May 25, 2018 is just ten days away: will you be GDPR compliant?
We are now just ten days away from the EU General Data Protection Regulation going into effect. You may have heard of it. It’s all anyone has been talking about for the last month or so. But don’t think that’s all the time we’ve had. The GDPR was finalized back in 2016. It just wasn’t until the beginning of April that most companies realized, “hey, we better do something about this whole GDPR thing.”
Hopefully you’re not in that category.
But if you are, don’t worry. We may be able to help. We’ve been covering GDPR compliance since the start of the year in an effort to help our readership prepare for the enforcement date. And our parent company, The SSL Store, has already made the changes required to be compliant. You should see site-wide updates go live tomorrow. So, with that in mind, let’s go over a few final GDPR details, including a small checklist to make sure you’ve got everything covered before next week.
First of all, let’s cover all of our bases. By now you should have:
- Created notifications for every page that collects data. These notifications should explain what you’re collecting and what you’re going to be doing with the data.
- Contacted any partners with whom you share data. Remember, you’ll need to get a Data Processing Addendum that outlines what is being shared and what that shared data will be used for.
- Self-certified under EU-US Privacy Shield or a similar framework to allow for cross-border data transfers, if you are outside the European Economic Area in a jurisdiction without an adequacy decision (like the US).
These are the big things that are going to be necessary right out the gate on May 25, 2018.
But there are some smaller items that might slip through the cracks. Let’s go over a few of those, too.
Don’t forget about your email lists
Best practices are to send your email subscriber list a re-opt-in email to ensure that they want to continue receiving messages from you. If you’re operating your list under a different legal basis than consent – for instance you have a subscriber list of customers and the newsletter provides them with support – you’re probably OK. But if you’re using consent you’re going to want to go ahead and start your re-opt-in campaign now. Remember, consent requires an affirmative action, so you can’t pull the old, “we’re keeping you subscribed unless you object” routine. They have to choose to continue with you.
This might seem like a bummer, but HubSpot is quick to point out that this is actually a good way to get more out of your lists. You’ll shave a lot of extra fat and shed a bunch of bounces and unopens. And by starting your re-opt-in campaign before the 25th, you can send the email a couple of times to try to get it maximum exposure. After the 25th that email is a one-off.
Double-check your partners list
You’re probably pretty sure that you contacted all of your partners and got data processing addendums on file, but let’s be honest, it’s easy to forget someone. Anyone that you share data with, that processes that data on your behalf, or on whose behalf you process data, needs an agreement. And sometimes we lose track of where all the data is going. Some of the easiest partners to miss are the ones that handle your analytics, your web security and your advertising. The fortunate part is that most of these vendors are going to have ready-made agreements for you to sign and file, but it’s easy to lose sight of just how many relationships you have. So take a moment and try to trace the way the data flows out of your organization one more time. Missing something here could be disastrous.
Prepare your Support Team
If you have customer-facing support, chances are they’re going to have to field questions about your GDPR efforts. Make life easier for your support team by creating a cheat sheet with answers to some commonly asked questions. You’ll want your support staff to be able to explain the steps you’ve taken, whom customers should contact to exercise their data rights, and whether your partners are compliant. They don’t need to know too many specifics, just enough to put your customers and clients at ease.
Those are just a few things to consider in the final days before GDPR becomes enforceable. If you’d like some more guidance, have a look through our GDPR compliance series. I hear the author is a really handsome guy…
Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices