Learn to navigate the GDPR with this complete GDPR step-by-step guide.
1. What in the World is the EU GDPR?
The General Data Protection Regulation (GDPR) is a new set of “digital rights" for EU citizens (affecting not only EU companies), created to reflect the current changes in the way that personal data is being used in a shifting digital world.
1.1 Who is affected by GDPR
GDPR does not only affect European companies but also non-European companies who handle EU "personal data" (see below). GDPR applies to anyone who’s dealing with data belonging to EU residents. So in a nutshell, it probably affects you too ;)
1. What is GDPR?
2. Positive aspects
3. Crucial 6 Rights & Obligations
4. GDPR Assessment
5. Data Policy Officer (DPO)
6. GDPR Checklists:
6.1 Website Checklist
6.2 Email Checklist
6.3 Facebook Marketing
6.4 Adwords Checklist
6.5 CRM Checklist
6.6 Third Party Operators
=> Get our GDPR Compliance bundle.
1.2 What is meant by "personal data"?
Personal data can be any information relating to individuals, no matter if it relates to their:
- or public life.
In other words:
- home addresses,
- email addresses,
- bank information,
- social media posts,
- medical data,
- IP addresses,
- and everything in between!
Through the GDPR, businesses will have to make sure individual people regain control of personal data. Users will now have the opportunity not just to access data organisations hold on them, but also to change the permissions they granted these organizations.
1.3 How long can you store personal data?
You must store data for the shortest time possible, no longer than is necessary for the purposes for which the personal data are processed” [Art.5(1)(e)]."
Try to always keep in mind what you acquired this data for, and respect the time limits in a way that makes practical sense. For example, returning customers may justifiably repurchase after several years, depending on the longevity of the product you're selling. But if you're an employment agency storing CVs to match short-medium term job searches, these ultimately would be out of date after a few years anyway, so storing them longer than a couple of years does not seem justified.
2. That's Why We Should Like GDPR
The GDPR is really good news for the internet user, who is becoming increasingly concerned with the way her / his personal data is being used - and this rightfully so.
In an age riddled with news of data breaches that have gone unchecked, this new policy addresses users’ concerns and empowers them with rights and data processors with obligations. An urgently needed improvement, not only after the recent Facebook Data Scandal.
GDPR should give internet users more protection and some peace of mind, making them more comfortable and at ease while surfing the web, which is also good news for websites.
3. Six Crucial Rights and Obligations of the GDPR Data Privacy Law
Right of Access
The Right of Access is a data subject right. This grants EU citizens the right to access the personal data stored and have access to information regarding how personal data are being processed
Right to Erasure
A right to erasure means that the data subject has the right to request their personal data be erased on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Right of Portability
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."
Anyone should be able to transfer their personal data from one electronic processing system to and into another, without being prevented by data controllers. The only exception is data that has been sufficiently anonymised. Data that has only been de-identified but can be relinked to the individual, is not.
Privacy by Design and Default Obligations - Strictest Privacy Settings at Every Step
Privacy settings on every part of a website, be it through forms, analytics, or anywhere at all where user date is managed or stored, must be set at a high level by default. This means that the user won't have to take any extra steps (clicking on boxes, etc) to make sure their data remains private by default.
The data controller will take technical and procedural measures to ensure that the entire processing lifecycle complies with the regulation. Encryption can take personal data out of scope of the GDPR. This means that that if data is fully encrypted, it is no longer identifiable and therefore out of the scope (unaffected) by GDPR.
Encryption and decryption operations must be carried out locally, to ensure that both keys and data are in the power of the data owner, so that privacy can be achieved. Some encryption techniques may not be sufficient to put the personal data out of scope of the GDPR. Controllers should carefully study the encrypted data and assess whether the data is at risk of being decrypted, taking into account potential future technologies.
Obligation to maintain records of activities
According to gdpr-info.eu, "Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility."
This means that data processing activity records must be maintained, and these shall very specifically illustrate the purposes of the processing, categories involved and projected time limits.
Obligation to notifie breaches within 72h
The GDPR states a new requirement: controllers must notify their country’s supervisory authority of any personal data breach within 72 hours of knowing about it, unless the data was anonymised or encrypted. Breaches that are dangerous to an individual – (identity theft, breach of confidentiality, etc) – must also be directly reported to the affected individuals.
4. GDPR Assessment and Avoiding Fines
To assess any liability to breaches and fines, take an inventory of all personal data you’ve accrued and examine it under the following 6 questions:
- To what end are you holding this data?
- How did you acquire it?
- What was the original purpose for gathering it?
- How long will you hold onto it?
- Is it secure both in terms of encryption and accessibility?
- Do you share it with third parties, and if so, what for?
Consider the fact that while businesses are not required to submit any forms proving they are compliant, the GDPR has the right to set up audits and inspections, so it's best to be safe than sorry!
5. Who Needs a Data Processing Officer?
Main Takeaways - GDPR Marketing Measures:
The GDPR only calls for the obligatory appointment of a DPO (Data Processing Officer) for any business or organization that stores or processes large amounts of personal data, whether for employees, individuals outside the organization, or both.
Data Processing is managed by a controller whose main activities will be processing operations that require regular and systematic overview of the data subjects, a person with expert legal data protection law and practices should assist and monitor the controller or processor to ensure they are being compliant with GDPR. Said controllers must be able to prove "consent" (opt-in) and ensure that consent may be withdrawn. The identity and contact details of the data controller in your company must be provided.
DPOs must be appointed for all public authorities, and where the main activities of the processor or controller include ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts processing of ‘special categories of personal data,’ like that which details political beliefs, ethnicity, religious beliefs etc.
Even if your website is not a public authority nor processes special categories of data (meaning a DPO is not mandatory), you will probably improve your approach to the GDPR if you do appoint one.
6. GDPR Checklists for Website, Facebook, Email, Google AdWords & CRM
With power comes responsibility, and the GDPR is a fantastic way to ensure that website managers are liable for how they use the data entrusted in them by the users. From now on, websites will have to:
- Educate their website visitors so they know what they’re getting into when they entrust a site with their data. This means that cookie and privacy policies will have to be thoroughly explained to the user. The user should also have to opt into cookies. This means no more pre-ticked boxes or implied consent (soft opt-ins).
- Make sure their users are able to change their minds. Even if they give consent to their data, they should be able to change their minds and retract consent. The user will also have the right to know how their data was used.
Checklist of most important GDPR aspects in short:
- You need to give option/explenation for opt-out cookies (here more on these cookies ;) on website.
- Google Analytics needs IP exclusion.
- Google Analytics: don’t submit personal information.
- Personal information must be stored encrypted and very safely.
- Keep Record of who has access to what data.
- SSL website is a must.
- SSL in email is a must too.
- You need active consent from user that you send them newsletters.
- You need to be able to show when and where someone opted in for newsletters.
- Maybe appoint a DPO.
- Keep record of your data processing.
6.1 GDPR Checklist for Your Website:
SSL certificate: The encryption code process that sits on the hosting space of your website. Without HTTPS, any data, for example from a contact form, is sent “in clear” and could therefore be read if intercepted. A variety of SSL certificates are available, all encrypting the data to the same level (256 bit – 2048). Some are available for free others can be purchased for around EUR 100.- per year. You can use a SSL Certificate Wizard (https://www.sslshopper.com/ssl-certificate-wizard.html) to find your SSL Certificate.
Pseudonymization ensures that that identifiers (points in which you can identify a person) are pseudonomyzed. Google has also pledged to offer data-processing agreements where required in time for May 2018,
Before May 25, Google will also roll out a new user deletion tool that will allow you to delete any data associated with an individual user / website visitor from your Google Analytics and/or Analytics 360 properties, by giving you the ability to erase common identifiers sent to Analytics Client ID (that is, the standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). More details will follow from Google shortly.
Enquiry & contact forms: You must have an SSL on your website, you can only store encrypted data in your website’s SQL database, your email service provider adheres to GDPR rules and that the email is stored and sent according to GDPR secure methods, you must shred any printed emails, and must have no pre-ticked boxes to automatically sign the enquirer up to a newsletter.
6.2 GDPR Email Management:
Now you must give your visitors complete control over their data, and offer clear, optional & understandable opt-in or out choices through your provider such as mailchimp, by:
Newsletters: Whenever someone contacts your company or organisation through your website with an enquiry, this does not mean that you automatically have permission to add them to your mailing list unless they explicitly give consent. You must keep a log of when they agreed to the terms and provide it to the user upon request. The user must be able to withdraw consent at any time. Make sure that the emails you send out all have an unsubscribe link, too.
Do you already have an email list? You can only use addresses from EU citizens if you have the specific consent of the receivers, unlike in other countries. This means you have to be able to prove where and when someone subscribed. The best way to ensure that you're compliant is to send your mailing list recipients email and have them opt-in.
Plain email: Make sure store your email data securely, use good anti-virus applications and archive and delete unnecessary email completely.
6.3 GDPR 2018 and Facebook Marketing
Facebook can be regarded as both a data controller and a data processor, according to their site. As of 23/02/18, Facebook is in the process of updating its terms and policies in connection with GDPR. Where relevant to the particular data processing, Facebook will ensure that it has an appropriate legal basis for that collection under the GDPR. For the time being, Facebook has not proposed a compliant joint controller agreement that would allows the publisher a way to rectify their current set-up to act in accordance with the GDPR.
In most cases, Facebook companies (Facebook / Messenger, Instagram, Oculus and WhatsApp), are considered and act as data controllers, which means they handle personal data as described in their Data Policy. For example, Facebook is the data controller of all on-Facebook activity. Its affiliates (such as WhatsApp, Oculus and Instagram) each handle personal data as described in their own data policies. Facebook promises to ensure that services across the Facebook companies align with GDPR, which may involve making new tools available to users and reviewing existing tools to make sure that we honour our obligations.
In certain cases, Facebook acts instead as a data processor on behalf of advertisers or business partners (who in this case are data controllers), such as for data file Custom Audiences and Workplace Premium. There are specific compliance requirements for data processors that Facebook promises to comply with. For example by refreshing contractual GDRP compliant obligations which must be agreed upon between data controllers and data processors. Facebook may sometimes act as a data processor for affiliate companies.
6.4 GDPR Regulation and Your Google AdWords Campaigns:
In May, Google will be updating their EU consent policy ( as the GDPR takes effect). The revised policy will require that publishers take extra steps in obtaining consent from their users. Before May, they have promised to launch a solution to support publishers that want to show non-personalized ads. Google is working with industry groups, including IAB Europe, to explore proposed consent solutions for publishers.
6.5 Data Privacy and CRM Connection:
6.6 GDPR Requirements and General Third Party Operators:
You should map and document data streams performed by third parties. This means that you must be aware of how third parties manage and process data, and document it. There are data management tools which might help you with this task. Here you find 8 Data Management Solutions or you can just use Excel :)
If you use third-party plugins or pixels, link to the third parties' privacy policies or consent mechanisms.
Remove Personally Identifiable Information (PII) If you have any form on your website which can transmit personal information then you MUST exclude their Personally Identifiable Information from tracking. You are not allowed to send it to Google Analytics and similar tracking systems. This is any information that may be used to identify or trace a someone’s identity, such as (but not limited to) their name, phone number, email, social security number, birth place or date, mother's maiden name, or biometric records; and any further data that is linked or linkable to a person, such as educational, employment, or financial information. Any customer data sent ‘in the clear’ to GA is a clear break of their terms, and can result in Google deleting all your analytics for that period
GDPR & Mouseflow
(or Kissmetrics, Hotjar, Crazy Egg, LuckyOrange)
1: Form Fields: Mouseflow (affiliate link) our favorite heatmap generator, released a feature that excludes content from being recorded, so that personal data doesn’t automatically get captured directly from the user experience. You can now also whitelist form fields for tracking directly from the UI. This ensures Mouseflow will not automatically mask form fields you do wish to track, preserving the original text that was entered. You can set it up under Settings > Advanced Settings > Whitelist Fields using simple CSS Selectors and learn more about it here.
2: Page Content: You can now exclude page content (HTML) from being captured directly from the UI. This makes it easy to block parts of a page which contain personal or sensitive data, so this data is never sent to our platform. You can set it up under Settings > Advanced Settings > Exclude Content using simple CSS Selectors and learn more about it here.
If you're using Hotjar then you also have to make sure to be GDPR complient. Here a Hotjar Settings Guide.
Data Protection and Lookalike Audiences:
You may still use lookalike audiences in your advertising within social media, but with some extra measures. When we as advertisers don’t get to see the actual PII of the audience members, we are not a data controller, then the network that the lookalike audience is created on remains the data controller.
Must I list every cookie and online tracker in my consent banner?
According to the GDPR legislation, every cookie that handles personal data must be clearly identified.
Your site visitors should be able to see the details of every cookie if they want to, with a complete list of all online tracking and active cookies in use on your website. Your site should be scanned through all its pages monthly to detect and identify evert cookies type tracking technologies in use. Within your policy, the cookies should be listed along with a description of their origin, their duration and to what purpose you use them.
Cookiebot has an excellent explanation on this still very murky topic on this link.
As a free Cookie Tool we use CookieConsent on our website, we like it and can recommend it :)
7. GDPR Fines:
Fines have been increased. Depending on the misdemeanor, there are two levels of fines. The maximum fine for not complying with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover (based on figures from the the preceding financial year), whichever is the larger sum.
The GDPR is good news for the public general, to ensure the safety of the internet and promote fairness and respect in personal data usage. Some questions still remain murky, such as those related to pixels, be it facebook pixels, linkedin pixels, etc. How will these be GDPR compliant? How can we legally and respectfully track audiences to make targeted ads? How about google retargeting? Unfortunately, some questions remain (for the time being) unanswered. Make sure to follow up for updates on this post as answers roll in!
Questions in comments
We understand that you may have some additional questions! We at onlineKarma understand the need for accountability vis à vis these important topics; we are ready to help you with the relevant changes and your online marketing campaign. As always, we look forward to your feedback and wish you happy karma!
*Please note that the information contained in this blog post is for informational purposes only and does not in any way constitute legal advice.
9. GDPR Related Definitions
A page on your website that states what cookies are used on the site, both yours and from third parties and what data you capture with them and what you do with it.
Controller / Data Controller:
‘The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Encoding a data or any information to ensure that only authorized parties have access to it.
PII (personally identifiable information ):
Any information relating to individuals, no matter if it relates to their: private, professional or public life.
Privacy by Design and Default:
Strictest Privacy Settings at Every Step
Privacy settings on every part of a website, be it through forms, analytics, or anywhere at all where user date is managed or stored, must be set at a high level by default.
Legal document / statement explaining how a party gathers, uses, discloses, and manages customer / clients information.
Pseudonymisation / Anonymization Definition:
If it can be proven that the true identity of the individual cannot be discovered from anonymized data, then this data is exempt from other methods ensuring the strict confidentiality of the actual data. This means that data is scrubbed for any information that could render the subject identifiable. This does not remove all identifying information from the data but just reduces the possibility of linking a dataset with the original identity of an individual This allows for processing of pseudonymized data for uses beyond the purpose for which the data was originally collected. The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
Secure Sockets Layer is a protocol that encrypts information such as credit card transactions, data transfer and logins. They ensure secure, encrypted communications are established between websites and internet browsers.
Collection of relevant resources:
- Haufe.de - compliance -recht politik auswirkung der datenschutzgrundverordnung auf website pflichten