Complete GDPR Website Checklist

This complete General Data Protection Regulation (GDPR) compliance checklist for your website will point you in the right direction when considering how the GDPR applies to your company. If you have read our Ultimate GDPR Overview, you should already have a good understanding of how the regulation affects your business ecosystem.

Learn how to create a GDPR-compliant website with this complete General Data Protection Regulation (GDPR) checklist.

Active Opt-In Forms

The biggest change here is that users must actively opt in to your services. Many subscribe forms pre-select the opt-in box. This is not allowed under the GDPR: consent must be given by a clear affirmative action, so a pre-ticked box that the user merely fails to untick does not count as consent.

Unbundled Opt-In

Each purpose for which the user's data will be used must be spelled out in the opt-in process. You can no longer bundle terms and conditions, agreements and marketing offers under one opt-in. You must name each purpose separately and let the user consent voluntarily to each one on its own.

Granular Opt-In & Transparency

Your users need to be able to see separate consent choices for different types of processing. Phone, email and postal mail usage should each be clearly defined in your privacy policy. If you offer multiple products and services, create a separate opt-in for each.

GDPR-friendly form

Growth hack tip!

Segmentation like this can and should be synced with your CRM platform; it gives your marketing automation a ready-made set of consented audiences.

The GDPR states that it must be as easy to withdraw consent as it was to give it (Article 7(3)). Keep your contact preferences page easy to find. You may also segment topics of interest and provide an opt-out checkbox for each one. Clearly visible opt-out links in every marketing email also help you stay compliant.

Your forms should clearly identify who will receive the user's information. Describing recipients only as vaguely defined categories of third parties is no longer enough: where third parties will rely on the consent, the GDPR's requirement that consent be specific and informed means those parties should be named.
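To make the requirements in this section concrete (boxes unchecked by default, one purpose per box, recipients named rather than described as a category, and withdrawal that is as easy as sign-up), here is an added example in JavaScript. It is not code from the original article. The form definitions, purpose ids, recipient names and the consent-record shape are hypothetical, and the checks encode the rules described above, not any regulator's published test.

```javascript
// Added example, not from the original article. Form fields, ids and recipient
// names are hypothetical; the checks encode the opt-in rules described in the text.

// A compliant form: one unchecked box per purpose, one channel per purpose,
// and the recipients named rather than described as a category.
const NEWSLETTER_FORM = {
  purposes: [
    {
      id: 'newsletter_email',
      label: 'Email me the monthly newsletter',
      channels: ['email'],
      recipients: ['Example Co.', 'Example Mail Provider Ltd.'], // hypothetical names
      preChecked: false,
    },
    {
      id: 'offers_phone',
      label: 'Call me about new products',
      channels: ['phone'],
      recipients: ['Example Co.'],
      preChecked: false,
    },
  ],
};

// The pattern the text says is no longer allowed: pre-ticked, bundled, vague recipients.
const BUNDLED_FORM = {
  purposes: [
    {
      id: 'everything',
      label: 'I accept the terms and agree to be contacted by email and phone',
      channels: ['email', 'phone'],
      recipients: ['selected partners'],
      preChecked: true,
    },
  ],
};

// Wording that describes a category of recipient instead of naming one.
const CATEGORY_WORDS = /\b(partners?|third[- ]parties|affiliates|vendors?|sponsors?)\b/i;

// Returns a list of problems; an empty list means the form passes these checks.
function validateOptInForm(form) {
  const problems = [];
  for (const p of form.purposes) {
    if (p.preChecked) {
      problems.push(`${p.id}: consent box is pre-selected; it must start unchecked`);
    }
    if (p.channels.length !== 1) {
      problems.push(`${p.id}: bundles ${p.channels.join(' and ')} under one box; split them`);
    }
    if (p.recipients.length === 0) {
      problems.push(`${p.id}: no recipients named`);
    }
    for (const r of p.recipients) {
      if (CATEGORY_WORDS.test(r)) {
        problems.push(`${p.id}: "${r}" is a category, not a named recipient`);
      }
    }
  }
  return problems;
}

// Record only what the user actually ticked, with the wording shown and the time,
// so each consent can be evidenced later. Unticked boxes produce no record at all.
function recordConsent(form, submission, now = new Date()) {
  const ticked = new Set(submission.ticked);
  return {
    subjectId: submission.subjectId,
    consents: form.purposes
      .filter((p) => ticked.has(p.id))
      .map((p) => ({
        purposeId: p.id,
        channel: p.channels[0],
        recipients: [...p.recipients],
        wordingShown: p.label,
        grantedAt: now.toISOString(),
        withdrawnAt: null,
      })),
  };
}

// Withdrawal is one call per purpose, with no re-confirmation step: as easy as the
// click that granted it. The entry is kept, not deleted, so the history stays auditable.
function withdrawConsent(record, purposeId, now = new Date()) {
  const c = record.consents.find((x) => x.purposeId === purposeId && x.withdrawnAt === null);
  if (!c) return false;
  c.withdrawnAt = now.toISOString();
  return true;
}

function activePurposes(record) {
  return record.consents.filter((c) => c.withdrawnAt === null).map((c) => c.purposeId);
}

// The check every sending job should run before contacting someone on a channel.
function mayContact(record, channel) {
  return record.consents.some((c) => c.channel === channel && c.withdrawnAt === null);
}

// Stand-alone run on constructed input.
const record = recordConsent(NEWSLETTER_FORM, { subjectId: 'user-42', ticked: ['newsletter_email'] });
console.log(validateOptInForm(BUNDLED_FORM));                   // three problems
console.log(mayContact(record, 'email'), mayContact(record, 'phone')); // true false
```

The design point is that the consent record is per purpose and per channel, carries the exact wording the user saw and the recipients they were told about, and is only ever appended to or marked withdrawn. That is what lets you answer "did this person agree to phone calls, when, and on what terms?" long after the form was submitted.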

Online Payments

If your e-commerce website keeps customer information after a purchase, that data must be deleted once it is no longer needed for the purpose it was collected for (the storage limitation principle). The GDPR does not specify a time frame, so consult your legal team, set a retention period using your best judgment, and state it on your site.

Google Analytics, Tag Manager

According to BuiltWith, there are over 30 million live websites using Google Analytics. Google has been updating its data processing terms for the GDPR with EU legal teams for years. You can read more about Google's GDPR commitments here.

Tag Manager lets you integrate third-party vendors through its many vendor tags. If an agency or partner processes your Tag Manager data, ask legal to put a contract in place that sets out its responsibilities as a data processor to you as the data controller.

The GDPR reaches far beyond your website: it applies to personal data in any form, including paper filing systems, not just digital records. This means you will need to audit your business as a whole. Legal teams can help you answer other tricky GDPR questions such as:

  • Do I need to obtain fresh consent for data previously collected by post?
  • Are all my third-party vendors GDPR compliant?
  • What qualifications must my data protection officer have?
  • Can there be multiple data controllers assigned?

This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should always seek professional legal advice where appropriate.

Read more: How to Make Your Website GDPR-Compliant