Develop a GDPR Compliance Checklist (Even if You’re Late to the Party)

What would happen to your company if it were audited for data privacy compliance? Do you have privacy policies in place and in practice? Do you have data expiry dates? What happens if a customer wants to be erased from your database?

Some large companies didn’t take these concerns seriously, and we’re seeing a new wave of regulation in the digital marketing and advertising space as a result (largely a good thing, too).

Enter Europe’s General Data Protection Regulation (GDPR for short), which came into effect on May 25, 2018. It’s a big deal, too, even if you aren’t operating in Europe.

Mishandling a European citizen’s data can have serious consequences for your company even if that citizen isn’t in Europe when it interacts with your website or digital channel. This is meant to keep ultra-large digital companies in check rather than the little guys—but it never hurts to keep up with best practices.

The flow of data doesn’t stop at municipal, provincial, or even national borders, but Europe’s new legislation forces every organization (including yours) to implement a detailed system of accountability for collecting and processing personal data related to the European Economic Area and the people who live within it.

A Quick GDPR Review

GDPR expands and clarifies the scope of what is considered “personal data.” It also packs severe penalties for organizations that fail to comply with its rules—we’re talking 4% of your revenue or a maximum fine of ‎€20 million (whichever number comes first).

It needs to be taken seriously, but don’t panic—like I said, the intention was to make large advertisers like Google, Facebook, and Twitter take security seriously. They’re not going to go after some mid-sized American or Canadian tech company because the unsubscribe button didn’t work as intended.

What Counts as Personal Data?

Personal data encompasses a lot of things that most consumers don’t even think about. But marketers and advertisers do.

Cookies, in particular, are used for ad retargeting campaigns, but companies have also been caught collecting information simply because they could. The analyst in me sees the opportunity to discover new trends, but the the consumer in me also shivers at the thought of how much privacy we give up (even if the data is just used for aggregate trends).

Write down this list and see if your company records any of this information:

  • Email address
  • IP address
  • RFID code
  • Telephone number
  • Street address and postal code
  • Name
  • Contacts list
  • Purchase history or preferences
  • Any financial information
  • Age, sex, or gender self-identification
  • Personal messages
  • Actions taken on a web page
  • Web pages visited
  • Interests
  • Social media likes or engagements

That’s not an exhaustive list, but it should indicate what to watch for in your marketing stack if you’re going to do a serious audit.

What Does GDPR Mean for Marketing?

GDPR limits the the extent to which companies can collect and process data, but it would only affect companies that collected reams of personal data without justifying why.

Still, this is an important aspect of digital marketing because that data is what lets marketers deliver relevant messages and offers at scale. Targeting according to segments (backed by data) has become a best practice to avoid spamming people.

The good news is that you don’t need to stop collecting personal data—far from it. But your organization should start following a new set of best practices with that data if it hasn’t already.

Remember these key best practices for your GDPR compliance checklist:

  • Cookies Notification: websites need to notify visitors whom it tracks upon landing on the site.
  • Data Storage Limits: data collected from anywhere in the European Economic area can’t be stored indefinitely, and it needs an expiry date.
  • Justify Everything: organizations with a presence inside the EU need to codify why they collect certain data points (and the reasons need to be fair). This includes everything in the list above, in the previous section.
  • Cite Data Sources: organizations can’t continue to use Europeans’ personal data without a clear record of where and how it was obtained. CRM software in email clients will usually take care of this.
  • The Right to Be Forgotten: European citizens have a right for their data to be deleted from private databases, and they have the right to withdraw their consent for marketing communications at any time.

What’s the Difference Between GDPR and CASL?

GDPR is European legislation, but it will have legal ramifications for companies with a digital presence in the EU—even if they operate on a different continent.

CASL (Canada Anti-Spam Legislation), on the other hand, is entirely separate legislation from a different country. American and international companies have adopted mechanisms and policies to comply with these anyway, because it’s just easier to cover their bases everywhere and avoid lawsuits.

In the case of CASL, this generally just manifested as clear opt-in and opt-out mechanisms for email recipients. Basic stuff, really, and every email marketing software worth it’s salt has those features built in by default.

GDPR redefines personal data and processes surrounding it while also introducing heavy penalties for multinationals who fail to follow them.

To be honest, companies following best practices and respecting their customers are already covered (or 80% of the way there). Companies spamming customers or buying lists of cold email leads usually get the boot from their email marketing vendors anyway.

The GDPR Compliance Checklist for Marketing

If you’re a large company or thinking of scaling up beyond a regional customer base, then you’ll want to use this checklist just to get started (but please don’t take it as legal advice—talk to a lawyer if this is a concern).

The rest of the world may adopt similar legislation sooner than you think, given the recent scandal with Facebook and Cambridge Analytica, so it pays to keep these things in mind:

  • Document your data privacy model for the entire company
  • Include data privacy metrics in relevant audit processes
  • Update your marketing policy to include GDPR provisions
  • Notify visitors of cookies on your website
  • Codify the purpose of storing specific data points
  • Adopt a CRM to track personal data collection histories
  • Notify users when collecting additional data
  • Put  intentional limits on collecting unspecified or irrelevant data
  • Place consent withdrawal mechanisms in all marketing touchpoints
  • Cite sources for every piece of personal data collected
  • Eliminate or archive personal data without a source
  • Flag and archive anything connected with the right to be forgotten
  • Record all data disclosures on a personal basis
  • Review your ability to conduct criminal background checks
  • Identify cross-border data transmission mechanisms and review them for security
  • Appoint a European Correspondence Representative
  • Appoint a GDPR Compliance Officer in some capacity

GDPR Articles for Further Reading

Stay informed, both as a consumer and a company representative. You can learn more about the General Data Protection Regulation from these sources. Just remember that many of these pieces try to get a rise out of readers with some alarmist language.

Andrew Webb

Andrew Webb

SEO and Content Marketing Consultant

Andrew is the digital marketing consultant at Webb Content and currently the in-house Search Engine Marketing Specialist at aha insurance. He's worked in a few different agencies full-time and with another seven or eight as a consultant.

He's usually writing new content, finding new ways to optimize his websites, and fixing bad digital marketing wherever he sees it.

Andrew’s Recent Posts

Let’s Start the Conversation

Feel free to send an email if you’d like to chat. I love talking shop over a cup of coffee, even if you just want a second opinion on a marketing or advertising plan.

2 + 7 =