The GDPR packs a big punch in terms of the fines it can impose on businesses that don’t comply: 4% of annual turnover or up to €20M. Here are 10 quick steps to help you avoid GDPR fines:


1. Make Sure All Data is Organised

Store all data you hold on employees, suppliers and customers in an organised way. That way, if you receive any subject access requests (SARs), you know where to retrieve the requested data from quickly and can meet the 30-day timeline for getting back to people.

2. Make Sure All Personal Data is Securely Stored

Where is your customer, employee and supplier data stored? How safe is the data storage solution? Is any of this data being shared between your organisation and third parties? How is that sharing done? Is the sharing secure?

Making sure all personal data is securely stored is a simple way to ensure GDPR compliance.


3. Have a Documented Policy on Data Processing

Create a document that clearly states how you process personal data. It should include:

  • what information you are collecting
  • why you are collecting it
  • how long you are keeping the data for
  • where it is being stored
  • what you use it for
  • who it will be shared with
  • how you process it

Make this easily available to customers, employees and suppliers.

4. Delete Data That You Don’t Need

If you don’t need data that you have collected from employees, customers or suppliers, then delete it. Under GDPR, data controllers and processors are obliged to return or delete all personal data after the end of services, or on expiry of a contract or agreement, unless it’s necessary to retain the data by law.

So get rid of personal data that is no longer relevant, no longer in use for a specific purpose or relates to children under 16.


5. Have a Process in Place for Data Deletion

GDPR also introduces the “right to be forgotten”, also known as the “right to erasure”. Individuals can ask that their data is deleted if it’s no longer necessary to the purpose for which it was collected, or there is no ‘compelling’ reason for its continued processing.

They can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.

The data controller is also responsible for telling other organisations to delete any links to copies of that data, as well as the copies themselves.

Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.

So if just one of these conditions applies, your organisation must delete and remove the data (including recorded calls) ‘without undue delay’, and specifically within a month, barring exceptional circumstances.

Time to set up a process!


6. Change All Marketing Opt In To Active Consent

If you are collecting data for marketing, then the customer or prospect must have an active consent option, so they must be able to tick a box that says, for example, “Yes I want to receive your marketing information, here’s where you can read our Terms of Use and Privacy”.

You can no longer rely on pre-ticked boxes, nor add people to your mailing list without their consent.

7. Implement Double Opt In For All Mailing Lists

Double opt in is easy to implement in today’s mailing software, and you should absolutely make sure it is done: it is a simple way to show that people consented to join your mailing list, and your mailing software will also record when they clicked to agree.
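As an added illustration of what a double opt-in flow needs to record (not code from this article or from Rinodrive), here is a minimal Python sketch: the form submission is only accepted when the box was actively ticked, the confirmation link carries an unguessable token, and confirming it produces a consent record showing who agreed, when, and under which policy version. The policy version label and the in-memory stores are assumptions for the example.

```python
import secrets
from datetime import datetime, timezone

# Assumed label for the privacy policy version the subscriber was shown (hypothetical)
POLICY_VERSION = "privacy-policy-v1"

# In-memory stores for the example; a real deployment would persist these
pending = {}      # confirmation token -> signup awaiting the emailed click
subscribers = {}  # email -> consent evidence record


def request_signup(email, checkbox_ticked, now=None):
    """First step: the form submission. Only an actively ticked box counts as
    consent (no pre-ticked defaults). Returns the confirmation token to email,
    or None when there was no active consent."""
    if not checkbox_ticked:
        return None
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(24)  # unguessable, single-use
    pending[token] = {"email": email,
                      "requested_at": now.isoformat(),
                      "policy_version": POLICY_VERSION}
    return token


def confirm_signup(token, now=None):
    """Second step: the subscriber clicks the emailed link. Returns the consent
    evidence (who, when requested, when confirmed, which policy, how) or None
    for an unknown or already-used token."""
    rec = pending.pop(token, None)  # pop makes the token single-use
    if rec is None:
        return None
    now = now or datetime.now(timezone.utc)
    evidence = dict(rec, confirmed_at=now.isoformat(), method="double-opt-in")
    subscribers[rec["email"]] = evidence
    return evidence


def withdraw_consent(email, now=None):
    """Consent withdrawal: drop the subscriber's record and return a small
    erasure receipt, or None if the address was not subscribed."""
    if subscribers.pop(email, None) is None:
        return None
    now = now or datetime.now(timezone.utc)
    return {"email": email, "erased_at": now.isoformat()}
```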

8. Offer Easy to See Links to Read Your Terms of Use/Privacy Policy

The norm has been to bury your Terms of Use or Privacy Policy in a footer at the bottom of your website. Now it’s good to have a layered opt in wherever you are capturing personal data. Layered opt in means there is an easy-to-see link to view the Terms of Use and/or Privacy Policy (as in the example given above in number 6).

On all data capture forms, put links to your Terms of Use and Privacy Policy pages so it’s easy for people to see where to click and read those terms.

9. Update Your Terms of Use and Privacy Policy

Now’s the time to update your Terms of Use and Privacy Policy.

Make them clear and easy to understand, avoid jargon and overly legal terminology. If you ever copied and pasted from another company’s Terms of Use or Privacy Policy, time to do an update for sure.

Here are some things you definitely must have in your privacy policy.

10. Staff Training

Train all your employees about GDPR to make sure they are up to date. While your organisation might not need a Data Protection Officer by law, it could be a good idea to appoint someone in your organisation to be responsible for this area.


Are you going to implement these 10 quick things to avoid GDPR fines? Did you find this article useful? Tell us your thoughts in the comments below. 
