7 Steps for GDPR Compliance

General Data Protection Regulation, or GDPR, is a new EU law that takes effect on May 25th, 2018 and aims to protect the personal data of individuals in the EU in an increasingly data-driven world. It replaces the EU's 1995 Data Protection Directive, which was written when the internet was still a recent invention and did not anticipate technologies that have developed since, including cookieless tracking, big data analytics, and mobile device tracking. Data privacy and protection have risen in public consciousness in recent years thanks to large data breaches tied to companies like Equifax, Target, and JP Morgan Chase, as well as to questionable use of private data such as the recent Facebook and Cambridge Analytica scandal. These incidents underline the need to update the rules governing how companies store and use personal data.

Personal data means any information relating to an identified or identifiable natural person. This includes obvious identifiers such as a name, identification number, IP address or other online identifier, physical address, or email address, but also any data that can be tied to an individual through factors specific to their physical, genetic, economic, cultural, or social identity. Pseudonymized data still counts as personal data if the individual can be re-identified, for example by combining it with other data you hold.

GDPR also reaches businesses outside the EU: it applies to any organization, wherever it is located, that offers goods or services to people in the EU or monitors their behavior, for example by tracking visitors to its website (Article 3). Failure to comply can result in fines of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.

This article includes 7 actions we recommend all our clients take before GDPR goes into effect. If your company stores personal data of people in the EU or UK, or is considering doing so in the future, complete the following steps by May 25th so that your company is compliant when the law takes effect. Note that it is a person's location in the EU that matters, not their citizenship.

Step 1: Conduct an Inventory of Your Company’s Data Processing of Contacts in the EU and UK

  • What is your lawful basis for processing each category of personal data? Consent is only one of the six lawful bases in Article 6 (others include performance of a contract and legitimate interests), but it is the one most marketing activities rely on. If you rely on consent and cannot show that a contact gave it, you'll need a communication plan to request consent from those contacts, or you'll need to stop processing their data.
  • If you do not work with contacts in the EU or UK and do not foresee doing so in the future, GDPR compliance is not something you need to worry about presently (but see the note on website cookies in Step 5: tracking tags on a public website can bring you into scope even without EU customers). There are also benefits to complying with GDPR even if you do not store data of EU contacts. Given consumers' heightened anxiety about how companies use their personal data, U.S. companies that adopt GDPR-compliant practices they are not required by law to adopt can arguably gain a competitive advantage by positioning themselves as companies that a) are transparent about their use of customers' personal data and b) adhere to a standard of data use not yet broadly adopted in the U.S.
  • Fully understanding the contents of your company's data inventory ensures you aren't overlooking any personal data that could put you at risk for fines. Remember to inventory data held for you by service providers (CRM, email platform, analytics vendor), not only the systems you host yourself.

Step 2: Organize Your Data

  • If your company is ever investigated by a supervisory authority (the GDPR regulators), you will need to demonstrate that you know exactly what personal data your company stores, why you hold it, and for how long. The accountability principle (Article 5(2)) puts the burden of proof on you, and Article 30 requires many organizations to keep a written record of their processing activities.
  • Create a process that allows you to easily supply an individual's personal data if he or she asks for it (the right of access, Article 15). If a contact requests all personal data you have stored on them, you need to be able to retrieve it from every system that holds it, within one month, and in a commonly used electronic format.
  • Get rid of any personal data you're storing unnecessarily. GDPR's data minimization and storage limitation principles require that you keep only what you need, for only as long as you need it.

Step 3: Update Your Privacy Policy

  • Your privacy policy should explain clearly (no legalese) what personal data you collect from your contacts, how and why you collect it, what lawful basis you rely on, how long you keep it, with whom you share it, and how individuals can exercise their rights. GDPR requires this information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12).
  • If you have questions on how to make your privacy policy GDPR-compliant, contact a lawyer and ensure he or she deems your updated privacy policy up to par.

Step 4: Put a Process in Place So If Someone Asks You to Delete Their Data, You Can

  • Data may be stored in hard copies, in email contacts, in spreadsheets, in backups, and in other places in addition to a centralized CRM. Having a process in place ensures that you wipe data from all possible storage sources, and the inventory from Step 1 is what tells you where to look.
  • If you receive a request to delete an individual's data, you must act on it without undue delay and in any event within one month (Article 12); that period can be extended by a further two months for complex requests, but only if you tell the individual why within the first month. Where you have shared the data with third parties (e.g. Facebook for advertising), you must inform each recipient of the erasure request unless this proves impossible or involves disproportionate effort (Article 19), so keep a record of whom you shared it with. The right to erasure is not absolute: you may keep data you are legally required to retain, for example for tax or accounting purposes, but you should document why you are keeping it.

Step 5: Create “Clear Affirmative Actions,” or Opt-Ins, Communicating Use of Cookies, Email Marketing, and Any Other Marketing Activities

  • Require all users to take a "clear affirmative action" to consent to having their data used for marketing purposes, with a separate choice for each purpose rather than one bundled "I agree". There are three areas we're recommending our clients update with affirmative actions:
  • Website Cookies: If your website loads tags from third-party advertising or analytics services like Google (which set cookies and similar identifiers) to measure advertising results or to remarket to visitors, your website now needs a consent message that discloses what data is being collected and for what purpose, such as the example below. The tracking tags should not fire until the visitor has consented; a banner that sets the cookies anyway and merely informs the visitor is not consent.
    • Even if you do not do business in the EU or UK, residents of those geographies may find their way to your website, and remarketing and analytics tags monitor their behavior, which brings your site within GDPR's scope (Article 3(2)). Your company must therefore have compliant consent measures.
  • Email Marketing: If you send email campaigns of any kind to your contact database, we strongly encourage sending an email to all EU and UK contacts in your database about the changes your company has made to align with GDPR. This email should include a Call to Action (CTA) where recipients can reaffirm their consent to receiving email communications from your company. Send it only to contacts you already have a lawful basis to email: the UK ICO has fined companies for sending "re-consent" requests to people who had previously opted out, because the request itself is an unsolicited marketing message.
    • The below example from Slack includes links to the company’s updated privacy policy and user terms, as well as an easy-to-follow bulleted summary of the changes. This makes it very easy for recipients to understand the updates without having to scroll through an intentionally complex, technical policy.
  • Website Form Submissions: GDPR rules out pre-checked boxes, silence, or inactivity as consent (Recital 32). Users must actively opt in by taking an action such as checking a box (as in the below example), clicking a call-to-action button, or replying to an email to confirm that they've opted in. Consent must also be clearly separate from other terms: folding marketing consent into acceptance of your terms of service, or making it a condition of creating an account, does not produce valid consent (Article 7). The below example cited by Econsultancy in a recent blog post shows what an active opt-in looks like and does a great job of articulating what type of information a user would receive if they opt in to receiving future communications from Walmart Canada.

This form also includes a link to Walmart’s privacy policy, making it easily accessible to anyone creating an account on its website.
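As an added example (not code from the original article or from TribalVision), the following JavaScript shows the logic behind an opt-in form and consent-gated tags of the kind described in Step 5: every box starts unchecked, a pre-checked or mandatory box is rejected outright, the stored consent record keeps the wording the user saw and the policy version, third-party tags load only for purposes the visitor consented to, and consent can be withdrawn. The purpose list, field names, policy version string and sample submission are assumptions made for the example.

```javascript
'use strict';

// Purposes a visitor can opt in to, each a separate unbundled choice.
// Assumed purposes for this example; substitute your own list.
const PURPOSES = Object.freeze({
  analytics: 'Measure how our site is used (Google Analytics)',
  remarketing: 'Show you our ads on other sites based on pages you visited here',
  email: 'Send you marketing email about our products and services',
});

// Describe the consent checkboxes for a form. Every box starts unchecked and
// is optional: consent must come from the visitor's own action, not a default,
// and must not be a condition of submitting the rest of the form.
function buildConsentForm(policyVersion) {
  return {
    policyVersion,
    fields: Object.entries(PURPOSES).map(([purpose, label]) => ({
      name: `consent_${purpose}`,
      purpose,
      label,
      checked: false,
      required: false,
    })),
  };
}

// Refuse to process a form whose definition pre-ticks or forces any box;
// a record produced from such a form would not be valid consent.
function assertValidConsentForm(form) {
  for (const f of form.fields) {
    if (f.checked) throw new Error(`pre-checked consent box: ${f.name}`);
    if (f.required) throw new Error(`consent made mandatory: ${f.name}`);
  }
}

// Turn a submitted form (name/value pairs as a browser posts them; an
// unchecked box is simply absent) into a consent record to store with the
// contact. Keeping the exact wording shown and the policy version is what
// lets you demonstrate later what the person agreed to.
function recordConsent(form, submission, now = new Date()) {
  assertValidConsentForm(form);
  const granted = form.fields.filter((f) => submission[f.name] === 'on');
  return {
    grantedAt: now.toISOString(),
    policyVersion: form.policyVersion,
    purposes: granted.map((f) => f.purpose),
    wordingShown: granted.map((f) => f.label),
  };
}

function hasConsent(record, purpose) {
  return Boolean(record) && record.purposes.includes(purpose);
}

// Gate a third-party tag on consent for its purpose. `loader` is whatever
// injects the vendor script (e.g. appends a <script> element); it runs only
// when consent exists. Returns whether the tag was loaded.
function loadTagIfConsented(record, purpose, loader) {
  if (!hasConsent(record, purpose)) return false;
  loader();
  return true;
}

// Withdrawal must be as easy as giving consent (Article 7(3)). Returns a new
// record with the purpose removed and the withdrawal time noted.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    purposes: record.purposes.filter((p) => p !== purpose),
    withdrawals: { ...(record.withdrawals || {}), [purpose]: now.toISOString() },
  };
}

// Constructed sample submission: the visitor ticked analytics only.
const sampleForm = buildConsentForm('2018-05-privacy-policy');
const sampleSubmission = { email: 'visitor@example.com', consent_analytics: 'on' };
const sampleRecord = recordConsent(
  sampleForm, sampleSubmission, new Date('2018-05-25T09:00:00Z'),
);
// sampleRecord.purposes is ['analytics']; a remarketing tag would not load.
```

The DOM wiring is left out on purpose: pass the posted form fields as the submission object and pass the function that injects the vendor script as the loader, so the same gate works whether tags are injected on the page or consent is enforced server-side before a mailing goes out.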

Step 6: Verify That Third Parties Your Company Partners With Are GDPR Compliant

  • This includes companies that provide commercial data or insights to your business, such as a company you'd purchase a mailing list from, as well as service providers that process personal data on your behalf (your CRM, email platform, analytics vendor, or a marketing firm like TribalVision). Under GDPR you remain responsible as the controller: a processor may only handle your data under a written contract containing the Article 28 terms (processing only on your documented instructions, confidentiality, appropriate security, help with data subject requests, and deletion or return of the data when the contract ends), so ask each vendor for its data processing agreement. A purchased mailing list is only usable if the contacts on it were told their data would be shared with companies like yours and agreed to it.

Step 7: Create and Deliver A Communication Plan to Your Employees Regarding the New Processes You Put In Place to Comply With GDPR

  • To ensure compliance, data protection should be the entire team’s responsibility.
  • Your plan should include details like:
    • How personal data should be stored moving forward
    • Process for sending all personal data to an individual if requested
    • Process for deleting all personal data of an individual if requested
    • Process for ensuring that any third-party partners the company works with are GDPR compliant
    • Financial consequences of not complying with GDPR
    • Process to follow if a data breach occurs, including who decides whether to notify the supervisory authority (required within 72 hours of becoming aware of a breach that risks individuals' rights, Article 33) and the affected individuals (required when the risk is high, Article 34), and where the breach is logged even when no notification is needed

One additional recommendation, prompted by updates Google Analytics is making to comply with GDPR: review the data retention setting in your Analytics account and decide deliberately how long user and event data should be kept. Beginning May 25th, Analytics will automatically delete user-level and event-level data that is older than the retention period, which defaults to 26 months; aggregated reports are not affected. Our recommendation for most clients is to set the period to "Do not automatically expire" so that historical user and event data is not lost, but bear in mind that GDPR's storage limitation principle asks you to justify how long you keep user-level data, so if a shorter period meets your reporting needs it is easier to defend.

The below screenshots show the steps to take from your Analytics homepage to modify the retention period to “Do not automatically expire.”