How to stay GDPR compliant on


The GDPR is one of the most significant initiatives on data protection in Europe. It introduces changes and new rights for individuals, such as the right to be informed, the right of access, the right to erasure, the right to data portability, and more. The extensive 88-page regulation means companies need to review their current practice with private data, such as how they obtain consent and how they inform individuals about the way their data is processed, with more transparency than before.

The GDPR holds companies accountable with fines of up to 4% of annual global income for failing to comply. It also covers something called ‘privacy by design’, which means companies are responsible for building data protection into systems from the beginning, rather than adding it afterwards. Companies are therefore accountable for implementing appropriate technical and organisational measures to meet the GDPR requirements.

The platform was designed – from the very beginning – with data privacy in mind. The platform processes and stores a lot of private data, and therefore it’s easy to track and review all individual data and take measures to comply with the GDPR on the platform. Below you can read about a couple of initiatives you can take on the platform to comply with the GDPR. Be aware that the following text does not include everything your company needs to do to comply with the GDPR, only recommendations on what can be done on the platform. For further reading on the GDPR, we refer to the European Commission’s website.

What is personal data?

The General Data Protection Regulation considers any information relating to an individual, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address as personal data.

Data permission

The GDPR sets a high standard for consent, and from 25 May you will no longer be allowed to assume people want to be contacted. According to the GDPR, users must give unambiguous consent through a ‘clear affirmative action’ before receiving marketing material from a company.

That means pre-ticked opt-in boxes are not allowed, and consent must be separate from other terms and conditions. The people who opt in must also be able to withdraw their consent at any time and be informed that they have the option to do so.

It’s also important to state which organisations and third-party controllers will rely on this consent.

Everything, including the terms and exactly what your contacts are opting in for, must be explained in clear, plain, easy-to-understand language. This means companies can no longer hide behind long, impenetrable legal terms of use; everyone must be able to understand them.

Further, you must keep clear records of the consent given and be able to demonstrate it: who consented, when, how, and what they were told at the time.

How to ensure your future contacts are GDPR compliant

It’s important to update your terms, privacy notice, and opt-in forms under the new regulation. Many companies have responded by offering multiple opt-in options, so people can choose what type of content they will receive when contacted and know exactly what they are opting in for. For example, there can be separate opt-ins for news, new products, offers, etc.

On the platform, you can set up lead forms with as many opt-in options as you like – and include check boxes that are not pre-clicked. The consent given through the lead form is also attached to the contact for documentation and is always available to review.

How to ensure your current contacts are GDPR compliant

You need to review how you obtained your current email contacts on the platform, along with the information you store about them, to ensure they were obtained in accordance with the GDPR. If you obtained contacts through methods that are not compliant with the GDPR, such as pre-clicked opt-in forms, or did not explicitly specify the purpose of the data collection or the data processing, you need to refresh the consent.

On the platform, you can easily look at the history of each contact and see when and how it was obtained, such as through which campaign or which piece of interactive content, and review your privacy notice and terms at the time to learn whether it was done using GDPR-compliant methods.

If you have contacts obtained through methods that are not compliant with the GDPR, you have until 25 May to refresh the consent. Learn more about methods to refresh consent through interactive content here.

Data access

The GDPR gives users more control over how their personal data is handled, which includes the ability to access and remove it. That brings us to the next three rights presented in the GDPR: the right of access, the right to data portability, and the right to be forgotten. Each request must be replied to without undue delay, within one month.

Access request

The GDPR includes the right for contacts to receive confirmation as to whether or not a company is processing personal data concerning them, including information on where and for what purpose. The company should also provide a digital copy of the personal data, free of charge. The request should be processed within 30 days.

That’s why it’s important to make sure users can access their data, review it, and make changes. This can be as simple as a link in an email to an email-settings page, where the user can check what information they want to receive emails about.

Right to data portability

Data portability is the right for a contact to receive the personal data they have previously provided to a company in a digital format, and the right to forward that data to another company. The request must be replied to without undue delay, within one month.

Right to be forgotten

The right to be forgotten, also known as the right to erasure, entitles the contact to have the company holding their data erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The request must be replied to without undue delay, within one month.

Below are examples of situations where companies need to comply and erase personal data (note, the list is not exhaustive):

  • The data is no longer necessary in relation to the purpose for which it was collected
  • The individual withdraws their consent, and there is no other legal ground for keeping the data
  • The data was unlawfully processed

How to ensure your data access is compliant with GDPR

On the platform, you can easily look up a contact to review all the personal information you have obtained. This includes contact information, dates of interaction, and information gained through interactive content (such as their favourite colour from a quiz). You can export all the information in a digital format.

Cookies

When it comes to cookies, there are two issues to consider: privacy (what is being registered through cookies) and transparency (who is tracking the information, for what purpose, where the data goes, and for how long it stays there).

As with most things in the GDPR, the user must be informed about why and how the personal data is stored. It should be made clear to the user, in plain English, what they are consenting to, and it must be possible to opt in to and opt out of the cookies. And, finally, consent should be given through an ‘affirmative’ action (not a pre-clicked box).

The user must also be given a ‘true choice’, meaning they should still be able to access the website after rejecting all but the strictly necessary cookies. The user should be able to withdraw their consent as well, and the right to be forgotten also applies to cookies. And don’t forget: nothing but strictly necessary cookies may be set until consent for cookies is given.

It’s crucial to store and document the consent provided.

All of this means it’s no longer enough to offer a simple ‘OK’ button to accept cookies, or to treat a visitor as having given consent simply by using the website.

Cookies will now be grouped into categories, which the user should be allowed to check or uncheck. The necessary cookies are whitelisted: they can be pre-checked and the user should not be given the option to uncheck them. These are, however, only the cookies the website needs in order to function. Beyond that, a cookie category that does not handle personal data may also be pre-checked. Other cookies, such as those for marketing, preferences, and statistics, cannot be pre-checked, and the user must actively tick the box to allow tracking through them.

Every 12 months, from the user’s first visit to the site, the consent needs to be renewed.
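The consent model described in the cookie section above, as an added example that is not code from the original post or from the platform it describes: cookie categories where only the strictly necessary category is on by default and cannot be unchecked, a consent record that captures who/when/how/what (the choices, the time, the affirmative action, and the version of the notice shown), withdrawal, expiry after 12 months, and a gate that refuses to run any tracker whose category has no valid consent. The category names, the record layout, and all function names are assumptions made for this illustration.

```javascript
// Added example, not the platform's own code. Category names, storage layout
// and helper names are assumptions for illustration.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
// Strictly necessary cookies may be pre-checked and can never be unchecked.
const LOCKED = new Set(["necessary"]);
// Consent has to be renewed every 12 months from the first visit.
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;

// State before the visitor has acted: only the necessary category is on.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, LOCKED.has(c)]));
}

// Build the consent record. Locked categories are always granted; every other
// category needs an explicit `true` (an affirmative action), never a default.
function recordConsent(choices, { noticeVersion, method, at = Date.now() }) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = LOCKED.has(c) ? true : choices[c] === true;
  }
  // The record documents what was agreed, when, how, and which notice text
  // the visitor saw, so the consent can be demonstrated later.
  return { granted, at, method, noticeVersion, withdrawnAt: null };
}

// Withdrawal keeps the original record (for audit) but resets the choices.
function withdrawConsent(record, at = Date.now()) {
  return { ...record, granted: defaultChoices(), withdrawnAt: at };
}

function isExpired(record, now = Date.now()) {
  return now - record.at >= CONSENT_TTL_MS;
}

// Central gate: may a cookie/tracker in `category` run right now?
function mayUse(record, category, now = Date.now()) {
  if (LOCKED.has(category)) return true;
  if (!record || record.withdrawnAt !== null || isExpired(record, now)) return false;
  return record.granted[category] === true;
}

// Only trackers whose category has valid consent are executed; the rest are
// skipped entirely rather than loaded and "disabled" afterwards.
function loadTrackers(record, trackers, now = Date.now()) {
  const loaded = [];
  for (const t of trackers) {
    if (mayUse(record, t.category, now)) {
      t.load();
      loaded.push(t.name);
    }
  }
  return loaded;
}

// Stand-alone demonstration with constructed data.
const demoRecord = recordConsent(
  { statistics: true }, // visitor ticked only "statistics"
  { noticeVersion: "2018-05-v1", method: "banner-checkbox", at: 1000 }
);
const demoTrackers = [
  { name: "session", category: "necessary", load() {} },
  { name: "analytics", category: "statistics", load() {} },
  { name: "ads", category: "marketing", load() {} },
];
console.log("loaded:", loadTrackers(demoRecord, demoTrackers, 2000));
console.log("after expiry:", loadTrackers(demoRecord, demoTrackers, 1000 + CONSENT_TTL_MS));
```

The point of routing every tracker through `mayUse` is that the "no tracking before consent" rule is enforced in one place: a tracker that is never loaded cannot set cookies, which is a stronger guarantee than loading it and hoping it honours a flag. Expiry is measured from the recorded consent time, so the renewal prompt can be driven from the same record that proves the original consent.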

How to ensure that your cookies are compliant with GDPR

On the platform, you can add a fixed header or footer to ask for consent with as many opt-in boxes as you wish. You can offer opt-in boxes for different categories, either pre-clicked or not pre-clicked.

You can also choose to activate ‘GDPR compliance’ on the platform with one click. GDPR compliance is an option that enables several features to help you comply with the GDPR. For cookies, this means that no information is collected for categories that are not pre-clicked until consent is given, and you can include consent forms in multiple languages for websites that support multiple languages.

On the cookie consent, you can write your privacy notice in clear and plain language, explaining where, how long, and why this information is stored, and add a link to your legal page or further cookie information page.

Documenting and storing consent on the platform happens automatically: every consent is attached to the user profile, making it easy to find, access, view, and delete if someone sends in a data erasure request.

Hopefully, this blog has helped you get started on your GDPR process. If you think we left anything relevant out, don’t hesitate to leave a comment below.

This was the third part of a series on the GDPR; stay tuned on the blog for more. For more information about the GDPR and Dot, have a look at our special GDPR page.

Disclaimer: This website does not provide legal advice for your company to use in complying with EU data privacy laws such as the General Data Protection Regulation. Instead, it provides information to help you better understand what can be done on the platform to comply with the law. This information isn’t legal advice, and we encourage you to seek a professional lawyer’s opinion when referring to it. To be clear, this information is in no way a recommendation or any expression of legal understanding. Nor does this page list all the provisions of the GDPR, and it’s important that you make sure your company meets all the legal requirements of the GDPR.
