Table of Contents
Easy GDPR Compliance Checklist for Ecommerce
The General Data Protection Regulation (GDPR) is a comprehensive data regulation employed by the EU and UK countries. If your company handles the personal data of citizens of the EU or UK, you must follow the GDPR's regulatory requirements or face potential fines of up to €20 million which is why privacy compliance is important.
A good starting point for getting up to speed is using a General Data Protection Regulation compliance checklist, which we've put together to make it easy for you.
How to ensure GDPR compliance
If your company protects customer information under the GDPR, there are a couple of strategies you can take:
- You could hire an in-house data protection officer (DPO).
- You could outsource the job to a data protection agency.
However, the choice may not be yours, as the GDPR stipulates when you are allowed to do either.
In-House Data Protection Officer
According to the GDPR, if your company handles personal data and has more than 10 to 15 employees, an in-house DPO or other accountable person ensuring compliance becomes mandatory. Your DPO will help your company regularly monitor your data collection and protection practices on a large scale.
Outsource to a Data Protection Agency
If you operate on a smaller scale with fewer employees, you can choose to appoint a DPO or handle your compliance in another manner. A popular alternative to hiring a DPO is outsourcing the role to a data protection agency.
An agency can help you with everything a DPO would normally handle, but you may not need them on a full-time basis. An agency can be an appropriate yet economical choice for smaller companies with smaller budgets collecting EU and UK personal data.
The cost of an average DPO is estimated at $108,000, although it can run up to six figures. On the other hand, a data protection agency may charge under $200 per month for unlimited data requests, compliance reporting, and custom legal policies drafted in multiple languages.
What are the basics of the General Data Protection Regulation?
No matter the size of your company, you must adhere to the GDPR if you target EU or UK customers. Compliance includes:
- Receiving consent from all data subjects
- Explaining your company's intel plan, including:
- How information is collected
- How information is used
- How information is secured
- Potentially hiring a DPO, if your company meets the size requirements
Additionally, seven key GDPR principles explain how your business may remain compliant while processing data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Additionally, there are two other concepts in addition to the seven core principles that businesses should adhere to:
- Privacy by Design
Core Principle: Lawfulness, Fairness, and Transparency
Your company's data processing practices must be legal. Collect the data fairly and be transparent about how you will use the information.
Core Principle: Purpose Limitation
State a clear purpose for processing data from the beginning. Record this purpose and only change the process after receiving user consent.
Core Principle: Data Minimization
Your company shouldn't collect data it doesn't need. Only collect the minimum amount of data necessary for your stated purposes.
Core Principle: Accuracy
Ensure the data you collect is up to date and accurate.
Core Principle: Storage Limitation
Don't hang on to your data forever; it's not necessary. Set a timeline that coincides with the information's purpose, then dispose of it properly.
Core Principle: Integrity and Confidentiality
Have appropriate security measures to protect the data. Make efforts to avoid data breaches.
Core Principle: Accountability
Your company will be held accountable for how you handle data and your overall compliance with the GDPR.
Supporting Concept: Privacy by Design
Privacy by Design (PbD) implies that data security is more than an afterthought. It's in the essence of your business.
Supporting Concept: Consent
Your company must ask users for consent to collect and process their data. Your users are also allowed to withdraw their consent at any moment. Your information must be accessible and written in clear language rather than legal jargon. Your users should fully understand what they agree to. Additionally, you can't use the data for a purpose you didn't previously disclose.
What rights are afforded to users?
In addition to regulations that businesses must comply with, the GDPR outlines eight user rights in Articles 16 through 22. These rights are reflected in the above principles. They are:
- The right to be informed
- The right of access
- The right to rectify information
- The right to erasure / the right to be forgotten
- The right to restrict data processing
- The right to data portability
- The right to object
- Automated individual decision-making, such as profiling
What are compliance documents?
The GDPR requires a list of mandatory compliance documents, policies, and procedures. The GDPR requires that you document your processing activities, which is generally a good idea even without the GDPR's mandate. We've broken that list down to make compliancy a bit less confusing.
Your GDPR Compliance Checklist
Your GDPR compliance checklist is broken down into documents, policies, and procedures. Additionally, we've included some documents that may or may not be required of your company, depending on your specifics.
Compliance documents include:
- Privacy notice
- Employee privacy notice
- Data subject consent form
- Supplier data processing agreement
- Data Protection Impact Analysis (DPIA) Register
- Data breach register
- Data breach notification form to the supervisory authority
- Data breach notification form to data subjects
Compliance policies include:
- Personal data protection policy
- Data retention policy
- Data retention schedule policy
Compliance procedures include:
- Data breach response
- Notification procedure
Possibly applicable documents include:
- Data Protection Officer job description: If your company is required to hire a DPO, you will need a DPO job description.
- Inventory of processing activities document: This is mandatory if your company can answer "yes" to any of the following:
- Do you have more than 250 employees?
- Is your processing likely to result in a risk to your data subjects' rights?
- Is your processing more than occasional?
- Does your processing include special categories of data?
- Does your processing include personal data related to criminal convictions or offenses?
- Standard contractual clauses for transferring personal data to controllers: This is required if you transfer personal data to a non-EU state and rely on model clauses for your lawful grounds for cross-border data transfer.
- Standard contractual clauses for the transfer of personal data to processors: This is mandatory if you transfer personal data to a processor outside the European Economic Area and you rely on model clauses for your lawful grounds of cross-border transfer.
How do you conduct a compliance audit step-by-step?
Conducting a compliance audit can be intimidating, particularly if you've never done one before. This step-by-step checklist will help ease your mind, so you can rest easy knowing you've checked all the boxes.
Ensure your GDPR audit covers the following topics:
- Data governance refers to six principles that your company must follow:
- Data minimizations
- Purpose limitation
- Integrity & confidentiality
- Storage limitation
- Lawful transport
- Risk management: Conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate risks as part of your risk management plan.
- GDPR project: Create a GDPR compliance project with full board member support.
- Role and responsibility organizational arrangement: Ensure you can clearly show how roles and responsibilities are defined in your organization.
- Scope of compliance: Clearly and accurately define your scope of compliance, including identifying the databases holding personal data.
- Appointment of DPO (if required): Have someone responsible for overseeing your compliance process.
- Record of full data processing
- Personal Information Management System (PIMS)
- Rights of data owners/subjects
- Information Security Management System (ISMS)
How often should a checklist compliance be verified?
A GDPR compliance assessment is carried out so your organization can find weak links in the chain before it turns into a GDPR audit. An assessment carries no real risk, while an audit could end in sanctions.
Running a compliance assessment regularly can help your company stay abreast of any vulnerabilities in your system. It's best to schedule assessments regularly, perhaps every one to two years, and include additional assessments if your company has undergone major changes in data or data policies.
How can Enzuzo help me with General Data Protection Regulation compliance?
Enzuzo is ideal for small to medium-sized companies that aren't required to hire an in-house DPO. Our services are thorough and more economical than an in-house DPO. We can help you set a regular schedule for GDPR compliance assessments and offer expert advice to guide you through them.
Enzuzo is easy to use and makes complex topics like data protection and GDPR compliance infinitely more manageable. Join the thousands of other thriving businesses that have saved hundreds if not thousands of staff hours on staffing, headaches, and dollars on their data privacy protection plans by employing our user-friendly data privacy software.
Paige is the growth marketing lead at Enzuzo and host of The Living Lab podcast, providing insightful articles in the privacy space.