GDPR Compliance Checklist for Digital Marketers | KDM

GDPR Compliance Checklist for Digital Marketers & Businesses


GDPR enforcement is fast approaching. The EU deadline for GDPR compliance is the 25th May 2018. The big question for most businesses is: how exactly do I comply with these new data protection rules, and what do they mean for the contacts in my database? GDPR (the General Data Protection Regulation) is a new digital privacy regulation introduced to protect users and their data. It means that businesses will, by default, have to build some form of privacy protection into all their digital products and websites. They will also have to monitor and assess their privacy settings regularly, watch for data breaches, and make sure they have the necessary permissions to use and share a user’s data. Businesses who fail to comply with this regulation could face fines of up to £17m! But don’t worry, you still have 3 months or so to comply. To help you out, we have created a GDPR compliance checklist for digital marketers and businesses.


The Ultimate GDPR Compliance Checklist

1. Audit your database to confirm opt-in status for all your current contacts.

The new rules of GDPR mean being clear and transparent about what you are communicating to your database contacts. In practice, digital marketers will have to double-check their contacts and segment them as needed to confirm each contact’s opt-in status. It is essential that marketers work through the following process:

  • Segment your contacts based on opt-in status. Create lists based on who recently opted in, how they opted in and what they opted in for.
  • Define exactly what each contact has opted in for. For example, is it your monthly newsletter or only promotional emails about your products/services?
  • Third-party contacts that you might have added from networking events or LinkedIn must opt in again.
  • If someone on your list has opted in but has not opened or engaged with your emails in a very long time (over a year, say), they must opt in again.
  • Include this information in your privacy policy or in a document which is publicly available on your website.

WARNING: Don’t break one law to comply with another! Honda and Flybe attempted to confirm opt-in status by sending emails to individuals who had recently opted out of communications, or whose original opt-in could not be proved. As a result, Flybe was fined £70,000 and Honda £13,000. Before sending any emails, make sure those contacts have clearly opted in and are still opted in!

Example of managing a user’s email preferences


2. Have the correct process in place before adding new contacts.

Before you start looking for new contacts or leads to add to your database, a couple of changes are required to your website and forms:

  • Change all forms on your site to state specifically what the subscriber will get for signing up, or the type of content they are opting in for.
  • Link to your privacy policy in all forms.
  • Make sure the process for unsubscribing from your database is clear and included in every email going out.
  • Include this process and information in your privacy policy, available for everyone to read.
  • Make sure your email or marketing automation software can create dynamic lists. This means it can automatically unsubscribe contacts who have not engaged in a long time, and that you can create a workflow which automatically notifies subscribers that their subscription is expiring soon and gives them the option to re-subscribe or unsubscribe from your list.
  • It is also worth checking whether your email or marketing automation software can track opt-in and engagement over time, to make this whole process easier for your team.
  • Also, make sure that all subscribers confirm their subscription by sending out an automated confirmation email, i.e. use double opt-in.

DID YOU KNOW? The pub chain JD Wetherspoon took a drastic approach to clearing their database: they deleted all their newsletter subscriptions and sent an email to more than 650,000 contacts saying that they would no longer email the newsletter to subscribers. Instead, subscribers would have to stay up to date via the blog.

Example of a GDPR compliant form vs. a non-compliant form.

3. Identify contacts that have not opted-in correctly.

Since we still have 3 months or so until GDPR takes effect, there is time to run re-engagement campaigns for contacts who have opted in incorrectly. If you have no real proof or evidence of a contact opting in, that contact has opted in incorrectly, and this is your final chance to confirm their status. To get the most out of your re-engagement campaign, try following this process:

  • Segment your contacts based on interest, stage in the sales funnel and any other relevant information you might have.
  • Create some personalised content based on your data.
  • Create your emails and relevant automation workflow.
  • Send out your campaign and track engagement. You can send a couple of reminder emails to unengaged contacts before the deadline.
  • Add those who have not engaged or confirmed their subscription to a separate list so they are kept apart from the other users. The contacts in this list should be deleted after the May 2018 deadline.
  • Bonus tip: You could even consider retargeting ads on Facebook to remind your contacts to confirm their subscription.

Example of a subscription re-engagement campaign sent by Threadless.

4. Confirm company-wide compliance.

GDPR compliance doesn’t stop at marketing. It applies to everyone who sends out emails or deals with leads. This is especially relevant to your sales staff, who may also use email and tools such as LinkedIn to communicate with contacts. It is therefore very important to educate all staff members on complying with GDPR and on the consequences of failing to comply:

  • Organise a training session for staff members, teaching them how to tell the difference between a confirmed opt-in and an incorrect opt-in, what to include in communications that go out, and the process for opting in and out.
  • Review current processes and templates (beware of anyone using spreadsheets to record their contacts, and make sure they are also following the rules).
  • Create new processes for contacting leads and customers.
  • Look for external resources or workshops to further educate employees.
  • Decide on the consequences for employees who break the rules (and make sure they have received adequate training beforehand).
  • Train and educate new hires, and include this information in your company’s employee handbook if you have one.

5. Manage requests for information correctly.

Another requirement of GDPR is responding to information requests without delay, and at the latest within one month of receiving the request. Not only do you have just one month to respond, you must also fulfil the request in full. This means you will have to give the requester a complete record of all the data you hold on them: for example, where it is stored, the purposes for which it was recorded, and how long you intend to keep it. We recommend you follow this procedure:

  • Use marketing automation software to automate the response for efficiency, and follow up with a personal note if needed. You can even create a workflow that automatically notifies you and the relevant employees that a request for information has been received.
    • In the email you send out, remember to include options to unsubscribe, as well as options to delete the user’s data from your database or to correct it if it is wrong.
    • Review the information manually to double-check that the response is correct.
    • Give clear contact details in the email, so the user can reach you easily.
  • Create a landing page dedicated to information requests, and link to it from your privacy policy.


6. Prepare for security breaches and have a clear process in place.

A security breach refers to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. If a security breach is likely to “result in a risk for the rights and freedoms of individuals”, you will have to notify the relevant supervisory authority without undue delay, and within 72 hours at the latest. While this task might not fall to digital marketers, it is still important that all employees understand this procedure in your business:

  • Prepare crisis communications in case of a security breach (social media posts, blog posts, emails, PR).
  • Prepare for questions on social media or by customers as a result of the breach.
  • Decide who will be responsible for managing external communication.
  • Educate everyone on keeping data secure and what to do in a security breach.
  • Identify which supervisory authority needs to be notified in case of a security breach.
  • Include this procedure in the employee handbook, and the relevant information in your privacy policy.

7. Review external partners to see if they are GDPR compliant

Anyone your company works with, such as suppliers and other partners, must also comply with GDPR. If they are not, then it’s time to reconsider your partnership with them. Here is the process for reviewing your external partners:

  • Review your partners well before the May 2018 deadline, especially those who have access to your marketing data.
  • Contact partners and confirm that they are complying with GDPR. You could create a survey to confirm their compliance.
  • If your partners are not complying, try to educate them on GDPR and the consequences of not complying, and monitor their progress towards compliance.
  • Don’t forget about the software and tools you use in your company. Make sure you ask the vendors about GDPR and which country they store your data in.
  • Update your privacy policy to include information on the tools/software you use, as well as information on your partners’ GDPR compliance.


HANDY TIP: Why not share this GDPR compliance checklist with your partners to help them understand how to comply with GDPR?


8. Review and update your privacy policy.

It is now more important than ever to make sure your privacy policy makes sense and is crystal clear. And did you know you could even face a fine for not having a clear privacy policy written in simple, plain language? To avoid this, we suggest you review your privacy policy:

  • Update your privacy policy to include all the relevant information about GDPR.
  • Offer contact information and a link to your request-for-information landing page.
  • Make sure all your forms link to your privacy policy.
  • Finally, make sure your privacy policy is public and easy to find. Include it in your footer, and even in your About section to be extra clear.


HANDY TIP: It is best to keep up to date with any new privacy laws and news, so you know you are complying and how you can further protect your data and digital security.

A final note on GDPR compliance

Remember, you only have until 25th May 2018 to comply; after that, your business risks a huge fine for not complying. It is best to start your GDPR compliance preparation early, even now if possible! And make sure your whole company, as well as your partners, know the consequences of not complying. This may all sound depressing, but from a digital marketing perspective we believe it could help businesses keep clean lists of prospects who are genuinely interested in their business and products, instead of thousands of contacts who will never buy from them. If you have any concerns or questions about GDPR compliance, feel free to contact us and we’ll point you in the right direction.

For more information on protecting your customers’ data or improving your website’s security, please see our website security and SSL package.

Need help with GDPR compliance? We have a GDPR Preparation workshop in May. Learn more or book your place here.
