Analyzing data about website visitors or current customers is essential for providing the best possible user experience. However, if any of your visitors or customers are based in the European Union, you need to be in compliance with the General Data Protection Regulation (GDPR)—or risk being fined millions of dollars.
With 11 chapters, 99 articles, and 173 recitals (a statement describing the reason for the act), the GDPR can seem like an overwhelming document to decode, let alone follow. This guide breaks it down into a common-sense checklist to help you understand GDPR requirements and take steps to become compliant.
GDPR is an EU regulation that was implemented in May 2018. It aims to protect the privacy rights of EU citizens by making personal data collection transparent and easy for data subjects—your current and prospective customers—to be aware of and in control of which data they give to you.
Rather than think of the GDPR as yet another data regulation your company needs to be compliant with, consider it an opportunity to strengthen your relationship with customers, whether they live in the EU or elsewhere. With your customers’ desires for privacy at top of mind, interpreting and implementing GDPR requirements becomes more intuitive.
Another benefit of being GDPR-compliant is that it prepares you for regulations from other places. Countries like Brazil, Japan, and South Korea used the GDPR as a model for their own consumer protection regulations. The California Consumer Protection Act (CCPA) is also similar to the GDPR.
Even if your company is based in the US, you must be GDPR-compliant if you’re collecting data about people who live in the EU. According to the GDPR, personal data could include:
Emails from site visitors, like for a newsletter sign-up
Names of leads who have visited your site
Business addresses, telephone numbers, or other info about individuals gathered by lead generation software like LeadBoxer
Any info stored about customers through eCommerce stores
Chances are, if you’re gathering leads for your software-as-a-service (SaaS) company, running an online store, or even have a newsletter sign-up form on your website that is or could collect info about people living in the EU, you should be GDPR compliant.
This checklist offers guidance about what to do to be compliant.
The first step to full transparency is knowing what personal data you collect and who has access to it, which you can do by filling out a GDPR data map like the one above. This includes:
The source of the data
What data you collect
The reason for collecting it
How you store and process it
Who has access to the data
How and when you dispose of someone’s data
You then need to justify and document the legal basis for collecting the data. There are six acceptable conditions for collecting data under the GDPR.
Why you’re collecting data
How the data is handled
Who has access to it
How you’re protecting the data
The official GDPR checklist advises that you secure personal data by taking the following steps:
Minimize the amount of data collected
Have a documented process for disposing of data
Encrypt, pseudonymize, or anonymize data
You should also create a security policy and train employees in how to use it. This security policy can include things like password policies and data processing policies, like how long data is stored and the method for deleting it.
Finally, you need to report any data breaches to the appropriate supervisory authority within 72 hours. Design a data breach reporting process so that the designated employee knows exactly which supervisory authorities to notify.
While protecting customer data is everyone’s responsibility, one employee should be designated as the company’s GDPR authority. This person evaluates data protection policies, oversees implementation, and conducts security policy training for his or her colleagues.
You should also sign a data processing agreement with each productivity tool you use that collects data. According to the GDPR, this agreement “states the rights and obligations of each party concerning the protection of personal data.”
As a US company, you’ll need to appoint a representative within the EU that will help you communicate with the supervisory authorities.
Finally, if your company meets one of three criteria, you’ll need to appoint a Data Processing Officer to monitor the company’s compliance and handle questions from data subjects.
Your data subjects should easily be able to:
Request and retrieve their personal data
Correct or update inaccurate information
Request that you delete their data
Request that you stop collecting their data
Request that you never collect data about them in the first place
Get a copy of their data in an easily transferable file, like a CSV file
The GDPR allows you to choose how to implement these processes. That gives you some wiggle room about how to get site visitors’ consent without disrupting their experience.
At the end of the day, GDPR compliance is all about treating your current or potential customers with respect, which is the hallmark of any successful business. When in doubt about a data decision, consider what would make your customers happiest.
This checklist can get you closer to protecting customers’ data, but you might still want to consult a lawyer, a GDPR compliance specialist, or the official GDPR checklist to make sure your company is fully compliant.