GDPR Compliance Checklist
Please note: Alchemy+Aim does not provide legal advice. The best route for you to ensure that you are compliant with all laws pertaining to your business is to consult a legal professional.
GDPR goes into effect on May 25, 2018, which means it is time to audit your business for compliance with the new regulation (not sure what GDPR is? Start here). Though the regulation goes into effect this week and does need to be addressed within your business as soon as possible, there is no need to panic.
Taking the time to systematically address the new regulations and ensure full compliance will set your business up for success in the long run. We compiled a checklist to serve as a starting point for you to create your own GDPR compliance plan based on your business’s own unique needs.
1. Audit your newsletter lists.
This is crucial for every single business that collects emails. Every member of your email list who resides in the EU must have willingly consented to have their name, email, and any other info added to the list, regardless of when they were added.
First, split your list into two segments: subscribers whose IP addresses are within the EU (put unknown IP addresses in this segment as well) and subscribers whose IP addresses are outside the EU. If in the past you did not have explicit consent language next to your email signup forms, or you added clients to your list who had provided their email elsewhere without being asked specifically about your general list, you need to ask the EU segment to confirm that they do in fact want to be on your list.
Send out an email to the EU segment asking them to consent to being included on your newsletter list by May 25, 2018. If they do not engage with your email, their data must be deleted.
If you are unsure how to segment your list, start by looking at your email newsletter provider’s GDPR information. Mailchimp has introduced some new tools for GDPR and ConvertKit has great documentation to get you started.
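The segmentation and re-consent rule from step 1, as an added example (not code from Alchemy+Aim or from any newsletter provider). It assumes each subscriber's signup IP has already been geolocated to an ISO country code, uses a constructed EU country set for May 2018, treats unknown origin as EU, and deletes nothing before the deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: EU member states as of May 2018 (the UK was still a member).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB",
}
CONSENT_DEADLINE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class Subscriber:
    email: str
    country: Optional[str]                   # ISO code from signup-IP geolocation, None if unknown
    consented_at: Optional[datetime] = None  # when an explicit opt-in was recorded, if ever


def segment(subs: List[Subscriber]) -> Tuple[List[Subscriber], List[Subscriber]]:
    """EU segment = EU country OR unknown origin (the cautious default); everything else is non-EU."""
    eu: List[Subscriber] = []
    non_eu: List[Subscriber] = []
    for s in subs:
        if s.country is None or s.country.upper() in EU_COUNTRIES:
            eu.append(s)
        else:
            non_eu.append(s)
    return eu, non_eu


def to_delete(eu_segment: List[Subscriber], now: datetime) -> List[str]:
    """Emails of EU-segment subscribers to remove: those with no recorded consent once the
    deadline has passed. Before the deadline nothing is deleted; they may still respond."""
    if now < CONSENT_DEADLINE:
        return []
    return [s.email for s in eu_segment if s.consented_at is None]


def sample_list() -> List[Subscriber]:
    # Constructed sample data, not a real mailing list.
    return [
        Subscriber("a@example.com", "DE", datetime(2018, 5, 20, tzinfo=timezone.utc)),
        Subscriber("b@example.com", "DE"),
        Subscriber("c@example.com", None),
        Subscriber("d@example.com", "US"),
    ]
```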
2. Ensure that future email newsletter opt-ins will be GDPR compliant.
- Enable double opt-in if available on your newsletter provider.
- Make sure that your contact info is at the bottom of every email.
You may not want to add a checkbox to every newsletter opt-in form, so we have created a plugin that shows the new GDPR-compliant opt-in form only to IP addresses located in the EU, while showing your regular opt-in form to IP addresses outside the EU. If you would like to have this plugin installed and configured for your site, please send an email to firstname.lastname@example.org.
3. Make a list of all data collection points on your website.
This includes anywhere a customer’s personal information, IP address, or browsing history is collected or processed. Here’s a short list to get you started:
- Contact forms
- Client information forms
- Payment portals
- Membership software
- eCommerce software
- Google Analytics
- Newsletter opt-in forms
- Scheduling software
Add a checkbox with a consent statement anywhere your client submits information. This checkbox must be a required field and cannot be pre-checked.
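An added example (not code from the original post or any of the plugins it names) that checks the two rules just stated against a form template: the consent checkbox must carry `required` and must not carry `checked`. The field name `gdpr_consent` and the sample forms are constructed; the second function is the server-side check, since a browser omits an unchecked checkbox from the submission entirely and the `required` attribute alone can be bypassed.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional


class CheckboxCollector(HTMLParser):
    """Collects the attributes of every <input type="checkbox"> in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.checkboxes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): v for k, v in attrs}   # bare attributes like `required` map to None
        if (a.get("type") or "").lower() == "checkbox":
            self.checkboxes.append(a)


def audit_consent_form(html: str, field_name: str = "gdpr_consent") -> List[str]:
    """Return findings for the consent checkbox; an empty list means both rules are met."""
    collector = CheckboxCollector()
    collector.feed(html)
    boxes = [b for b in collector.checkboxes if b.get("name") == field_name]
    if not boxes:
        return [f"no checkbox named {field_name!r} found"]
    findings: List[str] = []
    for b in boxes:
        if "checked" in b:
            findings.append("consent checkbox is pre-checked")
        if "required" not in b:
            findings.append("consent checkbox is not a required field")
    return findings


def consent_given(posted: Dict[str, str], field_name: str = "gdpr_consent") -> bool:
    """Server-side check on the posted fields: absence of the field means no consent."""
    return posted.get(field_name) in ("on", "1", "true", "yes")


# Constructed sample templates.
GOOD_FORM = '<form><input type="checkbox" name="gdpr_consent" required> I consent.</form>'
BAD_FORM = '<form><input type="checkbox" name="gdpr_consent" checked> I consent.</form>'
```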
Additionally, if you have an eCommerce component to your website, you must provide your customers an option to stop the processing of their data once the sale has been completed (i.e. you will not store their information after the sale for any reason).
Here’s an example of a consent statement you can add to the bottom of forms and checkout pages:
Under GDPR, cookies are considered to be processing data (and therefore require consent) if they are associated with personal information (e.g. name or IP address). This means that most tracking cookies require consent to be GDPR compliant.
We recommend utilizing a plugin to manage your cookie consent notice. Our favorite is GDPR Cookie Compliance, which allows you to easily customize the colors and settings of your cookie notice, and generates an unobtrusive consent bar at the bottom of your website.
- What information is collected (name, email, IP address, etc.)
- How that information is collected (e.g. using a form on your website)
- Where that information is stored and what 3rd parties have access to the information (e.g. under password protection in Gravity Forms and Mailchimp)
- How that information is used (e.g. for marketing or accounting)
- How long that information is held
- How to lodge a data access request with your business
- Contact information for your business
6. Have a plan to deal with clients who want to access or delete their data.
First, take your data collection point list and investigate which of these third-party software systems allow customers to access their own data and which will require you to provide the customer with their data. For example, Mailchimp does not allow customers to view all of their own data on your email list, but it does provide a one-click option for exporting that data so you can provide it to the customer.
There are several new plugins for WordPress websites which will allow customers to access data collected by other plugins like Gravity Forms or WooCommerce. Each integrates with different plugins, so check your data collection point list before looking for a GDPR plugin for your site.
- WP-GDPR supports Gravity Forms, WooCommerce, Contact Form 7, Flamingo, and Mailchimp through paid add-on features.
- WP-GDPR Compliance supports GravityForms, WooCommerce, Contact Form 7, and WordPress blog comments.
- GDPR-WP does not offer any plugin support currently, but does provide user submission logs on your website and cookie consent options.
Write a checklist for gathering the information from all of your data collection points and specify a secure method for your business to share that information with the customer (do not send this data in an email) within 1 business day of submitting the request form. Don’t forget that you need some method to verify the client’s identity so you do not provide information to the wrong person.
7. Have a plan to protect yourself from a data breach — and deal with it should it ever happen.
To keep your customers’ data secure, it’s important to ensure your business is actively working to prevent a data breach.
- Secure stored data – All sensitive data for yourself or your clients should be password protected, and the passwords should be stored securely (we recommend LastPass or 1Password). It’s also a great idea to add a password to your computer and work phone for an extra layer of protection against theft.
- Install anti-virus software on your computer – Make sure this software is turned on and performing regular scans.
- Share data securely – If you share sensitive data among team members, do not send it in an email. Invest in password-protected project management software, or better yet, use self-destructing message software like One Time Secret.
- Train your staff – Create a company-wide policy regarding data security and ensure your team follows the same standards you do.
- Keep your website and plugins updated – This ensures that you are utilizing the latest versions and not leaving yourself open to attacks on security vulnerabilities in older versions. We offer monthly maintenance packages to help you stay on top of website security.
- Make sure you have an SSL Certificate – This is a security measure to encrypt sensitive information your customers submit on your website. Read more about SSL Certificates here.
Make a plan for what you will do if data is breached. Your plan should include how you will inform your customers, who will investigate the data breach, and how you will ensure future security of your data (this includes, but is not limited to, changing passwords to all affected software systems for all members of your team).
This is not an exhaustive checklist, but is intended to be a starting place on your path to GDPR compliance. If you need help with the technical aspects of this checklist (we know it may feel overwhelming), please contact us for additional support or help executing these items.