Are You GDPR Compliant? Find Out What You Need to Know!
As you have probably heard by now, the EU’s General Data Protection Regulation (GDPR) will come into force on May 25th. What’s GDPR you say? In short, the GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It is the biggest shake-up in data privacy in 20 years and it is pretty certain to apply to you.
The biggest misconception when interpreting the new regulation is that it only applies to companies that operate or do business in the EU. In fact, the scope of the GDPR is far wider and applies to any business that monitors the behavior of people in the EU. So even if your company is based outside of the EU but you process the data of EU citizens, the GDPR will apply to you.
- Have a website that can be visited by anyone (including users in the EU)?
- Use forms to collect user data?
If your company can answer "yes" to any of those questions, you could be found in violation of the new rules. And depending on the type of violation, companies who mishandle personal data or otherwise violate data subjects' rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). So it's not just a slap on the wrist or something that should be taken lightly.
No matter what point in the planning process you are currently at, there are going to be some questions and confusion about the steps to take to get your website compliant. The good news is, you're not alone. Throughout all of the discussions we've had in the past weeks and months with lawyers, consultants, vendors, and data protection/privacy experts, the only thing that everyone knows for certain is that the new regulation is coming at the end of next week and it will change the way we operate as Digital Marketers.
For this guide, we will be focusing solely on the new regulation and how it relates specifically to your website and digital marketing practices. Which makes sense, because we are, after all, a Digital Marketing Agency. If you are looking for other information regarding the regulation, the good news is that there is no shortage of articles, blog posts, and other helpful pieces of content out there, including our “CliffsNotes” version of the full regulation. In addition, you can always reach out to one of our Digital Marketing Experts to set up a time to talk more.
Now before we get into the checklist on what steps we recommend taking, it is important to note that this is not legal advice, but only our recommendations to help get your website compliant with the new regulation.
All data and information provided in this blog post are for informational purposes only. Top Floor makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. This information and recommendations are not the same as legal advice, where an attorney applies the law to your specific circumstances. We insist that you consult an attorney if you would like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this blog post as legal advice, nor as a recommendation of any particular legal understanding.
GDPR Compliance Checklist
- Create a list of all marketing and tracking software, website forms, third-party agencies and services, and any other tools used that collect and process user information. Note what data is being collected, how it's used, where it's stored, who has access to it, and for how long the data is needed. Here's a quick list to get you started:
  - Google Analytics
  - Social Media pixels and tracking scripts
  - Email Marketing Software
  - Website RFQ and Contact Forms
  - Call Tracking Services
- Update all web forms to:
  - Collect only data that is necessary to the purpose at hand
  - Use clear and plain language to tell users what they are consenting to and what you are going to do with the data at the point of collection (on the form itself)
  - Provide details on how to withdraw consent
  - Include a mechanism for the user to signal consent (a checkbox that is not pre-checked)
- Update your website CMS and any third-party modules or plugins, and keep them up to date
- Implement online security tools such as firewalls, security monitoring, HTTPS Encryption, etc. to help prevent hacks and data breaches
- Create a documented plan to be able to remove and allow the editing of personal/sensitive data:
  - Provide a page with instructions that includes an email address for users to contact you to manually remove or edit data
  - Or provide an automated method for a user to edit or remove their own data
  - Or provide a form a user can fill out with the information you need to locate and delete their data
- Create a documented plan to export and provide user data when requested, within the 30-day time period and in a reasonable format
- Ensure sensitive data is not being sent by the website over email, or if it must be, that the data is encrypted and easily able to be deleted. For example, send form notifications to the necessary recipients within your organization via links that require a login to view rather than personal data being sent in the body of an email.
- Perform an audit of your website's current permission levels and which users have access to what information. Lock down the site to ensure that a user has no way to view or access information not meant for them.
- Create and implement a Cookie Notification banner on your website that:
  - briefly explains the purpose of the installation of cookies that the site uses
  - is sufficiently conspicuous to make it noticeable
  - prevents the collecting/processing of data before user consent is given (this is a big one that could have a lot of implications if not done right)
  - describes in detail the purpose of installation of cookies
- Encrypt sensitive data wherever it’s stored when possible (such as in the website database, and in site backups)
- Document a plan to handle data breaches that informs the people affected and also the supervising authority within 72 hours of the breach
- Document what you're doing to comply with GDPR and be able to prove it in cases where it's not self-evident.
- Keep records of GDPR trainings, procedures, steps taken, etc. Get data sharing agreements in writing and clearly spell out responsibilities if sharing data with different organizations
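One way to implement the "no collection before consent" and "checkbox that is not pre-checked" items above, as an added example that is not part of the original post: a small consent gate that injects tracking tags only for purposes the visitor explicitly agreed to, and records that choice with the notice version and time. The tag ids, script URLs and the cookie name and format are assumptions for illustration.

```javascript
// Added example (not from the original post). Tag ids, script URLs and the
// cookie name/format below are assumptions chosen for illustration.

// Constructed inventory of tags that collect user data (checklist item 1).
const TRACKERS = [
  { id: "google-analytics", purpose: "analytics", src: "https://analytics.example.com/tag.js" },
  { id: "social-pixel", purpose: "marketing", src: "https://pixel.example.com/pixel.js" },
];

const CONSENT_COOKIE = "site_consent"; // assumed cookie name
const NO_CONSENT = { analytics: false, marketing: false };

// Read the consent cookie. A missing or malformed value means no consent
// (fail closed), so a fresh visitor is never tracked by default.
function parseConsent(cookieHeader) {
  const entry = (cookieHeader || "").split(/;\s*/).find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return NO_CONSENT;
  try {
    const parsed = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    return { analytics: parsed.analytics === true, marketing: parsed.marketing === true };
  } catch (e) {
    return NO_CONSENT;
  }
}

// Build the record stored on form submit: purposes ticked, version of the notice
// text shown, and when. Only an explicit `true` counts, so an absent box never grants consent.
function buildConsentRecord(choices, noticeVersion, now = new Date()) {
  return {
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    noticeVersion,
    timestamp: now.toISOString(),
  };
}

// Serialise the record as a Set-Cookie value; Secure and SameSite limit exposure.
function consentCookieValue(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Inject only the tags whose purpose was consented to. `inject` is passed in
// (e.g. a function appending a <script> to document.head) so the gate has no
// DOM dependency. Returns the ids that were actually loaded.
function loadTrackers(consent, inject, trackers = TRACKERS) {
  const allowed = trackers.filter((t) => consent[t.purpose] === true);
  allowed.forEach((t) => inject(t.src));
  return allowed.map((t) => t.id);
}
```

In the browser, call `loadTrackers(parseConsent(document.cookie), src => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); })` on page load, and write `consentCookieValue(...)` only from the banner's submit handler.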
Still have questions or need help on making sure you are GDPR compliant? We’re happy to chat to review your current situation and provide some feedback on what you need to comply.