Website Audit Checklists:

The Definitive Guide

by Ian Cleary

Data Protection & User Privacy Audit Checklist

The following chapter is about the Data Protection & User Privacy Audit Checklist, which is part of the full Website Audit Checklist definitive guide.

Data Protection Audit

The laws regarding data protection and user privacy are becoming more stringent.

…there’s a good reason for this. Too many companies have abused the user data they acquired.

And even though you’d never do such a thing, you need to take steps to ensure user data you collect, store and process is well protected.

What are the main data protection and user privacy laws?

There are many different regulations around the world.

You’ve probably heard of GDPR (General Data Protection Regulation) in Europe. This regulation ensures that companies that store and use personal data are using it as intended and with user consent.

In the US you have the CAN-SPAM Act – this should really be called the CANNOT SPAM Act!

No matter what country you are in, most of the issues below should be addressed by your organisation. Tighter restrictions will arrive on your doorstep, so you need to be ready.

Who is responsible for ensuring that there are adequate measures in place?

You need at least one person on your team who is responsible for users’ privacy and data protection.

This person will track the changes in international policy, implement relevant changes and audit your data privacy measures on a regular basis.

Do you have a strong privacy policy that is compliant with relevant regulations?

You’ll need to have a privacy policy in place which clearly outlines what personal data you are processing and storing and for what purposes.

There should be a link to your Privacy Policy on every page on your website. Most websites place the link in the footer and that’s where users expect to find it.

Your privacy policy should outline details such as:

  • How personal data is processed, stored, and secured
  • When data is removed
  • For what purposes your company stores user data
  • The process for getting a user’s personal data removed.

Are there terms and conditions that cover what is required?

The Terms and Conditions page is written for people doing business with you. It details your processes, procedures, and establishes the agreements between you and your customers.

For example, if you collect credit card information, that information may be passed to a third party for processing. If so, you need to make this clear.

We used to use Stripe (payment provider) for recurring transactions with customers and, of course, Stripe needed to keep a record of who they bill each month. This needs to be clear in the terms and conditions.

So, what should your terms and conditions address?

  • Your products and services
  • Payment terms
  • Limitation of liability (i.e. Liability disclaimer)
  • Copyright and trademarks
  • Termination of service
  • Notification of changes
  • Governing law

For email opt-ins, can users give permission to receive ongoing marketing emails?

Remember all the email lists you somehow ended up on without really knowing how?

You can’t just buy email lists and start emailing people.

They need to give you their permission.

Under GDPR they need to specifically check a box saying they want to receive marketing information from you.

Since you’re capturing personal data you need to get users’ consent to capture, store, and process their data.

Adding a simple checkbox below the form to get users to agree to your terms and privacy policy will make your form compliant.
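The checkbox only helps if the server side treats it strictly. The following is an added example, not code from the original guide, showing how a signup handler can validate an opt-in submission and keep an auditable consent record. The field names (`email`, `marketingConsent`, `termsAccepted`, `source`), the policy version label and the sample submissions are assumptions constructed for this example.

```javascript
// Added example, not from the original guide. Field names, the policy version
// label and the sample submissions below are assumptions constructed here.

const CURRENT_PRIVACY_POLICY_VERSION = "2024-01"; // assumed label, not a real version
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Only an explicit affirmative value counts as a ticked box. A missing field,
// "", "off" or undefined is NOT consent, and the server must never default the
// value to true on the user's behalf (a pre-ticked box is not consent either).
function isTicked(v) {
  return v === true || v === "on" || v === "true";
}

// Accept a parsed form body (e.g. from a POST handler) and return either
// { ok: true, record } or { ok: false, errors }.
function processOptIn(form, now = new Date()) {
  const errors = [];
  const email = String(form.email || "").trim().toLowerCase();

  if (!EMAIL_RE.test(email)) {
    errors.push("email: not a valid address");
  }
  // Marketing consent and acceptance of the terms are separate questions, so
  // they are separate boxes: one tick must not be read as agreement to both.
  if (!isTicked(form.marketingConsent)) {
    errors.push("marketingConsent: user must tick the marketing consent box");
  }
  if (!isTicked(form.termsAccepted)) {
    errors.push("termsAccepted: user must accept the terms and privacy policy");
  }
  if (errors.length) return { ok: false, errors };

  // Keep an auditable consent record: who agreed, to what, under which policy
  // version, when, and through which form. This is what you can show a user
  // who asks, or a regulator who asks on their behalf.
  const record = {
    email,
    marketingConsent: true,
    termsAccepted: true,
    policyVersion: CURRENT_PRIVACY_POLICY_VERSION,
    consentedAt: now.toISOString(),
    source: String(form.source || "website-signup-form"),
  };
  return { ok: true, record };
}

// Constructed sample submissions: one compliant, one with the marketing box
// left unticked (the browser simply omits an unticked checkbox from the POST).
const sampleSubmissions = [
  { email: "Alice@Example.com", marketingConsent: "on", termsAccepted: "on" },
  { email: "bob@example.com", termsAccepted: "on" },
];
for (const s of sampleSubmissions) {
  console.log(JSON.stringify(processOptIn(s)));
}
```

Note that a browser omits an unticked checkbox from the request entirely, which is why the check is "is the value explicitly affirmative" rather than "is the value not false".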

Is sensitive data encrypted?

To keep the personal data of your website users safe, the GDPR requires you to use encryption or pseudonymization whenever possible.

Can users access a copy of the collected data?

Under GDPR, users can make a Subject Access Request (SAR) to exercise their right to access the personal data collected and stored through your website. Make sure that your privacy policy clearly explains how a user can submit a SAR.

Is there a cookie consent banner?

A large majority of websites today use cookies. For example, if your website has Google Analytics or social media pixels installed, then you’re using cookies.

Cookies are used to recognize a user’s device and store information about their preferences or past actions.

This means that you need to notify website visitors about the data you’re collecting through cookies and explain why you’re collecting it so they can give you their consent (or not).

A cookie banner is typically a good way to get users to read and consent to your cookie policy.

Has an information audit been conducted?

The information audit is about reviewing the information you store about individuals and companies and evaluating the following:

a). Do you have the permission to store this data?

b). Are you storing the data longer than you should be?

c). Do you need to conduct outreach to allow you to keep this information?

Is there a process in place in case of a breach?

GDPR is very clear about the practices you need to implement to keep data secure in case of a breach. First and foremost, you need to notify the ICO (the UK supervisory authority) within 72 hours of discovering that there has been a breach.

In addition, you’re required to keep a record of the data breach.

Before something like this happens, check with your hosting provider whether they have tools and processes in place to detect malicious activity and hacking attempts that could compromise the personal information you collect through your website.

This will give you some peace of mind that there are processes in place to prevent, or at least prepare for, a potential breach.