Have you checked off all the rules in the GDPR?

Are all your company’s processes already in line with the General Data Protection Regulation (GDPR)?

There’s just a little over three months to go until the end of the transition period for this new regulation (25th May), so if they aren’t, it’s time to get a move on, and we’re going to help.

Before moving on to the checklist, let us remind you of the article where we explain what this new regulation, which is designed to protect the personal data of EU citizens, is all about.

Look at the checklist prepared by the blog “Tudo sobre Ecommerce” (and which we’ve posted here for you) to see whether your company’s ready for when the GDPR comes into force. Take note: these rules mostly apply to both digital marketing and direct marketing.

1. Management

In summary, the GDPR will ensure that companies take the management and protection of their clients’ personal data seriously, starting with their privacy, which has been ignored until now. So try to instil the following concerns in your employees’ minds:

- Update internal regulations: try to convey all measures taken to bring your company’s actions into line with this new regulation, including a list of all employees dealing with personal data.

- Update the terms and conditions of the website: most website terms and conditions are long and confusing. Try to present the new data protection policies transparently and directly.

- Assess data collection: stop and think if your company really needs all the data it collects. If it doesn’t, why keep asking for it? There should also be a clear explanation of why all data was collected in the internal regulations.

- Assess the need to train employees: complying with the new GDPR is not hard, but it is a delicate matter. If not handled well, it could lead to large fines. Assess if training is necessary.


2. Proof

This is a key aspect of the GDPR: in the event of an audit, your company must have documentation to prove that all data was collected with consent and complies with the law. It is therefore also important to be able to show any auditor the internal regulations (see previous point) as evidence that your company has adapted to the GDPR and adopted new personal data protection policies.


3. Consent

While the new GDPR is very similar to the law on processing personal data in force since 1995, it adds a further requirement to ensure valid consent. The following points must therefore not be neglected:

- Be sure all data in your database was collected with prior consent. If not, think of a way to obtain this consent so you can keep communicating with customers in the future.

- Make sure the digital platform you use allows this consent to be managed, as it is crucial that users can change this permission in their client area at any time, or even delete their account. For direct marketing, an offline process must be set up that also allows consent to be managed.

- Be as precise as possible when collecting a customer’s consent. Replace “I authorise company X to send me marketing emails” with “I authorise company X to send me emails about promotions”; “I authorise company X to send me emails with discount vouchers”; “I authorise company X to send me emails about my orders”. Simply consenting to a website’s terms and conditions is not proof of consent if the user does not opt-in. The same applies to direct marketing.


4. Cookies

On digital platforms, cookies have until now been treated as a simple matter of accepting company policy or not. Even though they are not directly linked to personal data collection, they can be used to identify a person by cross-checking information. For that reason, although cookies only identify a person indirectly, the GDPR deems them to be personal data. The major concerns in this area are:

- Cookie management: we recommend your cookie management allows users to accept or refuse cookies partially or entirely. Users must be informed about each kind of cookie and access to the website must never be refused even if they don’t accept all of them.

- If users have no reaction to the cookies, the website must not store any on their browser, and we recommend the warning remains visible until users take some form of action.
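To make the two cookie rules above concrete, here is a sketch added for this article (it is not code from the original checklist): a small consent manager that writes no cookie until the user has reacted, accepts partial choices per category, and keeps a timestamped record of each decision. The category names and the `writeCookie` callback are assumptions; in a browser the callback would set `document.cookie`.

```javascript
// Assumed cookie categories for illustration; use the ones your site really sets.
const CATEGORIES = ["preferences", "analytics", "marketing"];

function createConsentManager(writeCookie) {
  let choice = null; // null means the user has not reacted to the banner yet
  const log = [];    // timestamped decisions, kept as evidence of consent

  return {
    // The warning stays visible until the user takes some form of action.
    bannerVisible: () => choice === null,

    // Record an explicit decision. An empty list means "refuse everything",
    // which is still a valid action and hides the banner.
    decide(accepted, now = new Date()) {
      const unknown = accepted.filter((c) => !CATEGORIES.includes(c));
      if (unknown.length > 0) {
        throw new Error("unknown cookie category: " + unknown.join(", "));
      }
      choice = new Set(accepted);
      log.push({ at: now.toISOString(), accepted: [...choice] });
    },

    // Write a cookie only when its category was explicitly accepted.
    // Returns false (and stores nothing) before any decision or on refusal.
    setCookie(category, name, value) {
      if (choice === null || !choice.has(category)) return false;
      writeCookie(name, value);
      return true;
    },

    auditLog: () => log.slice(),
  };
}

// Constructed demo: a Map stands in for the browser's cookie store.
const demoJar = new Map();
const demo = createConsentManager((name, value) => demoJar.set(name, value));
demo.setCookie("analytics", "_visit", "1");   // ignored: no reaction yet
demo.decide(["analytics"]);                   // partial acceptance
demo.setCookie("analytics", "_visit", "1");   // stored
demo.setCookie("marketing", "_campaign", "7"); // refused category, not stored
console.log([...demoJar.keys()], demo.auditLog());
```

Calling `decide` again with a different list models the user changing their permission later; each change is appended to the log rather than overwriting the earlier record.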


5. Personal Data (Database)

According to the GDPR, there must be a legal basis for processing the personal data on your side, be it a name, email or any other data identifying a person. As such, check the following:

- Database sharing: if you’ve habitually shared your database with third parties, forget it if a user has not given their consent. If you’ve been used to buying or renting databases, forget it too if they aren’t compliant with the GDPR. If you want to create your own database, reassess your marketing strategy to build a database of customers who are really interested in your brand and benefit from a GDPR-compliant database.

These are the key points you must think over before the end of the GDPR transition period in May if you want to follow all of its guidelines to the letter. We advise you to start implementing or improving them now so you can get everything done in time and your company and its employees can gradually adapt to them.