We can’t stress enough how important it is that your marketing processes be compliant with the General Data Protection Regulation. So today we’ve put together a basic checklist to help you make sure that you’ve covered all your bases. If you haven’t already, here’s what you need to do.
First things first – Determine if GDPR laws affect you and your business.
If you do business on the internet and use the web to market your company’s products, it is safe to say that you are most likely affected by GDPR. Ask yourself this question:
“Do I collect any personal information (email addresses, phone numbers, IP addresses, locations, physical characteristics) on people based in the EU?” If you’re not sure, consider the following scenario:
You are an online marketer who targets United States citizens in your online advertising campaigns. You are sending traffic to a webpage that collects email addresses from those who opt-in to receive your monthly newsletter. Even though you are only targeting people outside of the EU, your web form is accessible to those who reside within the European Union. Since they do have the option to subscribe, you are responsible for compliance with GDPR.
As a JVZoo Seller and/or Affiliate, the probability is high that you do need to be GDPR compliant. This is because you are considered a Data Controller – someone who decides what happens to the personal data you collect.
Now that you’ve determined that you are responsible for complying with GDPR, what do you do?
Educate Your Team – Make sure that the decision makers and key team members in your organization are educated about the new GDPR. It is important that they understand the importance of complying with these new regulations and how the changes impact your company, its users, and your overall approach to data collection.
Audit Your Current Database – Document the personal data that you already hold, including where it came from and who you share it with. The GDPR requires that you maintain records of all data processing activities. The documentation of your database will help you to comply with the GDPR’s accountability principle. The accountability principle requires you to be able to show exactly how you comply with the data protection regulations. So, make sure that you are able to prove that you have effective policies & procedures in place.
With this information, you may find the need to reach out to people in your current database to re-confirm their consent. You’ve probably seen how many marketers either purged their list completely or had you opt in again in order to continue receiving their emails. This is how they are making sure everyone on their list had given proper consent according to the new privacy regulations.
- It must be written in concise, clear, transparent, easy to understand language.
- Explain exactly how you’ll be using the data you collect.
- Provide the identity of the data controller and data protection officer in your organization with their contact details.
- Identify any third-parties you share data with and the safeguards used to protect data being transferred.
- Disclose how long you intend to keep the data you collect & how you came to decide upon that time frame.
- Explain the rights of access, correction, and deletion of an individual’s personal data.
- Give details on the individual’s right to withdraw consent for any reason.
- Explain the right to make a complaint to a supervising authority.
- Give details about any third-party software providers or automated systems and the potential consequences of their use.
Create A New Process For Opt-In Consent – Going forward, you will want to ensure that all new contact information that you add to your database is gathered in adherence to the new regulations. Consent must be given by actively opting in. You may no longer set consent to default with pre-checked boxes on your web pages and lead capture forms. Examples of how an individual may actively give consent are:
- Placing a check in an opt-in box
- Clicking on an opt-in link or button
- Selecting ‘Yes’ from a drop-down list or button
- Clicking the opt-in confirmation link in an email request
- Signing a consent form
- Giving a verbal agreement to a clear consent request either by phone or in person
Remember that you will need a separate opt-in consent for each way you wish to use someone’s data, be that for sales, marketing research, emailing, retargeting, etc. When obtaining consent, be sure that you:
- Adjust all of your subscription forms to match the specific opt-in for its particular purpose
- Make unsubscribe instructions clear and understandable for each type of contact
- Document the process for deleting all contact information for each type of contact.
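As an added example (not JVZoo’s code), here is how the consent rules above can be enforced server-side: one consent record per purpose with its evidence, nothing assumed from a default, a check that no form template ships a pre-ticked consent box, and an erasure routine for the deletion process. The purpose names, form field names and policy version string are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
# Hypothetical purposes: each intended use needs its own opt-in, none implied.
PURPOSES = ("newsletter", "marketing_research", "retargeting")

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    given_at: str        # UTC ISO-8601 timestamp, part of the evidence trail
    source: str          # which form or page captured the consent
    policy_version: str  # privacy notice version shown at the time

def record_consent(form, source, policy_version, now=None):
    """One record per purpose the person actively ticked.

    `form` is the submitted field dict. A missing field, any value other than
    'on', or a purpose not in PURPOSES yields no consent: nothing defaults to yes.
    """
    now = now or datetime.now(timezone.utc)
    email = form.get("email", "").strip().lower()
    if not email:
        raise ValueError("email is required")
    return [ConsentRecord(email, p, now.isoformat(), source, policy_version)
            for p in PURPOSES if form.get(f"consent_{p}") == "on"]

class _PrecheckedFinder(HTMLParser):
    """Collects consent checkboxes that a template ships already ticked."""
    def __init__(self):
        super().__init__()
        self.flagged = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as `checked` map to None
        if (tag == "input" and a.get("type") == "checkbox"
                and a.get("name", "").startswith("consent_") and "checked" in a):
            self.flagged.append(a["name"])

def find_prechecked_consent_boxes(html):
    """Names of pre-ticked consent boxes in a form template; should be empty."""
    finder = _PrecheckedFinder()
    finder.feed(html)
    return finder.flagged

def erase(records, email):
    """Right to erasure: drop every record for this person; return (kept, removed)."""
    email = email.strip().lower()
    kept = [r for r in records if r.email != email]
    return kept, len(records) - len(kept)
```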
Protect The Individuals’ Rights
The GDPR includes the following rights for individuals:
- The right to be informed;
- The right of access;
- The right of rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making, including profiling
Look at your current policies and procedures. Do they work to protect the individual’s rights under GDPR? If not, make the changes and revisions necessary.
Should someone request access to the personal data that you have collected on them, you must comply within 30 days. Depending on the circumstances, the personal data may be provided in writing, electronically or verbally. And, in most cases, you must provide this information free of charge. The only time you may charge a fee or refuse a request is if the request is unfounded or excessive. If you do so, however, the reason must be made clear, and you must also convey that they have the right to complain to the supervising authority.
The GDPR has set the age at which a child can give their own consent. Currently, this is 16 years of age, though it may be lowered to 13 in the UK. This could have significant ramifications should you collect data on someone for whom you are required to obtain consent from a parent or legal guardian. If your opt-in forms are open to everyone, be sure to include an age verification process to avoid mistakenly collecting data from children.
Prepare For Data Breaches
Under the GDPR, all organizations must report certain types of data breaches to the ICO and, in some cases, to the individuals affected. Cases that require notifying only the ICO are those where the breach is likely to result in a risk to the rights and freedoms of individuals. Such risks include discrimination, reputation damage, financial loss, loss of confidentiality or other significant economic or social disadvantage. If a breach is likely to result in a high risk to the rights and freedoms of individuals, you will need to notify those concerned as well.
Make sure that you have policies and procedures in place to detect, report and investigate any personal data breach. Failure to report a breach when required may result in a fine, in addition to any fine for the breach itself.
Data Protection Officers
Consider whether you are required to formally designate a Data Protection Officer (DPO). Questions to ask yourself to determine the answer are:
- Are you a public authority?
- Are you an organization that carries out the regular and systematic monitoring of individuals on a large scale?
- Are you an organization that carries out the large-scale processing of special categories of data, such as health records?
If so, it is highly important for you to designate someone as your data protection officer. This could be someone within your company already, or an outside data protection advisor who has the knowledge, support, and authority to hold such a position.
Document Your Progress
Documentation is of utmost importance during every step of GDPR compliance. Being able to prove that you are doing everything you can to meet the regulations set forth in GDPR is your best protection. Many people are confused by all of the steps they need to take in order to be GDPR compliant. This list is not exhaustive and we highly recommend contacting a legal consultant to make sure all your T’s are crossed and I’s are dotted.
As in most cases, knowledge will be your most valuable tool when dealing with GDPR compliance and we hope that our blog series has helped you navigate these new waters. For more detailed information on GDPR, please see the following links:
To find out the steps JVZoo has taken and will continue to take with GDPR please visit the links below:
- What Is the General Data Protection Regulation (GDPR)
- Complying With The General Data Protection Regulation (GDPR)
- GDPR Data Processing Addendum