sacrificing user experience. A lot of companies have come out with new features, so be sure to check competitor websites for changes and best practices in your niche.

3.2. Report data breaches

You should make sure you have the right procedures in place to detect, report, and investigate both internal and external data breaches. Think carefully when setting up your data breach matrix; base it on breach severity, the number of data subjects affected, the type of personal data involved, etc.

Typically, you must report data breaches to the Supervisory Authority within 72 hours unless the personal data was anonymized or encrypted.

3.3. Continue working on operational policies, procedures, and processes

As mentioned before, privacy is not a one-time project. It is continuous work to make sure that the data you collect is safe and used with a proper scope. You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.

⚡ Action steps:

  • Design a data breach reporting mechanism.
  • Bring all the internal procedures in line with the GDPR and privacy policies.
  • Review and update employee, customer, and supplier contracts.
  • Secure personal data through appropriate organizational and technical measures.
  • Verify if data transfers outside the EU are compliant with GDPR requirements. Do not forget about the transition points.

Step 4: Website adjustments

This topic is a little bit controversial, especially for developers and marketers. I would say that adjusting forms and getting consent for cookies should fix 80% of the issues. However, keep in mind this is not legal advice.

4.1. Opt-In Forms

This is the standard way businesses gather information, so you must adjust all the forms you use. There isn’t a consensus on how to best do this, but we are following our email service provider’s recommendations.

4.2. Cookie Consent

The short version: inform your visitors in plain language about the purpose of your cookies and trackers before setting anything other than strictly necessary cookies.

There are different ways companies implement this, and the GDPR reference to cookies doesn’t clear things up. Sure, there are so-called functional cookies that are used for a session, but you need specific consent to set a cookie to track the user.

Be aware that another European regulation (ePrivacy) is in the works, which will regulate cookies even further.
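To show what "nothing but strictly necessary cookies before consent" looks like in code, here is an added example (written for this article, not the site's or any vendor's own consent code) of a default-deny consent gate: the consent record lives in a first-party cookie, is tied to a policy version so that changing the cookie policy forces re-consent, and tracker loaders run only for categories the visitor opted into. The cookie name gdpr_consent, the POLICY_VERSION constant and the category names are assumptions.

```javascript
// Consent-gated cookie/tracker loading (example code, not from the article).
// CONSENT_COOKIE, POLICY_VERSION and CATEGORIES are assumed names for this demo.
const CONSENT_COOKIE = "gdpr_consent";
const POLICY_VERSION = 2; // bump whenever the cookie/privacy policy changes
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Parse the consent record out of a document.cookie-style string. Returns null
// when no record exists, it is malformed, or it was given under an older policy
// version; in every null case the visitor must be asked again (default deny).
function parseConsent(cookieString) {
  const re = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)");
  const m = re.exec(cookieString || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec.version !== POLICY_VERSION) return null;
    if (typeof rec.choices !== "object" || rec.choices === null) return null;
    return rec;
  } catch (e) {
    return null; // corrupted or tampered value: treat as no consent
  }
}

// Serialize the visitor's choices into a Set-Cookie/document.cookie value.
// "necessary" is always true; every other category is true only if explicitly opted in.
// Storing the consent record itself is strictly necessary, so it needs no consent.
function buildConsentCookie(choices) {
  const rec = { version: POLICY_VERSION, ts: Date.now(), choices: {} };
  for (const c of CATEGORIES) {
    rec.choices[c] = c === "necessary" ? true : choices[c] === true;
  }
  const value = encodeURIComponent(JSON.stringify(rec));
  return CONSENT_COOKIE + "=" + value + "; Path=/; Max-Age=15552000; SameSite=Lax; Secure";
}

// Strictly necessary cookies are always allowed; anything else needs a valid record.
function isAllowed(consent, category) {
  if (category === "necessary") return true;
  return consent !== null && consent.choices[category] === true;
}

// Run each tracker loader only if its category is allowed; report what was loaded.
function applyConsent(consent, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(consent, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}
```

In a page you would call `applyConsent(parseConsent(document.cookie), loaders)` on load and again after the visitor submits the banner, so analytics and marketing scripts never execute before an opt-in.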

Step 5: Other GDPR compliance issues to consider

Here are other aspects of the GDPR that are no less important:

5.1. Data transfer and disclosure

Keep an eye on personal data transfers. Make sure that your data processors will ask for your approval whenever they intend to transfer data outside the EU/EEA. The same rules apply when data processors intend to subcontract part of the services they provide.

5.2. Data Protection Impact Assessments (DPIAs)

The GDPR introduces mandatory DPIAs for organizations involved in high-risk processing, such as deploying new technologies, a profiling operation likely to affect individuals significantly, large-scale monitoring of a publicly accessible area, etc.

5.3. Legitimate Interests Assessments (LIAs)

Unlike DPIAs, LIAs are just a best practice developed mainly by privacy specialists. They cover all the situations in which a data controller seeks to rely on legitimate interests (marketing operations, etc.). An “interest” can be considered “legitimate” as long as the data controller can pursue it in a way that complies with data protection and other laws.

5.4. Data Protection Officers

The GDPR will require some organizations to designate a Data Protection Officer (DPO). Organizations requiring DPOs include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations that process what is currently known as “sensitive personal data” on a large scale.

5.5. Processing Children’s Data

If your organization processes data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians. The GDPR has specific provisions for children under 16 years old (see Art. 8 of the GDPR).

Step 6: Monitor and audit

Businesses must acknowledge that being transparent about how data is used and protected is now required by law. Each organization (including charities and public sector entities) must define a scope for collecting specific data.

You should only collect the personal information needed to provide the service or product and nothing more. Also, the data should not be shared for other unrelated purposes.

Another important point is to keep the data secure from attackers, accurate, and up to date, and to delete it after a set retention period.

The General Data Protection Regulation leaves lots of room for improvement when it comes to protecting individuals. This is why the future ePrivacy Regulation will bring even more transparency, especially in Big Data, shedding some light on the occurrence and purpose of analytics. This should be reason enough to monitor and audit your data regularly.

Don’t stop here. Go to the official resources we used for this guide and learn about privacy.

Conclusion

In the end, there are levels of compliance, and you should decide which one fits you based on a lot more factors than the ones listed here. However, this is a great start to get you going in the right direction and toward GDPR compliance. Of course, as a business, we all need to keep ourselves competitive in the marketplace, so there will be some trade-offs.

How are you preparing for GDPR compliance? Share your best practices in the comments section below!

Comments
Marius Vetrici
May 28, 2018 2:31 pm

Thanks for the article, Claudiu. Really appreciate it.

TammyRose
May 22, 2018 12:47 pm

That is really interesting! We all love reading and we are always searching for informative information like this!

Ryan Biddulph
May 20, 2018 10:21 am

CD I just read how WordPress included that nifty comment disclosure – below comments – with its latest update. So smart. Would do the trick for me because I don’t grow a list, and only store data via comments published on my blog.
Ryan
