Businesses have been working hard for years to ensure that they comply with the GDPR (General Data Protection Regulation) in the European Union (EU). The legal consequences of not complying with GDPR guidelines have been clearly defined and leave little to the imagination for businesses and entrepreneurs in possession of physical or digital data. Companies in violation of the GDPR may be fined between 2% to 4% of their annual global turnover or up €20 million, whichever is higher. Frequent GDPR violations can raise the level of legal penalties to the €40 million range. The GDPR Compliance Checklist The GDPR is a complex 11 chaptered document with 99 articles that cover a wide range of user privacy issues.
This set of regulations can be hard to digest and interpret, which is where this checklist enters the picture. The ultimate GDPR compliance checklist highlights and lays out all of the main bases that you have to cover systematically to achieve GDPR compliance. Data Privacy Impact Assessment (DPIA) With the GDPR in in full swing, a DPIA can be extremely helpful for online publishers, who are now officially defined as data controllers (fully responsible for GDPR breaches).
In a nutshell, DPIA is a risk management process. It helps map and analyze the privacy risks your operations create, eventually enabling you to come up with an optimization plan. Identify the privacy risks and Evaluate Privacy Solutions with your company. Your first challenge is to map the data collection points where you are collecting Personally Identifiable Information (PII) data from your customers and identify the privacy risks that exist while processing them. Data controllers (such as online publishers) should pay extra attention to PII data that is processed by third party services like Google, web browsers, and advertising networks.
Record the DPIA results and Integrate Into the Project Plan After analyzing and understanding the privacy challenges in the ecosystem, the data controller should record all findings. Your next step should be to implement required mechanisms for enforcing personal data protection. Furthermore, the selected mechanisms need to be demonstrated adequately to prove GDPR compliance. Collaborate with Internal and External Stakeholders Online publishers need to know what exactly the third party vendors are doing with their customers’ PII data and how exactly it is being processed. This collaboration is vital for GDPR compliance.
In a nutshell, DPIA is a risk management process. It helps map and analyze the privacy risks your operations create, eventually enabling you to come up with an optimization plan. Identify the privacy risks and Evaluate Privacy Solutions with your company. Your first challenge is to map the data collection points where you are collecting Personally Identifiable Information (PII) data from your customers and identify the privacy risks that exist while processing them. Data controllers (such as online publishers) should pay extra attention to PII data that is processed by third party services like Google, web browsers, and advertising networks.
Record the DPIA results and Integrate Into the Project Plan After analyzing and understanding the privacy challenges in the ecosystem, the data controller should record all findings. Your next step should be to implement required mechanisms for enforcing personal data protection. Furthermore, the selected mechanisms need to be demonstrated adequately to prove GDPR compliance. Collaborate with Internal and External Stakeholders Online publishers need to know what exactly the third party vendors are doing with their customers’ PII data and how exactly it is being processed. This collaboration is vital for GDPR compliance.
Policies and Procedures for GDPR are as follows. As part of you shiny new privacy policy, your legal department or consultant will require a list of all data processors, why are they being used, how are they being used, and to what extent. You will also be required to ensure that your customers’ data is being processed in compliance and tracking all developments in real time while taking care of the relevant documentation.
Mandatory documents to enforce GDPR compliance include the following: Personal Data Protection Policy (Article 24) – a top-level document for managing privacy in your company, which defines what you want to achieve and how. Privacy Notice (Articles 12, 13, and 14) – this document explains in simple words how you will process personal data of your customers, website visitors, and others. It is recommended to publish this in your website for optimal transparency. Data Retention Schedule (Article 30) – lists all points of PII data collections and describes how long each type of data will be kept and stored. Data Retention Policy (Articles 5, 13, 17, and 30) – it describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed after the processing is completed.
Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from data subjects to process their personal data. Parental Consent Form (Article 8) – if the data subject is a minor below the age of 16 years, then a parent needs to provide the consent for processing his personal data. GDPR treats the breach of this protocol very seriously. DPIA Register (Article 35) – this is where all the results from your Data Protection Impact Assessment (DPIA) will be saved after being recorded and analyzed. The procedure revolving GDPR breaches needs to be clear to avoid any reporting delays. When a PII data leak is detected, the data controller needs to record the event in the Data Breach Register (Article 33). There is also a requirement to notify the relevant Supervisory Authority about the incident, while also updating the affected customers (Article 33 & 34).
Notices and Consent Data controllers need to make sure that that have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time. Employee Training is paramount for compliant action. You will need to identify what your staff respond well to and incorporate these elements to create a successful GDPR staff training program. Common techniques include adding a game or an element of reward. A GDPR awareness programme should be an ongoing process that is reinforced regularly throughout the year and also when staff-related incidents occur.
Data Retention Policy GDPR will introduce laws that will make the storage limitation principle considerably stricter. Soon, it will be illegal for data processing to be excessive in relation to the purpose of acquiring such information. Specific time limits will be set for both the processing and reviewing of data, while the handling of personal data should remain explicit and transparent. It is also important to make sure that all third party vendors are encrypting the data before and after it is processed and/or transmitted to fourth and fifth party providers. Personal Data Collecting and Processing First and foremost, the data controller should assign a Data Protection Officer (DPO) when there are significant amounts of DII data being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring the activities from the legal standpoint.
Third party vendors are becoming increasingly necessary for modern online publishers to remain profitable. These services can appear to be perfectly functional, they are basically autonomous components that are working independently, often while compromising user privacy. Many also make use of fourth and fifth party services to gain added functionality. Compliance is further complicated due to the way third party solutions work. Your PII data can potentially reach new data processors in the form of fourth and fifth party services. A proper GDPR audit should go beyond first party software on the website and include third party services in Ad Tech and MarTech stacks for a through inspection.
Mandatory documents to enforce GDPR compliance include the following: Personal Data Protection Policy (Article 24) – a top-level document for managing privacy in your company, which defines what you want to achieve and how. Privacy Notice (Articles 12, 13, and 14) – this document explains in simple words how you will process personal data of your customers, website visitors, and others. It is recommended to publish this in your website for optimal transparency. Data Retention Schedule (Article 30) – lists all points of PII data collections and describes how long each type of data will be kept and stored. Data Retention Policy (Articles 5, 13, 17, and 30) – it describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed after the processing is completed.
Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from data subjects to process their personal data. Parental Consent Form (Article 8) – if the data subject is a minor below the age of 16 years, then a parent needs to provide the consent for processing his personal data. GDPR treats the breach of this protocol very seriously. DPIA Register (Article 35) – this is where all the results from your Data Protection Impact Assessment (DPIA) will be saved after being recorded and analyzed. The procedure revolving GDPR breaches needs to be clear to avoid any reporting delays. When a PII data leak is detected, the data controller needs to record the event in the Data Breach Register (Article 33). There is also a requirement to notify the relevant Supervisory Authority about the incident, while also updating the affected customers (Article 33 & 34).
Notices and Consent Data controllers need to make sure that that have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time. Employee Training is paramount for compliant action. You will need to identify what your staff respond well to and incorporate these elements to create a successful GDPR staff training program. Common techniques include adding a game or an element of reward. A GDPR awareness programme should be an ongoing process that is reinforced regularly throughout the year and also when staff-related incidents occur.
Data Retention Policy GDPR will introduce laws that will make the storage limitation principle considerably stricter. Soon, it will be illegal for data processing to be excessive in relation to the purpose of acquiring such information. Specific time limits will be set for both the processing and reviewing of data, while the handling of personal data should remain explicit and transparent. It is also important to make sure that all third party vendors are encrypting the data before and after it is processed and/or transmitted to fourth and fifth party providers. Personal Data Collecting and Processing First and foremost, the data controller should assign a Data Protection Officer (DPO) when there are significant amounts of DII data being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring the activities from the legal standpoint.
Third party vendors are becoming increasingly necessary for modern online publishers to remain profitable. These services can appear to be perfectly functional, they are basically autonomous components that are working independently, often while compromising user privacy. Many also make use of fourth and fifth party services to gain added functionality. Compliance is further complicated due to the way third party solutions work. Your PII data can potentially reach new data processors in the form of fourth and fifth party services. A proper GDPR audit should go beyond first party software on the website and include third party services in Ad Tech and MarTech stacks for a through inspection.
Remember, GDPR Doesn’t End With Just One Audit. A good GDPR audit doesn’t mean your Ad Tech stacks will stay compliant in the long run. Third party vendors often make code changes that alter the way your PII data is processed or in extreme cases stored, which is a violation of the GDPR guidelines. New fourth and fifth party vendors, who can potentially be completely non compliant, can also enter the fray. The meaning of this ongoing risk is that online publications have to be on the top of things and monitor their ecosystem, especially marketing software stacks, in real time.
At first glance, it may seem that the GDPR only applies to large, global companies that conduct a lot of business overseas. But that's a false perception that could harm a lot of small businesses. No matter the size of your company, if you collect any kind of personal data on citizens in the European Union, from email addresses to medical records, you are legally required to comply with GDPR regulations. Are you prepared? Here are ten simple steps your business can take to be best prepared for the GDPR, even if you are not physically located in the EU.
Even if Your Business is Not Located in the EU The General Data Protection Regulation is a new set of rules amended to the current Data Projection Act that will soon be mandated for those businesses dealing with European consumers. On May 25, 2018 the regulation insists on safeguarding the personal information of all citizens of European Union member states. While many businesses are already aligned with the specifications, it is important to make sure your business has everything covered. This article takes a look at what you need to have in place in order to avoid being found in violation of the GDPR in 2023 or beyond.
At first glance, it may seem that the GDPR only applies to large, global companies that conduct a lot of business overseas. But that's a false perception that could harm a lot of small businesses. No matter the size of your company, if you collect any kind of personal data on citizens in the European Union, from email addresses to medical records, you are legally required to comply with GDPR regulations. Are you prepared? Here are ten simple steps your business can take to be best prepared for the GDPR, even if you are not physically located in the EU.
Even if Your Business is Not Located in the EU The General Data Protection Regulation is a new set of rules amended to the current Data Projection Act that will soon be mandated for those businesses dealing with European consumers. On May 25, 2018 the regulation insists on safeguarding the personal information of all citizens of European Union member states. While many businesses are already aligned with the specifications, it is important to make sure your business has everything covered. This article takes a look at what you need to have in place in order to avoid being found in violation of the GDPR in 2023 or beyond.
The truth is these new rules are aimed at large companies who deal in information as a source of revenue. Smaller businesses aren’t likely to be penalized the 4% of worldwide gross or 20 million Euros that large corporations will if they are found in violation. If you are worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you are unsure if you will be affected look for these key signals:
1. You deal in information as a commodity;
2. You request user data when they complete a purchase to use the data elsewhere or store the personal data;
3. You deal with 1 or more European nations.
If the answer is no to those questions then your business will be fine! So what can you do just in case? Here’s 10 steps your business can take to be best prepared for the GDPR, even if you are not physically located in the European Union.
1. If your website has an online form that incudes a pre-checked box giving permission to receive promotional emails from 3rd parties, this box now needs to be unchecked.
2. If your business conducts any form of list-building, ensure everyone on that list has given explicit permission to be in it. Under the Canadian PIPEDA, it was enough to have implied permission; however, if any EU residents are in your database, the rules are much more firm that provides subscribers with the right to obtain the information stored on them. This includes the use of 2023 torrents by employees or on company devices.
3. Make sure your entire staff is aware of the new rules. Circulate a memo to all personnel with a follow-up meeting where the points are reviewed. Asking a few questions to key players whose roles would be most affected by the new rules is a great way to ensure they’re aware of what they need to do.
4. Audit all stored client and customer information and track where you got it from and where it has been used. Keep a record of every bit of info and who you may have passed it to at any time, and document the relationship and reasoning.
5. Update your privacy policy so it includes the reasoning for retaining any user data, how it is legally used, and how users can contact your business if they feel their user information is in any way being misused.
6. Have a clear method in place to address requests for erasing a user’s data. Under the DPA, users already had certain rights but the GDPR takes it further with information rights pertaining to their data stored by your business. The rights consist of:
1. You deal in information as a commodity;
2. You request user data when they complete a purchase to use the data elsewhere or store the personal data;
3. You deal with 1 or more European nations.
If the answer is no to those questions then your business will be fine! So what can you do just in case? Here’s 10 steps your business can take to be best prepared for the GDPR, even if you are not physically located in the European Union.
1. If your website has an online form that incudes a pre-checked box giving permission to receive promotional emails from 3rd parties, this box now needs to be unchecked.
2. If your business conducts any form of list-building, ensure everyone on that list has given explicit permission to be in it. Under the Canadian PIPEDA, it was enough to have implied permission; however, if any EU residents are in your database, the rules are much more firm that provides subscribers with the right to obtain the information stored on them. This includes the use of 2023 torrents by employees or on company devices.
3. Make sure your entire staff is aware of the new rules. Circulate a memo to all personnel with a follow-up meeting where the points are reviewed. Asking a few questions to key players whose roles would be most affected by the new rules is a great way to ensure they’re aware of what they need to do.
4. Audit all stored client and customer information and track where you got it from and where it has been used. Keep a record of every bit of info and who you may have passed it to at any time, and document the relationship and reasoning.
5. Update your privacy policy so it includes the reasoning for retaining any user data, how it is legally used, and how users can contact your business if they feel their user information is in any way being misused.
6. Have a clear method in place to address requests for erasing a user’s data. Under the DPA, users already had certain rights but the GDPR takes it further with information rights pertaining to their data stored by your business. The rights consist of:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling
You will need to be able to provide all this information in a clear and machine-readable format (not in hand writing).
7. Have a process in place for handing over large volumes of requests. Previously under the DPA businesses had 40 days to comply with a request. That has been shortened to one month. Any lawful request must be fulfilled though if there are a large number of requests and the suspected reasoning is to cause problems for your business then these requests can be contested legally.
8. Have your lawful reasoning for retaining user data or passing to others clearly stated for users and ensure the opt-in option is not pre-ticked or unclear. Users must have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they must have the option to say no. This is separate from Terms and Conditions.
9. If your business deals with anyone under the age of 16 then you will need a parent or guardian’s permission to process any of the child’s data. This is very important and strictly regulated but at the same time if you are not dealing in information as a commodity then you are likely not going to have to worry.
10. Have steps in place to address a data breach. In the event that user’s data may be compromised you will need to have a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.
7. Have a process in place for handing over large volumes of requests. Previously under the DPA businesses had 40 days to comply with a request. That has been shortened to one month. Any lawful request must be fulfilled though if there are a large number of requests and the suspected reasoning is to cause problems for your business then these requests can be contested legally.
8. Have your lawful reasoning for retaining user data or passing to others clearly stated for users and ensure the opt-in option is not pre-ticked or unclear. Users must have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they must have the option to say no. This is separate from Terms and Conditions.
9. If your business deals with anyone under the age of 16 then you will need a parent or guardian’s permission to process any of the child’s data. This is very important and strictly regulated but at the same time if you are not dealing in information as a commodity then you are likely not going to have to worry.
10. Have steps in place to address a data breach. In the event that user’s data may be compromised you will need to have a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.
Final Thoughts On GDPR Compliance
And that’s it for our GDPR law advice! As you can see it is a big business problem and more so rooted in user protection in Europe where social networks have been cited as problematic and susceptible to foreign influence. North America is not really affected much but the issue is still very newsworthy, which can make some SMB owners nervous when they shouldn't be.
For any questions or concerns on please Contact Us
Now Read: How To Set Your Social Selling Annual Goals
I hope you enjoyed this article from Social Selling Entrepreneur.
Interested in reading more posts on social media marketing?
Read Our Blog:
- Why Social Media Marketing Is Key To Business Success
- Get Better Social Selling Results With Professional Outreach
Want To Boost Business More?
Visit Our Partner Websites To Get Growing:
Boostrapped Business | Lean Startup Living
Mastermind Marketing | Divine Designs Blog
More Social Selling Suggestions Below:
For any questions or concerns on please Contact Us
Now Read: How To Set Your Social Selling Annual Goals
I hope you enjoyed this article from Social Selling Entrepreneur.
Interested in reading more posts on social media marketing?
Read Our Blog:
- Why Social Media Marketing Is Key To Business Success
- Get Better Social Selling Results With Professional Outreach
Want To Boost Business More?
Visit Our Partner Websites To Get Growing:
Boostrapped Business | Lean Startup Living
Mastermind Marketing | Divine Designs Blog
More Social Selling Suggestions Below: