Last Minute GDPR Compliance Checklist

The GDPR deadline is just days away, and no organization that collects personal data is exempt from its new rules. As the deadline approaches, it’s a good idea to run through your checklist, and to compare it to another compliance checklist to make sure that you haven’t left anything out. This is not something to take lightly, as failure to comply could result in damage to your company’s reputation, its relationship with its customers, and, ultimately, its finances. Assessing your plan and getting help where needed will ensure that you can get a framework in place for data protection.

Comprehensive Data List

Before you can manage your data, you first need to understand it. You should have a list of the personal data points that you have collected, where the data comes from, how you use and share that data, and the age of that data.

Privacy Policy

You should already have a privacy policy that is publicly available to anyone that wants to view it. You should review that policy and update it to comply with the new GDPR regulations. Remember to notify your customers and web site visitors about the changes that you make to your policy.

Consent Forms

If your company uses consent forms, those need to be reviewed and updated so that users have clear control of their data and how it is going to be used. Under GDPR, it’s important for people to be able to say “no” just as easily as they can say “yes.”

Future Data Management

Beyond the May 25, 2018 GDPR deadline, you’ll have to continue to manage your data in a compliant way. You need to assess if you already have someone in-house that can do that job, if you need to hire someone for that job, or if you need to get help from a third party to manage your data moving forward.

Internal Communications

Has everyone who touches your data or makes decisions about your data been informed of the GDPR measures taking effect, and received internal communications about how your company is implementing the changes and how you’ll proceed moving forward? It sounds tedious, but you’ll want to make sure all your SOPs have been updated to cover your new policies, to define the purpose for your data, and to review who is granted access to that data and how.

New Procedures

Have you laid out new company procedures for communicating data breaches, performing data audits, and handling customer inquiries and requests to be forgotten?

Existing Contracts

If you have contracts with other companies, make sure those partners are aware of your policy updates, and also ensure that they have updated their policies to be compliant with GDPR. Update any and all contracts and get each company involved to sign the addendum.

Don’t Forget

There are special categories of personal data, including data relating to children, genetic data, and employee data. Be sure to double check the GDPR standards for this information so that your policies on collecting, processing and storing it are compliant. You’ll also want to keep up with any changes to GDPR, so that you can adjust and adapt as needed.

Be sure to also check out Part 1 and Part 2 of our GDPR series if you haven’t already!

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Digital Style has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

Stop Panicking: Why GDPR is Actually a Good Move

By now, we’ve all heard of the European Union’s General Data Protection Regulation (GDPR) – which is taking effect on May 25, 2018 – and we’ve all witnessed or personally experienced some amount of panic in relation to the new law.

But…have you ever stopped to consider that GDPR might actually be a good move that will have some really positive impacts on marketing, and business in general?

What The Impacts Of GDPR On Email Consent & Permission Really Are

• Your business must now comply with GDPR, which imposes fines of up to 4% of your annual global revenue if your business fails to meet certain GDPR obligations
• Even if your business isn’t in the EU, the GDPR likely applies to your business if you process the personal data of EU data subjects
• For consent to serve as the lawful basis for processing personal data for electronic marketing purposes, such consent must be GDPR-compliant, i.e., be freely given, specific, informed, unambiguous, obtained from the data subject prior to beginning processing, and distinguishable from other matters
• In addition to consent, under limited circumstances, a company’s legitimate interests may also serve as the lawful basis for processing personal data for electronic marketing purposes

Introduction and Overview

Marketers have long tried to balance the quality vs. quantity issue for their databases. As email software and technology has evolved and allowed for better targeting, marketers have had to continuously defend their decisions to leave chunks of email addresses off their lists.

A new development relevant to such decisions is a new law that updates the regulations concerning EU customer privacy and imposes obligations affecting how marketers are able to build and manage their databases.

The new data protection regulation in the EU, the General Data Protection Regulation (GDPR), brings new focus to the protection of personal data in the age of technology. This new law replaces the 1995 EU Data Protection Directive and must be read together with the current EU ePrivacy Directive in determining whether a business has a lawful basis (consent or other lawful basis, such as legitimate interests) for processing personal data for electronic marketing purposes.

The GDPR regulates how companies process the personal data they hold, including how they collect it, store it, use it, protect it, transfer it, and dispose of it. The law applies not only to companies located in the EU, but also to companies that are not located in the EU but that process the personal data of EU data subjects in connection with offering goods or services or monitoring the behavior of EU data subjects. The GDPR has a broad definition of ‘personal data’ that includes any information relating to an identified or identifiable natural person (e.g., an email address or online identifier). The new regulation also imposes obligations that cover the security of EU personal data and personal data breach notifications.

Consent and Legitimate Interests as Lawful Bases for Processing of Personal Data for Electronic Marketing Purposes, and the GDPR’s Impact on Email Permission

There is an exception to the ePrivacy Directive’s consent requirement for electronic marketing communications if an opt-out opportunity was provided at the time the EU customer’s contact details were collected and in future messages. If instead of obtaining consent, a company has provided an opt-out opportunity that was compliant with the ePrivacy Directive, the company may be able to rely on legitimate interests as its lawful basis for such processing under the GDPR. The lawful basis of legitimate interests may apply if the processing is necessary for the legitimate interests of the data controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Data Subject Rights and Related Obligations

The GDPR also provides for a number of data subject rights that would be applicable in the context of data subjects to whom a company sends direct marketing communications. For example, a data subject has a right to erasure of his/her personal data under the circumstances set forth in the GDPR, including where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, or where consent is the only lawful basis for processing and the data subject has withdrawn such consent.

The GDPR also allows data subjects to obtain a copy of the personal data that has been collected about them.

Under the GDPR, companies will generally not be able to charge customers for obtaining this data (there are exceptions that can be made if the requests from a data subject are repetitive, manifestly unfounded, or excessive). Other data subject rights set forth in the GDPR include the right to rectification, the right to restriction of processing, the right to data portability, and the right to object to processing. The GDPR requires businesses to respond to data subject requests within one month of receipt of the request, subject to a limited exception that allows this period to be extended by two further months where necessary, taking into account the complexity and number of the requests.

Companies to which the GDPR applies that do not comply with the new regulations may be fined up to 4% of their annual global revenue. While this new law might seem intimidating, compliance with its obligations can actually help businesses improve their marketing efforts and increase both ROI and sales. Fear not, you will survive the new obligations imposed by the GDPR.

Check out part 2 of our GDPR series, “Stop Panicking: Why GDPR is Actually a Good Move.”

DISCLAIMER: You should seek independent legal advice concerning your company’s status and obligations under the GDPR and ePrivacy Directive because only an attorney can provide legal advice that is specifically tailored to a particular company’s situation. Our comments on this blog post are not intended to provide companies with legal advice, and they should not be used as a substitute for legal advice.