The Ultimate Guide for SMBs: How Does One Become GDPR Compliant?

**PLEASE NOTE**

This article has been written for illustrative purposes only and has no legal value. It merely represents information compiled by LeadFox pertaining to the General Data Protection Regulation (GDPR). We recommend that you consult with a professional in order to ensure that your practices are compliant with the applicable legal provisions. Find the complete text here.  


Table of contents

  • Chapter 1: GDPR overview
  • Chapter 2: The Three Main Changes
  • Chapter 3: GDPR-Compliant Initiatives
  • Chapter 4: How is LeadFox preparing for the GDPR?
  • Chapter 5: How is LeadFox helping you prepare for the GDPR?
  • Chapter 6: How can you prepare for the GDPR?

Overview: What you should know about the GDPR

Starting May 25th, 2018, businesses will need to comply with the new provisions set out in the General Data Protection Regulation. More commonly referred to as the GDPR, the purpose of this regulation is to establish “rules for the protection of individuals and the processing of their personal data, as well as the regulation of the free movement of that data.”

The aforementioned personal data is described as “any information relating to a given individual [...] who can be directly or indirectly identified via an identifier, such as a name, an ID number, location data, an online username, or one or more specific elements that are unique to the individual’s identity [...].”

Come again? How about a more in-depth look?

The Purposes of this Legislation

There are three very simple underlying objectives to this text, which all aim to bring structure to the practices of businesses that collect, store, transfer, and use the data of European citizens within the context of their business activities. First of all, this legislation aims to unify the various European regulations that govern personal data protection. The development of the Regulation was therefore inspired by the various regional regulations already in place and the best elements were then consolidated into a single piece of legislation. Secondly, it aims to offer European citizens greater control over the use of their data.

This constitutes a major step forward in comparison to previous provisions, and it aims to prevent unpleasant incidents like the one that has caused quite a stir in the headlines in the past few weeks. Lastly, the European Parliament hopes to hold businesses accountable for the processing of personal data.

Is it too good to be true?

Non-Compliance and the Potential Consequences

However, businesses that do not comply with these provisions will incur severe penalties that are “proportionate to the offense and will serve as a deterrent.” Those fines can be set at 4% of the business’s revenue, or up to €20,000,000. DPAs (Data Protection Authorities), tasked with enforcing the various laws currently in place, are now responsible for ensuring GDPR compliance. For the time being, certain aspects, such as the complaints process, the scope of application, and the magnitude of fines and their underlying principle of proportionality, remain hazy. Nevertheless, the European Parliament’s objective is to send a very clear message: hefty financial constraints can be imposed upon those who attempt to circumvent the rules!

But don’t worry. A two-year grace period shall be instituted in order to allow businesses to comply with all provisions. What is the sole condition for receiving said grace period? You must demonstrate that adequate efforts are being made and that your business is actively trying to comply with those provisions.

Are you impacted?

The scope of this regulation is not limited by your geographical location. Canadian businesses: you may also be affected if you meet any of the following criteria, even if your business doesn’t have a single European client.


You must comply with the new provisions if:

  1. You operate a business within European territory,
  2. Your business is located outside of European territory, but you have European clients,
  3. You are compiling data pertaining to the behavior of European residents within the context of your business activities.

What does this look like in practice? For example, if some of your marketing initiatives include asking internet users to fill out a form so as to gain access to your services or content, you must comply with these rules. After all, the Internet has no borders and you cannot control where your web traffic originates from, nor exclude visitors living in certain geographical locations!

From the Data Protection Directive to the GDPR: 3 Main Changes

Implemented in 1995, the Data Protection Directive constitutes the set of rules governing the use of personal data. Needless to say, this legislation, developed before the arrival of cloud storage, CRMs, and online advertisements based on visitor behavior, is now...very much obsolete.  


The benefit marketers have reaped up until now: these directives were so ill-adapted to present-day reality that they left room for considerable leeway in the performance of various marketing practices. In order to reflect present-day trends, the GDPR outlines three key changes.

Citizens’ right to access their personal data and increased control thereof

The GDPR outlines the processes of collecting, storing, using, and transferring personal information. These new directives guarantee European citizens the following rights:

  • To demand easy access to data. According to this provision, all Internet users have the right to know the purpose of data collection, the type of data that is collected, which third-party entities will receive said data, and the data storage period the business intends to uphold. The user must also be able to file a complaint with the competent authorities, if necessary. Information acquired should be made available free of charge, provided within a one-month period, and in electronic format.
  • To rectify information. Visitors to your website can request to have any erroneous information about them rectified and that those adjustments be made within a reasonable time frame. The visitor to your webpage must be able to add missing items of information that pertain to them, should they so choose.
  • To erase information, namely the right to be forgotten. Each citizen can require a business to erase the data collected about them. The business must guarantee a timely removal of the data, unless the services they provide to the individual require the use of that data or unless legislation requires that the data be retained. A description of the technical measures deployed by the organization for destroying archived data should be accessible.
  • To request data portability. Through this measure, the European Union emphasizes that every individual is free to request access to the information collected about them. The business must provide this information in a readable and comprehensible format. The citizen may then send this data to the third-party entity of their choice, in so far as that action does not infringe upon the security or freedom of others.
  • To object to the collection of information. This provision guarantees that information can only be saved when an individual clearly states their consent. And speaking of consent...
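The rights listed above translate into concrete operations a marketing database has to support. The following is an added example (not code from LeadFox or from the GDPR text) showing how the access, rectification, portability and erasure rights can be served on one contact record. The contact data, the seven-year invoice retention rule and the field names are all constructed assumptions for the illustration; the erasure step shows the edge case from the "right to be forgotten" bullet, where some data must be kept because a legal retention duty applies.

```python
# Added example (not LeadFox code): serving data-subject rights on one record.
# Storage is an in-memory dict; the retention rule is a hypothetical placeholder.
import csv
import io
import json
from datetime import date


def sample_contacts() -> dict:
    """Constructed sample record (not real data), returned fresh for each run."""
    return {
        "ann@example.com": {
            "name": "Ann Example",
            "city": "Montreal",
            "lists": ["newsletter"],
            "consent_confirmed_at": "2018-05-01T10:05:00+00:00",
            "invoices": [{"id": "INV-1", "issued": "2018-03-01", "amount_eur": 49.0}],
        }
    }


INVOICE_RETENTION_YEARS = 7   # hypothetical statutory retention period for invoices


def access(contacts: dict, email: str):
    """Right of access: everything held about the subject, in electronic form (JSON)."""
    rec = contacts.get(email)
    if rec is None:
        return None
    return json.dumps({"subject": email, "data": rec}, indent=2, sort_keys=True)


def rectify(contacts: dict, email: str, changes: dict) -> bool:
    """Right to rectification: correct or add fields, but never system-set ones."""
    rec = contacts.get(email)
    if rec is None:
        return False
    protected = {"consent_confirmed_at", "invoices"}
    for key, value in changes.items():
        if key in protected:
            raise ValueError(f"{key} cannot be edited by the subject")
        rec[key] = value
    return True


def export_portable(contacts: dict, email: str) -> str:
    """Right to data portability: a flat CSV the subject can hand to another provider."""
    rec = contacts.get(email)
    if rec is None:
        return ""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for key, value in sorted(rec.items()):
        if key == "invoices":
            continue   # billing records are not data the subject supplied
        writer.writerow([key, json.dumps(value) if isinstance(value, list) else value])
    return buf.getvalue()


def _retain_until(issued: str) -> date:
    d = date.fromisoformat(issued)
    try:
        return d.replace(year=d.year + INVOICE_RETENTION_YEARS)
    except ValueError:   # issued on 29 February
        return d.replace(year=d.year + INVOICE_RETENTION_YEARS, day=28)


def erase(contacts: dict, email: str, today: date) -> dict:
    """Right to erasure: delete everything unless a retention duty applies;
    in that case keep only the records the duty covers and drop the rest."""
    rec = contacts.get(email)
    if rec is None:
        return {"erased": False, "reason": "no data held"}
    kept = [inv for inv in rec.get("invoices", []) if _retain_until(inv["issued"]) > today]
    if kept:
        contacts[email] = {
            "invoices": kept,
            "erasure_requested": today.isoformat(),
            "retained_reason": "statutory invoice retention",
        }
        return {"erased": "partial", "retained": [inv["id"] for inv in kept]}
    del contacts[email]
    return {"erased": True}
```

The design point is the split in `erase`: marketing data (name, city, lists, consent record) goes immediately, while the records under a retention duty survive with a note of when erasure was requested, so the partial state is itself documented for the subject and the authority.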

A more stringent definition of consent

The GDPR completely revises the notion of consent generally used by marketers.

Automatic registration (where the visitor is responsible for removing themselves from mailing lists) and, similarly, the passive opt-in approach (a pre-checked box) will be deemed fraudulent. The opt-in method will therefore be the only measure recognized for obtaining an individual’s consent to the collection and use of their personal data. The rules governing data collection and the use of that data must be stated clearly and without ambiguity, and the citizen must be able to easily withdraw their consent at any time.

Greater transparency regarding the use of data once it is collected

The GDPR provides a set of directives on the transparent collection, storage, use, and transfer of data acquired in the context of your business’s activities. Your business practices must therefore align with this perspective, particularly with regard to ensuring that archived personal data is adequately protected against malicious use or theft. In order to ensure compliance, you can add an easy-to-access Terms and Conditions section to your website which clearly describes the various uses of the data you collect.


This directive affects many of your daily marketing activities.

In the context of your email marketing campaigns, be sure to add a few elements to your templates, such as an opt-in field during the initial interaction, or even an ‘unsubscribe’ link with every email communication. You must also be sure to maintain proof of consent for each contact in a readable format.

Even after the implementation of the GDPR, it will still be possible to employ automated marketing strategies, such as deploying forms and email marketing campaigns, retargeting, and profiling. Nevertheless, visitors to your website must be able to withdraw their consent at any time. The purposes of data collection and use thereof must also be outlined in the Terms and Conditions section of your website.  

Examples of Compliant Initiatives

In order to comply with the provisions stipulated in the GDPR, marketing initiatives must meet several criteria. In particular, they must outline the specific reasons for data collection and define the context in which that information is to be used. Providing easy access to your website’s privacy policy and terms and conditions for all visitors is imperative.

When should I use the famous opt-in – a.k.a. checkbox? The opt-in checkbox is a highly recommended element for each of your forms. According to some marketers, this regulation forces organizations to implement a double opt-in process: an initial checkbox at the time of subscription, followed by an email asking the subscriber to confirm their subscription.

Even though this approach brings with it certain advantages – leads are typically better qualified and more engaged later on – no textual directive actually requires your business to implement such an approach.
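To make the consent mechanics of this chapter concrete (unchecked opt-in box, optional confirmation email, proof of consent kept in a readable form, withdrawal at any time), here is an added example that is not LeadFox's code and not part of the original article. It assumes in-memory storage, hypothetical form identifiers and purposes, and it keeps only a hash of the confirmation token so that the stored proof cannot be replayed.

```python
# Added example (not LeadFox code): a minimal consent ledger that records an
# opt-in, runs a double opt-in confirmation, keeps proof of consent in a
# readable form, and lets a contact withdraw at any time.
# Assumptions: in-memory storage, hypothetical form ids and purposes.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import secrets


class ConsentError(ValueError):
    """Raised when a subscription does not meet the opt-in requirements."""


@dataclass
class ConsentRecord:
    email: str
    purposes: list                      # what the data will be used for, as shown on the form
    form_id: str                        # which form / terms version the contact saw
    requested_at: str                   # ISO-8601 UTC timestamp of the checkbox tick
    confirmed_at: Optional[str] = None  # set when the confirmation link is used
    withdrawn_at: Optional[str] = None
    token_hash: Optional[str] = None    # only a hash of the one-time token is stored

    @property
    def status(self) -> str:
        if self.withdrawn_at:
            return "withdrawn"
        return "confirmed" if self.confirmed_at else "pending"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ConsentLedger:
    def __init__(self):
        self.records: dict = {}

    def subscribe(self, email, checkbox_checked, checkbox_prechecked, purposes, form_id, when=None):
        """Record an opt-in. Returns the one-time token to embed in the confirmation email."""
        if checkbox_prechecked:
            raise ConsentError("a pre-checked box is not valid consent")
        if not checkbox_checked:
            raise ConsentError("no consent given: checkbox left unchecked")
        if not purposes:
            raise ConsentError("the purposes of data collection must be stated")
        token = secrets.token_urlsafe(32)
        self.records[email.lower()] = ConsentRecord(
            email=email.lower(), purposes=list(purposes), form_id=form_id,
            requested_at=when or _now(),
            token_hash=hashlib.sha256(token.encode()).hexdigest())
        return token

    def confirm(self, email, token, when=None) -> bool:
        """Second step of the double opt-in: the contact clicks the emailed link."""
        rec = self.records.get(email.lower())
        if rec is None or rec.token_hash is None or rec.withdrawn_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(rec.token_hash, presented):
            return False
        rec.confirmed_at = when or _now()
        rec.token_hash = None   # the token is single-use
        return True

    def withdraw(self, email, when=None) -> bool:
        """Unsubscribe link or preference page: consent can be withdrawn at any time."""
        rec = self.records.get(email.lower())
        if rec is None:
            return False
        rec.withdrawn_at = when or _now()
        return True

    def may_email(self, email) -> bool:
        rec = self.records.get(email.lower())
        return rec is not None and rec.status == "confirmed"

    def proof_of_consent(self, email) -> dict:
        """Readable proof for one contact: who, what for, which form, when, current status."""
        rec = self.records.get(email.lower())
        if rec is None:
            return {}
        out = asdict(rec)
        out.pop("token_hash")
        out["status"] = rec.status
        return out

    def needs_reconfirmation(self, emails) -> list:
        """Existing contacts with no confirmed consent on file."""
        return [e for e in emails if not self.may_email(e)]
```

`needs_reconfirmation` is the check to run over an existing database before the deadline: any address without a confirmed record goes into the reconfirmation campaign, and anyone who does not confirm is simply never emailed again.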

Examples of Compliant Initiatives

The Internet is brimming with examples of companies that have already implemented good marketing practices in compliance with the directives set out in the GDPR. Here’s one, but don’t let it keep you from doing your own research (into your competitors’ practices, for example) in order to create content that reflects your industry and brand image.

Example 1: (image not reproduced)

How is LeadFox preparing for the GDPR?

Obviously, LeadFox will be compliant as soon as the GDPR goes into effect on May 25th, 2018. Here is a summary of the rights that LeadFox will address:

  • The right to access one’s personal data
  • The right to consent
  • The right to transparency regarding the use of data once it is collected

Citizens’ right to access their personal data and increased control thereof

The GDPR outlines the processes of collecting, storing, using, and transferring personal information. These new directives guarantee European citizens the following rights:

  • To demand easy access to data. According to this provision, all Internet users have the right to know the purpose of data collection, the type of data that is collected, which third-party entities will receive said data, and the data storage period the business intends to uphold. The user must also be able to file a complaint with the competent authorities, if necessary. Information acquired should be made available free of charge, provided within a one-month period, and in electronic format.
  • To rectify information. Visitors to your website can request to have any erroneous information about them rectified and that those adjustments be made within a reasonable time frame. The visitor to your webpage must be able to add missing items of information that pertain to them, should they so choose.
  • To erase information, namely the right to be forgotten. Each citizen can require a business to erase the data collected about them. The business must guarantee a timely removal of the data, unless the services they provide to the individual require the use of that data or unless legislation requires that the data be retained. A description of the technical measures deployed by the organization for destroying archived data should be accessible.
  • To request data portability. Through this measure, the European Union emphasizes that every individual is free to request access to the information collected about them. The business must provide this information in a readable and comprehensible format. The citizen may then send this data to the third-party entity of their choice, in so far as that action does not infringe upon the security or freedom of others.
  • To object to the collection of information. This provision guarantees that information can only be saved when an individual clearly states their consent. And speaking of consent...

A more stringent definition of consent

By May 25th, 2018, LeadFox will have completed three important actions intended to reinforce consent among its users:

  1. All forms will be GDPR compliant. We will request consent via an opt-in (checkbox) and we will display the terms of use for each one.
  2. We will have our contacts reconfirm consent in instances where we lack proof of consent.
  3. We will maintain proof of all of our contacts’ and users’ consent.

Greater transparency regarding the use of data once it is collected

In order to be completely transparent regarding the use of data, we have updated our terms of use and privacy policy. They describe what our email and marketing automation practices involve. You can view them by clicking here.

And finally, in order to maximize your data security, we have appointed an internal DPO (Data Protection Officer). The DPO will ensure that we are following the best global practices when it comes to our data management.

How is LeadFox helping you prepare for the GDPR?

In addition to committing to GDPR compliance, LeadFox is implementing several measures and tools designed to help you prepare for these new changes. Here are our suggestions:

LeadFox helps you respect your users’ rights

  • The right to rectify information. You can edit your contacts’ information yourself. Alternatively, you can contact us and we will help you edit, download, or delete your contacts’ data.
  • The right to erase information, namely the right to be forgotten. LeadFox allows you to easily delete a contact in just seconds.
  • The right to request data portability. You can export the data you collect about a contact via the contact settings.
  • The right to object to the collection of information. We recommend that you activate the free email preference option included in your account. That way, your contacts will be able to exercise their right to object through a hassle-free process of unsubscribing from certain lists via the ‘unsubscribe’ link in your emails or through managing their settings.
  • The right to require easy access to data. Be sure to clearly explain how you use the data you collect in your privacy policy and terms and conditions.

It is worth noting that if one of your contacts sends us a valid request to access or edit their data, we will respond to their request, and we will of course inform you of the situation.

LeadFox offers all of the necessary tools for you to comply with the GDPR

LeadFox includes all of the necessary tools for GDPR compliance. With LeadFox, you’ll be able to easily:

  • Create GDPR-compliant forms
  • Request consent from your future contacts
  • Have consent reconfirmed by contacts for whom proof of consent is missing
  • Maintain proof that your contacts have in fact given their consent
  • Respect all of your users’ rights (see above)

LeadFox offers you the marketing documentation you need

LeadFox stands out from the competition thanks to the quality of its dual-language marketing content. Our comprehensive section on the GDPR is no exception to the rule.

Below are links to LeadFox’s key GDPR documents:

  • The Ultimate Guide for SMBs: How Does One Become GDPR Compliant? (this article :))
  • A checklist - How Does One Become GDPR Compliant?
  • GDPR templates included within LeadFox
  • A web page summarizing the key takeaways
  • Knowledge Base files to help you at every step
  • How to create a subscription form that complies with the GDPR
  • How to set up a single and double opt-in confirmation process
  • How to obtain proof of consent from your existing contacts
  • How to maintain proof of your contacts’ consent (create a list – Consent for the use of GDPR data)
  • How to edit and delete information pertaining to your contacts
  • How to export information about your contacts
  • Activating email preferences
  • Requesting personal data modification

And finally, you can contact us at any time to get tips on how you and your business can comply with the GDPR. Evidently, a legal opinion is the only way to guarantee full compliance with all of the specificities of the law.

How can you prepare for the GDPR?

“Do you have access to data pertaining to me?”

“What is the content of that data?”

“Can I access the data collected about me?”

“Please destroy all of my stored personal data.”

“What measures have been implemented to guarantee the security of my personal information?”

With the implementation of the GDPR, your business should be able to provide all of the above information in a reasonable period of time. Do you know where to find all of that information? Before you start questioning your current practices, you should instead evaluate them in relation to the new obligations you must abide by. Start with the inventory of data you collect and how you process it. Here are a few things to consider:

  • What tools do you use to collect data?
  • Who can access that information?
  • Do you share that information with a third party?

The GDPR applies not only to new information you acquire after May 25th, but also to the email addresses currently in your database. You must therefore ensure that all of your contacts have consented to continuing the dialog you have entered into prior to that deadline. Yes, that unfortunately means that you must communicate with all of your contacts and have them confirm their subscription to your mailing lists. In so doing, you can remove dormant leads, contacts who no longer have sales potential, and individuals who no longer wish to maintain a line of communication with your company.


Then be sure to monitor the various elements that will allow you to quickly adapt to those new provisions. In this respect, you should also add an opt-in confirmation field to your forms immediately, as well as consolidate all instances of proof of consent into one single, easy-to-access document. You should also get used to deleting and editing your contacts. And finally, you should validate the technical process you use to export the data you’ve acquired. In brief, up until May 25th, 2018, we recommend that you be prepared to:

  • add an opt-in confirmation field to your forms
  • delete, export, and edit your contacts’ information
  • have your current database reconfirm their consent
  • clearly explain how you will use data collected from your contacts

We recommend that you download our GDPR checklist so you can be sure to cover all of the main points.

Do you have any questions about the GDPR and LeadFox? Send us an email at RGPD@leadfox.io, or view our comprehensive section on the GDPR here.