10 Quick Checks for GDPR Compliance
Along with many of our clients, the WebEnertia team has been tracking the May 25, 2018 compliance deadline for General Data Protection Regulation (GDPR) launching in the European Union (EU). We’re a bunch of designers and developers, not lawyers, so don’t mistake this for legal advice, but we have put together a list for marketers to get a sense of whether they might face trouble if they don’t make some adjustments before the deadline:
You’re not sure whether any of it applies to you.
If you or any of your website users or email recipients reside within the EU, you are responsible for compliance. Fines can be up to €20 million, or 4% of your company’s total global annual turnover.
You don’t know which of your users are European.
This isn’t just a matter of sloppy user data capture. Under GDPR, marketers are expected either to be compliant for all users or to have their user data organized so that EU users can be addressed separately.
Your opt-in form checkboxes are prefilled.
After the deadline this will put you in violation. Present an unchecked opt-in box to EU users, or better yet, present unchecked opt-in boxes to all users.
You are not storing consent records.
In order to demonstrate compliance, companies must maintain more detailed records of user consent under GDPR. Existing consent data could be especially problematic, and it already has many companies reaching out to users to clear up ambiguity in advance of the deadline.
This is one of the simpler provisions in the regulation: details about how data will be used must be stated explicitly and in relatively plain language. Include a required field for permission to collect and store personal data. The field should link to your privacy notice and require that the visitor open the privacy notice before confirming consent.
You are “gating” content.
If you are using content gating to build a list of marketing leads, and the form information you gather isn’t required to deliver that content (as an email address used to deliver a link or PDF would be), you’ll be in violation once GDPR takes effect. To be in compliance, you either need to give your European visitors access for free or block them completely.
You haven’t checked your automated email sends for compliance.
Be sure you’ve covered your automated email bases. If you’re using automated email programs, make sure that every EU user enrolled in them has opted in. If you’re not sure, consider a re-permissioning campaign before the deadline.
You don’t have a way to remove user data upon request.
Under GDPR, a user who asks to have their data erased must have it erased. If you don’t have a way to make this happen today, get it ready before the deadline.
You don’t have a way to send users their data upon request.
Similar to the item above, GDPR allows users to request a copy of the data you hold on them, and companies will be required to provide it. Not having the right setup in place to do so won’t be an excuse.
If this is the first you’ve heard of any of this, here are a few additional resources to help you get up to speed: