GDPR Compliance Quick Check
Get instant feedback on your compliance strategy. No registration required.
This tool is designed for EU/UK based businesses, marketing to customers within the EU/UK.
The questions focus on some of the most common mistakes we see and on areas that regulators have been targeting recently.
Step 1
9 Question Quick Check
Answer the questions below. Choose the best fit answer for your organisation.
Step 2
Understanding Your Results
Score 8-9: Well done. You have a good level of compliance and/or are privacy conscious.
Score 5-7: Good work. But you are still at risk of legal action, which may result in an investigation and a financial penalty. There is also a risk to the reputation of your brand. Make sure you address any issues raised. Read the explanations in Step 3 to determine what action you need to take.
Score 0-4: Don’t panic. We’ve seen this many times: companies focused on growth can end up forgetting about those pesky data laws. Be aware that right now you are at risk of legal action, which may result in an investigation and a financial penalty. You are also at risk of damage to your reputation, both brand and career. But this is easily fixed, and you probably won’t need any lawyers unless your data use is complex. Read below to learn more about each issue and how you can fix it. You can also join our email list, which will keep you informed when the law changes.
Step 3
Why It Matters and What Action You Should Take
We’ve based this quick check on the areas most commonly targeted by regulators. Below we’ll break down what the law says about your legal responsibilities, why it’s important and what you can do to achieve compliance.
Registration with supervisory authority
Supervisory authorities enforce GDPR and other data privacy laws such as PECR/E-Privacy Regulations. They are present in every EU Member state. The ICO is the UK’s supervisory authority. You can check who your supervisory authority is in your country, using our directory.
What is the issue?
Registration is legally required in some member states.
In the UK every organisation or sole trader that processes personal data must register with the ICO (and pay the data protection fee) unless an exemption applies.
There are a few exemptions, which cover:
- Some charities and pension schemes.
- Some public bodies and members of parliament.
- Organisations whose processing of personal data is limited to a short list of purposes, including staff administration, advertising, marketing and PR, and accounts and record keeping.
One of these may apply to you, so we advise you to check with the ICO’s eligibility self-assessment tool, which features the full list of exemptions.
Why is it a problem?
If you are UK based, do not qualify for an exemption and fail to register, you are breaching the Data Protection (Charges and Information) Regulations 2018.
If you do not register, you may be subject to:
- A financial penalty.
- A less lenient approach from the regulators if you receive a complaint from a member of the public or suffer from a data protection breach.
How do I fix it?
Register online with your supervisory authority.
- It takes 15 minutes online.
- Costs between £40-£2,900 for the year.
- There are discounts for charities and some pension schemes.
Register with the UK’s ICO here.
Cookie Consent
What is the issue?
Under PECR you need consent to use non-essential cookies and related tracking technologies.
Under GDPR, consent must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action (silence or inactivity is not consent).
In practice this means you need a cookie consent mechanism if you wish to use non-essential cookies and tracking technologies, such as Google Analytics, or the Facebook Pixel.
This mechanism must meet a number of standards which have recently been clarified by regulators.
Many websites have cookie consent mechanisms that were only valid under the original EU cookies law, or which have not been updated to reflect recent legal cases.
Common mistakes include:
- No consent, just a notice.
- Loading cookies before consent is given.
- All cookies bundled into the one accept button.
- Deceptive design practices.
- Pre-checked cookie options.
Why is it a problem?
Failure to comply could result in an investigation and financial penalty from a supervisory authority.
We are currently seeing an increase in cases concerning the use of non-compliant cookie consent mechanisms.
Failure to comply would also mean that any data collected without valid consent was collected unlawfully. You would have no lawful basis for holding it, so you would be obliged to delete it. This may be technically difficult to do without deleting all of the past data in your account if you are using a platform that aggregates data, such as Google Analytics.
Using non-essential cookies without consent shows little respect for the user’s privacy. It leads to growing distrust between consumers and brands, and in our view encourages users to take more drastic precautions with their privacy. Precautions such as anti-tracking browsers or plugins would eventually make web analytics platforms almost useless, because the data they collect would then represent only a fraction of actual website users.
How do I fix it?
Check if you use non-essential cookies, like Google Analytics. Make a list of these cookies and include them in your cookie notice/privacy policy.
Note that the definition of “essential” cookies is limited. While you may interpret web analytics as an essential part of maintaining and operating a website, this is not how they are viewed under current data privacy laws.
According to the ICO your cookies may be exempt if:
- “the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.”
If you use non-essential cookies, make sure you have a cookie consent mechanism which meets the required standards: nothing non-essential is set before the user actively opts in, each purpose (for example analytics and marketing) can be accepted or refused separately, no option is pre-checked, and refusing is as easy as accepting.
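The consent logic that the list of common mistakes above and the fix described here imply, as an added example that is not code from the original page or from any consent provider. It is the decision layer only: the tag names, the category mapping, the cookie name and the version string are assumptions, and the browser glue (rendering the banner, reading and writing `document.cookie`, injecting script tags) is left out so the logic runs anywhere. Nothing non-essential loads until a record with an explicit choice exists, every non-essential category defaults to off, a record from an older version of the notice is ignored, and the record carries a timestamp so the consent can be evidenced later.

```javascript
// Added example (not the page's own code). Tag ids, categories and the
// consent version below are assumptions for illustration.

// Tags grouped by purpose. Only "essential" may run without consent (PECR).
const TAGS = [
  { id: "session-cookie", category: "essential" },
  { id: "google-analytics", category: "analytics" }, // assumed mapping
  { id: "facebook-pixel", category: "marketing" },   // assumed mapping
];

// Categories that always need an explicit opt-in. Kept separate so each can be
// accepted or refused on its own (no single bundled "accept" button).
const NON_ESSENTIAL = ["analytics", "marketing"];

// Bump whenever the notice wording or the tag list changes: old records are
// then treated as no consent and the user is asked again.
const CONSENT_VERSION = "2021-01";

// State shown on first visit: every non-essential category unchecked.
function defaultConsent() {
  const choices = {};
  for (const c of NON_ESSENTIAL) choices[c] = false;
  return { version: CONSENT_VERSION, timestamp: null, choices };
}

// Record the user's explicit choices. Only a literal `true` counts as opt-in,
// unlisted categories stay false, and the timestamp evidences when it was given.
function recordConsent(choices, now = Date.now()) {
  const record = defaultConsent();
  for (const c of NON_ESSENTIAL) record.choices[c] = choices[c] === true;
  record.timestamp = now;
  return record;
}

// A stored record only counts if it was actively given (has a timestamp)
// and was given against the current version of the notice.
function isValid(record) {
  return (
    !!record &&
    record.version === CONSENT_VERSION &&
    typeof record.timestamp === "number" &&
    typeof record.choices === "object"
  );
}

// Decide which tags may load. With no valid record (first visit, or a
// "notice only" banner that never collected a choice) only essential tags run.
function tagsToLoad(record) {
  const allowed = new Set(["essential"]);
  if (isValid(record)) {
    for (const c of NON_ESSENTIAL) {
      if (record.choices[c] === true) allowed.add(c);
    }
  }
  return TAGS.filter((t) => allowed.has(t.category)).map((t) => t.id);
}

// Serialise the record for a first-party cookie and parse it back. Anything
// unparseable is treated as "no consent" rather than guessed at.
function serialise(record) {
  return encodeURIComponent(JSON.stringify(record));
}
function parse(cookieValue) {
  try {
    return JSON.parse(decodeURIComponent(cookieValue));
  } catch (e) {
    return null;
  }
}

// Stand-alone demo: first visit loads nothing non-essential; after the user
// ticks only analytics, the analytics tag is allowed and the pixel is not.
if (typeof require !== "undefined" && require.main === module) {
  console.log("first visit:", tagsToLoad(null));
  const stored = serialise(recordConsent({ analytics: true }, 1609459200000));
  console.log("after opt-in:", tagsToLoad(parse(stored)));
}
```

The `version` check is what makes "recent legal cases" actionable in code: when the notice or the tag list changes, bumping `CONSENT_VERSION` invalidates every stored record, so nothing keeps loading on the strength of consent that was given to an earlier notice.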
Check the standards:
Cookie consent mechanism providers:
Learn about some of the most common mistakes in our recent article:
Data Attribution – Legal Basis for Processing
Customers have the right to request details from you about how and why you process their data under the right to be informed (GDPR Articles 13 and 14). This includes the legal basis for processing. You must be able to evidence the legal basis for processing on request to a data subject (customer, prospect, employee) or to a supervisory authority. If you hold inaccurate or poorly maintained data you may be unable to fully answer such a request, and you could then be subject to a formal complaint, an investigation and/or a fine. You must keep accurate, detailed records, especially when you are relying on consent to process customers’ data: who consented, when, to what, and how. Otherwise, you need to say goodbye to that data. It’s not worth the risk.
DPIA
DPIAs should be completed regularly, and reviewed especially after major rulings from the courts that govern the application of data privacy law like GDPR. Most companies will need to update their privacy policies after the recent EU Schrems II case (CJEU, July 2020), which invalidated the EU-US Privacy Shield.
International Transfers
Log all your international data transfers in your DPIA and in your record of processing activities. You need to establish your legal mechanism for each international transfer. Remember that the EU-US Privacy Shield is no longer valid, so another legal mechanism is required to continue transferring data from the EU to the US.
What is the issue?
- Data transfers to countries outside the EEA (European Economic Area) are restricted under GDPR (Chapter V).
- You must have a legal mechanism in place before sending personal data outside of the EEA.
- Many services that marketers rely on are hosted outside the EEA. Some of the most used tools like Google Analytics, Mailchimp and Salesforce use US servers for some or all of their data processing.
- Many brands use services like these without checking their validity under GDPR, or are unaware that the data they process with these service providers is being sent outside of the EEA.
Why is it a problem?
- Without a valid legal basis, the transfer of personal data is prohibited under GDPR.
- The penalties for non-compliance are serious. Under Art. 83(5) of GDPR, a fine can be issued of up to 20 million euros or up to 4% of total global turnover whichever is higher.
- Customers may object to their data being processed in countries with weaker data protection practices than their home country or in countries with sweeping surveillance powers.
How do I fix it?
Complete a DPIA regularly so that you are aware of all data flows in and out of your organisation. For flows outside of the EEA, you should establish the most appropriate legal mechanism. The possible mechanisms are listed below:
- Adequacy decision. Some countries, such as Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, currently benefit from this arrangement, which essentially allows unfettered data flows. You can check which countries have adequacy decisions on the European Commission website.
- SCC – Standard Contractual Clauses. A contractual agreement between you and the service provider which assures GDPR level protections, including “appropriate safeguards” on both sides. This is the most common mechanism used. Since Schrems II, SCCs alone are not automatically enough: you also need to assess whether the law in the destination country undermines the protections in the clauses, and add supplementary measures (for example encryption to which the importer holds no key) where it does.
- Binding corporate rules. BCRs are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group entities.
- Certification Mechanism approved by a supervisory authority. This is a new update, and the ICO is yet to implement any approval of these mechanisms.
- Contractual clauses authorised by a supervisory authority. A bespoke arrangement currently not supported by the UK’s ICO.
- Administrative agreements approved by a supervisory authority. This mechanism is used for public bodies.
- Make sure you have a legal mechanism in place. Document this mechanism and review this regularly, at least every 1-3 months.
Privacy Policy Updates
Privacy policies require regular maintenance. Every time you add a new tool or channel to your marketing stack you should review if any changes to your privacy policy are required. Additionally, any time your reasons for processing data or the types of data you process change you should update your privacy policy. This applies even if you are relying on a legal basis other than consent, for example legitimate interests. Your data subjects have a legal right to access information about how, when and why you process their data under the right to be informed.
Training
While the legal text of GDPR has not changed since it came into force, the way it’s applied has changed many times. New guidance from the EU, court cases and regulators’ judgements can quickly change how GDPR and other data laws are applied. For example, the recent EU Schrems II case invalidated the EU-US Privacy Shield overnight, leaving every transfer that relied on it without a legal mechanism. Because things change so often, training should be completed frequently. This will also help you keep up with your requirements under the accountability principle of GDPR.
Get email updates from us about data privacy and marketing
We’ll teach you how to be a more ethical marketer, and keep you up-to-date with some of the things you need to know to stay on the right side of the law. You’ll also get invites to contribute to our campaigns and events.