10 GDPR Steps You Need to Know Pre-Launch

10 GDPR steps you need to know pre-launch 🐣

👩🏻‍💻 Establish a register of processing activities

Categorize all the personal data you collect and assess if you process any sensitive categories of personal data.

The register will be the stepping stone that will lead you to the next steps for GDPR compliance. You can identify the kinds of data you process, the format and location it is stored (the cloud, third parties), how it is shared internally and externally (third-party data transfers), who is accountable, and who has access to this data, etc.

→ A nice overview can be found here.

→ Relevant provision: Art. 30 GDPR.

🚫 Limit the data collected

Data minimization is a key principle in GDPR. So the fewer data you process, the easier it is to be compliant.

By using the register, ask yourself before and while processing data: Do I really need certain data for this specific processing? Is it relevant to retain all this data for so long?

→ Relevant provision: Art. 5 para. 1 lit. c GDPR.

✅ Keep processed data accurate

This means you should erase or rectify data that is inaccurate.

→ Relevant provision: Art. 5 para. 1 lit. c GDPR.

🛠️ Privacy by Design / by Default in Product Development

This principle is being understood best if we break it down into its five underlying pillars:

1 - You should take a proactive approach to data protection and anticipate potential risks before it's too late.

2 - Every system, service and business practice should ensure the protection of personal data by default.

3 - You should integrate data protection into the design of all systems, services, products and business practices.

4 - The measures taken should be comprehensible and verifiable for the users.

→ Relevant provision: Art. 25 GDPR.

🍪 Create a lawful cookie pop-up/banner

A standard practice is to have a cookie banner or pop-up when a user visits a website that allows them to consent or decline the use of cookies. You must also document and store consent received from users for proof.

You can find an overview on whether you need a cookie banner, how to set up a banner and examples of lawful cookie banners here.

→ Relevant Provision: Art. 6 para. 1 lit. a GDPR.

📝 Use a privacy policy

Update your privacy policy and make your data collection and processing transparent.

Cookieyes provides a free privacy policy generator here.

→ Relevant Provision: Art. 13 GDPR.

👌🏼 Double opt-in for newsletter and other marketing-related communication (if applicable) + provide opt-out

Double opt-in means that after the user provides their email, you send an email with a confirmation link that the user must click to finalize their subscription. This is a good way to demonstrate that the user has indeed given consent.

Furthermore, give subscribers the ability to manage their preferences, as well as to opt-out of emails.

→ Relevant Provision: Art. 6 para. 1 lit. a GDPR.

☝🏽 Provide contact details for privacy-related requests

Users have the right to access their data, ask for rectification, and even transfer their data for further personal use. Therefore, you should provide access points/contact for privacy-related requests.

🔐 Protect yourself from data breaches

Protect user data by encrypting, restricting sharing, and minimizing the amount of data you hold.

💉 When health-related data

You need to make sure to observe the extra requirements set forth in Art. 9 GDPR.

You can find overview information on the requirements here.