The simple fact is this: If you are handling or tracking personal data of any prospects or customers in Europe, then the GDPR applies to you.
Personal data includes anything that relates to a person who is capable of being identified. It’s intentionally broad.
One of the pain points marketers and advertisers are up against is that the GDPR is an 88-page legal document. With so much else to work on, we wanted to help you understand the rights of individuals and their personal data by creating a simplified GDPR Compliance Checklist for you.
We are going to give you a fast, high-level understanding of the regulation with “Yes” or “No” questions so you can determine how compliant your organization is.
Click here to download the GDPR Compliance Checklist and go over it with your teams today.
Keep in mind, this blog post is not a substitute for legal advice, but it will help you if you have been procrastinating on GDPR compliance. Each question is also sourced with a direct link to the relevant Article within the GDPR.
1. Data Responsibility — Company and Employee Accountability
2. Data Subject Rights — User Consent and Access
3. Data Infrastructure and Security — Processes, Systems, and Documents
   3.1 Data Protection by Design/Default and Retention
   3.2 Data System Documentation
   3.3 Data Processor Documentation
   3.4 Data Subject Documentation
   3.5 Data Security Documentation
   3.6 Data Breach
   3.7 Data Transfer
GDPR Data Responsibilities — Company and Employee Accountability
If your company has decided how and why to process personal data of individuals in the EU, even if it does not do the processing itself, it is a data controller. Data controllers are responsible for getting consent from data subjects and ensuring compliance with the GDPR, including protecting the data and complying with requests from individuals to disclose, rectify or erase data. [Source: Article 4, 24]
Data controllers may contract with data processors to perform some portion of the actual collection, processing or analysis of the personal data. Data controllers must protect data and be able to comply with requests from individuals to disclose, rectify or erase data. [Source: Article 1, 28]
If your business is processing personal data related to either offering goods/services in the EU or monitoring behavior of individuals within the EU, then an EU representative must be appointed unless the processing is occasional and does not use certain demographic information. [Source: Article 3, 27]
While this isn’t explicitly requested in the GDPR legislation unless a DPO (see below) is required, understanding proper ways to handle data is the first step to compliance.
If your core activities include the regular and systematic processing of personal data of individuals within the EU then you will need to appoint a DPO to oversee your data protection activities. [Article 37, 38]
GDPR Data Subjects — User Consent and Access
Have you removed all “pre-checked” boxes (if any) from your site on contact submission forms? Have you removed “auto-add to newsletter” for whitepaper downloads? Do you request consent from data subjects to accept cookie tracking? [Article 7]
For example, do you make it clear that those who sign up for your newsletter are also consenting to be advertised to? [Article 7]
Is appropriate email or other contact information included in your terms of service/privacy policy?
The right to data portability applies to the data an individual has provided to a data controller. Such data needs to be readable and understood — think about the casual user of the internet. [Article 20]
GDPR Data Infrastructure (Processes and Systems)
While not explicitly stated, this is implied.
Pseudonymization is the substitution of identifiable information with pseudonyms, so that substitute identifiers are used in place of the directly identifying fields. Data minimization is the principle that only the minimum required data should be used, and that excessive data should not be collected, stored or repurposed. Similarly, data should only be processed when required, should be stored for the shortest period needed to accomplish a task, and only those employees who need to access and process the data should have the ability to do so. [Article 6, 12, 32]
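The four practices in the paragraph above (pseudonymization, data minimization, storage limitation and need-to-know access) are easy to state and easy to get wrong in code, so here is an added example that is not part of the original post. It takes a constructed set of marketing lead submissions (fake names and addresses) and shows each practice as a small function: a keyed HMAC pseudonym for the e-mail address, an allowlist that strips everything the analytics team does not need, a retention cutoff that drops stale records, and a per-role projection so that an analyst never sees direct identifiers. The field names, roles, the 60-day retention period and the demo key are all assumptions chosen for illustration; the re-identification table is kept separately from the analytics view on purpose, since that separation is what makes the data pseudonymized rather than merely relabelled.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample lead submissions (fake values, not real people).
SAMPLE_LEADS = [
    {"email": "Anna@example.com", "name": "Anna Example", "phone": "+49 30 000000",
     "ip": "203.0.113.7", "country": "DE", "interest": "newsletter",
     "submitted_at": "2024-01-10T09:30:00+00:00"},
    {"email": "bo@example.org", "name": "Bo Example", "phone": "+33 1 00000000",
     "ip": "198.51.100.23", "country": "FR", "interest": "whitepaper",
     "submitted_at": "2024-03-15T14:05:00+00:00"},
    {"email": "cy@example.net", "name": "Cy Example", "phone": "+31 20 0000000",
     "ip": "192.0.2.88", "country": "NL", "interest": "webinar",
     "submitted_at": "2024-02-05T08:00:00+00:00"},
]

# Data minimization: the analytics store only ever receives these fields
# (assumed allowlist for this example).
ANALYTICS_FIELDS = frozenset({"country", "interest", "submitted_at"})

# Fields each (assumed) role may read. 'analyst' never sees direct identifiers;
# 'support' needs them to answer a data-subject access or erasure request.
ROLE_FIELDS = {
    "analyst": ANALYTICS_FIELDS | {"subject_id"},
    "support": frozenset(SAMPLE_LEADS[0].keys()) | {"subject_id"},
}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars) for a direct
    identifier. Same input + same key -> same pseudonym, so records still join
    across systems; without the key, the value cannot be reversed or guessed
    by hashing candidate addresses."""
    normalized = identifier.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, allowed: frozenset) -> dict:
    """Keep only the fields on the allowlist; everything else is dropped."""
    return {k: v for k, v in record.items() if k in allowed}


def prepare_for_analytics(record: dict, key: bytes) -> dict:
    """Minimized, pseudonymized view of one lead for the analytics store."""
    out = minimize(record, ANALYTICS_FIELDS)
    out["subject_id"] = pseudonymize(record["email"], key)
    return out


def build_reidentification_table(records, key: bytes) -> dict:
    """subject_id -> e-mail, stored apart from the analytics data (alongside
    the key), so only a role that legitimately needs it can re-identify a row."""
    return {pseudonymize(r["email"], key): r["email"].strip().lower() for r in records}


def enforce_retention(records, now: datetime, max_age: timedelta) -> list:
    """Storage limitation: drop records submitted before the retention cutoff."""
    cutoff = now - max_age
    return [r for r in records if datetime.fromisoformat(r["submitted_at"]) >= cutoff]


def read_as(record: dict, role: str) -> dict:
    """Need-to-know access: project the record onto the fields the role may see."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    return minimize(record, ROLE_FIELDS[role])


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-secret-store"   # assumption: demo only
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    for lead in enforce_retention(SAMPLE_LEADS, now, timedelta(days=60)):
        print(prepare_for_analytics(lead, key))
```

Run as a script it prints the two leads that survive a 60-day retention window, each reduced to country, interest, submission time and a pseudonymous subject ID. Note that the e-mail is normalized before hashing so that "Anna@example.com" and "anna@example.com" map to one subject, which matters when the same pseudonym has to be located again for a rectification or erasure request.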
You need documentation. [Article 30]
Do you tag submission dates and exactly what type of communication the user opted-in for consent for? [Article 30]
This shouldn’t be too big of a deal (as who moves data without a contract in place?), but it’s important to understand that you need a contract – Article 46(3)(a) – with whomever you are transferring the data to across borders.
Special provision: Do you require a “data protection impact assessment” (DPIA)?
If a data controller systematically monitors a publicly accessible area on a large scale, processes certain demographic information on a large scale, or processes data that risks the rights and freedoms of individuals, then a formal DPIA is required to be filed with the authorities. [Article 35]
Disclaimer: This is not legal advice for your company to use in complying with the GDPR. Consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation or consultation of any particular legal understanding. This post was authored by Tim Chard and Morgan Malino.