This Friday is the deadline for compliance with the European Union’s new General Data Protection Regulation, widely considered the strictest law in the world in terms of regulating the collection and use of consumer data. In broad strokes, GDPR generally requires that companies get clear consent before collecting people’s personal data, and it lets people access the data stored about them, correct it if it’s wrong, and delete it if they so choose.
Even if your business isn’t based in the EU, it may still be required to comply with GDPR if it collects data on people in the EU, and the fines for not complying can be severe: up to 20 million euros or 4% of annual revenue in the most egregious cases.
If you’re still scratching your head about what you need to do to get ready for the new law, here are a few resources that can help.
Parker, an automated chatbot from international law firm Norton Rose Fulbright, can help if you’re still figuring out whether your business outside the EU even needs to comply with GDPR. Essentially a checklist in chat form, the tool can help you decide in a few minutes how concerned you need to be about the new regulation. And if you’re still not sure after talking to the bot, it can connect you with one of the firm’s lawyers, and the conversation can provide some food for discussion with any attorney or vendor you might consult.
The GDPR Checklist
You may have seen research showing how useful checklists can be at making sure you don’t miss a step in any complicated but high-stakes procedure, whether you’re doing surgery or flying a plane. This GDPR compliance checklist, developed by a group of startup founders from Belgium, can help you take the same rigorous approach to making sure you’re ready for the new law.
Since the checklist is licensed under a Creative Commons license and maintained on the open source code-hosting site GitHub, you can feel free to tweak it for your own company’s needs or even suggest revisions via a pull request if you have your own ideas for how it should be improved.
Co.Design’s guide to GDPR for designers
While this guide is aimed at designers, it’s useful to anyone who’s involved in crafting websites, apps, or services that are going to potentially handle people’s personal data. Experts say the era of siloing off privacy and security concerns is over. Designers, developers, and managers all need to be thinking about what data they actually need to collect, and where they can store and process it. They also need to make sure users clearly agree to what’s going on and have the legally required resources to access, update, and delete their data if need be.
Segment’s GDPR Compliance Tools
If you want to let your customers see the data you have on them—and update or delete it if they wish—but you also store data across multiple cloud vendors, you might have some work to do.
“Companies consider data discovery and mapping to be their top challenge, because in today’s digital-first business environment, data processors are not only internal groups but, in most cases, direct and indirect digital vendors that support an organization’s mobile apps and websites,” says Chris Olson, CEO of The Media Trust, in an email. “Most organizations are unaware of who their extended network of digital vendors is, what personal data as defined by Article 4 each one collects through the organization’s digital assets, why they’re processing it, and whom they share it with, among others—all of which need to be documented under Article 30 of the GDPR.”
One solution is to use a core tool that syncs that data to as many of those third-party cloud services as possible to simplify things when those user requests come in or you’re preparing your compliance documentation. Segment, which has long helped companies connect with third-party data services, has rolled out tools to help its customers track those requests, data updates, and user consent changes to forward them on to supported vendors.
MailChimp’s Updated Consent Forms
Even if you haven’t been thinking about it for your own company, you may have received some GDPR-related emails asking you to verify whether you still want to stay on various email lists. But how can you make sure your own contact lists are compliant with the new regulation’s rules on consent and disclosure? MailChimp has developed new consent forms and data management tools that let its users record compliant opt-in data for the people they want to contact, whether those are existing subscribers being prompted to reconfirm consent or new visitors to the site.