The General Data Protection Regulation, or GDPR, goes into effect on May 25, 2018. Are you ready? Here are 5 tips you can use to help prepare for GDPR. Note that in this article we're focused on GDPR's impact on your web properties and cross-channel marketing automation. While Listrak does not provide legal guidance, the goal of this article is to pass along ideas and best practices. Always consult your company's legal team and the European Union General Data Protection Regulation Official Site for advice specific to your business.
Tip 1: Update your privacy policy.

Use clear, concise wording to describe how data is collected, how it will be used, and how long it will be kept. Ask yourself, is my company's privacy policy clear enough that my own family and friends would understand how my company uses personal data? If not, look for ways to simplify the words you use and always be transparent. Put yourself in your visitor's shoes. If you were a visitor on your site, what would you want to know about how your data is being used? Also, make sure your privacy policy is located where it can easily be accessed by your visitors and customers. Looking for ideas? See how Listrak is handling our own Privacy Policy.

Tip 2: Add consent-gathering steps to customer touchpoints on your web properties.

To determine when and where to ask for consent, you could start by making a list of where and how data is collected on your web properties. Next, make note of how each data point is used.  You are likely to see themes or clusters form around areas in the user journey such as when a visitor first lands on your site or during your checkout process. These clusters become good checkpoints to stop to ask for visitor consent to proceed. A few natural places to consider include the first page a user hits when they land on your site, signup forms, preference centers and the checkout process. Each site is unique, so look to add consent-gathering steps where it makes sense for your business.

Here are two common places you may consider getting consent:
If you use cookies you will likely need to capture express consent from EU visitors when they first land on your site. Your website operator should consult with your attorney to see if this applies to your web properties.

Marketing signup points are another area where you should seek affirmative consent from EU visitors for the collection of data for a specific purpose. To collect affirmative consent you may consider including not only a link to your privacy policy but also clear text that explains how you intend to use the data you are collecting.

You may also consider capturing and storing more robust consent information when someone hits the submit button. You may consider capturing information such as timestamp, IP address and the consent language the user saw when they opted in if you aren't already doing so.

Tip 3: Make your web properties GDPR-friendly for visitors who do not consent to use of their data.

In tip 2 we suggested you map out the data you are collecting and how it is used by your company. Now it's time to update your site functionality to stop collecting and processing personal data for visitors who wish to remain anonymous. Update your site functionality to only capture and process personal data for visitors who have given you express consent to do so.

Tip 4: Touch base with your EU contacts and customers to gain affirmative consent.

Now is a great opportunity to reach out to current contacts and customers in the EU to get affirmative consent that they still wish to get messages from your company. You should also confirm they agree to the ways you intend to continue using their data. It’s important that if you intend to continue marketing to EU subscribers beyond May 25, 2018, that you have a record of how they subscribed.

Check out our THRIVE course on how to set up a one-time reconsent conversation for EU contacts. (Available to Listrak Clients Only. If you don’t have a login to Thrive, reach out to your Account Manager or Support to get an access code.)

Tip 5: Get your internal processes, technology, and staff ready for GDPR Right to Know and Right to Be Forgotten requests.

Once you've put in the work to make your web properties and marketing GDPR complaint it's important you consider the role your own employees play in protecting personal data. Ensure everyone on your team with access to personal data understands their duties in protecting the privacy of your customers and contacts.
   • Decide now how you will handle cases where a customer or contact asks to see a copy of their data.
   • Decide now how you will handle cases where a customer or contact asks to have their data erased.

Ask yourself, “Who will take these requests?” “Who will validate the identities of the requesters?” “What steps will they take to validate the identity of the requesters?”

Also, consider whether or not you should build technology to automate the process of finding or erasing data.

Listrak has several processes and procedures in place to handle requests related to data access, data edits and data erasure.  Check out our THRIVE course for instructions on where to submit data-related requests.

In Summary:

Taking the time to make sure your web properties and cross-channel marketing efforts are GDPR compliant is an opportunity to show your visitors, contacts, and customers that you care about their privacy and personal data. For help implementing some of these tips, check out our GDPR Course in Thrive now or contact your account manager.

If you have questions about GDPR, contact privacy@listrak.com.‍

Listrak does not provide legal advice, however, we feel it is important to provide details on how the European Union General Data Protection Regulation will affect your business. We advise you to consult with your company’s legal team for additional details.