How to Get Ready for GDPR (Without Losing Your Mind)


The GDPR enforcement date is May 25. Will it be the End of the World as we know it?

What will happen when the EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018? The potential consequences of violating the new privacy legislation are severe, and we’re all talking about it.

Inbound AV is updating our data practices and policies and those of our clients. And, we want to help you prepare, too. This is the first in our series on GDPR readiness: a common sense guide to beginning your GDPR compliance project.

Please know that this is not intended to be legal advice, and you may want to consult an attorney. Our recommendations here are based on studying the regulation and also on the actions of enterprise organizations as they prepare for the GDPR to take effect.

Discovery Phase

This first step is straightforward. It’s time to take inventory of your data policies and data practices. Data policies include your published privacy policy, cookie policy and terms of use. Your data practices are the ways in which you collect, store and use customer information, including email addresses and browsing histories.

Getting your arms around data practices is probably more complicated than rounding up your policies. Depending on the size of your organization, you might have different departments or resources managing the various customer touchpoints that collect data. Here are two big questions to ask your teams:

1. Where do we collect email addresses?

This might be on your website, on social media channels or even offline in your physical store. Think beyond your marketing activities — do you capture email addresses to fulfill orders, or to gather customer feedback? Those touchpoints count too!

2. How does our website use cookies?

Most websites rely on cookies for basic web browsing. Other activities that are often cookie-dependent are remarketing, analytics tracking, conversion tracking, displaying ads, commenting and logging in.

Make a Plan

You will almost certainly need to update all of your data policies and practices. Your goal is to address these crucial GDPR requirements:

A clear, simple and thorough privacy policy.

A GDPR-compliant privacy policy communicates some important pieces of information, such as:

  • Identification of the business that manages the website, along with a physical address.
  • The full name of your Data Protection Officer if you have one.
  • The bases on which you collect information about your customers. GDPR identifies six legitimate bases. Learn more here.
  • A description of how you use the information you collect.
  • A statement on how your site uses cookies to record customer data.
  • How users can view the data you have collected about them.
  • How users can complain about your policy or your data practices.

The right to access data.

Users have the right to see the data you’ve collected about them. As a website owner, this means you’ll need to implement some form of logging that will surface customer data upon request.

The ability for a user/customer/visitor to be forgotten.

Not only do users have a right to see the data you’ve collected about them, they also have the right to request deletion of that data. This is likely the most challenging to-do of your GDPR readiness program. As this topic is fairly complex, we’ll cover it in greater detail in a future article.
Your users must actively consent to your data policies, and you must document this consent action.

The way you collect consent is also important. The regulation is fairly clear on this point: you cannot have a consent box checked by default. Your users must actively check a box stating that they agree to your policies.

Further, you’ll need to ask for consent again whenever you make substantive changes to your data policies. And that means you’ll need to implement some type of versioning control for those policies, along with the ability to track consents by version.

Implement the Plan

If you’ve done nothing with respect to GDPR just yet, don’t worry. We’ve identified the bare-bones first steps to take.

1. Rewrite your data policies.

A great place to start is by reviewing the privacy policies of larger organizations. Here is Etsy’s new Privacy Policy. Is Slack your favorite messaging app, too? Here is Slack’s revised Privacy Policy. Your needs may not rise to the level of these two huge enterprise companies, but start by familiarizing yourself with these comprehensive policies, and craft a policy that addresses your practices.

2. Craft an email letting your customers know you’ve updated your policies.

It’s wise to use language such as: By continuing to use our services on or after May 24, 2018, you acknowledge and agree to our updated privacy policy, cookie policy and terms of use. Don’t forget to link to those live policies on your website.

3. Update all email signup forms to include a required checkbox.

The checkbox will state that the user agrees to your Privacy Policy and Terms, and will link to both. As noted above, this box cannot be checked by default. Users must actively check the box.
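The required checkbox in step 3, together with the versioned consent record described under Make a Plan, as an added JavaScript example that is not part of the original post; the policy version strings, the in-memory log and the function names (renderConsentCheckbox, recordConsent, needsReconsent) are assumptions.

```javascript
// Added example, not code from the original post: the server side of the
// consent checkbox (step 3) with the versioned consent record the plan calls for.
// POLICY_VERSIONS, recordConsent, needsReconsent and renderConsentCheckbox are
// assumed names; the version strings and in-memory log are constructed.

const POLICY_VERSIONS = { privacy: "2018-05-v2", cookie: "2018-05-v1", terms: "2018-05-v1" };

const consentLog = []; // stand-in for a database table of consent events

// The checkbox is rendered unchecked and required, linking to the live policies.
function renderConsentCheckbox() {
  return '<label><input type="checkbox" name="consent" required> ' +
    'I agree to the <a href="/privacy">Privacy Policy</a> and ' +
    '<a href="/terms">Terms of Use</a></label>';
}

// Only an explicit, affirmative value is accepted. A browser omits an unchecked
// box from the submission entirely, so a missing field means no consent; the
// server never assumes a default, even if a client were to pre-fill one.
function recordConsent(fields, versions = POLICY_VERSIONS, now = new Date()) {
  if (fields.consent !== "on" && fields.consent !== true) {
    return { ok: false, reason: "consent checkbox not actively checked" };
  }
  const entry = {
    email: fields.email,
    versions: { ...versions },          // snapshot of exactly what was agreed to
    at: now.toISOString(),              // documents the consent action itself
    source: fields.source || "unknown"  // which touchpoint collected the address
  };
  consentLog.push(entry);
  return { ok: true, entry };
}

function latestConsentFor(email) {
  const own = consentLog.filter(e => e.email === email);
  return own.length ? own[own.length - 1] : null;
}

// A user must be asked again when any policy version has changed since the
// consent on record; users with no record are always asked.
function needsReconsent(email, versions = POLICY_VERSIONS) {
  const last = latestConsentFor(email);
  if (!last) return true;
  return Object.keys(versions).some(k => last.versions[k] !== versions[k]);
}
```

Bumping a version string in POLICY_VERSIONS after a substantive policy change is what makes needsReconsent return true for every user whose record predates the change.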

The key dynamic to remember is that none of us know how this new regulation will play out. We are implementing a plan based on what seems most reasonable. As the regulations come online, we will be iterating and tweaking our implementation.

If you plan to do this on your own, I’d highly recommend keeping an eye on the successes and failures of other businesses, which will be easy to research. Inbound AV will be posting relevant news as it comes in. Make sure you stay aware, as real businesses are affected by the regulations after May 25.

Now it’s time for you to become a GDPR Ninja.

Was this post helpful? Or do you have more questions? Send us an email.