With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, it is key that your e-commerce business is ready for the new law before then. If you’ve not heard of the GDPR, it can be summarised as follows: it replaces the existing data protection law with a more robust and extensive regulation that gives individuals stronger privacy rights.
As such, we’ve put together ten tips for ensuring that you’re compliant with the new regulation before, during and after it comes into force in 2018. Read on for our recommendations.
1. Check each process of personal data and align it to a relevant lawful basis
Simply put, you need to identify your lawful basis for each kind of processing, whether that is retaining customer records or handling newsletter sign-ups. These are often referred to as the “conditions for processing” under the Data Protection Act, and include conditions such as gaining consent from the data subject, processing being necessary for the performance of a contract, or compliance with a legal obligation, amongst others.
As such, you need to check every single process that involves personal data in your business and confirm that each one rests on a relevant lawful basis.
2. Check all data collection points (e.g. sign-up forms) to ensure they meet the requirements of GDPR
This needs to be kept in mind across your entire business, as every data collection point must comply with the GDPR. That includes account creation during the checkout process, newsletter sign-up forms and any other point at which personal data is collected.
Additionally, if you’re using the data to send electronic marketing, you’ll need to adhere to the Privacy and Electronic Communications Regulations (PECR) as well as the GDPR.
3. Ensure you can react to a withdrawal of consent at any time and show customers how to do so
If an individual decides to withdraw their consent, such as opting out of receiving newsletters from your e-commerce business, then you need to be able to ensure that they are fully opted out of your database. You also need to give clear instructions on how to unsubscribe or withdraw consent in general, so that the entire process is as simple and clear as possible.
4. Do not bundle consent as a precondition of your service
You need to ensure that you don’t bundle consent with a condition of the service, e.g. a customer wins a prize draw, but to claim the prize they must consent to receive direct marketing. Consent given under that kind of condition is not freely given, and so does not provide a valid lawful basis.
5. Have you made it easy for individuals to access their personal data and update it as necessary?
Individuals often change their address, their name or some other part of their personal data, so this point is mainly about making it easy for them to review and update their personal data where appropriate. Keeping the data accurate also supports the lawful processing discussed in the first and second points.
6. Ensure you collect the minimum data and have processes in place to delete data after use
This is also about good housekeeping in your e-commerce business. Email marketing, for example, relies on you keeping your marketing lists up to date, so collecting only as much data as you need, using it appropriately and then having processes in place to delete it when it is no longer needed should be considered best practice.
7. Keep a record of when and how you obtain consent and record exactly what you were told at the time
Keeping records of when and how you obtained consent, and of the exact wording the individual saw at the time, is good practice in case an individual questions how you obtained their data or withdraws their consent. It may take a bit of extra time to bring your database in line with the rest of the GDPR when it comes to storing customer data, but it is worth the effort.
8. If sharing data with third parties, be clear to the individual who you are sharing the data with (naming the brands)
This ties into the above points about data cleansing and general record keeping, but is important enough to state separately. If you share data with third parties, you should make it extremely clear to the individual that you are sharing their data and who you are sharing it with, so that they have the chance to opt out should they choose to.
It may also be worth stating in your terms and conditions whether or not you share data with third parties, just to make it explicitly clear that this may happen.
9. Check that when profiling individuals via an automated decision-making process, you have obtained explicit consent via an unticked opt-in box with clear copy explaining the implications
This point is again about ensuring that you have explicit consent from the individual, given without any attempt to influence them. An automated decision can include situations such as an individual applying for a personal loan online, where the website uses algorithms and an automated credit search to give an immediate yes/no decision on the application.
As such, if your business profiles individuals in this way, you need to ensure that they have fully and explicitly opted in.
10. Do not email anyone if you are not sure they have consented or if they have unsubscribed
Lastly, a rather simple point – if you’re unclear as to whether someone has consented to let you use their data, or if they’ve unsubscribed from your database, then don’t use it!
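Tips 3, 7 and 10 share one underlying mechanism: an append-only record of who consented to what, where, and with which wording, that every outbound email is checked against. The example below is added here to illustrate that mechanism; it is not code from the original article, and the ledger class, the purpose names (such as "newsletter") and the sample customers are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: who, for what purpose, granted or withdrawn,
    where it was collected and the exact wording shown at the time (tip 7)."""
    subject: str        # e.g. an email address or customer id
    purpose: str        # e.g. "newsletter", "third_party_sharing" (hypothetical names)
    granted: bool       # True = consent given, False = consent withdrawn
    source: str         # collection point, e.g. "checkout_form_v3" (hypothetical)
    statement: str      # verbatim copy the subject saw when they acted
    at: datetime        # UTC timestamp of the action


class ConsentLedger:
    """Hypothetical append-only consent log. Nothing is overwritten or deleted:
    a withdrawal is a new event, so the full history survives for audit."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject: str, purpose: str, granted: bool, source: str,
               statement: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Refuse to log consent without the wording; a record with no
        # statement cannot show what the individual actually agreed to.
        if not statement.strip():
            raise ValueError("consent must be recorded with the wording shown")
        ev = ConsentEvent(subject, purpose, granted, source, statement,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def withdraw(self, subject: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Tip 3: withdrawal is logged as an event, never erased."""
        return self.record(subject, purpose, False, source,
                           "Unsubscribe link clicked", at)

    def latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose, or None if never recorded."""
        matches = [e for e in self._events
                   if e.subject == subject and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def may_contact(self, subject: str, purpose: str) -> bool:
        """Tip 10: only a recorded, still-active consent for this purpose permits
        contact. 'No record' and 'withdrawn' are both treated as no."""
        ev = self.latest(subject, purpose)
        return ev is not None and ev.granted

    def export(self, subject: str) -> List[dict]:
        """Tip 5: everything held about one person, oldest first."""
        return [asdict(e) for e in sorted(self._events, key=lambda e: e.at)
                if e.subject == subject]


def filter_recipients(ledger: ConsentLedger, candidates: List[str],
                      purpose: str) -> List[str]:
    """Gate a mailing list: drop anyone without active consent for this purpose."""
    return [c for c in candidates if ledger.may_contact(c, purpose)]


def demo_ledger() -> ConsentLedger:
    """Constructed sample data (not real customers or real wording)."""
    led = ConsentLedger()
    copy = "Tick to receive our weekly newsletter. You can unsubscribe at any time."
    led.record("alice@example.com", "newsletter", True, "checkout_form_v3", copy,
               datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc))
    led.record("carol@example.com", "newsletter", True, "footer_signup", copy,
               datetime(2018, 1, 11, 9, 0, tzinfo=timezone.utc))
    led.withdraw("carol@example.com", "newsletter", "email_unsubscribe_link",
                 datetime(2018, 2, 1, 9, 0, tzinfo=timezone.utc))
    # dave consented to a different purpose only; that does not cover the newsletter
    led.record("dave@example.com", "third_party_sharing", True, "checkout_form_v3",
               "Tick to let our named delivery partner contact you about your order.",
               datetime(2018, 1, 12, 9, 0, tzinfo=timezone.utc))
    # bob@example.com placed an order but never ticked anything: no record at all
    return led


if __name__ == "__main__":
    ledger = demo_ledger()
    everyone = ["alice@example.com", "bob@example.com",
                "carol@example.com", "dave@example.com"]
    print(filter_recipients(ledger, everyone, "newsletter"))
    for row in ledger.export("carol@example.com"):
        print(row["at"].isoformat(), row["granted"], row["source"], row["statement"])
```

The point of the design is that the send path never consults a mutable "subscribed" flag; it asks the ledger for the latest event per purpose, so a customer who consented to one thing (dave, to third-party contact) is not emailed for another, and a customer with no record at all (bob) is treated exactly like one who unsubscribed.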
For a handy checklist of the above points, why not download our GDPR checklist? If you’re wondering how to improve your data lists so that they are GDPR compliant, then why not get in touch with us? We’re happy to have a chat, either on the phone at 01793 238 697 or by email at firstname.lastname@example.org