GDPR audit. You likely need one if you operate a blog. Or a website, a newsletter, an e-commerce store, or anything online that harvests user data.
And you’ll need that GDPR audit soon, like yesterday—because Europe’s General Data Protection Regulation (that’s what GDPR stands for) went into effect on May 25, 2018.
So you better find out fast whether you comply with this new law. The most reliable way to do so is with a GDPR audit.
If a GDPR audit reveals non-compliance, you must hurry to remedy it. Failure to meet GDPR’s rigorous requirements for data collection, storage, use, and security exposes you to administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, as well as civil claims from the people whose data you mishandled.
OK, this seems like a prank. GDPR is European Union law. And, since you’re not located in Europe, you wonder why you should do a GDPR audit at all.
Alas, sorry, no prank. GDPR applies to anyone, anywhere, who offers goods or services to people in the EU or monitors their behaviour, and who collects personal data in the process. If your site is reachable from Europe and logs visitors, there is a high probability this means you.
An insightful article we published here at this blog spells out some of GDPR’s most relevant provisions. Read it to acquaint yourself (if you aren’t already) with this significant new law.
But continue reading this post and we’ll tell you…
…five things to know about a GDPR audit:
You can conduct an audit yourself or, for better results, you can retain the services of a qualified GDPR audit authority. Valet, for instance, can spot-check your website to give you a general picture of how well or poorly you meet the requirements of GDPR. But if you want a comprehensive assessment down to the smallest detail, Valet can help you there too by offering you a referral to a team of highly trusted independent auditors.
A GDPR audit is advisable if you directly or indirectly gather personal data, meaning any information that relates to an identified or identifiable living person. Examples include names, email and physical addresses, location data, government-issued identification numbers, phone numbers, and IP addresses.
1. Data collection, processing and storage.
You earn good marks in a GDPR audit for collecting only the information you actually need to run your business (the regulation calls this data minimisation).
You also score high for removing any automatic opt-ins. Example: no longer subscribing a user to your newsletter merely because he or she submitted a contact form.
Under GDPR, users enjoy the right to access their own data. They also possess the right to know what information you collect and to receive an explanation of how you use it. An audit should confirm that you support those rights and that users can obtain the information you hold about them free of charge.
Your website must offer users a way to download or erase the personal data you have collected about them. Your privacy policy, likewise, must spell out what information your website collects from visitors, who has access to those data, and how long you will store them.
(In the same vein, if you run Google Analytics on your website, your privacy policy should disclose that the tracker records visitors’ IP addresses along with visit duration and that Google has access to those records. A comment in the tracking snippet informs nobody; the disclosure belongs in the policy the visitor can read.)
2. Asking for consent.
Your GDPR audit should turn up evidence that you ask for consent before you collect data—and that you ask in a prominent way, explaining why you want the data and what you do with them once collected.
It’s evidence of compliance if you offer users an option to decline data collection and a way to withdraw consent they have already given. Similarly, you do well to configure your website so that no consent option is pre-selected: an unticked box the user must tick is consent; a pre-ticked box is not.
Speaking of consent, if a user asks to withdraw it, you should honor the request promptly, without making the withdrawal harder than the original opt-in and without penalising the user for it.
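The points above (no opt-in by side effect, explicit consent that can be withdrawn, and a way for users to export or erase their data) are easiest to verify when they are implemented as a small, testable layer rather than scattered across form handlers. The following Python module is an added example written for this post, not code from the original article or from any of the plugins it mentions. It assumes an in-memory dictionary stands in for the site’s database, the form HTML is a constructed sample, and the email address and IP shown are made up; it also includes a check an auditor can run over a form’s markup to flag consent checkboxes that ship pre-ticked.

```python
"""Consent ledger, data-subject requests and a pre-ticked-checkbox audit.

Constructed example: an in-memory dict stands in for the site's database.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    purpose: str                      # what the data is used for, e.g. "newsletter"
    source: str                       # which form or page captured the consent
    granted_at: str                   # UTC timestamp, kept as audit evidence
    withdrawn_at: Optional[str] = None


@dataclass
class Subject:
    email: str
    name: str = ""
    ip_addresses: List[str] = field(default_factory=list)
    consents: List[ConsentRecord] = field(default_factory=list)


class DataStore:
    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}

    def handle_contact_form(self, email: str, name: str, ip: str,
                            newsletter_opt_in: bool = False) -> Subject:
        """Record a contact-form submission. Sending the form never subscribes
        the user by itself; only an explicitly ticked opt-in box does."""
        subj = self.subjects.setdefault(email, Subject(email=email))
        subj.name = name
        subj.ip_addresses.append(ip)
        if newsletter_opt_in is True:
            self.grant_consent(email, "newsletter", source="contact_form")
        return subj

    def grant_consent(self, email: str, purpose: str, source: str) -> None:
        subj = self.subjects.setdefault(email, Subject(email=email))
        subj.consents.append(ConsentRecord(purpose, source, _now()))

    def withdraw_consent(self, email: str, purpose: str) -> int:
        """Mark every active consent for `purpose` withdrawn; return how many.
        Records are kept (not deleted) so the consent history stays auditable."""
        subj = self.subjects.get(email)
        if subj is None:
            return 0
        count = 0
        for rec in subj.consents:
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = _now()
                count += 1
        return count

    def has_consent(self, email: str, purpose: str) -> bool:
        subj = self.subjects.get(email)
        return subj is not None and any(
            r.purpose == purpose and r.withdrawn_at is None for r in subj.consents)

    def export_subject(self, email: str) -> Optional[dict]:
        """Right of access: everything held about the person, consent history included."""
        subj = self.subjects.get(email)
        return None if subj is None else asdict(subj)

    def export_subject_json(self, email: str) -> Optional[str]:
        data = self.export_subject(email)
        return None if data is None else json.dumps(data, indent=2)

    def erase_subject(self, email: str) -> bool:
        """Right to erasure: drop the whole record. False if the person is unknown."""
        return self.subjects.pop(email, None) is not None


class _PrecheckedBoxFinder(HTMLParser):
    """Collects the names of checkbox inputs that carry the `checked` attribute."""
    def __init__(self) -> None:
        super().__init__()
        self.prechecked: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)                      # a bare `checked` attribute maps to None
        if (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.prechecked.append(a.get("name") or "<unnamed>")


def find_prechecked_boxes(form_html: str) -> List[str]:
    """Audit check: return names of checkboxes a visitor would find already ticked."""
    finder = _PrecheckedBoxFinder()
    finder.feed(form_html)
    return finder.prechecked


# Constructed sample form; the newsletter box is (wrongly) pre-ticked.
SAMPLE_FORM = """
<form action="/contact" method="post">
  <input type="text" name="name">
  <input type="email" name="email">
  <input type="checkbox" name="newsletter_opt_in" checked> Send me the newsletter
  <input type="checkbox" name="privacy_ack"> I have read the privacy policy
</form>
"""
```

Run `find_prechecked_boxes(SAMPLE_FORM)` against the markup of each public form and treat any name it returns as an audit finding. The store keeps withdrawn consents with a `withdrawn_at` timestamp instead of deleting them, because an auditor will ask you to show when consent existed and when it ended; erasure, by contrast, removes the record outright, which is what the right to erasure requires.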
3. GDPR-compliant plugins.
A GDPR audit should show what data are collected by the plugins running on your website. You may be unpleasantly surprised to discover that some of your third-party plugins do not meet the requirements of GDPR.
On the other hand, you’ll be relieved to learn that many plugins have added GDPR features. The WP GDPR Compliance plugin for WordPress, for instance, adds a consent checkbox to the forms generated by several other plugins; ticking the box records the user’s consent to the handling of his or her personal data for a defined purpose. At present it supports Contact Form 7, WooCommerce, and Gravity Forms, with other popular plugins on its roadmap. Keep in mind that a checkbox is only one piece of compliance: it does not change what the form’s plugin stores or where it sends the data, and every plugin you add is more code that must be kept up to date.
You can get the WP GDPR Compliance plugin from the WordPress plugin directory.
Another plugin with GDPR-related features is Ninja Forms, also available from the WordPress plugin directory.
4. Data breaches must be reported.
A GDPR audit should establish whether you could detect a break-in at all: whether access and change logs exist, are retained, and are actually reviewed, and whether there is a written breach-response procedure that names who does what.
Checking this matters because GDPR allows very little time: you must notify the supervisory authority within 72 hours of becoming aware of a personal-data breach, and where the breach poses a high risk to the people affected you must also notify them without undue delay.
5. Users are entitled to receive correct information from you.
Your GDPR audit will tell you whether the information you give users about your data practices is accurate, complete, and up to date.
This is key because GDPR obliges you to let users readily know who you are, who your data protection officer is (if you have one), and how to contact you and your data protection officer or your organization. GDPR also compels you to state clearly in your privacy policy whether any of the information you collect will be shared with third parties. GDPR also requires you to specify how long you store user data.
To be honest, you need to be aware of far more than just these five areas if you want the fullest possible picture from your GDPR audit. You have to dig deep to know what you’re doing right and what you’re doing wrong with regard to compliance.
If that seems like a task you’d rather not undertake on your own, don’t sweat it. Remember, Valet can put you in touch with the right resources for exactly this kind of project. Just give us a shout at hello@valet.io.