The simple fact is this: If you are handling or tracking personal data of any prospects or customers in Europe, then the GDPR applies to you.

Personal data includes anything that relates to a person who is capable of being identified. It’s intentionally broad.

One of the pain points marketers and advertisers are up against is that the GDPR is an 88 page legal document. With so much else to work on, we wanted to help you understand the rights of individuals and their personal data by creating a simplified GDPR Compliance Checklist for you.

We are going to give you a fast, high-level understanding of the regulation with “Yes” or “No” questions so you can determine how compliant your organization is.

Click here to download the GDPR Compliance Checklist and go over it with your teams today.

Keep in mind, this blog post is not a substitute for legal advice, but it will help you if you have been procrastinating around GDPR compliance. Questions are also sourced by a direct link to the relevant Article within the GDPR.

Data Responsibility — Company and Employee Accountability

1.1 Data Controller
1.2 Data Processors
1.3 Data Representative
1.4 Employee Training
1.5 Data Protection Officer

Data Subject Rights — User Consent and Access

2.1 Explicit Consent
2.2 Clear Notice of Data Use
2.3 Rights to Access Own Data, Erasure, and To Be Forgotten
2.4 Data Portability

Data Infrastructure and Security — Processes, Systems, and Documents

3.1 Data Protection by Design/Default and Retention
3.2 Data System Documentation
3.3 Data Processor Documentation
3.4 Data Subject Documentation
3.5 Data Security Documentation
3.6 Data Breach
3.7 Data Transfer
3.8 Updated Terms of Service & Privacy Policy

GDPR Data Responsibilities — Company and Employee Accountability

1.1 Does your company have the role of data controller?

If your company has decided how and why to process personal data of individuals in the EU, even if it does not do the processing itself, it is a data controller. Data controllers are responsible for getting consent from data subjects and ensuring compliance with the GDPR, including protecting the data and complying with requests from individuals to disclose, rectify or erase data. [Source: Article 4, 24]

1.2 Does your company use data processors or is your company a data processor?

Data controllers may contract with data processors to perform some portion of the actual collection, processing or analysis of the personal data. Data controllers must protect data and be able to comply with requests from individuals to disclose, rectify or erase data. [Source: Article 1, 28]

1.3 Do you have a data representative located or residing in the EU?

If your business is processing personal data related to either offering goods/services in the EU or monitoring behavior of individuals within the EU, then an EU representative must be appointed unless the processing is occasional and does not use certain demographic information. [Source: Article 3, 27]

1.4 Have you provided all your employees with GDPR compliance training?

While this isn’t explicitly requested in the GDPR legislation unless a DPO (see below) is required, understanding proper ways to handle data is the first step to compliance.

1.5 Do you have an individual at your company (or outsourced) with the role of data protection officer (DPO)?

If your core activities include the regular and systematic processing of personal data of individuals within the EU then you will need to appoint a DPO to oversee your data protection activities. [Article 37, 38]

GDPR Data Subjects — User Consent and Access

2.1 Do your contacts sign up for your marketing programs with explicit consent to be contacted and/or monitored with cookies?

Have you removed all “pre-checked” boxes (if any) from your site on contact submission forms? Have you removed “auto-add to newsletter” for whitepaper downloads? Do you request consent from data subjects to accept cookie tracking? [Article 7]

2.2 Do you inform prospects (before they opt-in) with a clear notice of how their personal data will be used?

For example – do you make it clear that those who sign up for your newsletter are also consenting to be advertised to? [Article 7]

2.3 Are data subjects able to easily and simply contact you to withdraw consent and with requests to have their data disclosed, rectified or erased?

Is appropriate email or contact information in your terms of service/privacy?

2.4 Do data subjects have the ability to download or transfer their data in a structured, commonly used and machine-readable format?

The right to data portability applies to the data an individual has provided to a data controller. Such data needs to be readable and understood — think about the casual user of the internet. [Article 20]

GDPR Data Infrastructure (Processes and Systems)

3.1 Do you have a document that lists all the systems that house personal details of data subjects?

While not explicitly stated, this is implied.

3.2 Is your system data protection by design (such as pseudonymization, data minimization, and minimum data retention)?

Pseudonymization is the use of pseudonyms so that the substitute identifiers are used in place of certain identifiable information. Data minimization is the concept that only the minimum required data should be used and excessive data should not be collected, stored or repurposed. Similarly, data should only be processed when required, should be stored for the shortest period of time required to accomplish a task and only those employees who need to access and process the data should have the ability to do so. [Article 6, 12, 32]
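The three practices in 3.2 are easier to check against a real pipeline than against prose. The following is an added example, not code from the original post: it takes constructed CRM records, drops every field an analytics job does not need (minimization), replaces the e-mail address with a keyed HMAC pseudonym whose key is held apart from the dataset, and discards records older than a retention window. The field names, the 730-day window and measuring retention from the signup date are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample records; no real people.
SAMPLE_RECORDS = [
    {"email": "Anna@Example.org", "name": "Anna Example", "country": "DE",
     "signup": "2018-01-10T09:00:00+00:00", "newsletter": True,
     "notes": "met at trade show"},
    {"email": "ben@example.org", "name": "Ben Example", "country": "FR",
     "signup": "2017-06-01T12:00:00+00:00", "newsletter": False,
     "notes": "asked for pricing"},
]

# Assumed: the only fields the analytics job needs. Everything else is dropped.
ANALYTICS_FIELDS = ("country", "signup", "newsletter")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over a normalized identifier.

    The key is the 'additional information' that must be kept separately:
    without it the pseudonym cannot be linked back to the person, and a plain
    unkeyed hash of an e-mail address would be trivially reversible by guessing.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(record: dict, key: bytes) -> dict:
    """Keep only the needed fields and swap the e-mail for a pseudonym."""
    out = {field: record[field] for field in ANALYTICS_FIELDS}
    out["subject_id"] = pseudonymize(record["email"], key)
    return out


def apply_retention(records: list, now: datetime, max_age_days: int) -> list:
    """Drop records whose signup date is older than the retention window."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records if datetime.fromisoformat(r["signup"]) >= cutoff]


def prepare_analytics_dataset(records: list, key: bytes, now: datetime,
                              max_age_days: int = 730) -> list:
    kept = apply_retention(records, now, max_age_days)
    return [minimize_and_pseudonymize(r, key) for r in kept]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored apart from the dataset
    print(prepare_analytics_dataset(SAMPLE_RECORDS, key, datetime.now(timezone.utc)))
```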

3.3 Do you have contracts/documents with all of your data processors and have you reviewed these contracts to ensure they are GDPR compliant?

You need documentation. [Article 30]

3.4 Can you document and provide evidence exactly when a user opted in to the marketing programs and exactly what they opted in for (in your CRMs or marketing automation tools)?

Do you record the submission date and exactly which type of communication the user consented to? [Article 30]

3.5 Do you have a documented process for regularly testing, assessing, evaluating, and ensuring the security of your data (data by design & data by default)?

[Article 32]

3.6 In the event of a data breach, are you able to notify those affected (in clear and plain language) and the authorities within 72 hours of its occurrence?

[Article 33, 34]

3.7 Do your data processors or data controller move or transfer data across borders? If so, do you have a contract with the receiving party?

This shouldn’t be too big of a deal (as who moves data without a contract in place?), but it’s important to understand that you need a contract – Article 46(3)(a) – with whomever you are transferring the data to across borders.

3.8 Do you have an updated Terms of Service and Privacy Policy reflecting your updated GDPR compliance along with contact details for your data controller and, where applicable, your data protection officer?

The ability for a data subject to understand how their data is being used and to contact your data controller or representative is mandatory. It is essential that you include this in either your ToS, your Privacy Policy, or both.

Special provision: Do you require a “data protection impact assessment” (DPIA)?

If a data controller systematically monitors a publicly accessible area on a large scale, processes certain demographic information on a large scale, or processes data that risks the rights and freedoms of individuals, then a formal DPIA is required to be filed with the authorities. [Article 35]

Disclaimer: This is not legal advice for your company to use in complying with the GDPR. Consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation or consultation of any particular legal understanding. This post was authored by Tim Chard and Morgan Malino.