Watch the video below to learn considerations you should keep in mind (note the following does not constitute legal advice, and you should consult your own lawyers for what applies to your particular business).
1. Legal Implications (EU & European Local Law)
Key to the GDPR, individuals have the right to:
- Access their personal data,
- Correct errors in and erase their personal data,
- Object to the processing of their data,
- And export it whenever they want.
What this means for businesses is that you will need to review and update your Privacy Policy and make sure this policy is then updated on your website. All tools that are used for tracking need to be indicated on the privacy policy itself (including Google Analytics and other tools, such as marketing platforms, SaaS, etc.) and also whether the tools used comply with the GDPR.
The Privacy Policy will essentially need to be able to answer the following questions:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- And what will be the effect of this on the individuals concerned?
Also key is addressing the Notification of Breaches: if there is a data breach, the users whose data you hold need to be notified immediately.
2. Governance & Management
In terms of governance, organizations will need to:
- Protect personal data using appropriate security,
- Notify authorities of data breaches within 72 hours,
- Obtain appropriate consents before processing data,
- And keep records detailing data processing.
They will also be required to
- Provide clear notice of data collection,
- Outline processing purposes and use cases,
- And define data retention and deletion policies.
3. Operations, Policies, & Procedures
All organizations will need to:
- Train privacy personnel & employees,
- Audit and update data policies,
- And create & manage compliant vendor contracts
It’s also recommended that larger organizations employ a Data Protection Officer.
4. IT & Technology Infrastructure
For businesses that have contact forms and email subscription forms on their website, this may mean that:
- Every form needs a checkbox where the user accepts the Privacy Policy of the website. This checkbox must be unchecked by default (not pre-selected).
- In the privacy policy, the user needs to be told how their data will be used, how and where their data will be stored, and how it will be processed.
- To comply with the Right to be Forgotten:
  - A business should give the user the option to ask for the deletion of their data at any point in time, whether that is a user profile or data submitted via a contact form or other form submission.
  - As a lot of websites use backups, the privacy policy needs to communicate that a user’s data will be kept for up to 12 months for business and operations reasons.
- To comply with the right to download and change data:
  - The website should also have a mechanism for users to download or change their data electronically.
5. Alignment Across the Whole Organization
Last of all, you’ll need to ensure that everyone within your business understands how the GDPR works and what the procedures and policies at your company are, so that they are able to follow them accordingly. This includes team members across all departments, including HR, marketing, IT, Finance and others, as it will affect operations for everyone.
—
Now that you know more about the GDPR and how it can have an impact on your business, please check out other recent blog posts covering useful Inbound Marketing tips.
If you liked this video, subscribe to the Umami Marketing YouTube Channel and the monthly Digital Marketing Postcard. I’ll be back again in May to answer more of your questions. See you soon!