
The Easiest High-Level GDPR Compliance Checklist Out There

Episode 61 on the Business Bites Podcast

The Gist Of This Episode:  Don’t freak out about the GDPR compliance deadline – listen for some quick steps on what you need to do to get protected!

What you will learn:

  • who needs to be mindful of GDPR regulations
  • why it is good business to be compliant
  • steps you need to take to make sure you are in compliance
  • and more!


Welcome to the Business Bites podcast, the podcast for busy entrepreneurs, whether you’re an online entrepreneur or seeking after brick and mortar success. This podcast brings you quick bites of content so you can learn and grow anywhere you are. Now here’s your host, Rachel Brenke.

Hey guys, Rachel Brenke here with another quick episode of the Business Bites podcast. Everybody’s hair is afire with this GDPR stuff. In fact, to be completely honest, I’m really sick and tired, even as a legal person, I am sick and tired of getting all the emails of all the updates of people’s privacy policies, of all of the “Oh my God, what do I do?” Freak out. Freak out.

Now you guys know I’m a United States based attorney and a majority of my listeners are in the United States, and I talked in Episode 59 a little bit about the fact that we, as U.S. based businesses, still need to be mindful of this GDPR stuff that’s coming, right? If you haven’t listened to the episode, the little crash course on it essentially is that GDPR is the General Data Protection Regulation. It is an EU, European Union, specific regulation when it comes to the receipt and storage of personal data.

That’s really important. That’s going to be the number one question that I want you guys to keep in your mind as we walk through this high level checklist for small business entrepreneurs, solopreneurs. Okay? Now, as I just said a second ago, this is a European Union regulation. The compliance drop dead date is May 25th. So you guys are staring down the deadline of that.

However, United States companies, listen to me. The first question I just had you ask yourself was, am I receiving information and am I storing it? The answer is yes if you have a website and you have not blocked all European Union sites or accessibility from those countries, or maybe you are one of those that’s targeting overseas customers or marketing, whatever. Basically everyone, unless you’ve taken the steps to block EU companies, needs to be mindful of the GDPR compliance, this General Data Protection Regulation, and being in compliance, which again regulates the receipt of data, and data can be anything.

It can be personal information: first name, last name, email. It can be demographic data. It can be their IP. It can be their location. Google Analytics is a big tracker that almost every one of you is probably using. Your contact forms, your opt-in forms, everything. So yes, U.S. based businesses, unless you’re going to take the steps to block these other countries, you need to be mindful of being at least somewhat compliant, if not in full compliance, with this.

Now, I’m a little preachy here today because I’m getting really frustrated for you guys listening to how “difficult and overwhelming” this seems to be so my goal with this episode is to break it down relatively easy for you all. I want you to understand that it’s really important that you look at what GDPR is requiring and take the steps to comply with it.

Now, let’s just take GDPR off the table for a second. Let’s just take out the fact that it’s an EU, European Union specific regulation. Let’s take out any of the push backs. You may be saying, “Well, it doesn’t matter. How are they going to enforce it on me?” Okay. The core elements, the core compliance requirements of GDPR do apply to you in these ways.

One, they’re really good business, okay? You guys are carrying and tracking and using and targeting with people’s personal sensitive data. Okay? It is good business to let people know that you’re receiving that information. What you’re doing with it, how you’re storing it and how you’re using it. It’s just good business. In fact, if you already had solid website terms and privacy policy terms prior to this, hopefully they were lawyer drafted. You’re not going to have a lot of a change.

You’re already the majority of the way there. Okay. If you did not have website terms on your website prior to this, maybe you’re a United States business and you’re going, “Oh, I don’t really need it.” Go find me a website that doesn’t have them. Let me scratch that. Go find a reputable website, large company, small company, that does not have these proper terms. These are legal documents that are in place to protect you. The website terms are going to create that legal relationship with your visitors, your potential customers, your clients, and it’s going to govern that legal relationship with anyone that hits your site. The privacy policy terms are going to regulate much of the GDPR stuff and the data information that we’re talking about. It is just good business. I’m not going to talk much more about terms and privacy policy. Just know that you can head over to Episode 59. I have an entire episode that talks about this.

That is the number one low hanging fruit thing that United States based businesses can focus on getting implemented. I’m going to give you the next steps that you guys need here in a couple of minutes, but just know you’re gonna need to have proper terms in place. So go ahead and just snag GDPR compliant ones, especially if you need to update your stuff anyways, because, one, best business practice. Two, guess what? Many states are already requiring some of what GDPR requires. Mind blown, right?

Especially if you’re out in California. A couple of the other ones that are very finicky require a privacy policy, so you need to make sure that you’re in line, so why not get two birds with one stone. Get GDPR compliant. Get state compliant and have it. Third reason that I think it’s really important that we just go ahead and embrace this GDPR compliance and use it, besides good business and that it may already be required.

I would lay money that United States is going to start moving towards requirements much like this. As we move on in this technical age, guys, with the advances of technology and data mining, consumers are getting more and more wary about it. They want to know what information is being received, how it’s being received, how it’s being used, right? Be transparent with your audience. Be good business [inaudible 00:06:17]. Get in compliance with GDPR. Get in compliance with your state, but also be proactive and go ahead and get all these birds killed with one stone in order for you to be able to move forward confidently.

Because I will guarantee that many of what is in the GDPR and a lot of the existing state requirements is going to end up branching across America. So we need to make sure that we are not only being reactive, we’re not sticking our head in the sand on this GDPR stuff cause you think it doesn’t apply to you. We need to move forward.

So what have we learned thus far? Okay. GDPR is EU based. Unless you’re going to block your site, you probably need to get compliant. I’ve also explained to you that the lowest hanging fruit, the simplest thing that you can do, is have a proper GDPR compliant terms bundle. Why? Good business. Gets you in compliance. Many states are requiring it and states are probably going to move towards it, and you’re going to build the consumer and visitor confidence by being transparent when people know what you’re doing with all their data.

So now that I said that, I’m going to give you guys the nice little high level checklist that many of you solopreneurs or small business entrepreneurs need to be mindful of. One of the problems with this whole GDPR craze is that you’re seeing these large impacts and these large blog articles coming out from these huge companies.

If you are not a company that is managing mass amounts of data, that’s not processing mass amounts of [inaudible 00:07:42]. That’s not even necessarily running your own data storage. You’re not your own host. You’re not your own server. You’re merely using third party apps. This whole hype is not that big of a deal. I’m going to give you guys the easy steps here in a second to be able to fix and get easy compliance and make sure that everything is all protected. Okay?

Now, so stick with me here. Say it with me. I’m going to get in compliance for all the reasons that Rachel said. I’m going to get into compliance because I am a professional and this is what I should do for my visitors. So here are the quick steps that you need to be mindful of. First one, very simply, very interesting that I didn’t think that this still needed to be said, but you need to double check to make sure that your site has an SSL certificate.

If you don’t know what that is, contact your host and see what they can do to get that for you. Second, I’ve already discussed the low hanging fruit. That’s super easy. Website terms and privacy policy updates. I’m not going to dig into that any further in this episode. Go back one episode to Episode 59, because I talk about exactly what needs to be included, the information, how to apply it and how to implement it in your business.

I’m going to give you a little spoiler here. I, obviously as an attorney that provides contract template forms, provide these website terms and privacy policy, GDPR compliant, available on RachelBrenke.com. I’m not the only one. Your local lawyer could probably do this for you. There’s other sites as well. Please just get a lawyer drafted document in place and get it implemented. Episode 59, go check it out.

All right, so here’s where I think it gets a little more finicky where people are freaking out. They’re like, “Okay, well how do I get in compliance? Is it what I’m doing with the data or is it when I’m taking the data?” It’s both. Okay. So let’s first look at our website. Let’s check out, because this is where all these EU companies or these EU customers or consumers are potentially going to come through us, through the websites that we have, right?

I’m talking about your stand-alone website, so let’s look at our server. Let’s look at our hosts. Are they in compliance? We’re going to run through all third party companies that we’re using in order to ensure they’re all in compliance. We’re also going to run through, if you’re on WordPress, all of our plug-ins and make sure all creators that are receiving data are in compliance.

Please pay special attention to the free plug-ins that may have not been updated for a couple of years or even low cost ones. Just because you had paid for it doesn’t necessarily mean that it’s going to be in compliance. So we want to make sure that we check all third party apps, that they’re going to be compliant and make sure we check all of our plug-ins to ensure that all creators that are receiving data are in compliance.

Cause again, what is the threshold? What is the question that we’re asking ourselves? Are we receiving data and what are we doing with that data? So we want to ensure are we using a plug-in that is sending data to another site? Is it sending it back to the creator? Are we using APIs and those sorts of things. Check your plug-ins. Check your third party apps. Super simple and easy.

Now here’s a little something that I want to mention off to the side. People start freaking out. “I don’t have a data protection officer. I can’t afford to hire one. What do I do with this? But my privacy policy requires it. But you know, I see everyone else has one.” You do want to identify a data protection officer. All that fancy title means is you need to identify someone within your business that’s going to be able to handle the inquiries, because EU companies, as I outlined in Episode 59, people can inquire to see what information is being held on them.

You have to show them and then you have to delete at their request, unless you can maintain it under applicable law. That is basically what the data protection officer’s responsibilities are going to be. Also, within the scope of that data protection officer, which can be you, especially if you’re a solopreneur, you’re already wearing many hats, you can do this as well. You need to identify what happens if I do have a breach. What are my steps going to be?

I highly recommend that you identify that data protection officer. Talk with them. Maybe it’s yourself. Go into the bathroom, look in the mirror, talk with them about the website terms and privacy policy updates, run through the third party apps with them, run through the plug-ins and make sure that you guys have gotten all of it situated for the compliance that’s going to be coming down May 25th.

Another step that you need to take is you want to identify, and this isn’t necessarily I think a super big requirement, but if you guys listen to my other episodes, I’m a big proponent of having insurance. If you are a site that has taken very sensitive data and you’re not completely relying on third party apps, even still I probably would want a CYA. Check with your insurance companies and see if they have cyber-insurance terms written into the existing liability insurance you have, or see how much a rider would be.

This is a really good insurance policy to have because some of them allow for that if you have a data breach and you get sued, you could potentially be able to have your attorney’s fees recouped through the cyber-insurance. It can also look at paying your damages for you as well. So that’s something that you and the data protection officer, again it can be yourself, want to talk through.

All right, and I’m just going to end off of this with this high level checklist of what you guys really can tangibly go and do right away. One of the biggest things and the key foundations of the GDPR is that we have all these new policies that we have to be in compliance with, but we also need to have the visitors of our site, or anyone that we’re taking information from, overtly assent to the terms.

Okay. And so what are some of the easiest ways to do this? Well, do you have a contact form? Yes. Are people submitting their email address or phone numbers or their names through that contact form? Yes. So what does that mean? They need to agree to your terms. Add a checkbox. They have to give overt assent. Link your terms right there, the website terms and privacy policy that you learned about in Episode 59. Boom. Contact form taken care of.

Go to your opt-in pages. Do your opt-in pages take their name, their phone number, their other data, their email? Yes. Okay, good. We’re getting information, so what do we need to do? We need to have a checkbox or some sort of overt assent. Not just by behavior. Behavior is not assent. We need them to actually take and click or sign that they are agreeing to the terms of the site. Link your terms like I talked about in Episode 59.

Contact forms, opt-in pages. This is why I’m talking. This is really where I’m heavily focused on when United States based businesses are like, “Well, GDPR doesn’t apply to me and it’s too difficult.” I’m like, “It’s too difficult to put a checkbox on your contact form? It’s too difficult to link what you should already be doing on all footers of your website, your website terms and privacy policy and link it on your opt-in pages?” No.

Guys, this is super simple and easy. It’s something you could do in the time that I finish talking on this episode. So check boxes to get the overt assent by anybody that’s visiting your site and who’s submitting their private information, sensitive information, into your website. Keep in mind though, your check boxes cannot be defaulted as checked. They have to take the actual act of either checking it or signing. Okay?

My recommendation, if you already have an existing list and you … and this is what’s funny, is I’ve had so many United States businesses say to me, “Oh, I don’t have any people in the EU.” And I say, “Really? Please go check.” They ended up going and they pull it. They’re like, “Man, I didn’t realize for my Google Analytics, I didn’t realize how many EU visitors I had.” Or “On my email list, I didn’t realize how many of these were EU based IPs.” Right? And so you want to identify how many people on your existing list are from EU countries and then it probably would be good practice if you’re updating your website terms and privacy policy anyways to send out a blast, like everyone else and their brother is doing and have everyone opt into that.

Now again, the United States based consumers or the people that are on your list, unless you’re in a specific state that requires it, none of those people necessarily have to take that step to overtly assent to the terms, right? But your EU based people do. So whether you want to segment out this existing list that you already have or you want to just send it to everybody, but make sure that you check that segmented group of EU people, because once you’ve given them an opportunity to assent under GDPR without their permission, you shouldn’t be storing, not just using, storing their data anymore. Okay.

Because we’ve got to look at it from this timeline. May 25th is the drop dead date. Say we’re sitting right there on that line. We have to not only have the check boxes on contact form, opt-in pages and have our website terms, privacy policy, data protection officer and all that in line starting May 25th going forward, but we have to identify all of the customers or the people that have contacted us May 24th and previously.

So kind of just brainstorm some ways that you want to be able to get into compliance with the EU countries, consumers or customers previously. Again, you don’t necessarily have to send out your updated website terms, privacy policy to your whole list, which includes the United States based people. Unless you’re in a specific state that already requires you to do that, it is a good business practice to have everyone do it.

You could use this as a time to scrub your list, get re-engagement, start warming back up, maybe some cold leads. It’s really … this would be an ample opportunity to do it. I know it’s super difficult because everybody else and their brother is sending out these, “Oh, look at my new privacy policy.” And everyone’s just closing them. They’re not really opening them. Right? So it is a little tricky dance, but it’s something we need to be mindful of.

Now, real quickly, just a little high level checklist on that and I’m not done because I’ve got a little bit more after I recap this checklist. So guys, do not turn off the podcast yet. Website terms and privacy policy updates, lawyer drafted, check Episode 59. Super easy to do. Within that, you’re gonna need to identify a data protection officer and work with them on the terms and privacy policy updates and the data protection plan and policies that your company is going to have in case of breach.

See if you have any cyber-insurance available to you. Make sure you have check boxes with linked terms for an overt assent such as contact forms, opt-in pages, link all your website terms and privacy policies on every page of your site. I just find that great business practice even without this GDPR stuff.

Identify how many people on your list are from the EU countries. Decide how you’re going to have them give this overt assent to remaining on your list and what the drop dead date that you’re going to use for purging them and getting rid of this data.

Now, as of May 25th you’re supposed to cease use of any EU data for marketing and/or targeting without this express opt-in agreement to terms. I’ll let you guys do with that what you want, but that’s the drop dead date again is May 25th. Now, if you guys are using independent contractors, if you’re using employees, here’s something else that you need to be really mindful of.

You need to ensure that you’re implementing documents that also include confidentiality language in there that’s going to help to insulate and protect you if these contractors or employees have potential access to the data that’s being stored. Because think about it, we’re looking at all of this and this episode really is primarily from a website based perspective. You could have people that call in. You could have … it depends on where you are and who you’re marketing to, but you could have people mail in stuff.

It’s all … what is the threshold we talked about. It’s the receipt and storage of personal information, of this sensitive data that we’re collecting. Okay. And if your employees or contractors have any access to the site, if they have any way that they’re seeing spreadsheets or they are handling this personal information, they not only need to be well versed in the data protection plan that you’ve created with the data protection officer, but you also need to make sure that you have in their documents with them that there’s confidentiality that exists.

You need to have confidentiality language and honestly guys, you should have already had your employees and your independent contractors already signing the proper documents. But just double check and make sure and you might want to address in there the policies and procedures and just another line of defense to make sure that you are taking all steps to safeguard this personal data because you as the owner, as a CEO, as the entrepreneur, are the person that’s going to end up having an issue and you’re going to be the one that ends up in trouble and you just want to have a little recourse and little safety.

So make sure you have the proper documents in place that have confidentiality language and policies in there as well. Now, I hope I didn’t overwhelm you guys too much. This is a little longer episode than normal.

Just keep in mind website terms and privacy policy updates, cyber-insurance, data protection officer, checklist of your plug-ins and third party apps. Make sure they’re all in compliance. Check boxes for overt assent on contact form, opt-in form, opt-in pages. As of May 25th, cease use of any EU data for marketing and targeting as well as storage.

If you guys have any questions at all, please feel free to jump over to the Facebook Business Bites group. It’s simply The Business Bites. I’m more than happy to try to answer questions, get you some more resources on it, and now, we’re not heavily working on this, but we’re going to put out a lot more resources since we are a United States based business. The information that I put out is what I find to be the most relevant and easiest stuff that United States businesses can implement.

If you are an EU based business or a US business that consistently markets to the EU, you may need to seek local counsel to get a little bit more hands-on assistance. Maybe you’re a U.S. based business that has a way more complex system than just a typical website or even an e-commerce site and you have a lot of different programs and systems in play.

Definitely worthwhile getting a legal review done to make sure that everything is in compliance. Because again, like we’ve talked about in other episodes, guys, you never have an issue, until you have an issue. We don’t want there to ever be an issue and you have to end up playing clean up. Really easy to get all this implemented. I believe in you and I’ll see you guys in the Facebook group.

For show notes, a list of recommended tools or referenced episodes, you can find them at BusinessBitespodcast.com. Until next time.

About the author

Rachel Brenke is a lawyer, author and business consultant. She is currently helping professionals all over the world initiate, strategize and implement strategic business and marketing plans through various mediums of consulting resources and legal direction.
