You’ve probably seen a lot of news related to the GDPR, but you might not know what all the fuss is about. I’m going to break it down for you and provide you with a GDPR compliance checklist to boot.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It’s the European Union (EU) response to data protection reform.
Don’t get scared, though. It’s easy to make sure your business is GDPR compliant (and we’re going to help you through the process).
What is the GDPR?
The GDPR is a set of rules designed to help consumers protect their data.
Essentially, it’s designed to help consumers control when and how companies collect personal information about consumers.
It also provides some guidelines for business owners small and large who want to use data fairly.
Why does the GDPR exist?
Consumers value their privacy. As the number of Internet-connected devices grows, they find it increasingly difficult to maintain that privacy.
The GDPR exists to protect consumers’ data and to give consumers rights to determine how that data gets used.
For instance, if one of your prospects provides their email address to get your lead magnet, that person might not really want your newsletter. The GDPR will help make sure businesses and consumers are on the right page.
And that’s not a bad thing. If someone doesn’t want to get your newsletters, do you really want to keep contacting them? Maintaining your list purity will help your conversion rates and your reputation.
What is GDPR compliance and its requirements?
We’ve prepared our GDPR compliance checklist because we want our customers and other companies to understand what GDPR compliance means and what’s required of you.
The GDPR isn’t just for businesses that operate within the EU. It also applies to businesses and organizations that conduct transactions or collect user data from people who reside in the EU.
For instance, let’s say that you collect email addresses, phone numbers, or other information from prospects. Even though no money exchanges hands, you still need to follow the GDPR.
In other words, most businesses need to set up strategies now to become GDPR compliant.
You’ll have to report any data breaches that put your customers’ personal information at risk. Additionally, you must store and manage data based on minimum GDPR requirements.
What is protected under the Data Protection Act?
Under the GDPR guidelines, companies must cast a wide net when deciding what to do with personally identifiable information. Data that you might not view as sensitive might still be protected under the GDPR.
Some of the most common types of data include the following:
- Names
- Addresses
- Social security numbers
- Credit card numbers
- Bank account information
- IP address
- Sexual orientation
- Race or ethnicity
- Political stance
According to the GDPR legislation, companies must take “reasonable” precautions to secure this information from outside intrusion.
Which companies does the GDPR affect?
Most businesses will have to follow the GDPR guidelines. If any of your customers — whether consumers or businesses — live or do business on European soil, you have to comply.
Maybe you have an e-commerce store based in the United States, for instance. If you sell your widgets to folks in Germany, you’ll have to be GDPR compliant.
It’s not just about sales, though. If you collect information from anyone in the EU, you need to make sure you’re GDPR compliant.
What happens if my company is not in compliance with the GDPR?
The EU can level fines against companies that don’t achieve compliance. Since the legislation is quite broad right now, it’s important to be conservative with your use and storage of data.
The most serious infringements can result in extraordinary penalties. The offending company might have to pay the greater of €20 million or 4% of global annual turnover.
What is the GDPR compliance deadline?
GDPR goes into effect on May 25, 2018. After that date, companies that aren’t in compliance can find themselves subject to penalties.
What are the GDPR key takeaways?
To help you better prepare for May 25, let’s look at the most important things to consider:
- Update your privacy policy and terms and conditions to reflect the GDPR rules.
- Use GDPR-compliant opt-in pages, such as those you can create with Hello Bar.
- Get in touch with email subscribers in the EU so they can opt in again before May 25.
- Go over your opt-in offers to make sure they’re irresistible and compliant.
How can Hello Bar make GDPR compliance simpler for you?
One of the most important aspects of GDPR compliance relates to how you collect information. If you want to build your email list with lead magnets, for instance, you need a way to make sure you’re only reaching consumers who really want to hear from you.
We’ve created a helpful tutorial on how to enable GDPR through your Hello Bar account.
Hello Bar allows you to include any necessary information before you collect email addresses, names, and other data. For instance, if you plan to use the information provided for both marketing and data sharing, you need separate opt-ins for each consumer.
You can do this with a Hello Bar. Make it clear, for instance, that you only intend to use the information collected for marketing purposes and that you won’t share it with any third party.
It’s as easy as the click of a button. When you’re setting up a Hello Bar, just switch the “GDPR Compliant” toggle to “ON.”
Hello Bar can also help you incentivize marketing without penalty. For instance, if your lead generation strategy involves asking for email addresses in exchange for an e-book, consent isn’t sufficient. However, if your email content includes coupons, discount codes, giveaways, and other advantages, you remain compliant.
GDPR Compliance Checklist
Now that we’ve covered the basics of GDPR compliance, let’s go through the GDPR compliance checklist to make sure your company is ready for May 25.
1. Getting your team on board
Start by having conversations with your employees about GDPR compliance. You might even pass around this article so they can read up on the topic and note any further questions they might have.
This is particularly important in companies where employees operate autonomously. You might know all about GDPR compliance, but if your marketing department doesn’t, they might slip up.
2. Make sure you’re using GDPR-compliant software
If you’re like most businesses, you use software to maintain your email list. If you’re using a company that isn’t GDPR-compliant, you might want to consider switching.
Hello Bar, for instance, has already put in place helpful tools so you don’t have to put so much effort into compliance. In fact, you can show that you’re compliant on your Hello Bars.
Just access your Hello Bar account, click on the Settings tab, and click on Privacy.
Then, just add the URLs to your terms and conditions and privacy policy pages.
That way, when prospects fill out your forms, they’ll see the request for GDPR consent.
3. Evaluate your opt-ins
Opt-in forms are at the heart of the GDPR. The EU wants consumers to give explicit consent before they receive communications, such as emails or SMSs, from companies.
Hello Bar makes it easy. As mentioned above, you can enable GDPR compliance right from your account. Since you can’t have consumers opt-in for two things (such as a lead magnet and your newsletter) at the same time, you can use the Hello Bar thank-you page to allow prospects to sign up for your newsletter.
This is a great time to audit all your landing and opt-in pages. Make sure you’re using the ideal wording and images to attract new prospects and stay within the GDPR.
4. Clarify your terms and conditions
We’ve all run across terms and conditions that seem to be written in a foreign language. If your customers can’t understand your policies, they can’t consent to give you their data.
If you’re using Hello Bar, you must upload your own terms and conditions and privacy policy to demonstrate compliance. Now’s a great time to review those documents and make sure they’re ready for the May 25 GDPR launch.
Make sure your terms and conditions are written in plain, straightforward language. You might have some legalese in there, but use parenthetical asides to further explain those phrases or terms.
5. Get in touch with your list
You probably already have an email list. Now’s the time to get in touch with everyone who currently subscribes. Ask them to click a link and opt-in again if they want to continue receiving messages.
You don’t want to delete email addresses or contact subscribers after May 25. At that point, the GDPR is already in effect.
But don’t look at this as a bad thing. Now’s a great time to clean up your list and make sure all your subscribers still want to hear from you.
6. Audit your business for compliance
The GDPR provides for specific rights for consumers. There are three main categories:
- Right to Access: Consumers have the right to access the information you have collected on them in a readable format.
- Right to Be Forgotten: They can also request to have their information removed from your system at any time. The right to be forgotten requires you to comply with that request.
- Right of Data Portability: Additionally, consumers have the right to obtain the information you’ve collected, then transport it to a third party of their choosing.
Make sure that your company has created policies and protocols for addressing these rights when they become an issue.
7. Create a complete process to report data breaches
Reporting data breaches might be uncomfortable, but it’s essential. As soon as you learn of a data breach, you must immediately report it to the EU. You need a system in place for reporting everything you know about the breach, including the people impacted and other information.
8. Will your company need to hire or appoint a Data Protection Officer (DPO) to be GDPR compliant?
Larger companies will have a bigger need for DPOs than their smaller counterparts. However, only you can decide whether you need to create such a position for your business.
Many experts recommend hiring a dedicated DPO. This person is responsible for protecting the data your company collects, ensuring that you remain GDPR compliant, and reporting any vulnerabilities to senior staff.
Bobby Klinck, an attorney and the founder of Your Online Genius, even has free resources to help you remain compliant.
9. Up the ante
If you have a ho-hum offer, now’s the time to sweeten the pot. Consumers will have to take more steps to opt-in for your newsletters, webinars, and other purposes, so you need a slam-dunk incentive.
Plus, you need your headlines and CTAs to communicate effectively with your audience. Speak in their language and make sure they understand the benefits of what you’re offering.
10. Segment your list
Ideally, you’ll want to segment your email list into two categories:
- People from the EU or whose origins are unknown
- People outside the EU
Those in the first category need to hear from you soon. Give them the opportunity to re-opt-in.
Hello Bar makes this process easy. You can import your email list from a CSV file or from other email services, then segment them based on the data you know.
Extra Points to be aware about GDPR compliance
In addition to the above GDPR compliance checklist, I want to make you aware of a few best practices to keep in mind while you’re setting up your data protection plan and preparing for GDPR.
First, when designing a plan to maintain GDPR compliance, make sure you involve all stakeholders. Everyone needs to be on the same page moving forward so there aren’t any glitches in the process.
Second, make sure you consider mobile technology and access when designing your data plan. For instance, do you have a mobile app? If so, does it ask for unnecessary access to data? If so, you might need to change it.
As mentioned above, small companies might not want or need to hire dedicated data protection officers. However, you might consider hiring a consultancy instead. Getting outside specialized help can ensure you don’t drop the ball or miss an important aspect of data security.
GDPR Latest Updates
One of the most important things you need to know is that consumers are aware of the GDPR. In fact, a recent study revealed that 40 percent of consumers expect to exercise their rights under the GDPR.
In other words, if you’re not compliant, you risk getting reported by a concerned consumer. You don’t want that to happen, and not just because you risk a lengthy investigation and a potential penalty. You could also damage your brand’s reputation.
You should also know that major companies have already hired DPOs. Salesforce, for instance, recently appointed Lindsey Finch as its own DPO.
Conclusion
Using the GDPR compliance checklist I prepared can help you move toward May 25 with confidence rather than fear. As long as you’re acting in the best interests of your customers and not collecting data illegally, you have nothing to worry about.
However, as criminals get smarter, so too must IT experts. The more precautions you take against data breaches, the better.
Hello Bar can help you collect consumer information lawfully and communicate more effectively with your audience. Use other resources, such as an in-house DPO, to make sure you remain compliant.
Has your business begun preparing for GDPR?
I really can’t believe how great this site is. Keep up the good work. I’m going to tell all my friends about this place.