Change Conversations blog


Wake Up Communicators: You need a GDPR checklist and guide

By Dave Bowers on 5/10/18 11:00 AM

Later this month, on May 25, the GDPR data protection and privacy law goes into effect. GDPR, or General Data Protection Regulation, is a set of rules that protects citizens and residents of the European Union and governs how companies handle their personal data. Email marketing and marketing automation activities are clearly affected. But many small businesses and nonprofits are not aware that you also need to be sensitive to GDPR if you collect personally identifiable information in any way, including contact-us forms and website analytics. There's a forest of GDPR information out there, so my goal is to highlight key landmarks for you.

Who Does the GDPR Affect?

GDPR applies to you the moment you collect data from someone who lives in one of the 28 member countries in the EU. If you collect customer data of any kind that could be personally identifying, such as email address, name, IP address, device, etc., or you use software that does this on your behalf (tracking software, Google Analytics, marketing automation, sales CRM), then you are affected. You must follow the data privacy regulations of the GDPR. That means all organizations, everywhere, that process or hold personal data of people living in the EU.

How do you know if the information you hold belongs to a member of the EU? You probably don’t. So, it is best to assume it does and use the same compliance regulations for all the data you collect.

GDPR basics

What do I have to do to comply with GDPR?

There are many checklists and guides available to help you plan your compliance with GDPR. Here is a quick summary:

  • Have a clear privacy policy that specifies how you use data and who to contact with questions or requests about data.
  • You need to have consent to collect and use personal data. This consent needs to be specific and documented.
  • You must be able to produce a record of an individual's personal data that they can access and change or update.
  • In all email communications, you need to be clear about how and why you obtained the email address, who you are, and why you are emailing them.
  • It is wise to provide a double opt-in, confirming submission of information and how you will use it.
  • In your opt-in process, you need to be clear about expectations and what individuals can expect from providing their email address. (For example: weekly blog posts and an occasional special report).
  • You need to provide an opt-out on every communication. This needs to be clearly available.
  • Do not buy lists. Do not use lists from others. While EU residents may have given the original organization consent for specific purposes, they did not give it to you.

For many organizations, proving consent in your existing databases to meet GDPR standards will be difficult. You may end up needing to re-opt-in many of your marketing contacts in order to meet the new consent standards. Landing pages and forms will also need to be updated for compliance and to clearly link to your privacy policy with specific information about how the data submitted on a form will be used. You may also need to re-obtain consent for your use of customer data that you did not explicitly obtain permission for at the time of collection.


You will need to provide a disclosure statement as soon as you start collecting data. If you have website tracking software (such as Google Analytics), you should provide that statement as soon as someone visits your website.

Sample website disclosure graphic:


Your disclosures should have a link to your privacy policy or statement. The statement needs to be written in clear, plain language that is accessible. It should also include information on how to contact your company to request a copy of personally identifiable information in your records, and how to remove that data.

Website traffic analytics

Just about everyone with a website is, or should be, gathering website traffic data on visitors to their website, and Google Analytics is used by most of you. Unfortunately, Google's guidance on GDPR compliance isn't exactly user-friendly, so here's a brief video from Christopher S. Penn on the subject.




It is extremely likely GDPR applies to you and your organization. It is better to take steps now to become compliant than to face possible consequences (including costly fines) later.

Disclaimer Note

Sharing this legal information is not the same as providing legal advice, where an attorney applies the law to your specific circumstances. Please consult an attorney for advice on your interpretation of this information or its accuracy.


Best Resources:

The Communicator’s GDPR Checklist and Resource Guide, Spin Sucks PR

You Ask, I Answer: GDPR 101 for Marketers, C.S. Penn

Are you GDPR ready?, HubSpot

GDPR: What You Need to Know and How Constant Contact Helps You Comply, Constant Contact




Creative Commons


© 2009- to present, Marketing Partners, Inc. Content on the Change Conversations blog is licensed under a Creative Commons Attribution-Noncommercial-NoDerivs 3.0 United States License to share as much as you like. Please attribute to Change Conversations and link to ChangeConversations.

Creative Commons License may not apply to images used within posts and pages on this website. See hover-over or links for attribution associated with each image and licensing information.