GDPR Implementation Checklist

Appoint a Chief Data Officer (CDO)

In larger enterprises or ones with deep profiling this person needs to have a direct to board reporting line

Seek Legal Advice

You will want to seek legal advice, particularly prior to and to validate your LIAs and PIA (see below)

GDPR Training

It is recommended that key staff are trained on GDPR, including board members from the outset so that they are fully aware of the GDPR requirements and support the rollout

Customer Data Source Audit

Identify the sources of the existing customer data and what fields / type of data is being kept, as well as the quantity, including: systems, CRMs, website platforms, ecommerce platforms, marketing platforms, spreadsheets, accountancy solutions etc.

Customer Data Audit

Identify the quality of the data, and the specific permissioning of the data sets and individual customer data records

Work through your Legitimate Interest Assessments (LIAs)

LIA is to identify where ... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...

Work through the Data Privacy Impact Assessment (DPIA)

A Data Protection Impact Assessment, also known as a PIA, is an assessment to identify and minimise non-compliance risks, this needs to be firmly in place.

Customer Data Workflow Analysis

As part of the PIA and LIAs you should have identified all the customer data workflows, and either have identified which ones need changing or which datasets need to be removed, as well have having all the remaining ones being fully justified.

Identify GDPR platforms and compliant Processes

Identify which will be the core GDPR system where the customer GDPR permissioning is stored and available

Identify all the other systems which will contain data affected by GDPR and identify the data routing / workflows you will need to have in place

Change Management

Identify all the changes in working practices and systems, along with the integrations that are required.

Data Cleanse

Ensure you have cleansed your datasets as far as possible prior to any re-permissioning campaigns.

Re-permissioning Campaigns

Running ‘wild’ email re-permissioning campaigns is likely to affect your email / campaign deliverability, or potentially to have you suspended by some email service providers, and will affect your audience engagement. Cleaning up the data as far as possible in advance will minimise these risks.

Use online and offline means to re-permission, including 3rd party data bureaus and services, in particular prior to the 25th May. Ensure all marketing re-permissioning is against the specific GDPR grade permissioning statements and that all are fully audited.

Preference Centre

Make sure that all customers can update their personal permission through an online preference centre. These then have to be distributed to all your internal systems and for all your customer data / marketing / sales workflows and platforms.

Also make sure that you have a cookie preference centre and proper control over cookie permissioning for non identified / permissioned users (this still requires legal clarification in the UK)

Integration

Identify and execute on all the technical API integrations and import / export workflows. Cease using the workflows / systems / processes which cannot be made GDPR compliant.

Data Best Practice Policy

Ensure you create a data policy that is shared with all the staff.

Ensure that everyone is trained and aware of the new data policy and that it is part of any staff contract and onboarding process

Privacy Policy

You will need to update your Privacy Policy to be GDPR compliant. You can see Affino’s here.

Cookie Policy & Dashboard

You will need to update your Cookie Policy to be GDPR compliant. You can see Affino’s here. Make sure that your Cookie Dashboard is also in place and that you have fully documented all the cookies in their correct categorisation. Ensure that the cookie bar also has the correct text as per your chosen GDPR strategy.

Data Breach Policy

Ensure you have a Data Breach Policy in place and make sure you have effective reporting workflows in place. You can see Affino’s here.

Terms and Conditions

Ensure that your website and service Terms and Conditions are updated to be GDPR compliant. You can see Affino’s here.

Set up your GDPR Forms

Depending on how you are set up to handle personal data requests you will want to ahve in place a host of GDPR related forms, potentially inlcuding: Forget me, Send me my data, and Do not profile me. You can see Affino’s here.

Lead Capture

Review your approach to Lead Capture and sharing. To be fully GDPR compliant, contacts whose details you are sharing (or selling) must have explicitly signed up to the third party’s company’s marketing / comms voluntarily (and un-bundled), and provided both permission and given you their preferences.

Auto Contact Archiving

If your platform, like Affino SaaS, supports auto contact archiving then explore putting it in place to ensure that you only have the personal data in your database that you should have.

Insurance

We strongly recommend insuring against GDPR related incidents. Note also that there is a high likelihood that you will need to update your working practices to be able to get appropriate insurance, e.g. 3 month enforced password updates for team members who have access to your CRMs.

Ongoing Review

Ensure that all the systems, workflows, and policies are continuously reviewed and updated, in particular when new processes and systems are on-boarded.

GDPR Implementation Plan

A key requirement is to have your GDPR implementation plan in place, and steadily reviewed and updated as milestones are hit. In the absense of full compliancy, having a plan in place is absolutely essential.

Other Checklists

If you are an Affino user you will want to follow the Affino GDPR Help Guide. It is packed with useful pointers as to the exact steps and elements which are essential to being fully GDRP compliant when using Affino.

The ICO has two useful checklists as well, one for Data Controllers and one for Data Processors, see them both here, and if you want to see how Parliament is doing with shaping the legislation, now not due until the last minute ... see here