
GDPR compliance checklist - gcatalfamo
https://gdprchecklist.io/
======
zapita
This is very useful, thank you.

One request I have (to anyone out there who is listening) is a checklist
focused on common small business tools and workflows.

For example, if I use Google Analytics on my website, or I advertise on
Facebook and use the Facebook tracking on my website, do I need to do anything
to be compliant? Same question for Mailchimp mailing lists, Square payments,
Shopify e-commerce, etc. I get these questions from friends and clients
all the time, and I struggle to give them a clear answer. I'm sure specialized
consultants could, but small businesses often can't afford those.

Most of the resources I see are either aimed at larger companies, or tech
startups. But the people most badly in need of guidance are neither.

~~~
lucideer
> _if I use Google Analytics on my website, or I advertise on Facebook and use
> the Facebook tracking on my website, do I need to do anything to be
> compliant_

If you use these you can do two things:

1. avoid sending GA events with user data in them (e.g. user ID).

2. ensure your site doesn't have pages containing personal data in the URL
path

Squarespace, Shopify, MailChimp, as hosts, _should_ be providing their own
customers with guidance for each case.

Unfortunately, as far as I've seen from Google, the guidance they're providing
on GA seems to basically amount to "if you use our service, it's your
responsibility to audit what you send to us", and not much else. Which is...
disappointing but unsurprising.
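
A concrete version of the two steps above, as an added example that is not from the linked checklist or from the commenter: a small client-side guard in plain JavaScript (it also runs under Node) that redacts assumed-sensitive query parameters and e-mail addresses from page URLs and event parameters before they reach whatever analytics sender the site uses, plus an audit helper that flags sitemap URLs carrying personal data. The parameter-name lists, the `sendToAnalytics` callback and the sample inputs are assumptions constructed for this example, not anything Google or the checklist prescribes.

```javascript
// Added example (not code from the checklist or any commenter). Redacts
// personal data from analytics payloads and page URLs before they leave the
// browser. The key lists below are assumptions for one site, not a standard.

// Query-string keys assumed to carry personal data on this site.
const SENSITIVE_PARAMS = new Set(["email", "user_id", "uid", "name", "phone"]);

// Event-parameter keys that must never be sent as-is (assumed list).
const SENSITIVE_EVENT_KEYS = new Set(["user_id", "email", "name", "phone", "ip"]);

// E-mail addresses embedded in a path or a string value.
const EMAIL_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;

const REDACTED = "REDACTED";
const PLACEHOLDER_ORIGIN = "https://placeholder.invalid"; // base for relative URLs

// decodeURIComponent that tolerates malformed percent-escapes.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Redact sensitive query parameters and e-mail addresses in the path of a URL.
// Absolute URLs come back absolute; relative ones come back as path+query.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl, PLACEHOLDER_ORIGIN);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, REDACTED);
    }
  }
  url.pathname = safeDecode(url.pathname).replace(EMAIL_RE, REDACTED);
  return url.origin === PLACEHOLDER_ORIGIN ? url.pathname + url.search : url.toString();
}

// Audit check for point 2 above: does this URL's path or query carry personal data?
function urlHasPersonalData(rawUrl) {
  const url = new URL(rawUrl, PLACEHOLDER_ORIGIN);
  const hasSensitiveParam = [...url.searchParams.keys()]
    .some((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
  // String.prototype.search ignores the regex's global lastIndex, so it is safe here.
  return hasSensitiveParam || safeDecode(url.pathname).search(EMAIL_RE) !== -1;
}

// Copy of an event's parameters with sensitive keys dropped and e-mail
// addresses in the remaining string values redacted (point 1 above).
function scrubEventParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (SENSITIVE_EVENT_KEYS.has(key.toLowerCase())) continue;
    clean[key] = typeof value === "string" ? value.replace(EMAIL_RE, REDACTED) : value;
  }
  return clean;
}

// Wrap the site's analytics sender (hypothetical `sendToAnalytics(name, params)`)
// so every event passes through both scrubbers. Returns the payload actually sent.
function guardedSend(sendToAnalytics, eventName, params) {
  const clean = scrubEventParams(params);
  if (typeof clean.page_location === "string") {
    clean.page_location = scrubUrl(clean.page_location);
  }
  sendToAnalytics(eventName, clean);
  return clean;
}

// Constructed sample inputs, run only when this file is executed directly.
if (typeof require !== "undefined" && require.main === module) {
  const sent = [];
  guardedSend((name, params) => sent.push({ name, params }), "sign_up", {
    user_id: "u-12345",                      // dropped entirely
    page_location: "https://shop.example/signup?email=joe%40example.com&plan=pro",
    page_title: "Welcome joe@example.com",   // e-mail redacted
    value: 0,
  });
  console.log(JSON.stringify(sent, null, 2));
  const sitemap = ["/products?id=42", "/users/joe%40example.com/orders"];
  console.log("URLs with personal data:", sitemap.filter(urlHasPersonalData));
}
```

Running `urlHasPersonalData` over a sitemap or server log is the cheap check for point 2; `guardedSend` is the place to hang point 1, since it is the one choke point through which every event must pass before the analytics library sees it.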

------
advisedwang
UI feedback: The "Select your organisation's role" widget is confusing. The
phrasing suggests you click on the role you have, but then that gets
unhighlighted, suggesting I just removed it from the set of roles my
organization has.

~~~
BLanen
Should just be a checkbox, yea.

------
donogh
Really nice idea. What immediately jumps out is there are checkboxes for tasks
that don't apply to everyone. For example, most companies won't need a Data
Protection Officer (DPO).

Still, the world needs more clarity on GDPR, and this helps.

~~~
therealmarv
Yes, from my point of view the checklist is wrong there!

~~~
simonswords82
I agree, and not only that, our solicitors advised us that by appointing a DPO
when it's not needed we assume the responsibilities of companies who do need a
DPO.

In other words, if you don't need a DPO you definitely shouldn't just appoint
somebody because that feels like the right thing to do.

------
sbov
> you should assign a representative in one of the member states for your
> business. This person should handle all issues related to processing.

Am I reading this wrong? It seems like if every country adopted laws like
this, you would need to have ~200 different representatives across the
globe to have any kind of online business.

~~~
brianbreslin
Would this mean hiring local companies to rep you like registered agents?
Sounds super prohibitive to small businesses. Also seems if true to be a
decent business opportunity.

~~~
Arnt
No.

It's like handling mail to abuse@<domain>. You sort of have to do it, but
no one forces you to have different employees handle mail to abuse@<each
domain>, or to have people in different countries do it. The people who force
you to handle abuse@<domain> may or may not have the power to make you do it,
which is another similar aspect.

What you can _not_ do is answer the phone and say "uh, I'm not sure who's in
charge of that... let me put you on hold..."

------
pasharayan
A Question: is there a way to block your website from being rendered in
Europe, if you aren't sure if you comply with GDPR?

~~~
jotaen
The decisive factor for GDPR is whether you offer your service in the EU, not
where users are (technically) accessing your service from. Think of an EU
resident using a US VPN, thus having a US IP address.

~~~
graeme
What about a company which offers a worldwide service, but whose market is
99.99% outside Europe?

I run a site targeted at North Americans. However, each year I usually get 1-2
sales within Europe (mostly UK), and a very small number of visitors from EU
countries.

~~~
jotaen
If you are processing data of EU residents that you are offering business to,
then they can hold you accountable for GDPR violations. This also applies to
the UK, as the UK is (still) part of the European Union.

~~~
graeme
I see. I'm assuming "processing" includes stuff like including it in Google
Analytics reports or having a database of EU users who signed up for a free
account.

EU is basically inconsequential revenue for me. What would be the minimum
required?

1. Shut off sales to EU, or 2. Shut off free account creation and/or email
list signup to EU + shut off Google Analytics for EU, or 3. Block all EU IPs

It's not worth figuring out how to comply. I make less than $500 from the EU
each year.

"Ignore it" doesn't seem like a good move as the fine is very large.

~~~
jotaen
It’s hard to give general advice without knowing your specific situation.
Ignoring GDPR has serious risks, though, as you already said.

In my company (Germany) we work together with an external data protection
officer, who was of great help for us dealing with the GDPR requirements. So
maybe you find it worth talking to one, just to get a better understanding of
the matter.

~~~
graeme
I'm Canadian. It sounds like the GDPR affects business globally though.

------
lucideer
This is really nice.

Two notable points:

1. It is relatively short and well-categorised. I've seen scare-mongering
blog posts exhaustively listing all the worst-case edge cases you could
possibly have to consider, whereas this is a common-sense high-level overview.

2. There are links to relevant articles on each point to provide quick
clarity. For example: "Your company has appointed a Data Protection Officer
(DPO)" links to Article 37 which clarifies that this requirement is only for
"public authority or body"; "regular and systematic monitoring of data
subjects on a large scale"; or "processing on a large scale of special
categories". Other similar clarifications for the other points are helpful
too.

------
clay_the_ripper
If I got a potential customer that was in the EU, I would simply not do
business with them to avoid anything to do with GDPR. As a small business
owner, I don’t have the resources or time to devote looking into anything
related to GDPR. I guess GDPR is mostly targeted at larger companies? Anyone
else feel this way?

------
microcolonel
Can you be exempted or protected from the GDPR by asking your users to
explicitly certify that your service is not being rendered in the EU? The EU
is annoying, skittish, and expensive to do business with, so for some
businesses I can imagine it's just not worth the hassle.

If in the future you want to expand to the EU, and can afford it, it would be
nice not to already have a bad relationship with their regulators.

------
mirko22
What's the point of a checklist that says things like: (it's a GDPR issue, not
the checklist's)

"When providing services to children, the privacy policy should be easy enough
for them to understand."

How do you explain to a 7-year-old how you handle data in MySQL (which is
mentioned in another point), or how do you do it for a 13-year-old? Actually,
how do you do it for a 33-year-old?

I'd love to see examples of this.

~~~
freeone3000
"We keep your email and its password so we can tell who you are when you visit
again. We also keep your email in case we need to contact you, in case people
see your information who are not supposed to."

------
oblio
Glad something like this turned up.

A productive approach to a real problem people have.

