How to be GDPR compliant

The importance for companies to be GDPR compliant cannot be overstated. Avoid fines and embrace the opportunities that GDPR will bring to the PR industry by staying updated. In this blog post, we will cover what you need to know about GDPR compliance.

The definitive GDPR compliant checklist

Even if you are a small business, you will not be exempt from the rules. Don’t make the mistake of thinking that GDPR is irrelevant; not complying with it could result in a substantial financial drain on your company.

Additionally, streamlining and protecting data will benefit the people you work with and be critical to the relationships you build and grow with journalists. Being transparent about what data you hold on them and protecting that data will build trust and strengthen relationships.

So, where do you begin?

1. Update your privacy policy

Make sure your privacy policy is up to date, with specifics stated such as:

  • The data retention period
  • The identity of the controller
  • The purposes of data processing
  • Who will have access to that data
  • Data transfer policies
  • An overview of the right to request
  • Consent withdrawal
  • How to lodge a complaint

Make sure it’s in a visible place on your website for individuals to reference at ease.

2. Know your data

Being GDPR compliant means you will need to know what data you hold, where it is stored, and who has access to it. The following steps are a good starting point:

  • Determine the duration for retaining data
  • Understand the objectives behind processing the data
  • Identify who will have access to the data
  • Clarify your policies on data transfers
  • Familiarize yourself with the right to make requests
  • Learn the process to file a complaint

If you want to learn more about how to ensure you own your data, read our guide about it.

3. Define your legal ground for processing data

Make sure you have defined the legal ground for processing data, whether that’s consent or legitimate interest. Also, ensure you have the documentation you need to prove compliance. If you opt for the legitimate interest route, ensure you carry out a Legitimate Interests Assessment (LIA) – this is a risk assessment based on your specific context and circumstances – and that it’s available for everyone in your organisation to reference.

4. Secure the website

Ensuring that your website is secure is absolutely essential. This means that the data stored on the website must be protected, and the website itself needs to be protected from outside attacks. Following these steps will help your website get the protection it needs:

  • Install an SSL/TLS certificate so that any information exchanged between visitors and the server is encrypted
  • Use strong passwords and store them in a cloud-based password manager, such as 1Password
  • Make sure you don’t collect, use or store personal data that is not necessary for your website, and remove data once your website no longer needs it
  • Back up your data

5. Audit third-party websites

It is not enough to assume that third parties and suppliers are compliant — you must ensure that they adhere to the new regulations. Audit your vendors/sub-processors for GDPR compliance.

6. Enable consent for emails

Do you use email marketing services to send out newsletters or for any communication? Great! However, you need to get permission from your users to send these emails. A great way to do this is to use double opt-in. By doing this, your visitors and users have to verify their email address after submitting it to your website.
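The double opt-in flow described above, as an added example that is not code from the original post: the address is only subscribed after the visitor clicks a signed, expiring confirmation link, and the confirmation step produces the timestamped consent record you need as documentation. The function names, the demo key and the 24-hour expiry are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed: confirmation links stop working after 24 hours

# Only confirmed addresses end up here, each with its consent record.
SUBSCRIBERS = {}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, now: Optional[float] = None) -> str:
    """Step 1: the visitor submitted an address; return the signed, expiring
    token to embed in the confirmation link. Nothing is subscribed yet."""
    issued_at = int(now if now is not None else time.time())
    payload = f"{email}|{issued_at}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"


def confirm_subscription(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 2: the visitor clicked the link. Verify the signature and expiry,
    then record consent with a timestamp. Returns None if the token is bad."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    email, issued_at, nonce, sig = parts
    payload = f"{email}|{issued_at}|{nonce}"
    # Constant-time comparison so a forged link cannot be refined byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    confirmed_at = int(now if now is not None else time.time())
    if not issued_at.isdigit() or confirmed_at - int(issued_at) > TOKEN_TTL:
        return None
    record = {"email": email, "consented_at": confirmed_at,
              "method": "double opt-in", "token_issued_at": int(issued_at)}
    SUBSCRIBERS[email] = record  # this record is your evidence of consent
    return record


def is_subscribed(email: str) -> bool:
    return email in SUBSCRIBERS
```

Keep the consent record alongside the address so that a withdrawal or a data-subject request can be answered from the same place.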

7. Add a cookie banner to your website

A cookie banner on your website ensures that you comply with privacy regulations and inform your website visitors about the use of cookies, enhancing transparency and user trust while avoiding potential legal issues.

8. Check all your forms on your website

Does your website have any forms that collect personal data? Then you must include a privacy statement explaining why you’re asking for their details. Add an opt-in option, such as an unticked checkbox. Also, add a link to the Privacy Policy for visitors who want further information.

9. Prepare your staff

Train staff on best practices when it comes to GDPR. Make sure they know your privacy policy, as well as how they should be sharing and storing data. They should also be made aware of how GDPR will affect their day-to-day work. It’s essential they understand that relatively routine tasks, such as email blasts, may need to undergo greater scrutiny to ensure compliance before being sent.

In communications, the most significant impact of GDPR will be on how the marketing industry operates. Spam mail and obtaining consent before marketing to people are two troublesome aspects. Some of this will, of course, spill over into PR.

Personal data can include anything from a name or email address to more sensitive data such as passport information, bank details, and so on. However, it’s what you do with this data that is of utmost importance. What legal ground do you have to use it?

As a communicator, you handle personal data daily. It could be retrieving journalists’ details and email addresses, or sending personalized emails and mass press releases. In short, you’re manipulating data. Under the new regulations, you will need to both process and store data carefully.

Worryingly, many companies aren’t taking the changes seriously. According to TrustArc, only 27% of businesses believe GDPR applies to them, and 7% fail to ask for consent to collect customer data.

If you would like to learn more about the implications of GDPR on the PR and communications industry, please get your copy of “GDPR – The Ultimate Guide for PR pros.”

Summarized

Compliance with the GDPR is mandatory for all businesses, regardless of size. Ignoring it could have financial repercussions. Proper data management strengthens relationships and builds trust.

Firstly, it is essential to update your privacy policy. This policy should be visible on your website and detail aspects like data retention periods, the controller’s identity, data processing intentions, accessibility of data, transfer policies, rights of request, methods to withdraw consent, and the complaint process.

Being GDPR-compliant also necessitates understanding the kind of data you hold, its location, and those with access to it.

Defining the legal basis for data processing, whether by consent or legitimate interest, is essential. When leaning towards legitimate interest, it’s crucial to conduct a Legitimate Interests Assessment (LIA), accessible to all in your organization.

Website security is also paramount while discussing GDPR. This encompasses protecting data stored and safeguarding the site against external threats. Implementation measures include SSL certificate installation, using robust passwords, ensuring minimal data collection, and consistent data backups.

Regular audits of third-party websites for GDPR compliance are another necessity; simply assuming their adherence is not enough. For those utilizing email marketing, obtaining user consent through methods like double opt-in is vital. Similarly, websites should have cookie banners. Any website form collecting personal data must include a privacy statement and an opt-in option. Staff should be adequately trained on GDPR nuances and be familiar with the company’s privacy policy. It’s alarming that many companies underestimate GDPR’s reach. PORT.im reported that only 27% of businesses believe GDPR concerns them, with 7% neglecting to request data collection consent.

GDPR’s introduction will primarily alter the marketing industry, affecting spam mail and consent-based marketing practices. As communicators handle personal data routinely, the new regulations demand careful data processing and storage.