What is the GDPR?
The GDPR is one of the most significant data protection initiatives in Europe. It introduces rights for individuals, such as the right to be informed, the right of access, the right to erasure, and the right to data portability. The 88-page regulation means companies need to review their current practices around personal data: How do they obtain consent? How do they inform individuals about the way their data is processed, with more transparency than before?
The GDPR holds companies accountable with fines of up to 4% of annual global income for failing to comply. It also covers something called ‘privacy by design’, which means companies are responsible for building data protection into their systems from the beginning. Companies therefore need to implement appropriate technical and organizational measures to meet the GDPR requirements.
Dot.vu takes data privacy very seriously. The platform processes and stores a lot of personal data in one place, which makes it easy to track and review each individual’s data and take measures to comply with the GDPR on Dot.vu. Below, you can read about a couple of initiatives you can take on Dot.vu to comply with the GDPR. Be aware that the following text does not cover everything your company needs to do to comply with the GDPR; it only gives recommendations on what can be done on Dot.vu. For further reading on the GDPR, we refer to the European Commission’s website.
What is personal data?
Under the General Data Protection Regulation, personal data is any information relating to an individual. Examples are names, photos, email addresses, bank details, social media posts, medical information, and computer IP addresses.
The GDPR sets a high standard for consent. From 25 May 2018, companies cannot assume that it is okay to contact people. According to the GDPR, users must give unambiguous consent through a ‘clear affirmative action’ if they want to receive marketing material from a company.
That means pre-ticked opt-in boxes are not allowed, and consent must be kept separate from other terms and conditions. People who have opted in must also be able to withdraw their consent at any time, and your company needs to tell them how to do so.
It is also important to inform people which organizations and third-party controllers will rely on this consent.
Further, companies must keep clear records of the consent given and be able to prove it exists; the records should cover who consented, when and how they consented, and what you informed them of.
How to ensure your future contacts are GDPR compliant
It’s important to update your terms, privacy notice, and opt-in forms under the new regulation. Many companies have responded by offering multiple opt-in options. This lets people choose what type of content they want companies to send them, so they know exactly what they are opting in to, for example news, new products, or offers.
On Dot.vu, you can set up lead forms with as many opt-in options as you like and include checkboxes that are not pre-clicked. The consent given in the lead form is attached to the contact as documentation and is always available for review.
How to ensure your current contacts are GDPR compliant
You need to review how you obtained your current email contacts on Dot.vu, along with the information you store about them, to ensure you have complied with the GDPR. You may need to refresh the consent if you obtained contacts through methods that are not compliant with the GDPR, such as pre-clicked opt-in forms or not stating the purpose of your data collection and processing.
On Dot.vu, you can easily look at the history of each contact and see when and how it was obtained. You can also see through which campaign or which interactive content they gave consent. Review your privacy notice and terms to check whether you are using GDPR-compliant methods.
If you gained contacts through methods that are not compliant with the GDPR, you have until 25 May 2018 to refresh the consent. Learn more about methods to refresh consent through interactive content here.
The GDPR gives users more control over how companies handle their personal data, including the ability to access and remove it.
That brings us to the next three rights in the GDPR: the right of access, the right to data portability, and the right to be forgotten. Companies must reply to such requests without undue delay and within 1 month.
Right of access
The GDPR gives individuals the right to request a copy of any of their personal data that a company processes. This includes what information is held, where, and for what purpose. The company should also provide a digital copy of the personal data, free of charge, and should process the request within 30 days.
It is very important to make sure users can access their data, review it, and make changes. This can be as simple as a link to email settings in an email, where the user can choose which types of emails he/she wants to receive.
Right to data portability
Data portability is the right of a contact to receive a digital copy of the personal data he/she has previously provided to a company, and to forward that data to another company. Companies must reply to this request without undue delay and within 1 month.
Right to be forgotten
The right to be forgotten, also known as data erasure, entitles the contact to have the company holding their data erase their personal data. The company should also cease further dissemination of the data and, where applicable, have third parties halt processing of it. Companies must reply to the request without undue delay and within 1 month.
Below are examples of situations where companies need to comply and erase personal data (note, the list is not exhaustive):
- The data is no longer necessary for the purpose for which it was collected.
- The individual withdraws his/her consent, and there is no legal ground to keep the data.
- The data was unlawfully processed.
How to ensure your data access is compliant with GDPR
On Dot.vu, you can easily look up a contact to review all the personal information you have obtained on them. This includes contact information, dates of interaction, and information gained through interactive content, which could be something as simple as a favorite color from a quiz. You can export all the information in a digital format.
When it comes to cookies, there are two issues to consider: privacy, meaning what information companies track, and transparency, meaning how they communicate this to users. Ask yourself, “Who tracks the information and for what purpose? Where does the data go, and for how long will it stay there?”
As with most things in the GDPR, the user must be informed about why and how the personal data is stored. Companies should use clear, plain language to explain what happens when a contact gives consent. It must also be possible to opt in to and opt out of the cookies. Finally, consent should be given through ‘affirmative’ actions (not a pre-clicked box).
The user must also have a ‘true choice’. This means he/she should still be able to access the website even though strictly necessary cookies have been rejected. The user should be able to withdraw his/her consent as well, and the right to be forgotten also applies to cookies. Don’t forget: companies cannot track anything until the user has given consent for cookies.
It’s crucial to store and document the consent provided.
All of this means it is no longer enough to offer a simple ‘ok’ button to accept cookies, or to treat a visitor’s continued use of the website as consent.
Cookies are now grouped into categories, which the user should be allowed to check or uncheck. Strictly necessary cookies, the only ones required for the website to function, are whitelisted and may therefore be pre-checked; the user is not given the option to uncheck them. Likewise, any cookie category that does not handle personal data may be pre-checked. Other cookies, such as those for marketing, preferences, and statistics, cannot be pre-checked: the user must actively tick the box to allow tracking through them.
Consent needs to be renewed every 12 months from the user’s first visit to the site.
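As an added example (not Dot.vu code, and not part of the original post), the JavaScript below encodes the cookie rules above together with the consent record from the consent section: strictly necessary cookies are locked on, every other category starts unticked, nothing is tracked without a matching record, withdrawal revokes every unlocked category, and a record older than 12 months no longer counts. The category names, the record layout and the function names are assumptions.

```javascript
// Added example, not part of Dot.vu: a minimal consent gate for cookie
// categories. Category names, record layout and function names are assumed.
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // renew consent every 12 months

// Strictly necessary cookies are the only pre-checked, locked category.
const CATEGORIES = {
  necessary:   { locked: true,  preChecked: true },
  preferences: { locked: false, preChecked: false },
  statistics:  { locked: false, preChecked: false },
  marketing:   { locked: false, preChecked: false },
};

// Initial banner state: nothing but the necessary category is ticked.
function defaultChoices() {
  const choices = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) choices[name] = cat.preChecked;
  return choices;
}

// Consent record: what was granted, when, how (which banner), and for whom.
// visitorId is a pseudonymous id, so the record itself adds no personal data.
function recordConsent(choices, visitorId, now = Date.now(), source = 'cookie-banner-v1') {
  const granted = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    // Locked categories cannot be refused; everything else needs an explicit tick.
    granted[name] = cat.locked ? true : choices[name] === true;
  }
  return { visitorId, granted, givenAt: now, source, withdrawnAt: null };
}

// Withdrawal keeps the audit trail and revokes every unlocked category.
function withdrawConsent(record, now = Date.now()) {
  const granted = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) granted[name] = cat.locked;
  return { ...record, granted, withdrawnAt: now };
}

// Call this before setting any cookie or firing any tracker in `category`.
function mayTrack(record, category, now = Date.now()) {
  const cat = CATEGORIES[category];
  if (!cat) return false;                                   // unknown category: never
  if (cat.locked) return true;                              // needed for the site to work
  if (!record || record.withdrawnAt !== null) return false; // no consent, or withdrawn
  if (now - record.givenAt >= CONSENT_TTL_MS) return false; // older than 12 months: renew
  return record.granted[category] === true;
}
```

The returned records are what you would store alongside the contact as proof of consent; the tracking code only ever consults `mayTrack`, never the banner state directly.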
How to ensure that your cookies are compliant with GDPR
On Dot.vu, you can add a fixed header or footer to ask for consent with as many opt-in boxes as you wish. You can offer opt-in boxes for different categories, both pre-clicked and not pre-clicked.
You can also activate ‘GDPR compliance’ on Dot.vu with one click. GDPR compliance is an option that enables different features to help you comply with the GDPR. For cookies, this means no information is collected for categories that are not pre-clicked until consent is given. For websites supporting multiple languages, you can include consent forms in more than one language.
In the cookie consent notice, you can write your privacy notice in clear and plain language. First, be sure to explain where, for how long, and why you will store this information. Second, add a link to your legal page or to a page with further cookie information.
Documenting and storing consent on Dot.vu happens automatically. It is easy to find, access, view, and delete a user profile if someone sends in a data erasure request.
If you think we left anything relevant out, don’t hesitate to leave a comment below.
Disclaimer: Dot.vu does not give legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides information to help you understand what you can do on the Dot.vu platform to comply with the law. This information isn’t legal advice, and we encourage you to seek a professional lawyer’s opinion when referring to it. To be clear, this information is in no way a recommendation or any expression of legal understanding. This page does not list all the requirements of the GDPR. It’s important that you make sure your company meets all the legal requirements of the GDPR.