Are you GDPR compliant?
What is the GDPR?
Even though this is a regulation passed by the EU, it affects pretty much the entire world. If you collect any bit of information from a person in the EU (regardless of where you are based), you’re subject to this law. Why? Because you then hold information owned by an EU citizen.
And if you are found to be non-compliant, you can be fined up to 20 million Euros. Ouch!
If you have been lucky, you might even have seen the plethora of GDPR-compliance related posts on social media and digital news channels. Since it’s the most comprehensive set of rules for data privacy drafted so far, this legislation’s primary goal is to create a set of easy-to-follow rules for the entire EU that uphold the highest standards of data privacy.
Hopefully you are already on your way to being compliant and have gotten over the initial shock of this new law. If not, brace yourself, as this one’s going to be a tough pill to swallow.
What you need to consider.
The GDPR is quite complex, but there are two main points to consider. First off, there’s the ‘right to be forgotten’. This means you’re responsible for deleting personal information upon request.
Secondly, and possibly most important, is the GDPR opt-in. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say yes, not merely have the option to say no. Let me be clear on this: an opt-in is under no circumstances the same thing as an opt-out.
What you need to be GDPR compliant.
1. Breach notification policy
2. The Right to Access
All users have a right to access the information you have about them. This is also fairly simple for most websites and email databases, which generally already have links to “update info” or “my account” pages.
3. The Right to be Forgotten
Your users also have the right to ask you to delete their accounts and any personal information you have on them. If you are sharing their information with any 3rd party, that will have to stop immediately. This one needs some nifty code to add a “delete” option to user profiles.
4. The Right to Portability
This one’s interesting: users will be able to ask you to transfer or forward their records to other services if need be. We would advise you to push back on the user and ask them to submit their data themselves if they request this.
5. Privacy by design
This one’s a little tricky for the smaller businesses; it basically means that you are liable for a data breach if your system isn’t secure by design. If you fail to take precautions to protect users’ information, you will be held responsible. Luckily our website developers are continually increasing security measures and protocols to stay in line with this.
6. Data Protection Officers
This is mainly for the really big guys out there, but essentially, if you handle loads of data, you will need to work with a Data Protection Officer (DPO).
Let’s be real.
That’s all very well said, but what does it mean in real terms? The actionable steps here are five-fold:
1. First, update your privacy and cookie policies so that they spell out:
- How users can access and download a complete record of any data you have on them;
- The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.);
- Exactly how you will inform users of data breaches if they ever happen;
- Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it;
- Any 3rd party remarketing, advertising or tracking software that you use.
2. Second, create explicit required fields on every form, indicating acceptance of both the Cookie and Privacy Policies before processing anything. Checkboxes are fine, and text fields where users can type “I agree” are even better, but not that user-friendly. Make sure they link to the respective pages. You should also ensure you have a double opt-in policy for any email lists.
3. Get your website developer to add in the “right to be forgotten” option as well as the cookie acceptance pop-up.
4. Get your SSL. Now more than ever, you should get an SSL certificate for your domain so that any data sent to or from your site is encrypted in transit. Read more on the importance of an SSL here.
5. Make sure you have links to your new policies on your social media pages. And (when the option is available on these platforms) delete any conversation with a user after the “transaction” is complete.
What’s the damage?
Depending on your website setup and who manages it, this could be quite costly and time consuming. Thankfully, Banter has already implemented this on our test server and website and has created a “mini-package” that we can implement for your website at a nominal rate of R2325. This GDPR Compliance package will ensure you stay on the right side of the digital curve and the law. Get in touch now.
Once you have this all in place, going forward, the process will be simple and streamlined, but there are a few things to keep in mind when gathering info.
Ask for the bare minimum of information needed. If a first name and email is all you really need, don’t ask them for their birthday. That’s not to say that you can’t ask for the other information; the GDPR simply says you have to tell people why you need it.
Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” This will mainly impact the simple newsletter sign-up forms you see on websites. Now they will need check boxes and/or disclaimers (depending on the info being requested).