GDPR Compliance Checklist

Protect your users' data and ensure GDPR compliance with this checklist. If you need help implementing these measures, let us know.

May 28, 2018

New User Rights

Description

Users can ask the company to delete all of their personal data if at least one of the following is true:

  1. Personal data is no longer needed for the stated purposes of processing;
  2. A person has withdrawn their consent and there is no other basis for the processing;
  3. Personal data has been acquired/processed illegally.


Tech. Solution

Manual removal of user data from private storage after receiving a request from a user (for example, by mail).

Description

Users can object to the use of their personal data for direct marketing purposes, including profiling.
The company must clearly inform the user about this right at the first contact and stop processing this user's data after receiving an objection.


Tech. Solution

A "Restrict private data usage" checkbox should be added to the user profile.

Description

  1. If their stored personal data is wrong, the user has the right to request its correction.
  2. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Tech. Solution

Manual editing of data in private storage after receiving a request from a user (for example, by mail).

Description

Users have a right to know what information is stored.


Tech. Solution

This information should be presented to users before they register in the system.

Description

A user can ask to receive their personal data in a convenient format and request the transfer of their data to another company (if technically feasible).


Tech. Solution

Implement the following:

  • Automatic report generation to present private data in a convenient form;
  • Manual removal of user data in private storage.

Reasonable level of protection of personal data

Description

TFA (two-factor authentication) protects from online fraud and identity theft.


Tech. Solution

Integrate with Google Authenticator (available for iOS and Android) or a similar service.

Description

If an attacker tries automated login/password guessing, these measures can stop them.


Tech. Solution

  1. Use Google Authenticator, which changes the access code every few seconds.
  2. Block the account for several minutes after three failed login attempts.
  3. Ask users to pass a CAPTCHA test after a certain number of failed logins.

Brute Force Attack
Blocking Brute Force Attacks
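Items 2 and 3 of the list above, as an added example that is not part of the original checklist: a login routine that locks the account for an assumed five minutes after three failures and demands a CAPTCHA one failure before that. The user table is constructed for the example, and the counters are kept in process memory; a real service would keep them in a shared store.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_AFTER_FAILURES = 3     # from the checklist
LOCKOUT_SECONDS = 5 * 60       # assumption for "several minutes"
CAPTCHA_AFTER_FAILURES = 2     # assumption: require a CAPTCHA one failure before the lockout


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table: username -> (salt, PBKDF2 hash). Plain passwords are never stored.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

_state = {}   # per-account throttling state; in-memory only for this example


def _acct(user):
    return _state.setdefault(user, {"failures": 0, "locked_until": 0.0, "captcha": False})


def login(user, password, captcha_passed=False, now=None):
    """Return 'ok', 'denied', 'captcha_required' or 'locked'."""
    now = time.time() if now is None else now
    acct = _acct(user)
    if now < acct["locked_until"]:
        return "locked"                      # still inside the lockout window
    if acct["captcha"] and not captcha_passed:
        return "captcha_required"            # no password check until the CAPTCHA is solved
    record = USERS.get(user)
    # Always hash, and compare in constant time, so timing does not reveal whether the user exists.
    salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
    computed = _hash(password, salt)
    if record and hmac.compare_digest(computed, expected):
        _state.pop(user, None)               # success clears the counters
        return "ok"
    acct["failures"] += 1
    if acct["failures"] >= CAPTCHA_AFTER_FAILURES:
        acct["captcha"] = True
    if acct["failures"] >= LOCKOUT_AFTER_FAILURES:
        acct["locked_until"] = now + LOCKOUT_SECONDS
        acct["failures"] = 0                 # the next lockout needs three fresh failures
    return "denied"
```

Account lockout can be turned against legitimate users by someone who deliberately fails their login, so pair it with per-IP throttling and alerting rather than relying on it alone.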

Description

This feature helps prevent unauthorized access to and modification of data.

Description

Separating the portals helps protect the information and allows securing the admin section without hampering users.

Description

Common CMSs have common vulnerabilities. This feature adds another layer of protection against them.

Tech. Solution

HTTP Authentication

Description

SSL certificates protect the information in transit between the app server and the database, or between the user and your service.

Tech. Solution

SSL Certificate

Description

New servers are shipped with all the ports open. Close the unneeded ones so they can't be used for intrusion.

Description

Allowing access from only one IP address prevents unauthorised access and helps locate a data breach. Cloud firewalls can help with that.

Tech. Solution

Cloud Firewalls

Description

Encryption helps protect the information while it is in transfer.

Description

VPN adds another layer of security to the data on the server.

Description

Logs make it possible to find out which data was modified.

Description

Set up triggers and notifications to detect intrusion quickly.

Tech. Solution

Inotify

Description

Back up the information in the DB and store it on an external cloud service. In the event of a data breach, it will help to minimize losses.

Tech. Solution

Block Storage

Description

All the server logs should be kept and stored externally. It helps locate inconsistencies in case of hacker attacks.

Tech. Solution

Block Storage

Privacy by Design

Description

Pseudonymization means storing information which can identify a person (e.g. social security number) and the related data (gender, age, location etc.) separately.


Tech. Solution

  • The system shouldn't collect data that allows matching a user profile with a real person without the user's consent;
  • Private data should be stored on a separate server with an encrypted database;
  • Application APIs should be covered by automated tests to prevent personal data leaks.
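The pseudonymization described above, as an added example that is not part of the original checklist: directly identifying data lives in a vault (the separate server), the application keeps only a pseudonym plus the related attributes, and the pseudonym is a keyed hash whose key never leaves the vault. The class names, the list of identifying fields and the use of HMAC for the pseudonym are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person and therefore must never reach the profile store.
IDENTIFYING_FIELDS = {"name", "ssn", "email", "phone"}


class IdentityVault:
    """Directly identifying data plus the pseudonymization key; lives on the separate server."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves this server
        self._people = {}                     # pseudonym -> identifying record

    def pseudonym_for(self, ssn):
        # Keyed hash: the same person always maps to the same pseudonym, but without
        # the key the pseudonym cannot be linked back to the SSN (a plain hash could be).
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()[:24]

    def register(self, name, ssn, email):
        pseudonym = self.pseudonym_for(ssn)
        self._people[pseudonym] = {"name": name, "ssn": ssn, "email": email}
        return pseudonym

    def reidentify(self, pseudonym):
        return self._people.get(pseudonym)

    def erase(self, pseudonym):
        # Right to erasure: dropping the vault record leaves the profile data anonymous.
        return self._people.pop(pseudonym, None) is not None


class ProfileStore:
    """Application-side store: pseudonym plus the related, non-identifying attributes only."""

    def __init__(self):
        self._rows = {}

    def upsert(self, pseudonym, **attributes):
        # The guard an automated API test would exercise: identifying fields are refused here.
        leaked = IDENTIFYING_FIELDS & set(attributes)
        if leaked:
            raise ValueError("identifying fields not allowed here: %s" % sorted(leaked))
        self._rows[pseudonym] = attributes

    def count_by(self, **criteria):
        # Statistics work on pseudonymous rows alone; no identity is needed.
        return sum(all(row.get(k) == v for k, v in criteria.items()) for row in self._rows.values())
```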

Description

The default privacy options in the app should be set to maximum protection when a user first registers/installs the app.


Tech. Solution

  • "Restrict private data usage" checkbox should be selected by default
  • Solution should pass "Data Protection Impact Assessments" (DPIA)

Six Stages of DPIA

Description

Encryption adds an extra layer of security the hacker must defeat before they can access the information.


Tech. Solution

There are three options:

  1. Custom GDPR-compliant server with a centralized DB;
  2. Third-party GDPR-compliant server with a centralized DB;
  3. Custom blockchain-based GDPR-compliant server.

Data Encryption
Third Party Server

Data Minimization

Description

Store only the data that is necessary and delete it when it is no longer needed.


Solution

There are three main types of collected information:

  1. The necessary minimum data to do business (e.g. an online shop needs only the name and address of a person to deliver their goods);
  2. Extra data (sex, age, marital status) that isn't directly involved in the company's service requires extra consent or a justification in the public offer of your business;
  3. Sensitive personal data, which is often used for profiling (sexual orientation, political and religious views, race, ethnicity etc.), requires a separate expression of consent.

Consent

Description

  1. No expression of consent is needed if you ask for information that is absolutely necessary to do your part of the agreement (e.g. full name and address for an online shop).
  2. If you want to use the client's data for extra purposes (behavior analysis, advertising etc.), you have to ask for consent.


Tech. Solution

The text of the consent request must be clear and unambiguous. An "I agree" tickbox is enough, but the user must take an action to clearly express their will.

Description

The user must take an action to confirm consent to the processing of their personal information (e.g. click "I agree" on the form). Withdrawing consent should be just as easy.


Tech. Solution

Include the consent withdrawal option in the user's profile.

Data Protection Officer

Description

Appoint a dedicated person who will be responsible for protecting private information.


Solution

Data Protection Officer

Document everything

Description

Make note of all the measures and procedures for protecting private information to present to the authorities.


Solution

Documents for GDPR

Inform the users affected by the breach "without undue delay"

Tech. Solution

Prepare a mass mailing plan for this contingency.
