What is GDPR?
Does GDPR apply to you?
What does the GDPR cover?
- explicit consent (i.e., they gave you permission by checking a box or signing up for a newsletter without a freebie); or,
- legitimate interest (i.e., there’s a reasonable expectation that the data will be processed – as in, they requested information from you, and you’re delivering it); or,
- performance of a contract (i.e., they purchased something from you, and you need to complete their order).
How do you get ready to comply with GDPR?
- Map everywhere that you hold personal data. You don’t have to have a fancy system to do this – just a simple spreadsheet will do.
- Identify whether you hold sensitive data. Sensitive data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation.
- Figure out the legal ground on which you are processing each piece of data. Remember, the legal grounds include:
  - performance of a contract
  - compliance with a legal obligation
  - protection of the vital interests of the data subject
  - processing in the public interest or in the exercise of official authority vested in the controller (rare for an online entrepreneur)
  - processing necessary for the legitimate interests of the controller (that’s you!), except where the interests of the data subject override the interests of the controller.
- Identify where you transfer the data to third parties – such as email service providers, scheduling systems, etc. – and where those services are located.
- Update your privacy notice to be GDPR compliant.
- Add opt-in wording to your sign-up boxes to get explicit consent, and track that consent.
- Put a system in place for managing data subject requests and opt-outs.
- Check that your data processors are GDPR compliant. Put a Processor Agreement in place if necessary.