The General Data Protection Regulation (GDPR) is a regulation under European Union (EU) law that aims to protect the personal data and privacy of individuals in the EU and give them control over their personal data. Approved by the European Parliament on April 14, 2016, it replaces the 1995 Data Protection Directive (Directive 95/46/EC). It applies to any company that processes the personal data of people in the EU, for example by offering them goods or services, even if the company itself is not established within the EU.
Enforcement of the GDPR started on May 25, 2018. Because it is a regulation rather than a directive like the 1995 law, it does not require enabling legislation from national governments: it is directly binding and applicable in every member state.
Does your organization handle personal data as part of its regular business operations? Then you need to ensure your company is compliant with the GDPR by working through this GDPR compliance checklist.
- What type of consumer data are we collecting and storing?
- Have we cleared our databases of consumer data that is not necessary for our services?
- Have we verified whether we have consent from our customers regarding the processing of their personal data?
- Have we executed an opt-in campaign?
- Can customers easily access, modify, and/or delete the personal data that we store?
- Have we ensured that our third-party vendors are GDPR-compliant?
1. Identify the type of data you are storing.
Under the data minimization principle in Article 5 of the GDPR, the personal data you collect and store must be adequate, relevant and limited to what is necessary for the purposes you process it for. Article 5 also limits how long you may keep it (storage limitation).
If your business holds consumer data that it does not need, stop collecting it, tell your users what you held, and delete or anonymize it. Keeping unneeded data until a customer happens to ask for deletion is not enough: the obligation to minimize rests on you, not on the data subject.
2. Get consent from your customers.
Article 7 of the GDPR requires a company that relies on consent to be able to demonstrate that data subjects have consented to the processing of their personal data. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; a pre-ticked box or silence does not count. It does not have to be in writing, but a written or electronic record is the easiest way to demonstrate it. Users have the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
The GDPR applies to the data of the customers you already have as well as those who become customers after it comes into effect, and consent collected before May 2018 is only valid if it already met the GDPR standard. Consent is only one of the lawful bases listed in Article 6 (performing a contract and legitimate interests are others), but wherever you rely on consent you must hold it for your entire customer base. Prepare a GDPR consent template and consider the following:
1. Verify that you have your customers’ consent.
Check that your customers were fully informed about what personal data you collect and how you use it, and that you hold a record of their affirmative consent: who consented, to what purpose, when, how, and which version of the privacy notice they saw.
If you don’t have their consent, move on to the next step.
2. Execute an opt-in campaign.
An opt-in campaign asks your customers for consent to the collection and storage of their personal data. The answer has to be an affirmative action that you can record, not a pre-ticked box or a failure to reply.
For example, send your customers an email asking for consent with an "I agree" button and an "I disagree" button, and record each click together with a timestamp and the notice text the customer saw.
Even if you already have prior consent from your customers, asking again is worthwhile: it covers your bases under the GDPR and increases customer engagement at the same time. Send re-consent emails only to customers you already have a lawful basis to contact, however. A consent request is itself a marketing message, and sending it to people who never opted in can be a breach in its own right.
3. Make data processes easier for your customers.
One of the goals of the GDPR is to give users control over their data. This is made apparent in Article 15 of the regulation, which states:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”
In terms of user control, your company can be GDPR-compliant by restructuring its data protection policy template to include the following stipulations.
- Allow your customers to unsubscribe.
It needs to be easy for your customers to unsubscribe from your mailing lists or any other offers. Make the "Unsubscribe" link clearly visible and make it work in one step, since obscuring it from customers could result in fines that under Article 83 can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
- Allow your customers to delete their data.
Customers have the right to have inaccurate personal data corrected (Article 16) and, subject to limited exceptions such as a legal retention obligation, to have their personal data erased (Article 17). When a customer asks for erasure, remove the data from every system that holds it, including the processors you have passed it to and backups as they are cycled, and keep only what a legal obligation requires. Otherwise, your company could face not only financial penalties but also legal action by the data subject.
- Allow your customers to access their own personal data.
Article 15 of the GDPR explicitly states that your customers have the right to obtain a copy of their personal data, which you must provide on request, normally within one month (Article 12). The first copy must be free of charge; you may charge a reasonable fee based on administrative costs only for further copies, or refuse requests that are manifestly unfounded or excessive.
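To make steps 2 and 3 concrete, here is an added example (not the article's own code, and not any vendor's API) of the minimum record keeping behind demonstrable consent, a subject access request and an erasure request. The subject IDs, the "mailing-tool" processor, the profile fields and the assumption that invoices must be retained under a legal obligation are all constructed for illustration.

```python
"""Consent ledger plus Art. 15 / Art. 17 request handlers (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Ways of capturing a "clear affirmative action" (Recital 32). A pre-ticked box
# or silence is not valid consent, so the ledger refuses to record it.
VALID_METHODS = {"checkbox_ticked", "button_click", "signed_form"}

# Assumption for this example: invoices fall under a legal retention duty, so an
# erasure request cannot remove them (Art. 17(3)(b)).
LEGALLY_RETAINED_FIELDS = {"invoices"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str            # consent is given per purpose, never blanket
    notice_version: str     # which privacy notice the subject actually saw
    method: str             # how the affirmative action was captured
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def as_dict(self) -> dict:
        d = vars(self).copy()
        d["given_at"] = self.given_at.isoformat()
        d["withdrawn_at"] = self.withdrawn_at.isoformat() if self.withdrawn_at else None
        return d


class ConsentLedger:
    """Append-only evidence so the controller can demonstrate consent (Art. 7(1))."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, notice_version: str, method: str) -> ConsentRecord:
        if method not in VALID_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action; consent not recorded")
        rec = ConsentRecord(subject_id, purpose, notice_version, method, self._clock())
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """Withdrawal must be as easy as giving consent (Art. 7(3)). Records are
        closed, not deleted: the history itself is the evidence. Returns records closed."""
        closed = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = self._clock()
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def purposes(self, subject_id: str) -> List[str]:
        return sorted({r.purpose for r in self._records if r.subject_id == subject_id})

    def evidence(self, subject_id: str) -> List[dict]:
        return [r.as_dict() for r in self._records if r.subject_id == subject_id]


class Controller:
    """Profile store plus the processors (Art. 28) that hold copies of each profile."""

    def __init__(self, ledger: ConsentLedger):
        self.ledger = ledger
        self.profiles: Dict[str, dict] = {}
        self.processors: Dict[str, Dict[str, dict]] = {}   # processor name -> subject_id -> copy
        self._copies_issued: Dict[str, int] = {}

    def register_processor(self, name: str) -> None:
        self.processors[name] = {}

    def store_profile(self, subject_id: str, profile: dict) -> None:
        self.profiles[subject_id] = dict(profile)
        for copies in self.processors.values():            # e.g. the email marketing tool
            copies[subject_id] = dict(profile)

    def may_send_marketing(self, subject_id: str) -> bool:
        return self.ledger.has_consent(subject_id, "marketing")

    def access_request(self, subject_id: str) -> dict:
        """Art. 15: the data, its recipients and the consent evidence. The first
        copy is free; a reasonable fee is allowed only for further copies."""
        n = self._copies_issued.get(subject_id, 0) + 1
        self._copies_issued[subject_id] = n
        return {"personal_data": dict(self.profiles.get(subject_id, {})),
                "recipients": sorted(self.processors),
                "consent_evidence": self.ledger.evidence(subject_id),
                "copy_number": n, "fee_chargeable": n > 1}

    def erasure_request(self, subject_id: str) -> dict:
        """Art. 17: erase here, tell every processor holding a copy (Art. 17(2), 19),
        keep only what a legal obligation requires, and close any open consents."""
        profile = self.profiles.get(subject_id, {})
        retained = {k: v for k, v in profile.items() if k in LEGALLY_RETAINED_FIELDS}
        if retained:
            self.profiles[subject_id] = retained
        else:
            self.profiles.pop(subject_id, None)
        notified = [name for name, copies in self.processors.items()
                    if copies.pop(subject_id, None) is not None]
        closed = sum(self.ledger.withdraw(subject_id, p) for p in self.ledger.purposes(subject_id))
        return {"erased_fields": sorted(set(profile) - set(retained)), "retained": sorted(retained),
                "processors_notified": notified, "consents_closed": closed}
```

The two design points worth copying are that consent is stored as evidence (purpose, notice version, method, timestamps) rather than as a single boolean, and that erasure is a fan-out to every processor plus an explicit list of what was retained and why, so the response to the customer and to a regulator comes straight from the return value.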
4. Ensure that your third-party providers are also GDPR-compliant.
If your company is like most other businesses today, then you use the services of one or more third parties. You need to make sure that all your vendors (processors, in GDPR terms) are also GDPR-compliant, because as the controller you remain responsible for your customers' personal data. Article 28 requires a written contract with each processor that sets out what it may do with the data, obliges it to keep the data secure, and requires it to help you answer access and erasure requests.
Third parties include the providers of any software you use to process your customers' data, the companies behind the marketing tools you use, cloud storage providers, and even your website host.