Updated 4/29/25, 3:15?PM
In our digitized world, businesses can collect and store a huge amount of consumer data. In many cases, they do so with good intentions, such as to improve and personalize the services they offer.
However, as online activities increase, so do concerns over privacy, security, and cybercrime. This is exemplified by the fact that 87% of consumers now think data privacy is a human right.
That’s why legislation such as GDPR was brought in to protect the rights of all consumers. In this post, we look at what GDPR means for your organization and show you the ultimate checklist to ensure your website complies.
GDPR stands for General Data Protection Regulation. This is a strict privacy and security law that sets out when and how online businesses can collect, process, and store personal data.
The legislation was passed by the European Union in 2016 and came into force on May 25th, 2018, replacing the Data Protection Directive 95/46/EC. It was designed to increase data privacy for all EU citizens no matter where they are, giving them more control over how their personal information is collected, used, and protected online.
GDPR applies to all organizations engaged in “professional or commercial activity” (not to “purely personal or household activity”). This includes organizations with HOA websites, education sites, or any other online presence doing business with EU citizens, which must be able to prove their compliance.
GDPR states that organizations must follow seven key principles:
We’ll go into more detail on these below.
Personal data means any information relating to an identifiable individual. This can include identification information such as your name, home address, email address, and photos; financial information; medical details; social media posts; or your computer’s IP address.
Here’s the thing: GDPR applies to organizations from anywhere in the world if they collect or use data related to EU citizens. You might not have physical premises in the EU or even an EU website, but if you offer goods or services to EU citizens, or track EU visitors to your site, you must comply.
It’s not always clear how strictly this will be interpreted—for instance, what if a Spanish citizen stumbles across your website while visiting the US—but it’s better to be safe than sorry.
Apart from the fact that everyone has the right to privacy, GDPR helps protect consumers from cybercrime, including financial fraud and stolen identity. If companies minimize the amount of data they store, it’s less likely to be accessed by criminals.
Plus, if you can demonstrate compliance and a commitment to protecting customers, they will see you as trustworthy. Your business is more likely to receive digital applause signs such as positive feedback and word-of-mouth recommendations.
Failure to comply with GDPR can result in a fine of 20 million Euros or four percent of your annual turnover, whichever is higher. In addition, data subjects have the right to seek compensation if their information is stolen or leaked.
In 2021, Amazon was fined a record 746 million euros by the data protection regulator in Luxembourg (where Amazon has its EU base) and was also fined by France in 2020. WhatsApp and Google have fallen foul of the legislation too, while the overall number of GDPR fines rose sevenfold in 2021.
As every organization is different, we recommend your business develops a set of guidelines for its particular circumstances. It’s a good idea to consult an attorney for complete peace of mind, but for now, here are the main things you need to do to ensure GDPR compliance.
If your company has 250+ employees or conducts high-risk data processing, GDPR states that you must keep a detailed list of your activities and be prepared to show it to regulators upon request. Even for smaller firms, it’s good practice to take stock of the data you use and make sure you have a valid reason for using it.
Consider what kind of data you process, who has access to it, and the steps you’re taking to protect and eventually do a data deletion requests. Also think about any third parties with access—for example, if you’re using online contract management software, make sure it fits in with your policy.
It’s a good idea to come up with your own privacy and security policy so everyone in your organization understands the GDPR regulations and the wider implications of data security. This should include guidance on email, passwords, device encryption, and VPNs. Any employees with access to personal data should receive extra training.
It’s important to review this policy regularly as your company evolves. Use the Agile Manifesto values to ensure you can respond quickly to new developments, and consider data protection principles in the design of any new product or activity.
Your website should include a clear privacy policy to tell visitors how you intend to collect, use, and protect their data. Explain how this is processed and who has access to it. Make the information easy to find by displaying it in your website footer, and mention that further details are available.
Merely having a privacy policy isn’t enough to comply with GDPR. Don’t assume that if someone continues to use your website, they agree to your policy—you need to obtain clear consent (which is “freely given, specific, informed and unambiguous”). If you process data from under-16s, verify individual ages and gather consent from their guardians too.
You must seek consent from users to track their online behavior via cookies. Generate a cookie alert pop-up with a choice of options (“accept” cannot be the default) and include a direct link to the relevant policy documents. Your site should still be accessible without cookie placement.
All forms and other data collection methods must be explicitly opt-in—for instance, a tick-box can’t be pre-ticked. Again, include a link to your privacy policy, and make it easy for users to opt out. Collect only the fields you genuinely need and don’t keep the data a moment longer than necessary.
Double opt-in (where the contact must click a confirmation link to finalize their subscription) isn’t mandatory under GDPR, but it’s still good practice. Check existing mailing lists for compliance, and clean your database if required. Don’t purchase mailing lists from a third party, as you won’t have obtained consent from those contacts.
Many businesses now store and process data in a multi-cloud environment or hybrid integration platform, which means they must pay even more attention to security.
That’s where encryption and pseudonymization come in (although they aren’t mandated by GDPR). The platforms and tools you use may have end-to-end encryption built in, but data transfers between companies and supply chains are not always encrypted.
Pseudonymization means storing customer data so it can’t be connected to an individual, typically by breaking it up into several separate files. Pseudonymization differs from anonymization in that an identity can be recreated from pseudonymized data but not from anonymized data. Anonymized data is generally used to collate statistics.
People have the right to see what personal data you have on them, how you use it, how long you plan to store it, and the purpose behind it. You must provide an easy way for users to request, view, and update their data, and have it erased if they wish (you must comply with deletion requests within one month).
If users’ personal data is exposed due to a breach, GDPR mandates that you must notify the supervisory authority in your jurisdiction within 72 hours. You’re also required to quickly communicate data breaches to users (unless the breach is unlikely to put them at risk). You should create a data breach reporting policy so everyone knows what to do and provide staff training on how to detect breaches.
Some organizations need to appoint a dedicated data protection officer to manage GDPR compliance. This is not mandatory unless your data is processed by a public authority, undergoes systematic monitoring, or is processed on a large scale.
However, you might choose to do so anyway to be on the safe side. The DPO needs to understand how GDPR applies to your organization, offer advice and training, conduct audits, and liaise with regulators.
If you own or operate a website, GDPR isn’t something you can afford to ignore. Check thoroughly to make sure you have clear consent and a valid reason for collecting, processing, and storing personal data, and that privacy and protection are built into your systems and services.
As online activity continues to grow, it’s likely more legislation surrounding data privacy will emerge. Several other countries and US states have begun producing data privacy or protection acts, including the California Consumer Privacy Act (CCPA).
Therefore, it’s essential you take action to protect users’ data—not just for GDPR compliance, but to get a head start on the privacy regulations that are emulating it.
Sources:
GDPR compliance checklist - GDPR.eu.
GDPR Guideline for Companies with less than 250 Employees.
