GDPR Checklist

This article was republished from AdPushup.com 

Come 25th of May, GDPR will come into effect and any website not complying with the new norms will be liable to pay heavy fines. While the web is full of GDPR guides right now, actionable information is hard to find. In this post, we’re outlining some of the most important steps you need to take to ensure compliance.

> Audit your existing data: You have to sort all the user data you have according to type, i.e., name, addresses, phone number, and so on, and then explicitly state the source of the data. Delete any data that you don’t need. If your user database is disorganized, this is the time to do some spring cleaning.

> Document why you need the data: GDPR requires organizations to establish a legal basis for the data they are holding, so you need to update your privacy policy to define what user data you are collecting, the purpose for which it is being collected, and how long you plan to hold the data.

> Define how you store and process data: Now you’ve established a legal basis, but GDPR requires you be transparent about every touchpoint in the data processing lifecycle—when, where and how it is collected, details about any third party data sharing, and how the data is ultimately being used.

> Refresh user consent: You will require new consent from users to continue holding or using their data, the request must be clear, non-ambiguous and active, i.e., you can’t use pre-ticked boxes or opt-out notices. You will also have to seek separate consent for every use of the data that you intend to make.

> Third-party disclosure: Users have to be informed about any third-party processor or controller who has access to your customer data; for publishers, this would mean ad networks, ad exchanges, analytics software, and any marketing automation tools that you are currently using.

> Open access to data: Users have the right to inquire about the data that you are holding about them, such requests are called Subject Access Requests (SARs) and must be responded to within 30 days. Users can also ask you to rectify or erase their data and you have to ensure compliance.

Nuke option! If your website or business activity doesn’t rely on European visitors, and there can be many cases for this. For instance, if you are a US website selling beauty products only to US residents—you can simply get around the whole compliance business by blocking all EU traffic on your website. You can also use this option as an interim solution if your compliance plan is not ready but you’re working on it. Thanks to Himanshu Sharma of Optimize Smart for this tip.

While numerous GDPR compliance startups have suddenly mushroomed everywhere and larger organizations are being recommended to hire a Data Protection Officer—depending on your scale of operations and the amount of data that you have, it is possible to ensure compliance on your own by just following the guidelines and doing what you need to do.