GDPR checklist (for small communities/groups/forums)

billy

GDPR Checklist

for small communities, groups, and forums

Research & Planning
Review more in depth guidance from trusted sources and plan out what you will need to do. One way which is required if you collect risky data or have over 250 employees, but optional otherwise, is to complete this assessment. Although likely optional for a small community it can still help you to plan out what you might need to do next.
- Decide who will lead your GDPR efforts and handle requests from users
- Ensure your team (volunteers or employees) all understand how your community will comply
- Appoint a DPO (Data Protection Officer) or do not because this usually isn’t necessary for small communities
Create Privacy Policy
Your privacy policy must be very clear and transparent. When it is complete, place a link to it in an obvious location and as a best practice near things like forms. The link should simply read, “Privacy Policy,” because that’s very clear. You will find policy generators and templates by doing a quick search online. Make sure the privacy policy explains what data you collect, why, and be sure there is justification, or legitimate reasons for collecting that data. Be sure to include:
- Data collected
- The reason the data is collected
- How data is stored and secured
- Clarity around what is deleted when an account is deleted (account data such as email vs. posts)
- Include a link to your web host’s DPA (Data Processing Agreement), which regulates their responsibilities as a host, thus allowing you to have a GDPR compliant site, because they are compliant
- Information about cookies
- Third part information (if any)
- Children policies (minimum age to participate)
- Consent (“by signing up you agree” type language)
  - Ideally you need an unchecked check box on your sign up form (the user needs to check it, can not be pre-checked)
  - Keep a record of who gives consent (many blog and forum softwares offer plugins/extensions for this)
- DMCA (you will take down copyrighted content)
- CCPA (you won’t sell user data)
- GDPR requests (how the user can request their personal data, delete their account, request their data be transferred, or make any other requests about their data)
- Contact information
- How the user will be notified about policy changes
- Your additional privacy policy verbiage goes here
Create Terms of Service
This isn’t 100% GDPR related but it goes along with it. Plus, this is a checklist for small communities such as Internet forums where Terms are very necessary. So, this is your reminder to create this documentation as well. This is different from data privacy. It’s about the rules of your community such as, no profanity allowed.