GDPR is in full-swing, and not just in the United Kingdom. All over the world, businesses working with U.K. clients, customers, and leads have to follow these new privacy and data security regulations. Faced with the risk of a steep fine (up to $23 million), businesses are doing all they can to make sure they’re in compliance.

Last month, we told you everything you need to know about GDPR. This month, we’ve put together a GDPR checklist for your marketing team, your web developers, and everyone in between.

Under GDPR, there’s no more pre-ticked boxes or clever ploys to get people on your mailing list. Whether or not users want to give you their data is up to them; and, while data can be given, it can be taken away even quicker.

• Notify users about cookies and terms of agreement. A top bar on your website should be visible on every page until the user explicitly agrees to your terms by selecting a visible “I Agree” button.
• Do not use pre-ticked boxes. Whether your users are signing up for a newsletter or agreeing to your terms and conditions, pre-ticked boxes are now firmly off limits. A user must explicitly opt in, not out.
• Verify customers’ ages. This is extremely important if you’re a business collecting the data of minors. Only parents or guardians can consent to the data—names, locations, etc.—of their children under 16 being collected. You also have to prove that the parent, in fact, is the one who gave consent.
• Give customers a way to withdraw consent. If a customer decides they no longer want you to collect their information, you have to give them a clear way to withdraw their consent, such as through a form.

Keeping up-to-date with GDPR is going to require a lot of research and housekeeping. You’ll need to know what data you’re collecting, have a privacy policy in place, and detail a training plan for your employees.

• Keep data recorded and organized. GDPR requires that you and your team not only have the data you collect at the ready but the reasons why you collect this data on hand too. Know exactly what data you collect, where it comes from, what you do with it, and how long you have it on file.
• Have a privacy policy. All of the above information about data, its source, and its whereabouts should be in a visible privacy policy on your site that users can access and refer to at all times.
• Be open to requests. If customers want to change the data you’ve collected on them, whether it’s their name, address, or something else, they should be able to. They also should be able to request the deletion of the data you’ve collected, and be able to request access to their data for their own needs or those of a third-party.
• Train your team. You and your team should have up-to-date knowledge on GDPR’s data regulations. If you can, appoint a person of contact who can study up on GDPR. They can be the person your team goes to for questions or concerns.

Your data practices are only as good as the security behind them. You can follow every rule of GDPR, but if you’re not protecting the data you’re collecting, you’ll never be fully compliant.

• Conduct risk assessments. How secure is your data? Have an IT team conduct a risk assessment of your data infrastructure. Where is it weak? Where can changes be made? Is anything at risk of slipping through the cracks?
• Update your technology. Technology is always changing. Hackers find ways to steal data, developers come up with a fix, and the process starts again. That’s why it’s so important to ensure your technology and software are updated to the latest versions available at all times.
• Train your team (again). As mentioned before, your employees are also your number one security threat. A simple mistake, such as sending a password over unencrypted email, can result in a data breach that costs millions of dollars. Make sure your employees know where data risks lie.

Ensuring your business is in compliance with GDPR is a team effort. Such an effort isn’t hard, but it will take a lot of organization and planning to work seamlessly. The internet is changing, and now our practices must too.