
GDPR Checklist for Business Websites in the US

The General Data Protection Regulation (GDPR) is an EU law that protects the personal data, and with it the privacy rights, of individuals located in the EU, online and offline. It limits what personal data businesses and organizations may collect about individuals, why they may collect it, and how long they may keep it. When it took effect in May 2018 it was groundbreaking in two respects:

  1. Its reach is defined by where the individual is located, not by where the business is established (Article 3). A company with no EU office is still covered if it offers goods or services to, or monitors the behaviour of, people in the EU.

  2. It protects individuals' privacy and control over their own data, not merely against fraud or identity theft. Collecting more data than you need, or keeping it longer than you need, is itself a violation, even if nothing is ever stolen.

For these two reasons, businesses all around the world, including the United States, must build GDPR compliance into their website if people in the EU will use it. Why does compliance matter? Organizations that fail to comply risk severe penalties: administrative fines of up to €20 million or 4 percent of annual worldwide turnover, whichever is higher (Article 83).

Below is the specific GDPR checklist for business websites in the US.

Conduct a Personal Data Audit

Audit your website to record what personal data you collect (email addresses, physical addresses, payment details, IP addresses, analytics identifiers, etc.), where it is stored, which staff and vendors can access it, and how long it is kept. Whether or not you take payment does not matter: if you offer goods or services to, or track the behaviour of, individuals in the EU, work through the rest of this checklist.

Conduct a Data Protection Impact Assessment (DPIA)

Article 35 of the GDPR sets out when a DPIA is required; broadly, whenever the processing is likely to result in a high risk to individuals (large-scale tracking, profiling, or handling of sensitive data, for example). To conduct a DPIA you need to:

  • Write out a description of how data is collected and identify why it is being collected
  • Assess whether you really need to collect personal data for that purpose and how little data would suffice (data minimization)
  • Determine the risks to an individual if the data you collect is breached, and the measures that reduce those risks

Improve Protection Based on DPIA

Based on your DPIA findings, implement improvements to your data security, such as the measures described in the sections that follow.

Establish Data Processing Agreement with Vendors

Any third-party vendor that processes personal data on your behalf, whether for email, web analytics, hosting, etc., is a "processor" and must be bound by a written data processing agreement (Article 28). The agreement sets out what the vendor may do with the data, the security measures it must maintain, whether it may use sub-processors, how it must help you with breach notification and data subject requests, and what happens to the data when the contract ends. It also records how liability is shared between you and the vendor if a breach occurs; it does not remove your own responsibility as the controller.

Appoint a Data Protection Officer (DPO)

A DPO is mandatory only for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (Article 37). Most small businesses will simply need to appoint a current member of staff to stay up to date on GDPR, or to work with a vendor who helps them maintain GDPR compliance.

Designate a Representative in the EU

If your business has no establishment in the EU but offers goods or services to, or monitors the behaviour of, people in the EU, Article 27 requires you to designate a representative in the EU, unless the processing is only occasional, low-risk, and does not involve sensitive data on a large scale. To complete this step you need a written mandate between your company and the representative, but this does not make the representative solely responsible for a data breach if one were to occur.

Develop Disaster Recovery Plan for Possible Data Breaches

We recommend that you implement measures to prevent data breaches, such as encryption of personal data at rest and in transit and multi-factor authentication on every administrative account. However, you also need to know your plan of action if a data breach occurs on your website (or on any of your platforms). The GDPR explicitly states that you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Article 33), and must notify the affected individuals when the breach is likely to result in a high risk to them (Article 34). Designate in advance who decides that an incident is a reportable breach and who makes the notification, outline that communication in your recovery plan, and make sure logs are retained long enough to reconstruct what happened.

Comply with Cross Border Transfer Laws

If you wish to transfer the personal data you collect to a company or organization outside the EU (including to your own systems in the US), you must comply with Chapter V of the GDPR (Articles 44 to 49): either the destination country has an adequacy decision under Article 45, or you put appropriate safeguards in place under Article 46, such as standard contractual clauses. If your company must also maintain HIPAA or SOC compliance, we recommend you do not transfer customer data of any kind out of your secured website platform.

Set Up Consent for Data Collection

Lastly, the GDPR requires a lawful basis for every kind of data collection (Article 6). For tracking and non-essential cookies, the usual basis is consent, and the easiest way to obtain it is a cookie banner. This is a banner that appears on a visitor's first visit, explains what will be collected and why, and asks for consent before any tracking starts. Consent must be a clear opt-in: pre-ticked boxes, "by continuing you agree" notices, and tracking that runs before the visitor answers do not count. The visitor must be able to decline as easily as to accept, to withdraw consent later, and you should keep a record of what was consented to and when.
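The following is an added example, not code from the original article or from VGM Forbin, showing the client-side logic behind an opt-in cookie banner. Non-essential scripts are written into the page as `<script type="text/plain" data-consent="analytics">` so the browser does not execute them, and they are only activated once the visitor opts in to that category. The category names, the storage key, and the six-month re-consent period are assumptions chosen for illustration; storage and the document are injected so the consent logic can be exercised outside a browser.

```javascript
// Added example (not from the original article): consent gate for a cookie banner.
// Default is "no consent": nothing non-essential runs until the visitor opts in.

const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed taxonomy
const CONSENT_KEY = 'gdpr_consent_v1';                       // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;            // assumed policy: re-ask after ~6 months

// storage: anything with the localStorage interface; now: clock, injectable for tests.
function createConsentStore(storage, now = () => Date.now()) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // Treat malformed or expired records as "no decision" so the banner is shown again.
      if (!Array.isArray(rec.granted) || typeof rec.ts !== 'number') return null;
      if (now() - rec.ts > CONSENT_TTL_MS) return null;
      return rec;
    } catch (e) {
      return null;
    }
  }
  return {
    // true when a valid, unexpired decision exists (used to decide whether to show the banner)
    hasDecision() { return read() !== null; },
    // Strictly necessary scripts need no consent; everything else requires an explicit grant.
    isAllowed(category) {
      if (category === 'necessary') return true;
      const rec = read();
      return rec !== null && rec.granted.includes(category);
    },
    // choices comes from the banner UI, e.g. { analytics: true, marketing: false }.
    // Only values that are literally true count as opt-in; a missing key is a refusal.
    // The timestamp is the consent record the page says you should keep.
    record(choices) {
      const granted = CATEGORIES.filter((c) => c === 'necessary' || choices[c] === true);
      storage.setItem(CONSENT_KEY, JSON.stringify({ ts: now(), granted }));
      return granted;
    },
    // Withdrawal must be as easy as giving consent: one call clears the record.
    withdraw() { storage.removeItem(CONSENT_KEY); },
  };
}

// Pure selection step: given script descriptors { category, src }, return those allowed to run.
function selectScripts(scripts, store) {
  return scripts.filter((s) => store.isAllowed(s.category));
}

// Browser-only: replace inert type="text/plain" scripts with executable ones once allowed.
// Returns how many scripts were activated.
function activateScripts(doc, store) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  let activated = 0;
  for (const old of nodes) {
    if (!store.isAllowed(old.dataset.consent)) continue;
    const fresh = doc.createElement('script');
    if (old.src) fresh.src = old.src; else fresh.textContent = old.textContent;
    old.replaceWith(fresh);
    activated += 1;
  }
  return activated;
}

// In-memory stand-in for localStorage so the logic can run in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser wiring (assumed banner markup with #consent-accept-analytics / #consent-reject buttons).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const store = createConsentStore(localStorage);
  if (store.hasDecision()) {
    activateScripts(document, store);            // returning visitor: honour the stored decision
  } else {
    document.getElementById('consent-accept-analytics').addEventListener('click', () => {
      store.record({ analytics: true });
      activateScripts(document, store);
    });
    document.getElementById('consent-reject').addEventListener('click', () => {
      store.record({});                            // explicit refusal, recorded so the banner is not re-shown
    });
  }
}
```

The important design point is that the default path does nothing: a visitor who never answers, whose stored record is corrupt, or whose consent has expired gets the same treatment as one who refused. Tag managers loaded unconditionally in the page head bypass this gate entirely, so the inert `type="text/plain"` technique (or the tag manager's own consent mode) has to cover every third-party script, not just the ones added by hand.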

We know, this is a lot of information! If you’re considering installing a cookie banner on your website or would like to know more about what goes into maintaining GDPR for small businesses, please reach out by filling out the contact form below or giving us a call!

Please note, this article is not meant as legal advice for your business and VGM Forbin is not liable for GDPR compliance outside of data processing agreements between us and our clients. We did our best to break down information in an easy and digestible manner, but we recommend you also visit the official GDPR website if you’re looking to maintain compliance on your own.
