GDPR Implementation Checklist 2018 – US Websites

General Data Protection Regulation (GDPR)

Even though it is a European Union law, it will affect anyone who deals with organizations or individuals from the EU.

Specifically, the regulation changes how European citizens’ personal information is collected and processed.

  • The main point of the regulations is that consumer consent to share their data is “freely given, specific, informed, and unambiguous.” Then, there must be transparency about how that data is used. If they decide they want their data to cease being used or processed, companies must make it easy to do so.

Here, we will explain what the GDPR means for you and your business.

Then, we will tell you exactly what you need to do to make sure your business complies.



What is the General Data Protection Regulation (GDPR)?

  • The European Union passed a law protecting the personal data of EU citizens.
  • This law regulates how EU citizens’ personal data is collected, processed, and used.
  • The goal is to simplify privacy regulations within the EU.
  • There are stiff penalties for failures to comply with the new regulations.
  • The GDPR was passed in April of 2016. There has been a two-year preparation period for businesses affected.
  • It goes into effect on May 25, 2018.


Who does the GDPR apply to?


Anyone who deals with the personal data or behavioral information of EU citizens.

This information includes:



  • Names


    • Personal Addresses
    • Email Addresses
    • Photos
    • Bank Details
    • Social Network Posts
    • Medical Information

“Personal Data” is often called Personally Identifiable Information (PII) in the United States.

Most likely to be affected:

    • Public Authorities
    • Monitoring Organizations
    • Data Processing Companies
    • Travel Companies
    • E-commerce Businesses
    • Software Services
    • Hospitality Industry

A financial transaction does not have to occur for GDPR regulations to apply.

Generic marketing isn’t covered by the new law, unless the marketing collects personal data as part of a marketing survey. That is, if you collect the email addresses, names, mailing addresses, or any other personal data of any European citizen at any point, the new regulations apply to that data.


How can I make sure my business complies?

Obtaining Consent

  • Ask for consent before data collection.
  • The language used in the request for consent must be simple, clear, and easily understandable.


  • No confusing words or phrasing.
  • Consent to share data must be explicit.
  • Consent cannot be given because of silence, not checking a box, or inaction.
  • It must be as easy to withdraw consent to get it.

Data Breaches:


  • A major change comes in the breach notification rules.
  • It requires companies to notify individuals about data breaches within 72 hours.


  • EU regulators must be notified of any exposure involving email addresses, personal data with sensitive information (data related to medical, financial, or children).
  • Breeches of high-risk data—credit card numbers, passwords—requires that the individual data owner is notified directly.
  • Breeches can result in penalties of up to 4% of global revenue.


Next Steps:

  • Update any forms to fit the new rules.
  • Adjust any interactions that require consumer consent.
  • Figure out exactly what personal data is being stored and used throughout your data systems and make sure it conforms to the new regulations. The law applies to data controllers and processors—which includes cloud information.
  • Current data security standards like PCI DSS, ISO 27001, NIST, etc., already comply to the new rules for data protection.


Overview of Regulations

New Rights Protections:

  • If there is a breach of information, you must notify the customer within 72 hours of becoming aware of the breach.
  • Data subjects have a right to know if their data is being used, when, where, and for what purpose.
  • Data erasure or the “right to be forgotten” gives data subjects their right have their data deleted and to stop it from being used or processed.
  • Data portability gives data subjects the right to transfer their data from one controller to another.  

Key Changes:

  • Covers more territory
  • Applies to businesses who process European data whether they are in Europe or not
  • Increased penalties

If you need help implementing GDPR, feel free to reach out or comment below!