General Data Protection Regulation (GDPR) has introduced a paradigm shift in the ownership of personal data. Currently, in the hands of businesses, GDPR attempts to transfer ownership of private information back to the individual. The inaugural Data Protection World Forum (DPWF) 2018, recently held in East London, explained how GDPR is trying to address privacy concerns within the region and how its implementation will affect businesses, especially SMEs.
GDPR compliance is a legal necessity for all businesses operating within the European Union (EU) and the European Economic Area (EEA). According to eComply, implementation of GDPR will take around 200 hours for SMEs if they start from scratch. Changing the way organisations collect and manage data, failure to comply may lead to penalties for businesses in the future (Read Article 83).
Coming into force in May 2018, businesses have been given time to adjust to GDPR since compliance is a long-term, step-by-step process for businesses that already have established structures and processes. The Information Commissioners Office (ICO) has also stated that small businesses that have not aligned with the new regulation post D-Day will not be treated harshly. Hence, SMEs should not be fearful of this regulation. Compliance will prove to be beneficial for consumers and businesses alike in the long-term, so start now.
Here are 8 ways you can make your app/website GDPR compliant:
1. Consider Whether You Need to Keep All the Data
The less customer information you hold, the more your chances are of becoming GDPR compliant. However, this doesn’t mean that you let go of relevant data. It is important is to always ask: Do you need it?
2. Increased Rights over Personal Data
GDPR has granted more rights over personal data to website visitors and customers. They now have the right to know what information the business is storing and whether proper consent was taken before storing it. They can question business practices.
Article 21 states,
“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
3. Inform Users about Breach of Personal Data
A personal data breach refers to illegal access, alteration, destruction or loss of personal data. In case of a breach of privacy, it is essential to inform users without delay, and mention how this is likely to affect their rights and freedom. Relevant authorities should also be informed within 72 hours of the breach.
To know more about how to respond to a personal breach, refer to this checklist.
4. Encryption of Data
Recital 83 of GDPR states that proper encryption techniques should be implemented in order to maintain security of processing of private information. These measures should ensure a satisfactory level of safety regarding sensitive information of users/customers.
There are two subdomains of data encryption:
- Encryption related to Web Traffic (HTTPs)
- Encryption pertaining to data storage
An HTTPs connection uses SSL/TSL cryptographic protocols which ensure a secure connection between the two parties. Similarly, it is essential to encrypt personal data making it impossible to decipher without relevant decryption keys. This will ensure security of data.
5. Clear Consent Forms
It is imperative for users to understand what they are accepting to share when agreeing to consent forms. No information should be stored until proper consent is given. Furthermore, terms and conditions should not be vague and should be easily accessible for visitors.
Moreover, consent forms should employ an opt-in approach, i.e. the check boxes on the form should be unfilled so that users can choose to share their information. Previously, companies automatically checked the share information box, which most users neglected to see. Therefore, it is important that consent forms should have an opt-in approach.
6. Ease of Withdrawing Consent
How would you feel if you are unable to retract a decision you have made? Bad, right? Well your users will feel the same if you don’t give them that option. If a user chooses to unsubscribe, their data should be erased. Plus, it is mandatory to do so under GDPR. In order to be compliant, it is necessary that you provide users with an option that allows data to be deleted, and future activity to remain untraceable.
Apart from this, users should be given the right to reject any business intelligence tracking or other consent form requirements. This ensures privacy of sensitive information.
7. Third Parties that Contain Users’ IP Addresses
If your system shares user data with third parties, it is necessary for you to mention the name of the parties involved. User consent is required separately for each individual party. Whilst users generally do not want their data shared with third parties, mentioning how third parties might use their data could persuade their consent.
Similarly, if your software or app uses logs that store IP addresses, visitors should be informed about how their information will be used. You should also encrypt your logs post approval.
8. Hire an Expert to Do This for You
If you are confused about how to integrate these changes with your current business processes, hire a Data Protection Officer (DPO). Companies may lack the knowledge and expertise of implementing GDPR correctly. Another option is to hire an external company to help you comply properly.
While this all may seem like a lot of effort from your side, the upside is that compliance will be good for business – potential customers will trust you more.
GDPR is here to stay. Consumers are preferring GDPR compliant businesses more and are prepared to take action against those who have not implemented GDPR properly. By following these steps, you too can be GDPR compliant.
Step 1: Consider whether you need all the data you are collecting and storing. Delete unnecessary data.
Step 2: Ensure privacy and safety. Encrypt data.
Step 3: Have clear consent forms with an opt-in approach.
Step 4: Give users the option to withdraw consent or unsubscribe.
Step 5: Inform users of any third parties with whom their information is being shared, and make them aware of logs that store their IP addresses.
Step 6: Consider talking to an expert, not simply to avoid a potential GDPR abuse fine, but to ensure that you are doing all you can to protect your users.