Are you POPIA or GDPR compliant?


Gone are the old days of geographical isolation, where an incident in one country would not affect another country halfway across the world. The idea of the global village could not be truer today than when it was first introduced in the book War and Peace in the Global Village in 1968.

By now, I am sure you have been receiving numerous emails regarding privacy policy updates. More than likely you have brushed them off and filed them away. Unfortunately, these are not notices you can ignore. They are a direct result of the new General Data Protection Regulation (GDPR) that the EU brought into effect on 25th May 2018, as well as the POPI Act that came into effect in SA from 1 July 2020.

What is the GDPR?

Even though this is a regulation passed by the EU, it affects pretty much the entire world. If you collect any bit of information from a person in the EU (regardless of where you are based), you’re subject to this law. Why? Because you then hold information belonging to an EU citizen.

And if you are found to have been in non-compliance, you can be fined up to 20 million Euros. Ouch!

If you have been lucky, you might have even seen the plethora of GDPR-compliance posts on social media and digital news channels. Since it’s the most comprehensive set of rules for data privacy drafted so far, this legislation’s primary goal is to create a set of easy-to-follow rules for the entire EU which uphold the highest standards of data privacy.

Hopefully you are already on your way to being compliant and have gotten over the initial shock of this new law. If not, brace yourself as this one’s going to be a tough pill to swallow.

What you need to consider.

The GDPR is quite complex, but there are two main points to consider. First off, there’s the ‘right to be forgotten’. This means you’re responsible for deleting personal information upon request.

Secondly, and possibly the most important is the GDPR opt-in. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say yes, not only have the option to say no. Let me be clear on this. An opt-in is under no circumstances the same thing as an opt-out.


What you need to be GDPR / POPI compliant.

1. Breach notification policy

Basically you need to ensure that you inform your users within 72 hours if there is any data breach or compromise to their data. This is simple enough to add to your privacy policy. But be sure to follow up on this if you do have a data breach.

2. The Right to Access

All users have a right to access the information you have about them. This is also fairly simple, as most websites and email databases generally have links to “update info” or “my account” pages.

3. The Right to be Forgotten

Your users also have the right to ask you to delete their accounts and any personal information you have on them. If you are sharing their information with any 3rd party, that will have to stop immediately. This one needs some nifty code to add this “delete” option to user profiles.

4. The Right to Portability

This one’s interesting: users will be able to request that you transfer or forward their records to other services if need be. We would advise you to push back on the user and ask them to submit their data themselves instead, should they request this.

5. Privacy by design

This one’s a little tricky for the smaller businesses; it basically means that you are liable if a data breach occurs and your system isn’t secure by design. If you fail to take precautions to protect users’ information, you will be held responsible. Luckily our website developers are continually increasing security measures and protocols to keep in line with this.

6. Data Protection Officers

This is mainly for the really big guys out there, but essentially, if you handle loads of data, you will need to work with a Data Protection Officer (DPO).

Let’s be real.

That’s all very well said, but what does it mean in real terms? The actionable steps here are five-fold:

1. First, make sure your Terms of Service and Privacy Policy are GDPR compliant themselves. Add in a Cookie Policy as well while you are at it. This will contain info on:

  • How to access and download a complete record of any data you have on them;
  • The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.);
  • Exactly how you will inform users of data breaches if they ever happen;
  • Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it;
  • Any 3rd party remarketing, advertising or tracking software that you use.

2. Second, create explicit required fields on every form, indicating acceptance of both Cookie and Privacy Policies before processing anything. Checkboxes are fine, and text fields where users can type “I agree” are even better, but not that user friendly. Make sure they link to the respective pages. You should also ensure you have a double opt-in policy for any email lists.

3. Get your website developer to add in the “right to be forgotten” option as well as the cookie acceptance pop-up.

4. Get your SSL. Now more than ever, you should get an SSL certificate for your domain, ensuring any data transfer is protected by strict security protocols. Read more on the importance of an SSL here.

5. Make sure you have links to your new policies on your social media pages. And (when the option is available on these platforms) delete any conversation with a user after the “transaction” is complete.
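To make step 2 concrete, here is an added example (not code from the original post or from Banter) of how a server might validate an explicit opt-in and run the double opt-in confirmation. It assumes the web framework has already parsed the checkboxes into booleans, and the names `validate_opt_in`, `confirm_double_opt_in` and `POLICY_VERSIONS` are illustrative.

```python
"""Added example: explicit consent validation plus double opt-in.
Function and field names are assumptions for illustration."""
import hmac
import re
import secrets
from datetime import datetime, timezone
from typing import Optional

# Versions of the policies the form links to; consent is recorded against them
# so you can later show exactly which wording a user agreed to.
POLICY_VERSIONS = {"privacy": "2020-07-01", "cookie": "2020-07-01"}
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def validate_opt_in(form: dict, now: Optional[datetime] = None) -> dict:
    """Return {'ok': True, 'record': ...} only when the user explicitly opted in.

    A missing checkbox, a pre-filled default or any value other than True is
    treated as a refusal: an opt-out default is not an opt-in.
    """
    errors = []
    email = form.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors.append("email")
    for field in ("accept_privacy", "accept_cookies"):
        if form.get(field) is not True:
            errors.append(field)
    if errors:
        return {"ok": False, "errors": errors}
    now = now or datetime.now(timezone.utc)
    record = {
        "email": email,
        "consented_at": now.isoformat(),        # evidence for access requests
        "policies": dict(POLICY_VERSIONS),      # what they agreed to
        "confirmed": False,                     # set after the mailed link is used
        "confirm_token": secrets.token_urlsafe(24),  # sent in the confirmation email
    }
    return {"ok": True, "record": record}


def confirm_double_opt_in(record: dict, token: str) -> bool:
    """Second step of double opt-in: the address joins the list only when the
    token mailed to it comes back. Constant-time compare avoids leaking it."""
    if not hmac.compare_digest(record["confirm_token"], str(token)):
        return False
    record["confirmed"] = True
    return True
```

Only records with `confirmed` set to True should ever be added to a mailing list; everything else can be purged after a short grace period.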


What’s the damage?

Depending on your website setup and who manages it, this could be quite costly and time consuming. Thankfully, Banter has already implemented this on our test server and website and has created a “mini-package” that we can implement for your website at a nominal rate of R2325. This GDPR Compliance package will ensure you stay on the right side of the digital curve and the law. Get in touch now.

Going forward

Once you have this all in place, going forward, the process will be simple and streamlined, but there are a few things to keep in mind when gathering info.

Ask for the bare minimum of information needed. If a first name and email is all you really need, don’t ask them for their birthday. That’s not to say that you can’t ask for the other information. The GDPR simply says you have to tell people why you need it.

Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” This will mainly impact the simple newsletter sign-up forms you see on websites. Now they will need check boxes and/or disclaimers (depending on the info being requested).

If you are ever inclined to delete yourself from the internet entirely, then read this article.

If you are struggling to keep up with all the updates in the digital landscape, including the upcoming WordPress Gutenberg update, LinkedIn’s platform innovations, the Cambridge Analytica Scandal that caused the social media landscape to change and important developments to Google Maps APIs, then get in touch. We would love to take this load off your shoulders.
