First of all, you should know which data from your customers and website visitors you actually need and store (“process”), and in what form.
The GDPR does not generally prohibit the processing of personal data; it regulates it in the interest of the people the data belongs to. Every processing operation must be justified by a legal basis (Art. 6), and under the principle of data minimisation (Art. 5) you may only collect data that is actually necessary for the intended purpose. In the case of an online store this may be the postal address or, where age verification is required, the date of birth. The customer’s religion, however, plays no role in the purchase of a bottle of wine; it is also a special category of data (Art. 9) to which stricter rules apply. Requesting or storing this information would therefore be considered unjustified within the context of the GDPR.
As soon as you have an overview of the data you process, and how, you must document it (Art. 30, “Records of Processing Activities”). You must be able to present these records in the event of an audit. Companies with fewer than 250 employees are exempt from this requirement, but only if the processing is occasional, is unlikely to result in a risk to the rights of the data subjects, and does not involve special categories of data (Art. 30(5)).
Furthermore, every data subject has a right of access (Art. 15): on request you must tell them which of their personal data you process, for what purposes, and to whom it has been disclosed.
Should several people have access to the data (e.g. webmaster, employees, external partners), you must also document, and be able to prove, that each of these parties has a legitimate reason for working with the data. An external partner that processes data on your behalf must be bound by a data processing agreement (Art. 28).
Technical and organisational protective measures (malware protection, secure storage, protection against unauthorised access, etc.) must be appropriate to the risk involved and documented accordingly (Art. 32).
Stricter rules apply to newsletters. Whereas it used to be common to add an address to the list as soon as the sign-up form was submitted, the GDPR now requires you to be able to demonstrate that the recipient actually consented (Art. 7). The established way to prove this is a “double opt-in” process: the address is only activated after the recipient confirms the subscription via a link sent to that address, and the time and circumstances of both steps are recorded. If the recipient address and any other information were not obtained via this two-stage process, you may be in breach of the Regulation unless you obtain and document the consent after the fact.
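The following is an added example of the two-stage process described above, written for this page rather than taken from any newsletter software. It assumes an in-memory store, a 48-hour validity period for the confirmation link and a fixed identifier for the consent wording shown at sign-up; the token that goes into the confirmation mail is stored only as a hash, so a leaked database does not let anyone confirm on a subscriber’s behalf, and each successful confirmation produces the record (request time, confirmation time, both IP addresses, consent text version) you would present to show that consent was given.

```python
"""Double opt-in for a newsletter sign-up with a demonstrable consent record.

Added example, not code from the original page. Assumptions: an in-memory
store, a 48-hour token lifetime and a fixed consent-text version string.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 48 * 3600            # assumption: confirmation links expire after 48 hours
CONSENT_TEXT_VERSION = "newsletter-consent-v1"  # assumption: identifies the wording shown at sign-up


@dataclass
class ConsentRecord:
    """What you keep to prove that the subscriber consented (Art. 7)."""
    email: str
    requested_at: float            # when the sign-up form was submitted
    confirmed_at: float            # when the link in the confirmation mail was used
    request_ip: str
    confirm_ip: str
    consent_text_version: str


class NewsletterSignup:
    def __init__(self):
        # token digest -> (email, requested_at, request_ip); only the hash is stored
        self._pending = {}
        # email -> ConsentRecord; an address is only here after confirmation
        self.subscribers = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, email: str, ip: str, now=None) -> str:
        """Stage 1: the form was submitted. Returns the token to put in the mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        self._pending[self._digest(token)] = (email.strip().lower(), now, ip)
        return token

    def confirm(self, token: str, ip: str, now=None):
        """Stage 2: the link was clicked. Returns the ConsentRecord, or None if the
        token is unknown, already used or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        email, requested_at, request_ip = entry
        if now - requested_at > TOKEN_TTL_SECONDS:
            return None                                        # expired: address is not added
        record = ConsentRecord(email, requested_at, now, request_ip, ip, CONSENT_TEXT_VERSION)
        self.subscribers[email] = record
        return record

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.subscribers


if __name__ == "__main__":
    signup = NewsletterSignup()
    # constructed sample input: one sign-up from a documentation-range address
    token = signup.request("Alice@Example.org", "198.51.100.7")
    print("mail the link containing:", token)
    print("confirmed:", signup.confirm(token, "198.51.100.9"))
```

The `now` parameter exists so that expiry can be exercised without waiting; in production you would leave it unset. Because the pending entry is removed on the first lookup, a link can be used only once, and an unconfirmed address never reaches the subscriber list, which is the property the two-stage process is meant to guarantee.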