GDPR Overview: 50 Tips & Questions Surrounding GDPR

The GDPR (General Data Protection Regulation) is sending shockwaves through virtually every company, no matter the size. The new regulations went into effect on May 25, 2018. While businesses had a few years to prepare, it can still be nerve-wracking knowing that the rules have now changed and wondering if you’ve covered all your bases, especially with such high stakes (i.e., fines).

Most website operators and publishers rely on a variety of third-party tools for marketing and other business activities. Maybe you’re using social media follow buttons to grow your social following, or you’re running ad campaigns on Facebook or Twitter. Even if you run your website on WordPress or use HubSpot to create landing pages, those services could still be collecting data about your website visitors, therefore leaving you on the hook for GDPR compliance.

The good news is that most of these services have already implemented changes, resources, and tools to help their users comply with the new regulations. At ShareThis, for instance, we’ve released a GDPR Compliance Tool to make it easy for you to obtain consent to collect cookie data from your website visitors.

If you’re wondering how GDPR is impacting other platforms, what resources they’ve made available to users, and what steps you need to take to ensure compliance, you’ve come to the right place. We’ve rounded up 50 tips and insights on how GDPR impacts Salesforce, HubSpot, MailChimp, and a number of other widely used platforms, along with actionable advice you can use today to stay compliant.

Click on a link below to find out how GDPR is impacting several popular platforms and browse tips for users to ensure compliance:

How does GDPR impact Salesforce?

1. Salesforce is committed to data protection. The #1 value at Salesforce is trust, and the company has consistently reinforced its commitment to protecting its customers over the years through proactive responses to new legislation and best practices. Salesforce’s Trust and Compliance documentation provides an in-depth description of the Salesforce architecture and infrastructure, security- and privacy-related audits, and more.

2. The Salesforce data processing addendum ensures that users can legally transfer personal data outside the EU. Customers can rely on Salesforce’s binding corporate rules, Privacy Shield certification, or standard contractual clauses for lawfully transferring personal data to Salesforce outside the EU.

With the deletion of a contact, the statistics do not associate to that deleted contact, and any personal data in the statistics table is removed, and the data becomes anonymized." - Salesforce

3. There is no functionality in the Marketing Cloud for receiving data subject requests (such as the Right to be Forgotten). Users should rely on external processes, such as your existing customer support network, to handle these requests.

4. The Salesforce Do Not Track feature will be useful to publishers who need to fulfill data subject requests, such as when consent to collect data isn’t obtained from a user. Customers should seek legal advice to determine how to update their privacy notices and consent requests. Once Do Not Track is enabled, behavioral browsing data is no longer tracked for that individual, and they’ll be presented with generic data such as recommendations.

5. GDPR’s impact will essentially weed out both B2B and B2C consumers who aren’t interested in engaging with sales and marketing efforts, driving sales and marketing teams to take a more personalized approach. That means marketing and sales teams can no longer bank on sending out mass marketing emails, and marketing and sales professionals will be relying more heavily on personalized, one-on-one outreach.

6. Salesforce has introduced an Individual Object feature, which can serve as the basis of workflows to support compliance efforts. Individual Objects can be used as the foundation of workflows, supporting processes such as deleting data that has been stored longer than necessary. Salesforce’s reports can be used for segmenting campaigns, allowing marketers to easily exclude any contacts who have opted out.

How does GDPR impact HubSpot?

7. Marketers who use HubSpot are most likely considered “data controllers.” And that’s where most of the liability lies. However, marketers may also be a processor in some situations, such as agency partners that work with data on behalf of clients. If you use HubSpot tracking tools or your site is built on the HubSpot CMS, you’re a data controller while HubSpot is the processor.

8. GDPR poses new challenges for marketers. However, HubSpot sees the legislation as a positive and is enthusiastic about helping to shape the conversation around innovative, compliant strategies.

9. HubSpot has several product changes planned to help users comply with GDPR. The company’s goal is to make compliance as easy as possible, allowing the platform’s users to easily live up to the core principles behind GDPR.

10. HubSpot already offers features that marketers can leverage to obtain and track consent. Since you can create landing pages and forms with any text you prefer with HubSpot, you already have tools at your disposal that can help you comply. You can even enable a double opt-in feature to ensure that clear and unambiguous consent has been obtained from your contacts.

"When one of your contacts (i.e., data subjects) asks you to delete them from your records, you'll have the ability to do so quickly and easily." - HubSpot

11. HubSpot also enables users to perform a GDPR-compliant delete. Contact asking to be deleted from your records? Not a problem. HubSpot allows you to execute a GDPR-compliant delete with ease, permanently removing all traces of the contact from your system.

12. For most HubSpot users, GDPR is business as usual, although there are a few changes and best practices to implement. HubSpot’s focus is on inbound marketing, which is about earning attention – a practice that’s in sync with the consent premise of GDPR. Users will need to update their cookie practices, re-qualify their lists with clear consent, and get their data capture in order.

13. While HubSpot provides a good deal of technical compliance, users are still on the hook for bottom-line compliance. It’s still up to users to refine the proper wording for permissions, audit their data, and manage other aspects of compliance.

How does GDPR impact MailChimp?

14. MailChimp has introduced several tools to help users comply with GDPR, including GDPR-friendly forms and tools to seamlessly handle contact data requests. Forms will have separate checkboxes to allow contacts to opt-in to each element of your marketing activities individually. And, MailChimp will maintain a record of each version of your form so you’ll have a complete audit trail of the precise permission language that was present when a contact opted in.

"If someone signed up for your list through a MailChimp hosted form, you can export that list and view information related to the signup. For additional evidence of consent, you may choose to turn on double opt-in." - MailChimp

15. MailChimp’s GDPR fields include checkboxes for opt-in consent. Mailchimp users should evaluate the consent previously obtained from subscribers to ensure that it’s in compliance with the new GDPR requirements.

16. Users will be able to carry out contact data requests in a single step from their MailChimp account. Because MailChimp maintains detailed records, you’ll be able to prove consent in the event of a dispute. Plus, you’ll be able to quickly handle subscriber data requests with single-step execution.

17. MailChimp’s decision to make single opt-in the default has been a hot topic of discussion. GDPR doesn’t specifically require double opt-in, although double opt-in does provide a clear audit trail of granular consent.

18. Getting explicit consent from subscribers will be easy for MailChimp users. To gain explicit consent for each aspect of your marketing and data collection activities, you can implement multiple, secondary checkboxes asking for consent for each intended use of your subscribers’ data.

19. You’ll need to be able to prove that you’ve obtained proper consent from any EU subscribers to your MailChimp mailing list. You can find this information in the ‘Source’ column of your mailing list. You can already prove consent if the source of a subscriber is a Facebook signup form, MailChimp-hosted signup form, a signup form embedded on your website, or a generic API from a third-party plugin. You’ll need to re-obtain consent for any subscribers added by an admin, imported via CSV, or imported from a copy/pasted file.

How does GDPR impact Google Analytics?

20. Google Analytics serves as a data processor for companies that use it under GDPR. Google has obligations to conform to GDPR, including providing a data processing agreement that Google Analytics users must accept.

"In Google Analytics and Google Analytics 360, we offer IP masking to further anonymize IP addresses you are collecting." - Google

21. Save time with Google’s technical solutions for streamlined compliance. Google offers several technical solutions to help you save time in managing business consents, masking IP addresses, and locating sensitive data.

22. Some settings that can aid in GDPR compliance are already available in Google Analytics. Customizable cookie settings, data sharing settings, and privacy controls are just a few of the existing options that can help you manage compliance.

23. One common question is whether the data that Google Analytics collects qualifies as “personal data.” In short, it certainly can. You can tell how many times one individual user has visited your website, what pages they visited, and how long they stayed, for instance. Google identifies cookie identifiers and other online identifiers, IP addresses and device identifiers, and client identifiers as personal data.

24. There are steps you can take to ensure compliance when using Google Analytics. First, identify what data you currently hold, what you intend to collect, and how you plan to use it. Get rid of “nice to have” data that you don’t actually need to store. You’ll also need to find a way to verify that the EU-US Privacy shield applies and Google’s membership is valid if you’re transferring data outside the EU.

25. Many publishers and website owners wonder if they need to obtain explicit consent before tracking website visitors. The answer? It depends. You need to notify your visitors if you’ve enabled Google Analytics Advertising features in your privacy policy. And of course, you’ll need to obtain compliant consent from EU users for any data collection, sharing, and usage. If you’re using any third-party plugins or tools, e.g., social share icons, you’ll probably need to obtain consent as you’re sharing data with those entities.

26. Limit access to your Google Analytics account. Make sure that you, and not an agency, own it, and always filter out personally identifiable information from your data.

27. Google is said to be working on a solution to provide anonymized, non-personalized ads when consent is not obtained. Website owners are responsible for obtaining consent to continue to collect data for ad targeting with Adwords, AdSense, AdMob, DoubleClick Ad Exchange, and DoubleClick on behalf of a third party.

28. Soft opt-ins and implied consent no longer cut it under GDPR. Consent must be unambiguous, and users have to check a box or click a button that explicitly indicates that they’re okay with the data collection and intended use.

How does GDPR impact Facebook?

"When Facebook processes data on an advertiser's behalf, the advertiser must have an appropriate legal basis for Facebook to process this data." - Facebook Business

29. Typically, Facebook is a data controller, but there are some scenarios in which it serves as a data processor. Advertisers, for instance, must have an appropriate legal basis for Facebook to process any data used for advertising purposes.

30. Facebook will no longer be able to use news feed posts for ad-targeting, unless those posts are public, or at least set to the “friends of friends” privacy setting. Posts not set to public or friends of friends tend to include data types that GDPR dubs “special categories,” such as ethnicity, religious beliefs, political affiliation, and sexual orientation.

31. Some experts say removing personal data from the online advertising process is the only logical path to compliance. The onus is on brands and publishers to ensure that they’ve obtained the proper consent on their own. The Internet Advertising Bureau (IAB) believes that the supply of personalized inventory will drop, while contextual targeting options not requiring personal data will rise in its place.

32. If you’re using a Facebook Pixel, you’ll need to meet obligations under GDPR. Facebook says that anyone using a Pixel will have obligations under the GDPR, including scenarios such as retail websites collecting data about the products shoppers view for ad targeting purposes, blogs that rely on cookies to aggregate reader demographic data, or Facebook advertisers that use the Pixel to measure conversions or retarget prospects.

33. Facebook may face additional scrutiny due to recent events. The Cambridge Analytica scandal may draw added attention to Facebook from EU regulators, coupled with past concerns regarding Facebook’s data collection.

34. Purpose limitation under GDPR is the real sticking point for platforms like Facebook. Users willingly disclose personal data when using services like Google or Facebook, and those platforms have the right to process that data in order to provide those services. GDPR, however, will prevent them from using that data for any other purpose without explicit consent.

How does GDPR impact AWS?

35. AWS announced that it all AWS services are “GDPR-ready” on March 26, 2018. AWS says that security remains its highest priority, and the company has a long list of certifications and accreditations that demonstrate compliance with various international standards.

36. AWS offers a new Data Processing Agreement. The Data Processing Agreement is incorporated into the AWS service terms and meets GDPR requirements. AWS also complies with the CISPE Code of Conduct.

37. AWS customers can implement their own security measures in compliance with GDPR. Customers can also tap into AWS’s security and compliance services.

38. AWS provides a number of data access controls to limit the use and processing of data to what is necessary, including temporary security credentials. Temporary credentials work similarly to long-term access key credentials, but they can be configured to last for a defined period, ranging from a few minutes to several hours.

"AWS is responsible for securing the underlying infrastructure that supports the cloud, and you are responsible for anything you put on the cloud or connect to the cloud." - Amazon Web Services

39. Amazon Web Services operates under a shared responsibility model – meaning users share in the responsibility of protecting data. Some AWS services are entirely under your control, such as Amazon EC2, Amazon VPC, and Amazon S3, meaning you’re responsible for all security configuration and management.

40. For UK and EU companies in cloud computing, forcing additional requirements on suppliers could prove challenging. In fact, some experts speculate that it could actually give giants like Amazon a key advantage.

How does GDPR impact WordPress?

"If your website has visitors from European Union countries, then this law applies to you." - WPBeginner

41. Does GDPR impact all WordPress users? Yes; GDPR affects businesses of all sizes around the world – not just those located in the EU. It’s applicable to any website that has visitors from EU countries.

42. Publish a privacy policy to inform visitors if you’re collecting data, what data points you’re collecting, and how you plan to use it. All WordPress website owners must publish a detailed policy disclosing the personal data you’re collecting, as well as how that data is processed, stored, and used.

43. Make sure your plugins are GDPR-compliant. As a website publisher, you’re ultimately responsible for data collection and storage methods used not only by yourself or your team, but also any plugins or third-party software you use.

44. Review your data collection and processing workflow. You should audit your website to determine where data collection and processing is currently happening, how it’s stored, and how long it’s stored.

45. The WordPress comment system collects IP addresses, so it’s not natively compliant with GDPR. Sometimes, comments also require a name and email address. In either case, you need to obtain consent to store this data – and if a user requests that you delete their data, you must comply promptly.

46. Keep an open communication channel for user requests. You’re required to respond promptly to user requests, such as requests to review or delete their data, under GDPR. Offering a form that users can submit is a simple and straightforward way to enable users to easily communicate these requests.

47. Does your WordPress website use cookies? You need to know, and if it does, you need to use a cookie consent solutionIf you have a clean version of WordPress with no plugins, it likely doesn’t set user-related cookies. But few people use WordPress in its most basic form, meaning you need to verify whether the plugins you’re using set cookies and implement a consent form if so.

48. If you haven’t already, audit your WordPress website and make any necessary changes now. It’s the site owner’s responsibility to obtain consent for any data third-party plugins are collecting or using. You should also ensure that if you’re using a newsletter service, you have opt-in (not opt-out) configured.

49. Contact any third-party services you use for information about their compliance with GDPR. Include any information about third-party services you use in your Privacy Policy.

50. As the duty for compliance ultimately falls on the user, WordPress aims to provide tools and resources that website owners need to ensure compliance. The biggest challenge for WordPress users is that most sites are a combination of WordPress core, plugins, and themes, so there are endless ways those websites collect, process, use, and access user data. WordPress ultimately can’t make any given website compliant, so instead, the company has opted to make a variety of resources and tools available for website owners and publishers.

About ShareThis

ShareThis has unlocked the power of global digital behavior by synthesizing social share, interest, and intent data since 2007. Powered by consumer behavior on over three million global domains, ShareThis observes real-time actions from real people on real digital destinations.

Subscribe to our Newsletter

Get the latest news, tips, and updates

Subscribe

Related Content