Xivic Inc. - GDPR Compliance Checklist
GDPR Compliance Checklist
Data Audit for Personal Data
According to GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Your first step is to conduct an audit of your data and answer the following questions:
1. What information do you collect? Answer: ________
2. Where does the data come from? Answer: ________
3. How do you process it? Answer: ________
4. How do you use it? Answer: ________
5. Who will it be shared with? Answer: ________

Update your Privacy Policy to provide the following information to data subjects at the time of data collection

• Identity and contact details of the controller and, where applicable, the controller’s representative and the data protection officer
• Purpose of the processing and the legal basis for the processing
• The legitimate interests of the controller or a third party, where applicable
• Retention period, or the criteria used to determine the retention period
• The existence of each of the data subject’s rights
• The right to withdraw consent at any time, where relevant (opt-out)
• The right to lodge a complaint with a supervisory authority
• Details of data transfers to third parties

Notes: ________

Enable IP Anonymization

Since geo-location data can be derived from an IP address, IP addresses are considered personally identifiable information (PII). It is therefore crucial to anonymize IP addresses to keep this data safe.

If you use Google Analytics (GA) and Google Tag Manager (GTM), you can update your GA Settings variable by clicking into More Settings -> Fields to Set and then adding a new field named ‘anonymizeIp’ with a value of ‘true’.

If you use a tag management platform other than Google Tag Manager (GTM), you may need to edit your tracking code: https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#anonymizeIp

Notes: ________

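As an added example (not code from this checklist or from Google), the block below shows two things for the "edit your tracking code" case: the analytics.js call that turns the setting on, `ga('set', 'anonymizeIp', true)`, which must come before the first `send`, and a local re-implementation of what the setting does to an address before Google stores it (the last octet of an IPv4 address is zeroed; the last 80 bits of an IPv6 address are zeroed). The `configureTracker`, `expandIpv6` and `anonymizeIp` functions and the `UA-XXXXX-Y` property id are assumptions made for this example; the sample addresses are constructed documentation-range values.

```javascript
// Added example, not part of the Xivic checklist or Google's own code.
// configureTracker shows the analytics.js call order; expandIpv6 and
// anonymizeIp are local helpers that mirror the masking rule documented
// for anonymizeIp so you can see what is actually retained.

// Order matters: 'set' must precede any 'send', otherwise the first hit
// carries the full IP. 'UA-XXXXX-Y' is a placeholder property id.
function configureTracker(ga) {
  ga('create', 'UA-XXXXX-Y', 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
}

// Expand an IPv6 address into its eight hextets (lower-case, no leading
// zeros). Handles '::' compression only; embedded IPv4 and zone ids are
// out of scope for this example.
function expandIpv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6 address: ' + addr);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const compressed = halves.length === 2;
  const missing = 8 - head.length - tail.length;
  if (compressed ? missing < 1 : missing !== 0) {
    throw new Error('invalid IPv6 address: ' + addr);
  }
  const hextets = head.concat(new Array(missing).fill('0'), tail);
  for (const h of hextets) {
    if (!/^[0-9a-f]{1,4}$/i.test(h)) throw new Error('invalid IPv6 address: ' + addr);
  }
  return hextets.map(h => h.toLowerCase().replace(/^0+(?=.)/, ''));
}

// Mask an address the way anonymizeIp does: IPv4 -> last octet set to 0;
// IPv6 -> first 48 bits (three hextets) kept, remaining 80 bits zeroed,
// returned in compressed form.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    return expandIpv6(ip).slice(0, 3).join(':') + '::';
  }
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('invalid IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Stand-alone demo (outside a browser): record what a tracker stub receives,
// then mask constructed sample addresses.
if (typeof window === 'undefined') {
  const calls = [];
  configureTracker((...args) => calls.push(args));
  console.log(calls);
  console.log(anonymizeIp('203.0.113.77'));                         // 203.0.113.0
  console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348')); // 2001:db8:85a3::
}
```

The masked IPv4 address still identifies a /24 network and the masked IPv6 address a /48, so geo-location is coarsened rather than removed; the setting reduces, but does not eliminate, the identifiability of the retained data.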
Configure Google Analytics (GA) Data Retention Settings

User & Event Retention
Use this setting to select how long user data is stored. You can only set this to 14, 26, 38, or 50 months. Alternatively, you can choose to retain user and event data indefinitely.

The second setting is "Reset on new activity". Enabling this setting will reset the data retention period for a user whenever they have new activity on your website. If this setting is on, and your retention window is 26 months, then every time a user returns to your site Google Analytics will keep storing their information until 26 months pass without a return visit.

Notes: ________

Audit your Collection of Pseudonymous Identifiers (hashed emails, User IDs)

According to GDPR, using pseudonymous identifiers appears to be an acceptable practice. However, you need to ensure that your Privacy Policy is updated to reflect this data collection and its purpose, and that you gain explicit consent (via opt-in) from your users. The language used needs to be clear and understandable for your users (free of technical terms).
Notes: ________

Build an Opt In/Out Capability

Under GDPR, data subjects have the right to opt out and withdraw consent at any time. You need to embed a mechanism into your data controlling/processing system that allows you to seamlessly delete user data upon request.
Notes: ________

Appoint Data Protection Officer (DPO)
Under the GDPR, you must appoint a DPO if:

• You are a public authority (except for courts acting in their judicial capacity);
• Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both data controllers and data processors.

Appoint DPO if any of the above applies to you.

Notes: ________
Define a process for reporting a data breach

Include the steps employees will have to take when a data breach happens. Any loss or breach of data must be reported within 72 hours of first becoming aware of the breach.
Great information can be found here: http://www.experian.com/assets/data-breach/white-papers/experian-2017-2018-data-breach-response-guide.pdf

Notes: ________