9-step GDPR compliance checklist

Companies across all industries collect data from their website visitors to learn more about their audiences’ activities, preferences, and interests. However, this standard business function could be costly if you’re not collecting this data in a GDPR-compliant way.

But GDPR compliance can be complex. The EU regulation provides individuals with data privacy rights, compliance responsibilities, and processing principles for organizations to follow. However, it allows for flexibility in each company’s implementation depending on their business, technologies in use, third-party platforms required, and user data processed. Each company requires customized expertise to determine how to achieve and maintain GDPR compliance.

We’ve outlined key elements you need to know about the GDPR’s requirements and created a GDPR compliance checklist that will help you achieve and maintain legal compliance.

What is considered personal data under the GDPR?

We’ll spare you the full definition of personal data from the General Data Protection Regulation (GDPR). The regulation was enacted in the EU in 2016 and came into force on May 25th, 2018. In essence, it’s designed to give EU citizens more control over their personal data and simplify rules for companies’ handling of it. Let’s go over what is considered personal data.

The GDPR defines personal data as “any information related to an identified or identifiable natural person.” This encompasses various data types, both from online and offline sources, that can directly or indirectly identify an individual alone or in combination with other data, such as:

• names, addresses, phone numbers, and email addresses
• identification numbers like Social Security, passport, or driver’s license numbers
• location data such as GPS coordinates or IP addresses
• biometric data like fingerprints, facial recognition, or DNA
• genetic data
• health-related or healthcare information
• political opinions, religious beliefs, or membership in trade unions

Whether a company operates in ecommerce or serves B2B customers, the GDPR applies to them if they operate in the EU. 

The GDPR principles center around access to and use of personal data. Even seemingly harmless information can be classified as personal data if it can be linked to an individual, even if it has to be combined with several other data points to do so. This is why personal data includes sources like website cookies, social media posts, and audio/visual recordings.

Who does the GDPR apply to?

The GDPR applies to any organization that handles the personal data of EU residents, regardless of the company’s physical location. An organization that is based in the United States and that only services American customers does not need to comply with the GDPR. However, if an American company has EU customers, they do have to comply.

Under the GDPR, several entities have responsibilities relating to data processing and privacy compliance, including:

• companies based in the EU that collect or process personal data
• companies based outside the EU that provide goods or services to EU residents or monitor their behavior
• data controllers that determine how, why, and by whom personal data is processed
• data processors that process personal data for specific purposes on behalf of a controller (e.g. vendors)

Noncompliance can lead to significant GDPR fines, potentially reaching up to EUR 20 million or 4 percent of global annual revenue, whichever is greater.

While there are some exemptions to compliance for personal or household activities and certain freedom of expression and information cases, the GDPR generally applies broadly to most organizations handling the personal data of EU residents. 

This also applies to organizations with a joint controllership relationship. In this scenario, both companies have a joint responsibility for handling people’s personal data.

Beyond legal requirements, demonstrating respect for data privacy with GDPR compliance brings business benefits, enhancing brand reputation and building trust with customers.

Who’s responsible for GDPR compliance within a company?

GDPR compliance responsibility within a company is shared across multiple functions and stakeholders, though ideally there is a central representative to oversee privacy operations, like a Data Protection Officer (DPO). Depending on a company’s data processing operations, this role may be required for GDPR compliance (e.g. if the data processed is very sensitive or processing is high risk to customers). For other companies, a DPO may just be recommended to oversee data privacy operations.

Generally, data controllers and processors are responsible for ensuring data processing they do is GDPR-compliant, though ultimately the controller has legal responsibility, including for processing and data protection by third-party processors, hence the importance of contractual agreements prior to initiating third-party processing. 

There can be other stakeholders regarding data processing and GDPR compliance, which include the following.

Achieve regulatory compliance with a GDPR compliance checklist

The GDPR is one of the strictest data privacy and protection regulations in the world. The full text spans 99 Articles, outlining everything from what constitutes valid user consent to what entities have supervisory authority. Yet, many organizations struggle to determine clear guidelines, rules, or requirements for how they should handle users’ personal data.

To simplify the complexity, Usercentrics has compiled a detailed GDPR compliance checklist that demonstrates each step needed to help companies become privacy compliant. 

This 9-step GDPR audit checklist covers key areas to address, from data collection and storage to individual rights and data breach reporting.

What’s included in the GDPR compliance checklist?

By downloading Usercentrics’ printable GDPR compliance checklist PDF, you’ll learn:

• how to create a privacy policy
• requirements to inform users of their rights and how to exercise them
• the way to obtain valid consent
• best practices to securely document consent data

Bolster your company’s marketing operations with the data you need, while demonstrating your commitment to data protection. Give your customers confidence in how their personal information is handled and increase trust with your audience.