GDPR actionable steps

Intro to actionable areas of GDPR compliance on your website

Also available as PowerPoint Presentation and PDF Slides

Cliff Notes: what is GDPR?

GDPR is concerned with the collection, storage and processing of personal data

The two sets of rules to be aware of are the General Data Protection Regulation 2016 ("GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"), which cover electronic marketing communications.

It applies to all people in EU member states, even if the company is not located there. GDPR comes into force on May 25 2018 and, as a Regulation, does not need member countries to make it law first (though each country will then add it to its own laws). It replaces the Data Protection Act 1998 with the General Data Protection Regulation.

Each country has its own supervisory authority, and each company must register with one. If you have offices in multiple countries, choose the one where your head office and legal counsel are located. Otherwise you will be accountable to each country separately.

In the UK the authority is the ICO, and its website contains the regulations along with many other guides and a 12-step programme.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Breaches come with the following levels of sanction:

  1. Warning
  2. Reprimand
  3. Suspension of data processing
  4. Top level Fine: €20 million or 4% of global annual turnover


Clear what’s inside

Clear listing of use, and auditable processes.

Think of toothpaste with a clear label of what each ingredient is for: a reason for each ingredient.

Under the new regulations, your data collection and every partner who processes any of your visitors' personal data need to be listed clearly in your Terms or Privacy statement.


Visitor Opt-In

  • Log the location and time of each opt-in
  • Screen-grab and file each form
  • Provide a link to the Privacy Policy from the form
  • Use email double opt-in


Visitor Opt-In Controls

  • Clear, natural language
  • Granular
  • Opted out by default
  • Group options with the same intent


Cookies and Services

  • Audit your current cookies and 3rd-party services
  • Be able to disable services based on opt-in


Re-engagement Campaign

  • Where there is no record of opt-in
  • Wake non-active email subscribers
  • Warm up subscribers with an action


Separate Personal Data

  • Storage should be encrypted at rest
  • Data should be secured in transit
  • Extract personal data into a separate store so it can be controlled
  • Consider a Single Sign-On system


Export requests (The right of access)

  • Develop a process to:
    • Receive customer requests
    • Export personal data in a machine-readable format (CSV)
  • Start with just a form and a process; add automation later
  • You cannot charge for access


Removal requests (Right to be forgotten)

  • Develop a process to:
    • Receive customer requests
    • Remove personal data
    • Unsubscribe them from your own automation
    • Unsubscribe them from 3rd-party email and systems
  • Keep business records by anonymising emails
  • You cannot charge for the process
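As an added example (not part of the original slides), the two processes above in Python: the right-of-access export to CSV, and the erasure that keeps business records by swapping the email for a keyed-hash token. The in-memory store, the sample customer, the orders and the PEPPER secret are all constructed for illustration.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample store: one customer profile plus business records that name them.
CUSTOMERS = {
    "c-1001": {"email": "ada@example.com", "name": "Ada Lovelace",
               # Opt-in evidence as the Visitor Opt-In section asks for: where, when, how.
               "consent": {"form": "/newsletter", "ip": "203.0.113.7",
                           "at": "2018-05-25T09:30:00Z", "double_opt_in": True}},
}
ORDERS = [
    {"order_id": "o-1", "customer_id": "c-1001", "email": "ada@example.com", "total": 42.0},
    {"order_id": "o-2", "customer_id": "c-2002", "email": "bob@example.com", "total": 9.5},
]
# Hypothetical secret held outside the database. A keyed hash is pseudonymisation in GDPR
# terms; destroying this key later is what makes the stored tokens truly anonymous.
PEPPER = b"constructed-example-pepper"

def export_personal_data(customer_id):
    """Right of access: every field held about one customer, as machine-readable CSV."""
    profile = CUSTOMERS[customer_id]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for key in ("email", "name"):
        writer.writerow([key, profile[key]])
    for key, value in profile["consent"].items():
        writer.writerow(["consent." + key, value])
    for order in ORDERS:
        if order["customer_id"] == customer_id:
            writer.writerow(["order." + order["order_id"] + ".total", order["total"]])
    return buf.getvalue()

def anonymise_email(email):
    """Stable, non-reversible token for an address, so records stay groupable per customer."""
    digest = hmac.new(PEPPER, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16] + "@anonymised.invalid"

def erase_customer(customer_id):
    """Right to erasure: drop the profile; keep orders with identifiers swapped for the token."""
    profile = CUSTOMERS.pop(customer_id)
    token = anonymise_email(profile["email"])
    for order in ORDERS:
        if order["customer_id"] == customer_id:
            order["email"] = order["customer_id"] = token
    return token
```

Run the export before the erasure: once the profile is gone, the only trace left is the token, and the order totals remain for accounting.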


Ongoing process, so bake in Privacy by Design

The description that best summarises this evolution to a better set of practices is Privacy by Design. Applying these processes to every new point of data collection or processing makes the result more transparent and easier to implement. Buy-in from the company and its systems from the planning stage onwards bakes it in for the users too.
