Data compliance playbook
Complying with global data privacy laws is the new normal for online businesses. However, the increasingly complex nature of these regulations makes it difficult for companies to create an effective data compliance strategy. Not to worry. Our compliance playbook has everything you need to know to achieve and maintain compliance. Let’s dive in.

Your website is crucial to the overall success of your compliance approach. Not only that, but it is often the first point of contact with your users and therefore your best opportunity to make a good impression and start building trust.
Establishing a strong compliance foundation on your website will set you on the right path to creating an effective owned data strategy that builds trust and grows your business.
To be compliant, your website must have four key elements:
- Compliant Cookies: a cookies policy together with a cookie consent tool.
- Dynamic Privacy Policy: a comprehensive privacy policy published on your website which outlines your company’s data practices.
- Customer Preference Center: mechanisms that allow your users to exercise their data privacy rights.
- System of Record: consistent logs that let you prove your compliance.
Chapter 1
Cookies Compliance

Cookies are typically small text files that live on your website and store visitor information.
These digital cookies have several functions, including remembering previous user visits and interactions like placing items into a shopping cart.
The personal data recorded by these cookies can include an IP address, username, email address or another unique identifier.
Your Cookie Policy
Did you know it’s best practice to maintain a cookies policy that is separate from your privacy policy?
A cookies policy is a declaration to your website users about:
- What cookies are active on your website
- What data the cookies are tracking and for what purpose
- Where in the world this data is sent
Cookie Consent Management Tool
It is best practice to use a dynamic consent management tool to manage and automate your cookie compliance. We recommend implementing a non-intrusive cookie banner at the bottom of the user’s screen. This banner should contain a first layer of information about the use of cookies and should link to your Privacy Centre for further information.
The cookie banner must not ‘nudge’ the user into accepting cookies. If the banner has an ‘accept’ button, you must give equal prominence to an option that lets the user ‘reject’ cookies, or a ‘manage cookies’ option that takes them to an additional layer of information where they can do so.
Cookie Declaration
A cookie declaration should explain the tracking cookies used on your website. These should be broken down into the following categories: necessary, preferences, statistics and marketing. The cookie declaration lets you give your users additional information about each cookie: its name, provider, purpose, expiry and type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR.
Find out more about cookie best practices here.
Chapter 2
Your Privacy Policy

If you have found yourself asking, “Do I need a privacy policy on my site?”, the answer is a definite yes.
Regardless of your location, if you operate online, you are likely covered by at least one set of compliance requirements.
Your website must have a comprehensive privacy policy which outlines your company’s data practices. A privacy policy (also regularly referred to as a privacy notice) is a public document that explains how your company processes personal data and how it applies data protection principles. If you are collecting data directly from someone, you have to provide them with your privacy policy at the moment you do so.
Generally, a privacy policy should be provided in written form and is typically supplied electronically.
Rule of thumb: at a minimum, every company that maintains a website should publish its privacy policy there, and it should be accessible via a direct link from every webpage.
What are the key components of a privacy policy?
- Introduction: An overview of your organization and any subsidiaries and an outline of the scope of the policy.
- Information collected overview: A listing of the data collected, such as personal information like names, email addresses, and other contact information.
- Methods of data collection: A description of how your organization collects the above information, such as when customers register for services or complete surveys, or through the cookies set while they browse the site.
- Information usage and storage: Defines how your organization uses and stores the collected information in accordance with privacy and security regulations. This can also include elements of the visitor’s data rights and how to view and update their preferences.
- Contact details: How to contact the organization with questions or requests for the data held about a customer, or how to exercise one of their other data protection rights.
What is the best way to create and maintain a privacy policy?
Organizations that need a privacy policy on their website have several options when it comes to creating and maintaining one. However, given the dynamic nature of privacy laws and compliance regulations, some options offer more protection and peace of mind than others.
Your options include:
- Do it yourself using a template. A tempting approach; however, this option comes with the possibility of missing or misinterpreting key information and putting your business at risk of non-compliance.
- Hire a lawyer. This approach provides your organization with a privacy policy that covers the relevant laws, but it is a static solution that will require additional cost and time to update the policy as regulations or your business evolve.
- Partner with a data privacy compliance expert. A third option that overcomes the downsides of the others is partnering with an organization that provides a dynamic solution, one that constantly and automatically updates your privacy policy as legislation evolves and as your customer locations and business needs change.
Chapter 3
Data Rights Facilitation

One of the key facets of these data protection laws is the right for a consumer to access, receive, and delete their personal information from businesses. The process that facilitates users exercising their rights is called a data subject request.
So just what does a data subject request (DSR) entail, how does its process work, and what can your business do to prepare for your own customer requests?
Data Subject Rights
The GDPR has given individuals back decision-making power over their data. Organizations are now obliged to fulfill certain rights of the consumer. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What Is a Data Subject Request?
When it comes to data management, the GDPR actually refers to EU citizens as “data subjects,” and the organizations and businesses that process and use data about data subjects are known as “controllers.”
The regulation gives each data subject the following rights:
- To obtain copies of the data collected about them by businesses and organizations
- To request changes to the data held about them
- To restrict the processing of their data by businesses
- To have their data deleted from a controller’s holdings
- To receive their data in an electronic format so it can be moved to another controller
The CCPA grants similar rights and, as with the GDPR, formalizes the process of exercising these rights through a DSR process.
Once a controller receives a DSR, they are obligated to “take appropriate measures” to consider each DSR. Additionally, “the controller shall not refuse to act on the request of the data subject for exercising his or her rights.”
Chapter 4
System of Record
In the previous chapter, we explained what a data subject request is. We will now go through what you must do with these requests to prove compliance over time.
The fourth and final requirement to have a compliant website is a System of Record. So, what does this involve? Simply put, a system of record is an audit log of the personal data activities you have had with your users.
A best-in-class system of record contains:
- Relevant internal documentation
- Consent collection logs
- Data processing legal basis log
- Data rectification log
- Data deletion requests log
- Custom request logs
If you are handling any data access requests at all, you must be able to show what you did to handle these requests and how long you took to facilitate them.
Best practice is to have a central repository of all of these requests and an audit log showing the steps taken to action them.
System of Record for Marketing
A system of record is essential in actioning compliance requests and is also crucial to your marketing efforts. To market with confidence, it is key that you maintain a system of record that shows what consent was collected.
You must maintain a clear audit trail for records of consent. In most countries, each contact you market to should have an auditable trail detailing your basis for contacting them. Whether it is based on consent or legitimate interest, you must prove a compliant basis for contacting a user. By having a system of record, you will be able to categorize your marketing contacts so that you know whom you can market to and why.
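The consent gate and consent log described in Chapter 1 and in this chapter, as an added example that is not Dataships' code: the four cookie categories named above, no non-necessary cookies without an explicit grant, and an append-only record of what was consented to, when, how, and under which policy version. The function names, the record shape and the visitor IDs are assumptions for illustration.

```javascript
// Added example (not Dataships' code). Cookie categories as named in the
// cookie declaration section; the record fields are an assumed shape.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Append-only system-of-record entries. In production this would be durable,
// tamper-evident storage rather than an in-memory array.
const CONSENT_LOG = [];

// Record a banner or preference-centre decision. `choices` maps optional
// categories to true/false; anything not explicitly granted counts as refused,
// so "reject all" or simply closing the banner yields only "necessary".
function recordConsent({ visitorId, choices = {}, method, policyVersion, now = new Date() }) {
  const granted = { necessary: true }; // strictly necessary cookies need no consent
  for (const cat of CATEGORIES.slice(1)) {
    granted[cat] = choices[cat] === true;
  }
  const entry = Object.freeze({
    visitorId,
    timestamp: now.toISOString(),
    method,        // e.g. "banner-accept-all", "banner-reject-all", "manage-cookies"
    policyVersion, // which cookie/privacy policy text the user actually saw
    granted: Object.freeze(granted),
  });
  CONSENT_LOG.push(entry);
  return entry;
}

// The most recent decision wins, so a later withdrawal of consent is honoured.
function latestConsent(visitorId) {
  for (let i = CONSENT_LOG.length - 1; i >= 0; i--) {
    if (CONSENT_LOG[i].visitorId === visitorId) return CONSENT_LOG[i];
  }
  return null;
}

// Gate to call before setting any cookie: is this category permitted for this
// visitor right now? No record at all means no implied consent.
function mayUseCategory(visitorId, category) {
  if (!CATEGORIES.includes(category)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
  if (category === "necessary") return true;
  const rec = latestConsent(visitorId);
  return rec !== null && rec.granted[category] === true;
}
```

Each log entry doubles as the evidence the system of record needs: who consented, to which categories, via which method, against which policy version, and when.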
Part 2
Optimize how you collect personal data
Now that you know how to get compliant, it’s time to understand your consent collection set-up, including:
- What owned data you have in your system
- What method you used to collect it
- Your privacy policy at the time
Get and stay compliant with Dataships
Dataships provides end-to-end online compliance designed to give your customers control of their data while ensuring you stay compliant with the latest data privacy updates.