GDPR Checklist – What You Need For GDPR Compliance
May 30, 2018 by Paul Ceppaglia
What is GDPR compliance, and how does it affect you? This article will not only answer these questions, but also provide a quick 5-point GDPR checklist.
So, what’s the deal with these updates? Why are these companies all updating their privacy policies at the same time? Should you open those emails, or can you just file them directly into the trash?
More importantly, if you run your own website or have your own email list, do you need to hop on this privacy update bandwagon?
Let’s have a look at the reason behind those emails…the General Data Protection Regulation, or GDPR.
What is GDPR?
In January 2012, the European Commission laid out plans for data protection across the entire European Union (EU). This proposal, known as the General Data Protection Regulation (or GDPR for short), aims to protect the data and privacy of all individuals within the EU.
Put simply, the GDPR is a set of rules created to give EU citizens more control over their personal data, while simultaneously simplifying the regulations for business.
With GDPR, organizations must ensure that personal data is gathered legally and under strict conditions. In addition, those who collect and manage that data will have an obligation to both protect the data from misuse, and respect the rights of data owners.
In 2016, the EU Parliament approved the GDPR, with enforcement scheduled to commence on May 25, 2018.
How Does GDPR Define “Personal Data”?
Prior to GDPR implementation, under the EU Directive on Data Protection, personal data was broadly defined as “Any information relating to a living, identified or identifiable natural person,” including:
- Identifiable information such as numbers
- Factors specific to a person’s physical, physiological, mental, economic, cultural or social identity
Under the new GDPR guidelines, what is considered “personal data” has been expanded and more clearly defined. The GDPR still retains a broad definition of personal data as “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.”
Boxcryptor provides a list of things that could be interpreted as personal data:
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance and behavior, including eye color, weight and character traits.
- Workplace data and information about education, including salary, tax information and student numbers.
- Private and subjective data, including religion, political opinions and geo-tracking data.
- Health, sickness and genetics, including medical history, genetic data and information about sick leave.
- Location data, including any data indicating the geographical position of a user. This could mean:
  - The latitude, longitude, or altitude of the user
  - The direction of travel of the user
  - The time the location data was collected
- Data generated by the use of mobile apps
Who is Affected by GDPR?
GDPR will be applied to any organization that operates within the EU, and to any organization residing outside of the EU that offers products or services to customers within the EU. In reality, this means that GDPR will affect many corporations worldwide, including any websites receiving visitors from the EU.
Why is GDPR Compliance Important?
To state the obvious, many aspects of our daily lives revolve around data. Banks, retailers, government, social media…nearly every service we use and online interaction we have either collects or analyzes some form of our personal data. Our names, addresses, credit card numbers, and more are collected, analyzed, and sometimes stored by various organizations.
Serious data breaches have been occurring with increased frequency, which is quite concerning. GDPR compliance will be enforced in an attempt to reduce such data breaches, as well as hold responsible parties accountable if and when such a breach should occur.
Andrus Ansip, vice-president for the Digital Single Market, was quoted as saying “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.”
Under the terms of GDPR, organizations will need to ensure that personal data is gathered legally and under strict conditions. In addition, those who collect and manage this data will be required to protect it from misuse, and to respect the rights of data owners. Failure to do so will result in stiff penalties.
Prepare For GDPR Compliance
To the unprepared, this can all seem very overwhelming. To be honest, a comprehensive guide to GDPR compliance is beyond the scope of a single article. There are so many variables (based upon an individual organization’s structure and products and services) that there is no one-size-fits-all GDPR compliance solution.
That being said, there are some basic guidelines that can point you in the direction of compliance. We’ve created a 5-point checklist that you can use as a starting point for your own GDPR compliance journey.
The GDPR Checklist
Designate a GDPR Team or Lead Contact – Preferably within your Marketing Department. This person (or team) should review your data handling procedures, including:
- Reviewing Current Mailing Lists
- Documenting Current Data Collection Funnels
- Reporting on status of GDPR compliance
Actions To Take When Collecting Personal Data From Users (e.g. Web Forms) – Some things to include:
- Clear consent wording
- Cookie consent
- Age verification process (if applicable)
Managing Existing Contacts in a Database – If you have a current customer database (leads, email subscribers, etc.) be sure to:
- Send a double opt-in re-verification email
- Allow users to manage their own preferences
Prepare a Data Breach Strategy – In the event that you experience a data breach, GDPR regulations require that the organization notifies users of the breach in no more than 72 hours after the breach is discovered. We recommend you take a proactive approach and create an action plan BEFORE disaster strikes.
While this checklist is by no means comprehensive, it should give you a good starting point for getting your organization into GDPR compliance.
Disclaimer: This blog post is intended to give an overview of this complex topic. It is not intended to give detailed, professional-level consultative guidance that would be applicable to your specific situation. You should retain the (paid) services of a trained professional before implementing changes to your website, business or policies, in order to comply with the GDPR standards.