In this 24-step GDPR compliance checklist, we’re spoon-feeding you everything you should know to become compliant by the May 25th deadline!
Disclaimer: Keep in mind we are NOT lawyers and you should definitely not view this guide as legal advice. Consult with your legal teams and GDPR advisors to ensure you are protected.
Why We Built This GDPR Compliance Checklist
If your organization deals with suppliers, partners, or customers from the European Union (EU), then the full implementation of the General Data Protection Regulation (GDPR) on May 25 could cause apocalypse-scale jitters if you haven’t done your homework.
That’s because GDPR — the EU’s policy framework on the access, use, and management of personal data — completely changes the game for any company doing business with individuals and entities in the region, regardless of where the company is officially domiciled.
All the terms under GDPR are legally binding and non-compliance carries penalties and fines of up to €20 million (or nearly $25 million).
You don’t need to look further than Cambridge Analytica’s epic downfall to know that regulators are dead serious about protecting personal data.
This is likely your one last chance to revisit your GDPR compliance checklist and ensure you have every item ticked so you can confidently transition into a new and much stricter data paradigm — without fear of encountering any nasty and costly surprises down the road.
Why You Need A GDPR Compliance Checklist
The core principles of GDPR may be simple to understand, but getting your organization to legally meet every provision and standard under its broad scope can be quite complicated. That is why business owners, compliance officers, and third-party consultants tasked with leading an organization’s data compliance efforts need a checklist.
An overlooked item can easily become a serious roadblock later on. Checklists help ensure you don’t miss any step, item, or information relevant to a process, task, or project that involves personal data in any way.
Given the seriousness of GDPR, having a questionnaire-formatted checklist would be a step in the right direction.
1) GDPR Ownership – Have you designated a GDPR compliance manager to lead transition efforts or appointed a permanent Data Protection Officer (DPO) to lead a new mandated unit for companies that handle large volumes of personal data (including employees, customers, and business contacts)?
2) Policy Review – Have you conducted a comprehensive review of your organization’s policy on data and privacy?
3) Implementation – Have the necessary changes in your processes been implemented prior to the GDPR deadline on May 25 2018?
4) Consent must be default opt-out – Permission to collect data (called opt-ins) should be clear, specific, and voluntary. Opt-ins should be acquired in transparent environments, without the use of coercion or trickery.
5) Control – People should have full access to the data they are willing to share as well as to easy procedures for opting out. They should have the ability to edit, update, modify, or delete any data they share.
6) Connection – The data you collect should be directly relevant to the service you provide.
7) Review Your Data Collection Process:
- Which type and elements of personal data do you collect?
- Do you store some or all of these data indefinitely?
- Are the data relevant to your services?
8) Have you audited data-sharing relationships and services with third parties? (Note that data-related agreements with non-GDPR-compliant third parties are illegal under GDPR.)
9) Have you examined workflows/processes, content, user experiences, and other aspects of your business that are impacted by GDPR? (Note that data lists acquired from third parties without the data owners’ express opt-in to your organization are illegal under GDPR.)
- Have you obtained the data fairly, transparently, and without collusion/coercion/trickery?
- Are individuals or entities clearly aware of the purpose for which they are being asked to share data?
- Can individuals or entities withdraw consent at any time?
- Do you transfer personal data outside the EU?
10) Have you identified data sets associated with citizens and residents of the EU?
(Note: For purposes of GDPR determinations, consider the UK to be part of the EU despite Brexit. For one thing, GDPR will have been in place well before the UK’s official exit in April 2019. Moreover, the UK has stated that it will incorporate GDPR into UK law, and there will be very few differences in how companies should manage EU and UK residents’ personal data.)
12) Internal Processes – Have you started implementing GDPR-compliant documentation protocols for internal processes?
13) 3rd Party Contracts – Have you updated contracts with third-party data controllers you engage with to ensure they comply with GDPR standards?
14) Contract Updates – Have you updated contracts with third-party data processors to ensure they comply with relevant provisions of the GDPR?
15) Role of Executive Leadership – Are the leadership and the specific unit that will spearhead your organization’s GDPR-related efforts already in place to provide continuity from transition to long-term data protection management?
16) Budget – Have you allocated the required budget and tools for sustained compliance?
17) Internal Education – Have you educated your entire organization about GDPR? Are your people fully aware of the dire consequences of non-compliance? (Severe fines on non-compliant data controllers and data processors are just the tip of the iceberg. Brand reputation, customer loyalty, and attrition rates will also take a significant hit.)
18) Accountability – Have you begun to establish a corporate culture of data accountability?
- Greater consumer control over their personal data.
- Transparent and clear consent protocols.
- Direct relevance of personal data being collected to your services.
Responsibilities of Data Controller and Data Processor
In its General Provisions section, the GDPR defines two key roles that relate to the handling of personal data: Controller and Processor.
Data controllers are persons or entities who determine the purposes and means of processing personal data.
On the other hand, Data Processors are persons or entities who process personal data on behalf of data controllers.
For both data processors and data controllers, the GDPR prescribes definite rules and standards in data management and protection, with both accountable and responsible for relevant staff training and the establishment of data security protocols within their respective domains.
Chapter 4 of the GDPR expounds on these responsibilities.
What both data controllers and processors should do:
19) Data controllers should implement technical and organizational measures that clearly demonstrate the compliance of data processing with GDPR standards, specifically in the protection of human rights and freedoms.
20) Data controllers should only engage data processors who provide sufficient guarantees that they comply with GDPR guidelines.
21) Data processors should operate under a legal and binding contract governed by EU or member state law, clearly defining the subject matter; the nature, purpose, and duration of processing; the type of personal data and categories of data subjects; and the obligations and rights of the data controller.
22) Data processors should not engage other processors without written authorization of relevant controllers.
GDPR Impact On Sales & Marketing
Because sales and marketing have integral customer-facing components, the impact of GDPR for salespeople and marketers cannot be overstated.
For non-EU domiciled sales and marketing organizations, much of their operations, workflows, contracts, content, and mindset need a major shift to get aligned with the vision and standards of GDPR.
Two big “no-brainers” that are worth pointing out before the list below are the following:
23) Must Respect Opt-Outs – Salespeople must respect opt-outs and data subject access or deletion requests, even if delivered by email. Don’t blow them off!
24) No Data Trading Policy – Sales Ops Leaders: enforce a no-data-trading policy! Train your salespeople not to trade data, under any circumstances, period!
The processes, documentation, and user experiences surrounding customer opt-ins and data sharing must be thoroughly redesigned to comply with relevant GDPR provisions.
GDPR Compliance Recap
To avoid getting penalized once GDPR takes effect, sales and marketing organizations — especially those in the US and other non-EU countries — should have already taken the following actions months ago:
- A thorough review of data and privacy protection policies.
- An audit of data sets associated with EU residents.
- A complete audit of data-sharing arrangements with third-party data controllers and processors.
- An audit of processes and documentation for sales and marketing operations.
- Implementation of remedial measures across the board to comply with GDPR.
- Education of the workforce on GDPR and its core tenets and provisions.
- Commencement of programs aimed at establishing a culture of data accountability and protection.
GDPR Is Here For Good
Whether you like it or not, GDPR is here to stay. If you are still in the stage of pondering its impact and what to do about it, then you’re a bit too late. Your organization should have already acted on the impending sea change months ago to future-proof your brand.
The possibility of theft and misuse of data has been clearly demonstrated around the world, and people — especially in the EU — have become more aware of the issues and highly protective of their personal data. The GDPR strongly guarantees these people’s rights to sue organizations that fail to meet data protection standards.
Given this shift, no modern organization that engages entities and individuals in the EU can afford to ignore GDPR. Yet, as a proactive organization, your company should not be motivated by fear but by the positive impact this new policy regime will deliver. Transparency, accountability, and instinctive respect for customers’ personal data are good things in themselves. In addition, data quality and security would be enhanced as a consequence of GDPR.
The key to succeeding under GDPR is to understand the rationale behind the change and to embrace its uplifting benefits.
Please be advised that while Sales Hacker is committed to providing helpful and tactical information, we are not lawyers and any information posted here should not be construed as legal advice! Please consult your own legal advisors on GDPR and ensure you have proper protection in place. Any decisions you make that impact your operations should be double-checked by a qualified licensed professional and are done at your own risk.
Also published on Medium.