GDPR Compliance Checklist
Please note: Alchemy+Aim does not provide legal advice. The best route for you to ensure that you are compliant with all laws pertaining to your business is to consult a legal professional.
GDPR goes into effect on May 25, 2018, which means it is time to audit your business for compliance with the new regulation (not sure what GDPR is? Start here). Though the regulation goes into effect this week and does need to be addressed within your business as soon as possible, there is no need to panic.
Taking the time to systematically address the new regulations and ensure full compliance will set your business up for success in the long run. We compiled a checklist to serve as a starting point for you to create your own GDPR compliance plan based on your business’s own unique needs.
1. Audit your newsletter lists.
This is crucial for every single business that collects emails. Every member of your email list who resides in the EU must have willingly consented to have their name, email, and any other info added to the list, regardless of when they were added.
First, split your list into two segments: IP addresses within the EU (include unknown IP addresses in this segment) and IP addresses outside the EU. If you did not have explicit consent language next to your email signups in the past, or added clients who provided their email elsewhere to your list without asking them specifically about your general list, you need to ask the EU segment to confirm that they do in fact want to be on your list.
Send out an email to the EU segment asking them to consent to being included on your newsletter list by May 25, 2018. If they do not engage with your email, their data must be deleted.
If you are unsure how to segment your list, start by looking at your email newsletter provider’s GDPR information. Mailchimp has introduced some new tools for GDPR and ConvertKit has great documentation to get you started.
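The segmentation and clean-up described in step 1, as an added worked example (this is not code from the original checklist or from any newsletter provider). It assumes a subscriber export with the sign-up IP and a flag for recorded consent; the GeoIP lookup, the EU country list and the sample subscribers are constructed stand-ins. Unknown or unresolvable IPs land in the EU segment, only subscribers without a recorded opt-in are asked to re-consent, and deletions are computed only once the May 25 deadline has passed:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partial list of EU member-state codes, enough for the example (constructed; extend for real use).
EU_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"}


@dataclass(frozen=True)
class Subscriber:
    email: str
    signup_ip: Optional[str]   # None when the provider never recorded one
    explicit_consent: bool     # True only if an opt-in checkbox was recorded


# Constructed stand-in for a GeoIP lookup (hypothetical; a real site would query a
# GeoIP database). Anything not in the table is treated as unresolvable.
SAMPLE_GEOIP = {"203.0.113.7": "US", "198.51.100.9": "DE", "192.0.2.44": "FR"}


def lookup_country(ip: Optional[str]) -> Optional[str]:
    """Return a country code, or None for a missing, unparseable or unresolvable address."""
    if not ip:
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return SAMPLE_GEOIP.get(ip)


def segment(subscribers: List[Subscriber]) -> Tuple[List[Subscriber], List[Subscriber]]:
    """Split into (eu_or_unknown, non_eu). An unknown location counts as EU so that
    nobody who might be an EU resident is left out of the re-consent mailing."""
    eu_or_unknown, non_eu = [], []
    for s in subscribers:
        country = lookup_country(s.signup_ip)
        (eu_or_unknown if country is None or country in EU_COUNTRIES else non_eu).append(s)
    return eu_or_unknown, non_eu


def needs_reconsent(eu_segment: List[Subscriber]) -> List[Subscriber]:
    """Only EU-segment subscribers with no recorded explicit consent must be asked again."""
    return [s for s in eu_segment if not s.explicit_consent]


def to_delete(asked: List[Subscriber], confirmed_emails: List[str], deadline_passed: bool) -> List[Subscriber]:
    """After the deadline, everyone who was asked and did not confirm is removed.
    Before the deadline nothing is deleted; the mailing may still be answered."""
    if not deadline_passed:
        return []
    confirmed = {e.strip().lower() for e in confirmed_emails}
    return [s for s in asked if s.email.lower() not in confirmed]


# Constructed sample list.
SAMPLE_LIST = [
    Subscriber("us@example.com", "203.0.113.7", False),
    Subscriber("de@example.com", "198.51.100.9", True),
    Subscriber("fr@example.com", "192.0.2.44", False),
    Subscriber("noip@example.com", None, False),
    Subscriber("office@example.com", "192.168.1.20", False),   # private address: GeoIP cannot place it
    Subscriber("bad@example.com", "not-an-ip", True),
]


def run_example() -> dict:
    eu, non_eu = segment(SAMPLE_LIST)
    asked = needs_reconsent(eu)
    deletions = to_delete(asked, ["FR@example.com "], deadline_passed=True)
    return {
        "eu_or_unknown": [s.email for s in eu],
        "non_eu": [s.email for s in non_eu],
        "asked": [s.email for s in asked],
        "delete_after_deadline": [s.email for s in deletions],
    }


if __name__ == "__main__":
    for key, emails in run_example().items():
        print(f"{key}: {emails}")
```

The design choice worth noting is the direction of the default: an address the lookup cannot place is treated as EU, so a gap in the provider's data never quietly exempts a subscriber from the re-consent mailing.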
2. Ensure that future email newsletter opt-ins will be GDPR compliant.
- Make sure that newsletter opt-in forms on your website are clear about how the clients’ info will be used. Best practice if you are offering a freebie is to offer a checkbox that clients must check (the box cannot be auto-checked) which states you will add them to your mailing list and link to your privacy policy. If they do not check the box, you can still send them the freebie but not add them to your mailing list. If the box was unchecked, their information should be deleted after sending the freebie.
- Enable double opt-in if available on your newsletter provider.
- Make sure that there is a clear option to unsubscribe in each email you send and in your Privacy Policy.
- Make sure that your contact info is at the bottom of every email.
You may not want to add a checkbox to every newsletter opt-in form, so we have created a plugin to allow you to show the new GDPR compliant opt-in form only to IP addresses located in the EU, while showing your regular opt-in form to IP addresses outside the EU. If you would like to have this plug-in installed and configured for your site, please send an email to support@alchemyandaim.com.
3. Make a list of all data collection points on your website.
This includes anywhere a customer’s personal information, IP address, or browsing history is collected or processed. Here’s a short list to get you started:
- Contact forms
- Client information forms
- Payment portals
- Membership software
- eCommerce software
- CRM
- Google Analytics
- Newsletter opt-in forms
- Scheduling software
Add a checkbox with a consent statement anywhere your client submits information. This checkbox must be a required field and cannot be pre-checked.
Additionally, if you have an eCommerce component to your website, you must provide your customers an option to stop the processing of their data once the sale has been completed (i.e. you will not store their information after the sale for any reason).
Here’s an example of a consent statement you can add to the bottom of forms and checkout pages:
“I consent to the collection and secure storage of this data by <business name> as described in <business name>’s Privacy Policy. I understand that I may modify or delete my data at any time.”
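The checkbox rules from step 2 (never pre-checked; a freebie may still be delivered without consent, but then nothing is kept) and step 3 (a required, non-pre-checked consent box on every form that submits personal information), as an added worked example that is not part of the original checklist or of Alchemy+Aim's plugin. The field name `gdpr_consent`, the `form_kind` values and the `ConsentRecord` shape are assumptions. The first function is a template check a site owner can run over form HTML; the second is the server-side handling of a submission, which records the exact statement and policy version agreed to:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# The consent statement from the checklist; <business name> is the post's own placeholder.
CONSENT_TEXT = (
    "I consent to the collection and secure storage of this data by <business name> "
    "as described in <business name>'s Privacy Policy. I understand that I may modify "
    "or delete my data at any time."
)

# Hypothetical field name for the consent checkbox.
CONSENT_FIELD = "gdpr_consent"
_CONSENT_INPUT = re.compile(r'<input\b[^>]*\bname=["\']' + CONSENT_FIELD + r'["\'][^>]*>', re.I)

# Constructed timestamp used by the examples below.
EXAMPLE_NOW = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)


def consent_checkbox_problems(form_html: str, must_be_required: bool) -> List[str]:
    """Template check: the consent box may never be pre-checked, and on forms that
    submit personal information it must be a required field."""
    problems = []
    tags = _CONSENT_INPUT.findall(form_html)
    if not tags:
        return [f"no consent checkbox named {CONSENT_FIELD}"]
    for tag in tags:
        if re.search(r"\bchecked\b", tag, re.I):
            problems.append("consent checkbox is pre-checked")
        if must_be_required and not re.search(r"\brequired\b", tag, re.I):
            problems.append("consent checkbox is not a required field")
    return problems


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    statement: str        # exact wording the person agreed to
    policy_version: str   # which Privacy Policy revision was linked
    consented_at: str     # ISO 8601 UTC timestamp


def handle_submission(fields: Dict[str, str], form_kind: str, policy_version: str, now: datetime) -> dict:
    """form_kind 'freebie': consent optional; unchecked => send the freebie, store nothing.
    form_kind 'contact': consent mandatory; unchecked => reject the submission."""
    email = fields.get("email", "").strip()
    # Browsers omit an unchecked checkbox from the POST entirely, so the only
    # acceptable evidence of consent is the field being present with value "on".
    consented = fields.get(CONSENT_FIELD) == "on"
    result = {"accepted": False, "freebie_sent": False, "subscribed": False, "record": None, "reason": None}
    if not email:
        result["reason"] = "missing email"
        return result
    if not consented:
        if form_kind == "freebie":
            # Deliver once using the address, then discard it: no record, no list entry.
            result.update(accepted=True, freebie_sent=True)
        else:
            result["reason"] = "consent not given"
        return result
    record = ConsentRecord(email, CONSENT_TEXT, policy_version, now.astimezone(timezone.utc).isoformat())
    result.update(accepted=True, freebie_sent=(form_kind == "freebie"), subscribed=True, record=record)
    return result


if __name__ == "__main__":
    print(consent_checkbox_problems('<input type="checkbox" name="gdpr_consent" checked>', True))
    print(handle_submission({"email": "a@example.com"}, "freebie", "2018-05", EXAMPLE_NOW))
    print(handle_submission({"email": "a@example.com", "gdpr_consent": "on"}, "contact", "2018-05", EXAMPLE_NOW))
```

Storing the statement text and policy version alongside the timestamp matters later: if the wording or the policy changes, the record still shows exactly what each person agreed to.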
4. Review your use of cookies.
Cookies are small files that your website places on the computer of someone who visits the website to be able to quickly access information again the next time your website is accessed. For example, online shopping carts use cookies to remember which items you have in the cart if you close out of the page and open it again. It is likely that several different aspects of your website utilize cookies including WordPress, various plugins, Google Analytics, and social media links.
Under GDPR, cookies are considered to be processing data (and therefore require consent) if they are associated with personal information (e.g. name or IP address). This means that most tracking cookies require consent to be GDPR compliant.
If you use Google Analytics, any type of advertising, or social media links on your website, we recommend adding a cookie consent notice to your website. This usually looks like a notice at the top or bottom of the page which states that your website uses cookies and summarizes why, allowing the website user to opt out of the cookies.
We recommend utilizing a plugin to manage your cookie consent notice. Our favorite is GDPR Cookie Compliance, which allows you to easily customize the colors and settings of your cookie notice, and generates an unobtrusive consent bar at the bottom of your website.
5. Audit and update your Privacy Policy.
GDPR requires that you include information in your Privacy Policy about where you collect customer data, why you collect it, how it will or will not be used, and how long it will be stored. For each place or way that you collect data, you must state how clients may remove or delete their data from your system(s).
Take your list of data collection points and write a short summary in plain English about how the data is processed for each. Provide instructions for how clients can obtain access to their data (this may be via emailing you, filling out a form, or through a client portal). Add all of this to your Privacy Policy and ensure there is a link to your Privacy Policy in the footer of your website.
We recommend having a lawyer read your Privacy Policy to ensure compliance with all laws pertaining to your business.
Here’s a checklist for information to include in your updated Privacy Policy:
- What information is collected (name, email, IP address, etc.)
- How that information is collected (e.g. using a form on your website)
- Where that information is stored and what 3rd parties have access to the information (e.g. under password protection in Gravity Forms and Mailchimp)
- How that information is used (e.g. for marketing or accounting)
- How long that information is held
- How to lodge a data access request with your business
- Contact information for your business
6. Have a plan to deal with clients who want to access or delete their data.
First, take your data collection point list and investigate which of these third-party software systems allow customers to access their own data or will require you to provide the customer with their data. For example, Mailchimp does not allow customers to view all of their own data on your email list, but does provide a one-click option for exporting that data to provide to the customer.
There are several new plugins for WordPress websites which will allow customers to access data collected by other plugins like Gravity Forms or WooCommerce. Each integrates with different plugins, so check your data collection point list before looking for a GDPR plugin for your site.
- WP-GDPR Compliance supports GravityForms, WooCommerce, Contact Form 7, and WordPress blog comments.
- GDPR-WP does not offer any plugin support currently, but does provide user submission logs on your website and cookie consent options.
We recommend creating a data access request form for customers to request all data collected on them by your business. Add a link to this form in your Privacy Policy to make it easy for customers to request data.
Write a checklist for gathering the information from all of your data collection points and specify a secure method for your business to share that information with the customer (do not send this data in an email) within 1 business day of submitting the request form. Don’t forget that you need some method to verify the client’s identity so you do not provide information to the wrong person.
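The data access request workflow from step 6, as an added worked example that is not part of the original checklist or any of the plugins named above. It assumes three collection points (newsletter, orders, contact forms) represented here by constructed in-memory exports, a server-side secret for building a confirmation link sent to the address on file (so that only someone who can read that mailbox can complete the request), a one-business-day deadline that skips weekends, and a `secure_share` channel standing in for a client portal or one-time-secret service. Data is released only after verification and never by email:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Dict

# Constructed stand-ins for exports from three collection points (newsletter
# provider, shop, contact-form plugin); a real workflow calls each system's API.
NEWSLETTER = {"ana@example.com": {"name": "Ana", "signup_ip": "198.51.100.9"}}
ORDERS = {"ana@example.com": [{"order_id": "A-1001", "total": "49.00"}]}
CONTACT_FORMS = {"ana@example.com": [{"message": "Can you ship to Lisbon?"}]}

COLLECTION_POINTS: Dict[str, Callable[[str], object]] = {
    "newsletter": lambda e: NEWSLETTER.get(e),
    "orders": lambda e: ORDERS.get(e, []),
    "contact_forms": lambda e: CONTACT_FORMS.get(e, []),
}

# Hypothetical server-side secret for verification tokens; load it from configuration in practice.
SERVER_SECRET = b"constructed-example-secret"

# Constructed receipt time for the example: Friday 25 May 2018.
EXAMPLE_RECEIVED = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


@dataclass
class AccessRequest:
    email: str
    received: datetime
    identity_verified: bool = False


def due_date(received: date) -> date:
    """Deadline of one business day after receipt (weekends skipped)."""
    d = received + timedelta(days=1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def verification_token(email: str) -> str:
    """Token for a confirmation link mailed to the address on file."""
    return hmac.new(SERVER_SECRET, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def confirm_identity(req: AccessRequest, presented_token: str) -> bool:
    """Mark the request verified only if the presented token matches (constant-time compare)."""
    ok = hmac.compare_digest(verification_token(req.email), presented_token)
    req.identity_verified = ok
    return ok


def gather(email: str) -> Dict[str, object]:
    """Pull the subject's data from every collection point; empty results are kept so
    the response shows that each point was checked."""
    key = email.strip().lower()
    return {name: fetch(key) for name, fetch in COLLECTION_POINTS.items()}


def fulfil(req: AccessRequest, secure_share: Callable[[str, str], str]) -> str:
    """Release the package only after verification and only via the secure channel."""
    if not req.identity_verified:
        raise PermissionError("identity not verified; refusing to release data")
    package = {
        "subject": req.email,
        "received": req.received.isoformat(),
        "due_by": due_date(req.received.date()).isoformat(),
        "data": gather(req.email),
    }
    return secure_share(req.email, json.dumps(package, indent=2, sort_keys=True))


def demo_secure_share(email: str, payload: str) -> str:
    """Constructed stand-in for uploading to a client portal or one-time-secret service."""
    return f"portal://download/{hashlib.sha256(payload.encode()).hexdigest()[:12]}"


if __name__ == "__main__":
    req = AccessRequest("Ana@example.com", EXAMPLE_RECEIVED)
    token = verification_token(req.email)   # in practice, emailed to the address on file
    confirm_identity(req, token)
    print("due by", due_date(req.received.date()), "->", fulfil(req, demo_secure_share))
```

Two details carry the security point: a request that has not been verified cannot reach the data at all (the function refuses rather than returning a partial package), and the package includes every collection point, including the empty ones, so the response itself documents that nothing was overlooked.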
7. Have a plan to protect yourself from a data breach — and deal with it should it ever happen.
To keep your customers’ data secure, it’s important to ensure your business is actively working to prevent a data breach.
- Secure stored data – All sensitive data for yourself or your clients should be password protected, and the passwords should be stored securely (we recommend LastPass or 1Password). It’s also a great idea to add a password to your computer and work phone for an extra layer of protection against theft.
- Install anti-virus software on your computer – Make sure this software is turned on and performing regular scans.
- Share data securely – If you share sensitive data among team members, do not send it in an email. Invest in password-protected project management software, or better yet, use self-destructing message software like One Time Secret.
- Train your staff – Create a company-wide policy regarding data security and ensure your team follows the same standards you do.
- Keep your website and plugins updated – This ensures that you are utilizing the latest versions and not leaving yourself open to attacks on security vulnerabilities in older versions. We offer monthly maintenance packages to help you stay on top of website security.
- Make sure you have an SSL Certificate – This is a security measure to encrypt sensitive information your customers submit on your website. Read more about SSL Certificates here.
Make a plan for what you will do if data is breached. Your plan should include how you will inform your customers, who will investigate the data breach, and how you will ensure future security of your data (this includes, but is not limited to, changing passwords to all affected software systems for all members of your team).
This is not an exhaustive checklist, but is intended to be a starting place on your path to GDPR compliance. If you need help with the technical aspects of this checklist (we know it may feel overwhelming), please contact us for additional support or help executing these items.