|GDPR Compliance Checklist|
|Data Audit for Personal Data|
|According to GDPR:|
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Your first step is to conduct an audit of your data and answer the following questions:
|1. What information do you collect?||Answer:|
|2. Where does the data come from?||Answer:|
|3. How do you process it?||Answer:|
|4. How do you use it?||Answer:|
|5. Who will it be shared with?||Answer:|
|Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer|
|Purpose of the processing and the legal basis for the processing|
|Is there legitimate interest of the controller or third party, where applicable|
|Retention period or criteria used to determine the retention period|
|The existence of each of data subject’s rights|
|The right to withdraw consent at any time, where relevant (Opt-out)|
|The right to lodge a complaint with a supervisory authority|
|Details of data transfers to third party|
|Enable on IP Anonymization|
|Since Geo-location data can be yield from IP address. geo-location data, IP addresses are considered PII. Therefore it's crucial to anonymize IP addresses for data safety.|
If you use Google Analytics (GA) and Google Tag Manager (GTM), you can update your (GA) Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you use a tag managment platform different to Google Tag Manager (GTM), you may need to edit your tracking code: https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#anonymizeIp
|Configure Google Analytics (GA) Data Retention Settings|
|User & Event Retention|
Use this setting to select how long user data is stored. You can only set this to 14, 26, 38, ,or 50 months. Alternatively, you can choose to retain user and event data indefinitely.
The second setting is "Reset on new activity". Enabling this setting will reset the data retention period for a user whenever they have new activity on your website. If this setting is on, and your retention window is 26 months, then every time a user returns to your site Google Analytics will keep storing their information until 26 months pass without a return visit.
|Audit your Collection of Pseudonymous Identifiers (hashed Emails, User IDs)|
|Build an Opt In/Out Capability|
|Under GDPR, data subjects have the right to opt-out and withdraw consent any time. Your need to embed a mechanism into your data controlling/processing system that allows you to seamlessly delete user data upon request.|
|Appoint Data Protection Officer (DPO)|
|Under the GDPR, you must appoint a DPO if:|
• You are a public authority (except for courts acting in their judicial capacity);
• Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both data controllers and data processors.
Appoint DPO if any of the above applies to you.
|Define a process for reporting a data breach|
|Include the steps employees will have to take when a breach of data regulation happens. Any loss or breach of data must be reported within 72 hours of first becoming aware of the breach. |
Great information can be found here: http://www.experian.com/assets/data-breach/white-papers/experian-2017-2018-data-breach-response-guide.pdf