Complete GDPR Step-by-Step Guide

Learn to navigate the GDPR with this complete GDPR step-by-step guide.

1. What in the World is the EU GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that gives people in the EU a new set of "digital rights" over their personal data (and binds non-EU companies too). It was written to reflect how personal data is actually collected and used in a shifting digital world, and it applies from 25 May 2018.


1.1 Who is affected by GDPR

GDPR does not only affect European companies. Under Art. 3 it applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example with analytics or ad tracking) and therefore handle EU "personal data" (see below). It protects anyone in the EU, not just EU citizens. So in a nutshell, it probably affects you too ;)


1.2 What is meant by "personal data"?

Personal data can be any information relating to individuals, no matter if it relates to their:

  • private,
  • professional
  • or public life.

In other words:

  • names,
  • home addresses,
  • photos,
  • email addresses,
  • bank information,
  • social media posts,
  • medical data,
  • IP addresses,
  • and everything in between! 

Through the GDPR, businesses have to make sure individuals regain control of their personal data. Users can not just access the data organisations hold on them, but also withdraw the permissions they granted those organisations.


1.3 How long can you store personal data?

You must store personal data for the shortest time possible: it may be kept "for no longer than is necessary for the purposes for which the personal data are processed" [Art. 5(1)(e), the storage limitation principle]. Data you still need for a legal obligation (tax records, for example) is a separate purpose with its own retention period, and that purpose should be written down as well.

Try to always keep in mind what you acquired this data for, and set time limits that make practical sense for that purpose. For example, returning customers may justifiably repurchase after several years, depending on the longevity of the product you're selling. But if you're an employment agency storing CVs to match short- to medium-term job searches, these will be out of date after a few years anyway, so storing them longer than a couple of years does not seem justified. Whatever limit you pick, write it down and enforce it with a scheduled deletion (or anonymisation) job rather than relying on someone remembering.

2. That's Why We Should Like GDPR

The GDPR is really good news for the internet user, who is rightfully becoming increasingly concerned with the way her or his personal data is being used.

In an age riddled with news of data breaches that have gone unchecked, this regulation addresses users' concerns: it gives them rights and gives controllers and processors obligations. An urgently needed improvement, not only after the recent Facebook data scandal.

GDPR should give internet users more protection and some peace of mind, making them more comfortable and at ease while surfing the web, which is also good news for websites.

3. Six Crucial Rights and Obligations of the GDPR Data Privacy Law

  1. Right of Access
    The Right of Access (Art. 15) is a data subject right. It grants individuals the right to obtain a copy of the personal data stored about them and information on how that data is being processed (purposes, recipients, retention period, source).

  2. Right to Erasure
    A right to erasure (Art. 17, the "right to be forgotten") means that the data subject can request that their personal data be erased on any one of a number of grounds. These include the data no longer being necessary for its purpose, withdrawal of consent, and processing that lacks a lawful basis under Art. 6(1), for example where the controller's legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject.

  3. Right of Portability
    "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."

    Anyone should be able to transfer their personal data from one electronic processing system to another without being prevented by data controllers. The right covers data the subject provided, processed by automated means on the basis of consent or a contract (Art. 20). Data that has been sufficiently anonymised is not personal data at all and is therefore not covered; data that has only been de-identified but can be relinked to the individual still is.

  4. Privacy by Design and Default Obligations - Strictest Privacy Settings at Every Step
    Privacy settings on every part of a website, be it forms, analytics, or anywhere else user data is managed or stored, must be set to the most protective level by default (Art. 25). The user must not have to take extra steps (unticking boxes, etc.) to keep their data private.

    The data controller must take technical and organisational measures to ensure that the entire processing lifecycle complies with the regulation. Encryption and pseudonymisation are the two measures Art. 32 names explicitly. Be careful with a common misreading: encrypting personal data does not take it out of scope of the GDPR. As long as you (or anyone) hold the key, the data can be attributed to a person and is still personal data. What encryption buys you is a breach defence: if stolen data is unintelligible to the attacker because it was properly encrypted and the key was not compromised, Art. 34(3)(a) waives the duty to notify the affected individuals (not the duty to notify the supervisory authority).

    That only works if the keys are managed separately from the data: an encrypted database whose key sits in a config file on the same server gives the attacker both. Controllers should assess whether the encrypted data is at risk of being decrypted, taking into account the state of the art and likely future technologies (Recital 26), and decrypt only where and when the data is actually needed.

  5. Obligation to maintain records of activities
    Art. 30 states: "Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility."

    This means that records of data processing activities must be maintained, and these must specifically list the purposes of the processing, the categories of data subjects and data, the recipients, any transfers to third countries, the envisaged time limits for erasure and a general description of the security measures. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk, is not occasional, or involves special categories (Art. 30(5)); since regular website analytics or a mailing list is not occasional processing, few organisations should rely on the exemption, and the record is what a supervisory authority will ask for first.

  6. Obligation to notify breaches within 72h
    The GDPR introduces a new requirement (Art. 33): controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Processors must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals (identity theft, breach of confidentiality, etc.), the affected individuals must be informed directly as well (Art. 34); this second duty is waived if the data was rendered unintelligible, for example properly encrypted with an uncompromised key. Whether or not you notify, document every breach and your reasoning (Art. 33(5)): the 72 hours start when you become aware, so a detection and escalation process has to exist before the incident.

4. GDPR Assessment and Avoiding Fines

To assess your exposure to breaches and fines, take an inventory of all personal data you've accrued and examine it under the following 6 questions:

  1. To what end are you holding this data?
  2. How did you acquire it?
  3. What was the original purpose for gathering it?
  4. How long will you hold onto it?
  5. Is it secure both in terms of encryption and accessibility?
  6. Do you share it with third parties, and if so, what for? 

Note that while businesses are not required to submit any forms proving they are compliant, supervisory authorities have investigative powers (Art. 58) and can carry out audits and inspections, and Art. 5(2) makes you accountable for demonstrating compliance. Better safe than sorry!

5. Who Needs a Data Protection Officer?

The GDPR only calls for the obligatory appointment of a DPO (Data Protection Officer, Art. 37) for certain organisations: public authorities, and any business or organisation whose core activities involve large-scale processing of personal data, whether about employees, individuals outside the organisation, or both.

Where a controller's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, a person with expert knowledge of data protection law and practice must advise and monitor the controller or processor to ensure it is compliant with the GDPR. Separately from the DPO question, controllers relying on consent must be able to prove it (an opt-in, Art. 7) and must make consent as easy to withdraw as it was to give. The identity and contact details of the data controller, and of the DPO where one exists, must be given to data subjects (Art. 13).

DPOs must be appointed for all public authorities, and where the core activities of the processor or controller include 'regular and systematic monitoring of data subjects on a large scale' or large-scale processing of 'special categories of personal data', such as political opinions, ethnic origin, religious beliefs, health or biometric data.

Even if your organisation is not a public authority and does not process special categories of data on a large scale (meaning a DPO is not mandatory), you will probably improve your approach to the GDPR if you appoint one anyway.

6. GDPR Checklists for Website, Facebook, Email, Google AdWords & CRM

With power comes responsibility, and the GDPR is a good way to make website managers accountable for how they use the data entrusted to them by users. From now on, websites have to:

  • Educate their website visitors so they know what they're getting into when they entrust a site with their data. This means that cookie and privacy policies have to be explained thoroughly to the user. The user also has to opt in to non-essential cookies. This means no more pre-ticked boxes or implied consent (soft opt-ins): consent must be a clear affirmative action (Art. 4(11)).
     
  • Make sure their users are able to change their minds. Even after giving consent, a user must be able to withdraw it, as easily as it was given. The user also has the right to know how their data was used.

Checklist of the most important GDPR aspects in short:

  1. Explain your cookies and give users a choice (an opt-in before non-essential cookies are set, and an opt-out afterwards).
  2. You need an accurate privacy policy on your website.
  3. Google Analytics needs IP anonymisation turned on.
  4. Google Analytics: never submit personal information (no emails, names or user IDs in URLs or events).
  5. Personal information must be stored securely, encrypted where appropriate (Art. 32 names encryption and pseudonymisation explicitly, so you need a reason if you skip them).
  6. Keep a record of who has access to what data, and review it.
  7. HTTPS (a TLS certificate, still commonly called "SSL") on the whole website is a must.
  8. TLS for email transport (and encryption of stored mailboxes) is a must too.
  9. You need active consent from users before sending them newsletters.
  10. You need to be able to show when and where someone opted in to newsletters.
  11. Maybe appoint a DPO.
  12. Keep a record of your data processing.

6.1 GDPR Checklist for Your Website:

GDPR Website
  • Cookie policy: 'By using this site, you accept cookies' notices are no longer compliant. If a user cannot genuinely choose, then there is no valid consent. You need a page on your website that states what cookies are used on the site, both yours and from third parties, what data you capture with them and what you do with it. A cookie & privacy notice must appear when a user first visits your website. Prior, explicit opt-in is the safe consent model; a soft opt-in (cookies set first, notice afterwards) is exactly the implied consent described above and should be avoided.

    This means giving the user an opportunity to act before non-essential cookies are set on a first visit to the site: tracking scripts (analytics, pixels, heatmaps) must not load until the user has accepted. Cookies that are strictly necessary for the service the user asked for (a session cookie for a shopping cart, for instance) do not need consent. The use of the website must not be limited to those who accept cookies: the user must be able to use the site without them and decline cookies for their session. The cookie notice must explain that if they decline, the site may lose some functionality. Sites also need an always-available way to opt out later.

  • Privacy Policy: A document that states the website owner's full statement of what data is captured, when it is captured, what the data is used for, and which third parties receive it and why. It must include the controller's (and, where applicable, the DPO's) contact details, and describe how users can request a copy of their data and request that it be permanently deleted.

  • SSL certificate: The certificate that lets your web server establish encrypted HTTPS (TLS) connections. Without HTTPS, any data, for example from a contact form, is sent "in clear" and can be read or altered if intercepted. A variety of certificates are available; the validation level (domain, organisation or extended validation) changes what the certificate attests about you, not the strength of the encryption. Strength comes from the key and the TLS configuration on your server: a 2048-bit RSA key (or an ECDSA key) for the certificate and a modern cipher suite such as AES-256 for the session. Some certificates are free (Let's Encrypt, for instance), others cost around EUR 100 per year. You can use an SSL Certificate Wizard (https://www.sslshopper.com/ssl-certificate-wizard.html) to find one. Once installed, redirect all HTTP traffic to HTTPS and test the configuration, so that the form really is never submitted over plain HTTP.

  • Google Analytics: Google Analytics is only GDPR compliant if you set it up to be so. You cannot send certain data to Google, such as email addresses, names, social security numbers, etc. You must ensure that you are not transmitting any PII (Personally Identifiable Information), that IP anonymisation is turned on, and that you update your privacy policy to reflect all of this. The most common leak is not a deliberate event but a URL: a confirmation page whose address contains the user's email is reported to Google as the page path.
    Pseudonymisation means that identifiers (points at which you could identify a person) are replaced by values that cannot be linked back without separately held information; the Client ID cookie is such a pseudonym, a logged-in user's email address is not. Google has also pledged to offer data-processing agreements where required in time for May 2018.

    Before May 25, Google will also roll out a new user deletion tool that will allow you to delete any data associated with an individual user / website visitor from your Google Analytics and/or Analytics 360 properties, by giving you the ability to erase data tied to the common identifiers sent to Analytics: Client ID (that is, the standard Google Analytics first-party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). More details will follow from Google shortly.

  • Enquiry & contact forms: Your website must use HTTPS; personal data in your website's SQL database should be encrypted at rest (and, at minimum, the database must not be reachable from the internet and access must be limited to the application account); your email service provider must adhere to GDPR rules, so that the email is stored and sent securely; printed emails must be shredded; and there must be no pre-ticked boxes automatically signing the enquirer up to a newsletter.

  • Live chat: If you use one, you must refer to this third-party service in your cookie policy and privacy policy and state that you have reviewed their GDPR/Privacy Shield terms. The chat script is a tracker like any other and should only load after consent.

  • For E-Commerce: If your website is an e-commerce one or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have HTTPS installed and also pseudonymise data wherever it is used for analytics or testing. When using popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that their privacy policies are checked and referenced inside your own privacy policy. If they are UK (or European) based, they will have to comply with GDPR. If they are US-based, they must be Privacy Shield compliant. Storing payment card details on a website falls under and is regulated by PCI DSS; the simplest way to limit that scope is to let the gateway hold the card data and keep only the token it returns.

6.2 GDPR Email Management:

Now you must give your visitors complete control over their data, and offer clear, optional & understandable opt-in or opt-out choices through your provider such as Mailchimp, by:

  • Newsletters: When someone contacts your company or organisation through your website with an enquiry, this does not mean that you automatically have permission to add them to your mailing list, unless they explicitly give consent. You must keep a log of when and where they agreed and provide it to the user upon request. The user must be able to withdraw consent at any time, and every email you send must have an unsubscribe link.
    Do you already have an email list? You can only keep mailing EU data subjects if you have their specific consent (or another lawful basis, such as the existing-customer exemption for your own similar products under the ePrivacy rules); pre-GDPR lists built with pre-ticked boxes or implied consent do not qualify. This means you have to be able to prove where and when someone subscribed. The safest way to ensure that you're compliant is to send your existing recipients a re-permission email and keep only those who actively opt in.

  • Plain email: Make sure you store your email data securely, use good anti-virus applications, and archive or delete unnecessary email completely (an inbox full of old enquiries is personal data with no retention limit).

6.3 GDPR 2018 and Facebook Marketing

source: facebook.com/business/GDPR

Facebook can be regarded as both a data controller and a data processor, according to their site. As of 23/02/18, Facebook is in the process of updating its terms and policies in connection with GDPR. Where relevant to the particular data processing, Facebook will ensure that it has an appropriate legal basis for that collection under the GDPR. For the time being, Facebook has not proposed a compliant joint controller agreement that would allow a publisher to rectify their current set-up to act in accordance with the GDPR.

In most cases, Facebook companies (Facebook / Messenger, Instagram, Oculus and WhatsApp) are considered and act as data controllers, which means they handle personal data as described in their Data Policy. For example, Facebook is the data controller of all on-Facebook activity. Its affiliates (such as WhatsApp, Oculus and Instagram) each handle personal data as described in their own data policies. Facebook promises to ensure that services across the Facebook companies align with GDPR, which may involve making new tools available to users and reviewing existing tools to make sure that it honours its obligations.

In certain cases, Facebook acts instead as a data processor on behalf of advertisers or business partners (who in this case are data controllers), such as for data file Custom Audiences and Workplace Premium. There are specific compliance requirements for data processors that Facebook promises to comply with, for example by refreshing the contractual GDPR-compliant obligations that must be agreed between data controllers and data processors (Art. 28). Facebook may sometimes act as a data processor for affiliate companies.

6.4 GDPR Regulation and Your Google AdWords Campaigns:

source: adwords.com

In May, Google will be updating their EU consent policy ( as the GDPR takes effect). The revised policy will require that publishers take extra steps in obtaining consent from their users. Before May, they have promised to launch a solution to support publishers that want to show non-personalized ads. Google is working with industry groups, including IAB Europe, to explore proposed consent solutions for publishers.

6.5 Data Privacy and CRM Connection:

source: salesforce.com

  • Client Relationship Management: It is your responsibility to ensure that your data collection process is secure, and to refer to this third-party service in your privacy policy. If your site sends the enquiry directly and automatically into your CRM, the date, time, reason for capture and consent details must be captured with it. Your users have the legal right to ask you where and when their details were captured, how the data will be used, and how the details can be permanently deleted (the 'right to be forgotten'); the process for this must be explicit.

6.6 GDPR Requirements and General Third Party Operators:

You should map and document the data flows performed by third parties. This means that you must be aware of how third parties manage and process data, and document it (this map is also what your Art. 30 record and your processor agreements are built from). There are data management tools which might help you with this task. Here you find 8 Data Management Solutions, or you can just use Excel :)

  • Compliant connected systems: Google, Mailchimp, Salesforce, Mizmoz, Facebook etc. process your organisation's data on its behalf, which makes them your processors and requires a data processing agreement with each of them (Art. 28). Most of these systems are based in the US. Privacy Shield is not a US equivalent of the GDPR: it is the framework that allows personal data to be transferred to certified US companies at all, and is separate from their obligation to become GDPR compliant if they cater to anyone in the EU come May 2018. (Privacy Shield has since been invalidated by the CJEU's Schrems II ruling of July 2020; transfers to the US need another mechanism, such as standard contractual clauses.) You need to make sure that your processes and privacy policy clearly state which third-party data processors you use and to whom data is passed on. Although you may not have to seek permission from each person who 'likes' your page or 'follows' you on Facebook, you must make sure that any information gathered directly from people you interact with on these sites is handled in accordance with the GDPR.

  • If you use third-party plugins or pixels, link to the third parties' privacy policies or consent mechanisms.

  • If you use any of these systems, make sure they are referred to in the cookie policy and the privacy policy, and check the third party's own privacy policy to ensure they comply. Whilst we know that Google Analytics will offer data-processing agreements where required in time for May 2018, other, lesser-known tracking services may not.

  • Remove Personally Identifiable Information (PII): If you have any form on your website which can transmit personal information, then you MUST exclude that PII from tracking. You are not allowed to send it to Google Analytics or similar tracking systems. PII is any information that may be used to identify or trace someone's identity, such as (but not limited to) their name, phone number, email, social security number, birth place or date, mother's maiden name, or biometric records, and any further data that is linked or linkable to a person, such as educational, employment, or financial information. Any customer data sent 'in the clear' to GA is a clear breach of their terms and can result in Google deleting all your analytics data for that period. Check the page paths and query strings GA reports, not just your custom events: URLs are where PII usually slips through.
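
The Google Analytics items in the website checklist (IP anonymisation, no PII in what you send) and the point just above (PII leaking through forms and URLs) can both be handled in the page script. The following is an added example in JavaScript; it is not Google's code and not code from the original post. It assumes the standard gtag.js snippet is already on the page, uses a placeholder measurement ID, and takes `gtag` as a parameter so it can be exercised with a recording stub outside a browser. The parameter names in `PII_PARAMS` are assumptions you should extend for your own forms.

```javascript
// Query parameters that commonly carry identifiers (assumed list; extend it).
const PII_PARAMS = new Set(['email', 'e-mail', 'name', 'firstname', 'lastname',
  'phone', 'tel', 'ssn', 'dob', 'user', 'username', 'token']);

// Good enough to catch addresses in URLs and free text; not an RFC validator.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Return a copy of the URL with PII-bearing query values replaced and any
// email address removed from the path and the fragment.
function redactUrl(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, 'REDACTED');
  }
  url.pathname = url.pathname.replace(EMAIL_RE, 'REDACTED');
  url.hash = url.hash.replace(EMAIL_RE, 'REDACTED');
  return url.toString();
}

// Free-text fields (search terms, event labels) get the same treatment.
function redactText(text) {
  return String(text).replace(EMAIL_RE, 'REDACTED');
}

// Wire it into gtag.js. `gtag` is the global the Google snippet defines.
// anonymize_ip applies to Universal Analytics properties; GA4 properties
// discard the IP address by default.
function configureAnalytics(gtag, measurementId, pageUrl) {
  gtag('config', measurementId, {
    anonymize_ip: true,     // truncate the IP before Google stores it
    send_page_view: false,  // we send the page_view ourselves, with a scrubbed URL
  });
  gtag('event', 'page_view', { page_location: redactUrl(pageUrl) });
}

// Send a custom event, scrubbing every string parameter on the way out.
function trackEvent(gtag, name, params) {
  const clean = {};
  for (const [k, v] of Object.entries(params)) {
    clean[k] = typeof v === 'string' ? redactText(v) : v;
  }
  gtag('event', name, clean);
}

// Stub that records calls instead of talking to Google, for offline testing.
function recordingGtag() {
  const calls = [];
  const gtag = (...args) => { calls.push(args); };
  gtag.calls = calls;
  return gtag;
}

// In the browser (placeholder ID, assumed):
//   configureAnalytics(window.gtag, 'UA-00000000-1', window.location.href);
```

Note what this does not do: it cannot help if the tracking script is loaded before the user has consented, and it does not touch the referrer or the Client ID, which is a pseudonym rather than PII. Apply the same `redactUrl` step to any other tracker that reports the page path (heatmaps, pixels), since each of them sees the same URL.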

GDPR & Mouseflow
(or Kissmetrics, Hotjar, Crazy Egg, LuckyOrange)

1: Form Fields: Mouseflow (affiliate link), our favourite heatmap generator, released a feature that excludes content from being recorded, so that personal data doesn't automatically get captured from the user session. You can now also whitelist form fields for tracking directly from the UI. This ensures Mouseflow will not mask form fields you do wish to track, preserving the original text that was entered. Use this sparingly: a whitelisted field is sent to a third party verbatim, so never whitelist a field that can contain a name, email, address or payment detail. You can set it up under Settings > Advanced Settings > Whitelist Fields using simple CSS selectors.

2: Page Content: You can now exclude page content (HTML) from being captured directly from the UI. This makes it easy to block parts of a page which contain personal or sensitive data, so this data is never sent to Mouseflow's platform. You can set it up under Settings > Advanced Settings > Exclude Content using simple CSS selectors.

If you're using Hotjar, you also have to make sure it is set up to be GDPR compliant (Hotjar provides a settings guide for this).

Data Protection and Lookalike Audiences:

You may still use lookalike audiences in your advertising within social media, but with some extra measures. When we as advertisers don't get to see the actual PII of the audience members, the network the lookalike audience is created on is the data controller for the matching. Don't assume that makes you a bystander, though: you still decide to upload the seed list or to embed the pixel, and regulators and courts increasingly treat that as (joint) controllership.

That said, if your lookalike audiences are created from your website visitors then this must clearly be stated in your website privacy policy and cookie opt-ins.  Same thing goes when you use your customer databases of emails and phone numbers to create lookalike audiences, then you must have clear consent from the seed audience to use their data to create lookalike audiences.

Must I list every cookie and online tracker in my consent banner?

Under the GDPR's transparency requirements, every cookie that handles personal data must be clearly identified (and the ePrivacy rules require consent for every non-essential cookie, personal data or not).

Your site visitors should be able to see the details of every cookie if they want to, with a complete list of all online tracking and active cookies in use on your website. Your site should be scanned through all its pages monthly to detect and identify every cookie and tracking technology in use, since third-party scripts change what they set without telling you. Within your policy, the cookies should be listed along with a description of their origin, their duration and the purpose you use them for.

Cookiebot has an excellent explanation of this still very murky topic.

As a free Cookie Tool we use CookieConsent on our website, we like it and can recommend it :)

7. GDPR Fines:

Fines have been increased substantially. Depending on the infringement, there are two tiers (Art. 83). The lower tier, for failures such as inadequate security measures, missing records or not notifying a breach, is up to EUR 10,000,000 or 2% of annual worldwide turnover. The upper tier, for infringing the basic principles, data subject rights or the rules on international transfers, is up to EUR 20,000,000 or 4% of annual worldwide turnover (based on figures from the preceding financial year), in each case whichever is the larger sum.

8. Conclusions:

The GDPR is good news for the general public, ensuring the safety of the internet and promoting fairness and respect in personal data usage. Some questions still remain murky, such as those related to pixels, be it Facebook pixels, LinkedIn pixels, etc. How will these be GDPR compliant? How can we legally and respectfully track audiences to make targeted ads? How about Google retargeting? Unfortunately, some questions remain (for the time being) unanswered. Make sure to follow up for updates on this post as answers roll in!


We understand that you may have some additional questions! We at onlineKarma understand the need for accountability vis à vis these important topics; we are ready to help you with the relevant changes and your online marketing campaign. As always, we look forward to your feedback and wish you happy karma!

*Please note that the information contained in this blog post is for informational purposes only and does not in any way constitute legal advice.

9. GDPR Related Definitions

Cookie Policy:

A page on your website that states what cookies are used on the site, both yours and from third parties and what data you capture with them and what you do with it.

Controller / Data Controller:

‘The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Encryption:

Transforming data so that only parties holding the key can read it. Encrypted personal data is still personal data for whoever holds the key; encryption is a safeguard (Art. 32), not an exemption.

PII (personally identifiable information ):

A US term for any information that can identify a person directly or indirectly. The GDPR uses the broader term "personal data": any information relating to an identified or identifiable individual, no matter if it relates to their private, professional or public life.

Privacy by Design and Default: 

Strictest Privacy Settings at Every Step
Privacy settings on every part of a website, be it forms, analytics, or anywhere else user data is managed or stored, must be set to the most protective level by default (Art. 25).

Privacy Policy:

Legal document / statement explaining how a party gathers, uses, discloses, and manages customer / client information.

Pseudonymisation / Anonymization Definition:

These are two different things. Anonymised data is data from which the individual can no longer be identified by any means reasonably likely to be used (Recital 26); it is no longer personal data and the GDPR does not apply to it, so the data must be scrubbed of everything that could render the subject identifiable, including combinations of indirect attributes. Pseudonymisation (Art. 4(5)) transforms personal data so that it cannot be attributed to a specific data subject without the use of additional information (for example a key or lookup table), which must be kept separately and protected. It does not remove all identifying information, only reduces the possibility of linking a dataset to a person, so pseudonymised data is still personal data. The GDPR encourages it as a safeguard (Art. 32) and as a factor that can make further processing compatible with the original purpose (Art. 6(4)).

SSL certificate:

Secure Sockets Layer, the predecessor of TLS (Transport Layer Security), is the protocol that encrypts information such as credit card transactions, data transfers and logins between a website and the browser. The certificate identifies the website to the browser so that the encrypted connection is set up with the right party. The SSL protocol versions themselves are obsolete and should be disabled on the server; "SSL certificate" survives as the everyday name for a TLS certificate.
