Reports show that only 21% of US website owners have taken steps to comply with the GDPR. Since non-compliance attracts stiff penalties (fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83), if your business is among those yet to comply, you should be working overtime to get there.
Below is a checklist of the main steps to take to comply with the regulation:
- Determine whether you need to comply
Article 3 sets the territorial scope: the GDPR applies if you have an establishment in the EU, and also if you have none but offer goods or services to people in the EU or monitor their behaviour there. Signals that authorities treat as evidence of offering goods or services to the EU include providing content in EU languages, accepting payment in EU currencies, and using a Member State's country-code domain such as .de or .fr. If any of these apply to you, assume you are in scope and comply.
- Identify and clarify a lawful basis for collecting personal data
Article 6 of the GDPR requires a lawful basis for every processing of personal data, and it lists six: consent, performance of a contract, a legal obligation, vital interests, a public task, and legitimate interests. Processing without one is unlawful, and the accountability principle in Article 5(2) means you must be able to show which basis you rely on for each purpose, so document it, for example in your record of processing activities (Article 30).
- Update your data breach policy to reflect the new regulation
The policy should cover two things. First, the technical and organisational measures you have in place to protect personal data (Article 32). Second, what happens when a breach occurs: Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and Article 34 requires telling the affected data subjects without undue delay when the breach is likely to result in a high risk to them; a processor must notify its controller without undue delay. Write the policy so that these deadlines can actually be met: who decides that an incident is a breach, who notifies, and what is logged.
- Collect only the data you need
Data minimisation is a principle of the regulation (Article 5(1)(c)): collect only data that is adequate, relevant and necessary for the purpose at hand. If you collect personal information for an email newsletter, for instance, you probably need only the name and email address. Don't collect what you don't need; data you never collected cannot be breached or have to be produced on request.
- Set the default opt-in selection to “No”
For forms that invite visitors to subscribe to newsletters or other emails, there must be an explicit, separate opt-in box, and it must be unticked by default so the user makes a conscious choice to opt in. Recital 32 is explicit that silence, pre-ticked boxes or inactivity do not constitute consent, and consent to marketing may not be buried in the terms and conditions.
- Provide for granular opt-in
Still on forms, the age of bundled opt-ins is over. Under the GDPR subjects must know exactly what they are opting into, and Article 7(2) requires a consent request to be clearly distinguishable from other matters. If you will call them, give them a separate choice for calls; if you will send text messages, another for SMS; and so on for each channel and each purpose. Don't bundle services together, and record which boxes were ticked, not just that the form was submitted.
- Ensure that all business partners are in compliance
Under the GDPR, both controllers and processors have obligations. Article 28 requires a written contract with each processor that handles personal data on your behalf, and processors in turn must ensure that anyone they authorise to process the data is bound by a confidentiality obligation (Article 28(3)(b)). So make sure every party that touches personal data, including employees, contractors and suppliers, is in compliance, and have employees and contractors sign a confidentiality agreement or NDA.
- Provide easy, granular opt-out
A subject may withdraw consent at any time, and Article 7(3) requires that withdrawing consent be as easy as giving it. Make the withdrawal process at least as simple as the opt-in process, and let subjects withdraw from individual services one at a time rather than forcing an all-or-nothing unsubscribe. Withdrawal does not affect the lawfulness of processing that happened before it, but the processing must stop once consent is withdrawn.
- Understand user rights beyond opt-in and opt-out
Beyond opt-in and opt-out, subjects have a set of rights under Articles 15 to 21: access to the data you hold about them, rectification, erasure, restriction of processing, data portability (receiving their data in a structured, commonly used, machine-readable format), and the right to object. You must respond to a request without undue delay and within one month (Article 12(3)), so you need a process for locating, exporting and deleting an individual's data across every system that stores it. A tick box on a form does none of this; consent to further emails is a separate matter and still needs its own box.
- Provide a privacy notice and terms & conditions
Finally, provide a privacy notice on your website that sets out the information Article 13 requires: who you are, what you collect, why and on which lawful basis, how long you keep it, who you share it with, and the rights the subject has. Give users the chance to "Agree" to the terms and conditions of the business relationship they're getting into, but keep that separate from any consent to marketing; agreeing to terms is not consent to processing that needs consent.
Note: For those using MailChimp and WordPress, the platforms have provided a few solutions to consider. MailChimp, for instance, offers several GDPR tools to get you started. WordPress, meanwhile, has plug-ins that you can use to ensure GDPR compliance. Just keep in mind that those plug-ins aren’t one-click solutions. Even after installing them, you’ll have plenty of work to do.
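The form rules from the checklist above (a separate, unticked box per channel, data minimisation, and granular withdrawal that is as easy as opting in) as one added Python example. This is illustrative code written for this page, not the article's own, and not a MailChimp or WordPress feature; the purpose names, form field names, sample submission and function names are all assumptions.

```python
"""
Server-side consent handling for a newsletter sign-up form.
Added example for this page; purposes, field names and the sample
submission below are assumptions, not from the original article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One purpose per channel: the user ticks each one separately (no bundling).
PURPOSES = ("email", "sms", "phone")

# Data minimisation: a newsletter sign-up needs only these fields.
ALLOWED_FIELDS = ("name", "email")


@dataclass
class ConsentEvent:
    """One opt-in or withdrawal, kept so consent can be demonstrated later."""
    purpose: str
    granted: bool                         # True = opt-in, False = withdrawal
    at: str                               # ISO-8601 UTC timestamp
    source: str                           # form or page that recorded it
    notice_version: Optional[str] = None  # privacy notice shown at opt-in


@dataclass
class Subscriber:
    data: Dict[str, str]
    history: List[ConsentEvent] = field(default_factory=list)

    def current_consents(self) -> Dict[str, bool]:
        """Fold the event log into the latest state per purpose; default is 'No'."""
        state = {p: False for p in PURPOSES}
        for ev in self.history:
            state[ev.purpose] = ev.granted
        return state


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def handle_signup(form: Dict[str, str], notice_version: str,
                  source: str = "signup_form") -> Subscriber:
    """
    Build a subscriber from submitted form fields.
    Browsers omit an unticked checkbox from the submission entirely, so an
    absent or empty consent key is treated as no consent; only the literal
    "on" a ticked box sends counts. Nothing is pre-ticked server-side.
    """
    data: Dict[str, str] = {}
    for key in ALLOWED_FIELDS:               # anything else in the form is dropped
        value = form.get(key, "").strip()
        if value:
            data[key] = value
    if "email" not in data:
        raise ValueError("email is required for a newsletter subscription")
    sub = Subscriber(data=data)
    for purpose in PURPOSES:
        if form.get(f"consent_{purpose}") == "on":
            sub.history.append(ConsentEvent(purpose, True, _now(), source, notice_version))
    return sub


def withdraw(sub: Subscriber, purpose: str, source: str = "preferences_page") -> None:
    """Withdraw a single purpose without touching the others; no-op if not granted."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    if sub.current_consents()[purpose]:
        sub.history.append(ConsentEvent(purpose, False, _now(), source))


def may_contact(sub: Subscriber, purpose: str) -> bool:
    """Gate every send on the current consent state, never on a cached flag."""
    return sub.current_consents().get(purpose, False)


# Constructed sample submission: email ticked, sms present but unticked,
# phone absent, plus a field the form should never have collected.
SAMPLE_SUBMISSION = {
    "name": "Ann Example",
    "email": "ann@example.com",
    "consent_email": "on",
    "consent_sms": "",
    "phone_number": "+1 555 0100",
}

if __name__ == "__main__":
    s = handle_signup(SAMPLE_SUBMISSION, notice_version="2018-05")
    print(s.data, s.current_consents())
    withdraw(s, "email")
    print(s.current_consents(), len(s.history), "events")
```

The consent state is an append-only log of events rather than a boolean column, because Article 7(1) puts the burden of demonstrating consent on the controller: the log records when each box was ticked, from which form, and against which version of the privacy notice, and a withdrawal is just another event rather than an overwrite. Every outbound send should call the equivalent of `may_contact` at send time rather than trusting a list exported earlier.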