GDPR compliant? Here's a handy five-step preparation checklist

GDPR compliance is an obligation for every department that collects or handles personal data, not only IT or legal. Here's how to ensure the marketing department is ready for GDPR.
Written by Cindy Zhou, Contributor

There is no lack of content and information about General Data Protection Regulation (GDPR) out there, but most marketing professionals I spoke with about the regulation were confused about what GDPR is or how they should prepare their marketing programs, website, and data collection process before the enforcement date, May 25, 2018.

Many marketers mistakenly assumed that their marketing automation or CRM provider would take care of any and all changes. Others thought that because their organization doesn't have an office in Europe, GDPR doesn't apply to them. It is confusion over the impacts of GDPR and my mission to help marketers that propelled me to write a report explaining how marketers should prepare for GDPR.

Marketing is often the first department to collect personal data from customers, and it is also frequently responsible for communicating with stakeholders after a data breach. A successful GDPR compliance strategy must therefore include the marketing department. Here's how to ensure your marketing department is ready for GDPR enforcement.

This is an excerpt from A Guide to GDPR Compliance for Marketers.

Five-Step GDPR Preparation Checklist

Constellation recommends that marketers conduct an audit of the avenues through which they interact with personal data. Create a custom GDPR preparation checklist taking appropriate recommendations from the list below.

1. Appoint a GDPR Lead or Team within Marketing and Review Data-Handling Procedures

Constellation recommends that CMOs appoint an individual or team to oversee the handling of data in the marketing function of the organization. The primary marketing data lead should work closely as part of a data governance team with the DPO (if applicable) to review and approve marketing campaigns with European contacts before execution.

A thorough review of current mailing lists as well as data collection and handling procedures must occur.

  • Review current mailing lists: Check contacts in EU countries for records of consent. Remove individuals for whom no proactive consent is on record. Organizations with marketing automation should place these contacts in a separate segment so that consent can be sought in the future.
  • Document all the data collection channels and steps: Document all the channels from which the marketing department receives contact data such as events, website registrations, partners, sales, list purchases, etc., and ensure there is a consent process for each channel.
  • Communicate within the marketing team the seriousness of GDPR: Ensure that each team member understands the potential consequences of not following the regulations. Constellation suggests working with learning and development teams to roll out a data-handling course to all employees.

2. Actions to Take When Collecting Personal Data

On Websites and Web Forms

  • Provide clear consent wording: Organizations are obligated to use clear, non-legalese language that allows the person to provide unambiguous consent. If your company collects personal information through a web form, Constellation recommends posting clearly how the information will be utilized.
  • Include a cookie consent notice: As a best practice, include consent wording similar to the cookie consent notice on all web forms.
    • Example from the EU Internet Handbook: "This site uses cookies to offer you a better browsing experience. Learn more about how <name of organization> uses cookies and how to change your settings."
  • Create an age-verification process: GDPR requires parental consent to collect or process the personal data of children under the age of 16. Create a parental verification process, such as a form and an automated email notification that collects the parent's email address and records a separate consent from the parent.

In Person

When collecting personal data in person, such as at an event, for a testimonial video or at an in-store sign-up, ask for consent and include a check box or other field for the person to check or initial to confirm they have agreed to be emailed. Constellation recommends that event organizers distribute an explanation of how personal data will be collected and used to individuals during registration.

Validate Country

Marketers should seek to ascertain whether a person's data is regulated by GDPR by adding a "Country of Residence" field to web forms. At an in-person event, likewise ask for the individual's "Country of Residence." Note that on web forms this is distinct from the "Country" field many organizations collect for the company's office or headquarters address. Organizations may need to create it as a new field in their marketing automation or CRM solutions.

Reminder for Organizations Using IP Addresses for Country Validation: The Court of Justice of the European Union has ruled that IP addresses are considered "personal data" in certain circumstances. For GDPR consideration, if the IP address can identify an individual through logins, cookies, etc. (which many marketing automation systems can), then the IP address is covered under GDPR personal data. Constellation recommends that in this scenario, organizations remove the IP address validation from their marketing automation workflow.

3. Actively Manage Existing Contacts and Leads in a Database

  • Send a reverification email (double opt-in): Consider sending all active EU contacts a new request to reverify their email address and renew their consent to receive email, mobile in-app, phone or direct mail communication. Constellation reminds marketers that the predecessor to GDPR, the EU Data Protection Directive, is still active and, under the threat of fines, it prohibits emailing individuals who previously unsubscribed.
  • Create a preference center: Organizations should consider creating a communications preference center that empowers customers to manage their communication preferences. A communications preference center is a central web destination where customers can opt in or opt out of subscriptions such as newsletters or notification emails about discounts or new products. GDPR mandates unambiguous consent to be obtained using clear and specific language. Thus, to ensure compliance with GDPR, the communications preference center should include clearly written descriptions of the subscriptions and the frequency at which the email will be sent. For B2B organizations, consent can be divided by product line and clearly indicate how often the individual will be contacted.
  • See Figure 1 for an example of a well-designed email preference center from the retailer Bonobos. As a best practice, a "snooze" feature lets the email recipient take a 30-day break from emails without unsubscribing completely. In Figure 4, Gigya provides an example of a privacy management section within its mobile application.
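The reverification (double opt-in) flow above, together with the EU-contact segmentation from step 1 and the rule that previously unsubscribed individuals must never be emailed, can be implemented in a few functions. The following is an added example written for this page; it is not code from the report or from any marketing automation vendor. It assumes a constructed HMAC key, a one-week token lifetime, a `Contact` record with a "Country of Residence" field, and a constructed list of EU member-state codes as of May 2018; all of these are choices to adapt, not requirements from the text.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed key for the example; a real deployment loads it from a secrets store (assumption).
SECRET_KEY = b"constructed-example-key-do-not-reuse"
TOKEN_TTL_SECONDS = 7 * 24 * 3600        # reverification links expire after a week (constructed choice)
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC-SHA256 appended to the payload

# EU member states at the May 2018 enforcement date (ISO 3166-1 alpha-2). Constructed list:
# extend it as your legal team directs, for example with the EEA states.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB",
}


@dataclass
class Contact:
    email: str
    country_of_residence: str              # the person's residence, not the company HQ country
    consent_at: Optional[int] = None       # UNIX time when unambiguous consent was recorded
    consent_source: Optional[str] = None   # channel that produced the consent (web form, event, ...)
    unsubscribed: bool = False             # previously opted out: must not be emailed at all


def make_token(email: str, now: int, key: bytes = SECRET_KEY) -> str:
    """Build an opaque, expiring reverification token: base64url(payload || HMAC-SHA256(payload))."""
    payload = json.dumps({"email": email, "exp": now + TOKEN_TTL_SECONDS},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the email the token was issued for, or None if it is malformed, forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison of the MAC
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("email")


def needs_reverification(contact: Contact) -> bool:
    """EU contact with no consent on record and no prior opt-out: send a reverification request."""
    return (contact.country_of_residence in EU_COUNTRIES
            and contact.consent_at is None
            and not contact.unsubscribed)


def segment_contacts(contacts):
    """Split a mailing list into (mailable now, needs reverification, suppressed)."""
    mailable, reverify, suppressed = [], [], []
    for c in contacts:
        if c.unsubscribed:                  # opted out earlier: never emailed, not even to re-ask
            suppressed.append(c)
        elif needs_reverification(c):
            reverify.append(c)
        else:                               # consented EU contacts and non-EU contacts (outside the page's scope)
            mailable.append(c)
    return mailable, reverify, suppressed


def record_consent(contacts_by_email, token: str, now: int, source: str) -> bool:
    """Handle the click on a reverification link. Returns True only when consent has been logged."""
    email = verify_token(token, now)
    if email is None:
        return False
    contact = contacts_by_email.get(email)
    if contact is None or contact.unsubscribed:
        return False
    contact.consent_at = now                # timestamp and channel form the consent record
    contact.consent_source = source
    return True


if __name__ == "__main__":
    now = 1_526_860_800                     # constructed timestamp
    book = [Contact("anna@example.test", "DE"), Contact("ben@example.test", "FR", unsubscribed=True)]
    _, reverify, suppressed = segment_contacts(book)
    print("reverify:", [c.email for c in reverify], "suppressed:", [c.email for c in suppressed])
    link_token = make_token(reverify[0].email, now)
    print("consent logged:", record_consent({c.email: c for c in book}, link_token, now + 60, "reverification email"))
```

The token is what goes into the link in the reverification email; the consent record that results (timestamp plus source channel) is the evidence the data lead reviews before a campaign runs. Unsubscribed contacts stay out of the reverification segment entirely, and a valid token for such a contact is still refused.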

Figure 1. Bonobos Email Preference Center.

4. Update Privacy Policy Regularly and Notify Proactively

Include clear privacy policy directions on the website, including what information is being collected, how data is stored and how to contact the organization. For example, Expedia.com's privacy policy page is clearly worded, straightforward and comprehensive. All categories are outlined with links that jump to the appropriate section, which is better than putting all of that information on one long page, as many websites do.

Figure 2. Expedia.com Privacy Policy Page.

In addition to organizations building or modifying the privacy policy page, Constellation recommends that they proactively send notification of policy updates to customers. Specifically, keep a running list of the ways in which the business interacts with personal data and conduct quarterly audits to ensure the list is accurate. Use the list to guide regular updates of the privacy policy. Send proactive notifications about changes to the privacy policy to all parties whose personal data is covered by it. If necessary, ask constituents to opt in again. Below is an example email sent by retailer Nordstrom. This email demonstrates the clear language and directions mandated by GDPR. Note how Nordstrom included the effective date, a link to the privacy page and instructions on how to contact the customer service department if the recipient chooses to close an online account.

Figure 3. Privacy Update Email Sent by Nordstrom.

5. Design a Data Breach Plan

GDPR requires organizations to report data breaches no later than 72 hours after the organization becomes aware of the breach. Constellation advises CMOs to be proactive and design a data breach action plan as a precaution.

The following are recommended best practices for marketers responding to a data breach.

  • Communicate internally to all employees and provide training to all customer-facing employees on how to respond and assist customers.
  • Have a social media response plan in place, and ensure enough staff is available to respond to social media posts.
  • Publish as much information as possible, as quickly as possible, about the breach on the company website or direct customers to a microsite designed to dispense information about the breach.
  • Notify affected parties. Send an appropriate form of communication, whether through email, paper mail or a phone call, notifying affected parties about the breach.
  • Communicate to affected parties and media that the business is taking all measures to mitigate the damage of the breach.
  • Inform affected parties and media that they should report any suspicious activity with regard to use of their personal data to the business and the proper authorities (if applicable).
  • Engage the public relations firm or external communications to issue a press release and/or hold news conferences to inform the public about the breach. Be as transparent as possible.
  • Provide clear instruction about how to file complaints, get assistance or reach the customer service department.
  • Provide assistance to customers who are suffering negative consequences resulting from the breach.
  • Update affected parties and media about how the company will prevent future breaches.
  • Coordinate with internal stakeholders to ensure compliance going forward.

For more information about GDPR compliance for marketers, read A Guide to GDPR Compliance for Marketers. An excerpt of the report including the table of contents is available to download here.
