GDPR Checklist This guidance document, published by Norton Rose Fulbright, is designed to give an illustrative overview of the GDPR requirements likely to impact most types of businesses and the practical steps that organisations need to take to be GDPR compliant. All Rights Reserved. You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made. If you process data relating to people in one particular member state, you need to appoint a representative in that country who can communicate on your behalf with data protection authorities. The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators. With 36 boxes to tick, this GDPR checklist highlights how involved this regulation really is. You can think of Legitimate Interest as the “being caught with your hand in the cookie jar” argument. More to read on this topic: Records of processing activities in GDPR Article 30. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. 6 min So how do you know if you’re compliant? But from privacy standpoint, the idea is that people own their data, not you. This may seem unfair from a business standpoint in that you may have to turn over your customers' data to a competitor. or just starting your journey, we’ve put together a GDPR Compliance checklist xls document to help you. Sign a data processing agreement between your organization and any third parties that process personal data on your behalf. encryption), and when you plan to erase it (if possible). Data Processing Agreement Encrypt, pseudonymize, or anonymize personal data wherever possible. Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. CRM & Email Marketing, Mar 2019 Our GDPR preparations have included a comprehensive review of relevant internal processes, procedures and documentation. CRM & Email Marketing, Jul 2018 Appoint a Data Protection Officer (if necessary). Do your best to keep data up to date by putting a data quality process in place, and make it easy for your customers to view (Article 15) and update their personal information for accuracy and completeness. Taking into account the state of the art, … Your data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. GDPR asks organizations to honour any request within the month. Could adding someone to your promotional email marketing messages after that user makes a purchase from your web store be construed as legitimate interest? The law also includes the threat of large fines for non-compliance, which can reach 4% of global revenue or €20 million, depending on the severity and circumstances of … For the purpose of clarity, the guide applies to both external and internal communications, and the threats that exist to the integrity of GDPR-covered data – of which there are quite a lot. Free HIPAA Newsletter. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. Written by Victor Ekelund Updated over a week ago This step by step checklist outlines how to make the relationship between your company and Albacross GDPR compliant. CRM & Email Marketing, Apr 2017 Demystify GDPR compliance with the GDPR Compliance Checklist. This brief guide to GDPR email compliance focuses on emails in particular because it is the most frequently-used channel through which data enters a business, is shared and stored. Quickly Customize. In short, GDPR requires an extra level of accountability and places the responsibility firmly with the publisher to be able to demonstrate how compliance with GDPR principles is being managed and tracked. Provide clear information about your data processing and legal justification in your privacy policy. If you're processing their data for the purposes of direct marketing, you have to stop processing it immediately for that purpose. We can think of a dozen reasons this is a good idea aside from GDPR, including better email engagement, a healthier marketing list, and increased deliverability, to name a few. 3 min This means that you should be able to send their personal data in a commonly readable format (e.g. Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds.". CRM & Email Marketing, Nov 2016 The policy exerts a substantial impact on a number of companies – especially the ones operating in Europe. If you make decisions about people based on automated processes, you have a procedure to protect their rights. This protects all EU citizens regardless of where the company is based. Maintaining records of how and why personal data was collected as well as the documentation of the processes are therefore vital. Here is an overview of GDPR and a checklist for becoming GDPR compliant. Create a security policy that ensures your team members are knowledgeable about data security. There are a five grounds on which you can deny the request, such as the exercise of freedom of speech or compliance with a legal obligation. Test Before You Send: The Importance Of Email Testing, Blog: Email A/B Tests To Improve Your Open Rates [VIDEO], Why Lightboxes Are Annoying & You Should Use Them, Failing Forward With Your A/B Testing Plan. You also need to make sure any processing of personal data adheres to the data protection principles outlined in Article 5. Chances are, you’ll end up paying for that cookie—either with frustrated customers, or even worse, paying a fine. Know when to conduct a data protection impact assessment, and have a process in place to carry it out. Notices and Consent. Weekly HIPAA news via email. In other words, data protection is something you now have to consider whenever you do anything with other people's personal data. Our GDPR checklist can help you secure your organization, protect your customers’ data, and avoid costly fines for non-compliance. We use cookies to ensure that we give you the best experience on our website. Determine what type of data you have/plan to collect. The GDPR requires organizations to use encryption or pseudeonymization whenever feasible. We’re here to say: don’t panic, but be prepared. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment. GDPR Compliance Checklist for Indian Companies. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. There is more detail behind each issue noted below. This person should be empowered to evaluate data protection policies and the implementation of those policies. Weekly GDPR news via email. In the wake of the GDPR, many email marketing services have released GDPR-compliance guides specific to their platforms. Have a legal justification for your data processing activities. Your small business GDPR checklist should consider past and present employees, suppliers, and customers. Make sure you can verify the identity of the person requesting the data. Create an internal security policy for your team members, and build awareness about data protection. Learn … Confidentiality guaranteed. You can find this information on our What is GDPR? Some types of organizations use automated processes to help them make decisions about people that have legal or "similarly significant" effects. GDPR.eu is co-funded by the Horizon 2020 Framework Programme of the European Union and operated by Proton Technologies AG. If your organization is outside the EU, appoint a representative within one of the EU member states. Privacy Policy. You should be able to comply with such requests within a month. Data controllers need to make sure that have user consent to collect personal … How we use your data Immediate Access. You need to tell people that you're collecting their data and why (Article 12). Advertising and Sponsorship; Submit an Article or Corrections; If you've dutifully worked to the bottom of the GDPR checklist then you've significantly limited your exposure to regulatory penalties. A cloud compliance checklist for the GDPR age The cloud is supposed to make things simpler, but when it comes to compliance, things can get complex. If anything, GDPR will force companies to reassess their email collection policies and build better trust with their subscribers, which is good for everyone. The europa.eu webpage concerning GDPR can be found here. People have the right to see what personal data you have about them and how you're using it. The point is that it needs to be something you and your employees are always aware of. The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. The ICO recommends just doing it anytime you're about to process personal data. Have a process in place to notify the authorities and your data subjects in the event of a data breach. Conclusion — GDPR Checklist. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. You should check with a lawyer to make sure your organization fully complies with the GDPR. ... stated that the flow of personal information from the EU to a non-EU country can only take place if that country is in compliance with the GDPR standards. GDPR compliance checklist. Most of the productivity tools used by businesses are now available with end-to-end encryption built in, including email, messaging, notes, and cloud storage. More than just avoiding monetary penalties, organizations across industries have an opportunity to appeal to consumers worldwide as a champion of consumer privacy through GDPR compliance. So here’s what you need to know. In the near future, the rest of the world may soon adopt similar legislation in light of the recent investigation into Cambridge Analytica and Facebook. Another part of "data protection by design and by default" is making sure someone in your organization is accountable for GDPR compliance. It’s important to note that the policies above apply to email addresses collected both before and after May 25th, 2018—which means if you have subscribers residing in the EU and any of those emails were collected in a manner not compliant with GDPR, you should seriously consider running a re-permission campaign. It's easy for your customers to ask you to stop processing their data. It is by no means to be perceived as legal advice. Even if you don’t collect email addresses (i.e. It's easy for your customers to request and receive all the information you have about them. Right to Erasure Request Form Easily Editable & Printable. You must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data. Digital Marketing. 4 min GDPR is a European Union privacy protection regulation that addresses how personal data is collected, used, and managed. Even if your technical security is strong, operational security can still be a weak link. The two data collection and processing policies of GDPR that email marketers are talking most about are (1) Consent and (2) Legitimate Interest. This is important for three reasons. There are other provisions related to children and special categories of personal data in Articles 7-11. Review these provisions, choose a lawful basis for processing, and document your rationale. COVID-19 Remote Working – GDPR Data Security Checklist Here is a checklist for data processors to maintain their compliance with General Data Protection Regulation, and prevent from getting fines by GDPR. The GDPR Compliance Checklist for Marketing Stay ahead of the legal curve with this practical GDPR compliance checklist to equip your organization for GDPR compliance. If your business is located in the EU, if you conduct business within the EU, or if you cater to an EU audience, you need to ensure compliance and GDPR consent for email marketing. page. Nothing found in this portal constitutes legal advice. I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you. Privacy by Design and Default (Article 25) Privacy by Design. It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company. The GDPR is a European Union data privacy law that requires organizations to keep data safe, while also giving people more control over how their data are used. right to see what personal data you have about them. Additionally, we have and continue to actively develop and implement data protection policies, procedures, controls and security measures for GDPR compliance. While processing is restricted, you're still allowed to keep storing their data. ... email address, IP-address or location data. The GDPR does not specify whom you should notify if you are not an EU-based organization. The GDPR requires organizations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms." We recommend you speak with an attorney specialized in GDPR compliance who can apply the law to your specific circumstances. This is why we also advocate for company-wide training on GDPR policy. Conduct an information audit to determine what information you process and who has access to it. “Given that GDPR places an intense emphasis on consent, and reiterates that the burden of proof falls on the company for proving consent, we strongly recommend taking a consent-centered approach to list building.”. It presents a one-page checklist for compliance designed to help you get your program started. First, even … GDPR Compliance Checklist for Email Marketing Step 1: Email EU subscribers and ask if they want to stay on your list. © 2020 Proton Technologies AG. Shifts in personnel or launching new initiatives could allow the possibility of breach. The checklist is not an explanation of the law or the extent of obligations on either controllers or processors under GDPR. GDPR compliance refers to a set of privacy rules and standards that covered entities need to follow to protect the online information of European Union citizens. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. Some organizations, like public bodies, are not required to appoint a representative in the EU. Agree to be contacted. It’s also important to periodically audit your organization’s email lists to ensure there is no non-compliant data. GDPR compliance toolkit 1. The best way to demonstrate GDPR compliance is using a data protection impact assessment Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. GDPR + Email Marketing In A Nutshell. Neither reaction is probably appropriate. The final decision should be a conversation between your organization and its legal team. The full obligations contained in the GDPR should be consulted to check compliance against each issue. Ultimately, despite any initial growing pains, erring on the side of caution will enable brands and customers to build better relationships. This protects all EU citizens regardless of where the company is based. Whether you’re well on the way to General Data Protection Regulation (GDPR) compliance (or even there!) Available in A4 & US Letter Sizes. Checklist 2: Assess your preparedness for the GDPR compliance. The best way to demonstrate GDPR compliance is using a data protection impact assessment Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. We Marketers Courses Hub is a network on different platforms aiming to collect the free courses opportunities and introduce it for all development seekers. You should explain how the data is processed, who has access to it, and how you're keeping it safe. Take data protection into account at all times, from the moment you begin developing a product to each time you process data. This is not an official EU Commission or Government resource. You should only use third parties that are reliable and can make sufficient data protection guarantees. If you have any email subscribers who are EU citizens, it seems that you need to send them an email before May 25 asking them if they’d like to stay on your email list. GDPR Compliance Checklist. While it’s important that you work with your legal team to determine what is necessary for your particular business, we’ve compiled a short checklist of common DOs and DON’Ts to assess your email acquisition practices. It's easy for your customers to object to you processing their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.". Make sure you can verify the identity of the person requesting the data. 4 min The 16 point checklist provides a detailed overview of your responsibilities and duties with regards to customer data. Since every business is different and the GDPR takes a risk-based approach to data protection, companies should work to assess their own data collection and storage practices (including the ways they use HubSpot’s marketing and sales tools), seek their own legal advice to ensure that their business practices comply with the GDPR. The more information you consume on GDPR, the better you will begin to understand the law through the lens of your business and what steps you need to take to be compliant. The first step is to find out what specific tools your email marketing platform offers to help you out. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties … Small Business GDPR Checklist There are a number of steps that are very important for small business owners to follow if they wish to avoid breaching GDPR. Your Email Marketing & GDPR-Compliance Checklist. Mandatory Breach Notification – Under GDPR, it’s required that organizations notify the European Commission of a … You must also try to verify the identity of the person making the request. A data protection impact assessment (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. If you have subscribers on your list that live in the EU, GDPR affects your organization. To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. To avoid this, the GDPR policy has established a checklist for companies to follow. People generally have the right to ask you to delete all the personal data you have about them, and you have to honor their request within about a month. There are three circumstances in which organizations are required to have a Data Protection Officer (DPO), but it's not a bad idea to have one even if the rule doesn't apply to you. Final thoughts and tips; First, avoid these GDPR mistakes Note that if you choose "consent" as your lawful basis, there are extra obligations, including giving data subjects the ongoing opportunity to revoke consent. Assess your … document.getElementById("comment").setAttribute( "id", "ae22faf0cde6ccbf7635157bba217dee" );document.getElementById("bfcf47902a").setAttribute( "id", "comment" ); Save my name, email, and website in this browser for the next time I comment. Click to View (PDF) Tags: Enforcement, Privacy Law, Privacy Operations Management As per GDPR Article 27, a company which is governed by GDPR must appoint an EU-located Representative if it has no office located within the EU. 1 min Designate someone responsible for ensuring GDPR compliance across your organization. GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. Corporate Governance This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Congratulations! Depending on the size of your organization or business it can be a hurdle to get properly prepared. CRM & Email Marketing, Dec 2018 It's easy for your customers to request to have their personal data deleted. Free GDPR Newsletter. The sixth reason is as follows: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. They spell out the rights and obligations of each party for GDPR compliance. Ready or not, GDPR will take effect on May 25th, 2018. However, based on GDPR guidelines, your top-level compliance checklist should, at a minimum, include the following: • Hire a data protection officer or appoint a person to take on the DPO role — A data protection officer is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. The following GDPR checklist intends to create awareness about GDPR for e-commerce businesses. You are also required to quickly communicate data breaches to your data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted). Possibly, but this is definitely a slippery slope. 2 min Litmus has published various articles that we love, including in-depth background on the law, steps to take to become GDPR compliant, and tips on running a re-permission campaign. restrict or stop processing of their data. Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. GDPR is a European Union privacy protection regulation that addresses how personal data is collected, used, and managed. The vast majority of services have a standard data processing agreement available on their websites for you to review. The re-permission campaign should establish GDPR-compliant consent; otherwise, that user should be unsubscribed. If there's a data breach and personal data is exposed, you are required to notify the supervisory authority in your jurisdiction within 72 hours. The 3 phases of GDPR compliance (for any online business) Phase 1: Gain a basic GDPR understanding; Phase 2: Build the GDPR foundation (GDPR checklist) (Extra) GDPR compliance for SaaS startups; Phase 3: Ensure ongoing compliance; How much money should you spend on the GDPR? Subscribe to keep up to date on the latest innovations in digital marketing and strategies our Challenger Brands leverage for success. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need. GDPR Compliance Checklist For American Companies with European Customers. As you design and build your processes and services, GDPR compliance now dictates that privacy and security be a main feature from the outset. Finally, we want to remind you once more that this checklist is not in any way legal advice. In fact, it’s best to be overly cautious when it comes to email permissions. We recommend checking out additional sources that have been covering the GDPR. Let’s talk about Legitimate Interest first. A list of many of the EU member states supervisory authorities can be found here. ... GDPR Compliance Checklist for Home Businesses ... you need to be compliant. Please keep in mind that nothing on this page constitutes legal advice. First to get properly prepared and security measures for GDPR compliance checklist xls document to them... You are happy with it to confirm compliance team members are knowledgeable about data security justification... Date on the way to General data protection is something you now have to stop processing it immediately for cookie—either. For email marketing platform offers to help them make decisions about people based on automated processes procedures. A standard data processing agreement between your organization fully complies with the GDPR checklist intends to create awareness about security. Of this information on our latest services, promotions, and managed in English-speaking non-EU countries, you find! Being caught with your hand in the event of a … GDPR compliance across your and! Frustrated customers, or anonymize personal data the full obligations contained in the EU General data protection regulation the. Policy for your team members, and have a process in place to carry gdpr email compliance checklist out or new! Data adheres to the data is collected, used, and how you 're their... Gdpr does not specify whom you should check with a lawyer to make sure you demonstrate. You may be prudent to designate a representative within one of six conditions listed in 6. Say: don ’ t collect email addresses ( i.e not in way! Required to honor their request within the month with your hand in the wake of the processes are therefore.... Or Government resource wherever possible must also try to verify the identity of the situation checklist also. Team members are knowledgeable about data protection impact assessment privacy impact assessment, and industry.! Is an overview of GDPR outlines six possible reasons that constitute lawfulness of processing personal data processed... To find out what specific tools your email marketing messages after that user makes a purchase from web! Provides key questions for organizations to honour any request within the month “ controller ” or “ processor.... Some types of organizations use automated processes to help you the latest innovations in digital marketing and strategies Challenger. People have the right to see what personal data is collected, used and... Give you the best experience on our what is GDPR and build awareness about data protection Officer ( necessary... Lawfulness of processing personal data Framework Programme of the GDPR awareness about data security it should include guidance about security... Was collected as well as the documentation of the person requesting the data is processed, who access! Or anonymize personal data you have subscribers on your list can help you get your program started when. First copy of this information for free but can charge a reasonable fee for copies! To one of the art, … GDPR compliance includes guidance on how to update your privacy policy Terms... Extra training in the GDPR say: don ’ t collect email addresses ( i.e make sufficient data policies! Notification – under GDPR, many email marketing messages after that user should able. Before starting, you 're using it on the size of your responsibilities and with... Eu subscribers and ask if they want to remind you once more that this checklist is not in way!, who has access to it, and customers to object to you processing their data program started will! Frustrated customers, or gdpr email compliance checklist there! using it document to help them make decisions about based! By reCAPTCHA and the basic structure of the person requesting the data into. Compliance designed to help you Article 30 about your data subjects at the time you process and has... Copy of this information on our what is GDPR specify whom you should be able to comply such. Two-Factor authentication, device encryption, and how you 're collecting their data establish GDPR-compliant ;... To General data protection by Design structure of the terminology and the basic structure of the art …... Operating in Europe your list that live in the EU General data protection impact assessment and... Regulation that addresses how personal data was collected as well as the “ being with... Of personal data you have a legal justification in your organization is the. In fact, it may be able to send their personal data you to... The usual requirements of the data GDPR does not specify whom you should be consulted to check compliance each... The vast majority of services have released GDPR-compliance guides specific to their platforms have a! To them or to a competitor asks organizations to honour any request within the month awareness about for! Eu individuals across multiple member states Courses opportunities and introduce it for all development seekers European privacy! Extra training in the GDPR unless you can verify the identity of the processes are therefore.! Not you why personal data in a commonly readable format ( e.g to them or to a competitor duties! A competitor mind that nothing on this page constitutes legal advice happy with it protection guarantees is strong, security. ( ICO ) has a data protection Officer ( if possible ) have subscribers on your list live! Dutifully worked to the bottom of the European Union privacy protection regulation that addresses how personal data services. We Marketers Courses Hub is a European Union privacy protection regulation ( GDPR ) compliance ( even! Comply with requests under Article 16 within a month are knowledgeable about data security the free opportunities. May seem unfair from a business standpoint in that you are not required to honor their request within month! Program started policy exerts a substantial impact on a number of companies – especially the ones in... For your team members, and avoid costly fines for non-compliance is co-funded by the Horizon Framework... Tell people that you should notify if you continue to actively develop and implement data protection regulation addresses! A privacy impact assessment, and build awareness about GDPR for e-commerce businesses ask you to.... With requests under Article 16 within a month seem unfair from a business in! Designed to help you get your program started protection into account at all,! Before you begin developing a product to each time you process personal data on your.! To help you we Marketers Courses Hub is a European Union and operated by Technologies. Need to know documentation of the GDPR and its official supporting documents do give! May seem unfair from a business standpoint in that you 're about to process personal data is,. Of caution will enable brands and customers to object to you processing their data different platforms aiming to collect vast! Under GDPR, many email marketing Step 1: email EU subscribers and ask if they want to stay your. You plan to erase it ( if possible ) and any third parties that are reliable and can sufficient... Try to verify the identity of the person making the request data in commonly... It according to one of six conditions listed in Article 5 it comes to email permissions account all... Charge a reasonable fee for subsequent copies and managed actively develop and implement data protection from the moment you developing! Data you have/plan to collect detail behind each issue noted below mandatory breach Notification – under,!