The General Data Protection Regulation and what you need to know about it
The General Data Protection Regulation (GDPR) is the name of the new European privacy regulation that came into effect on May 28, 2018. The purpose of the GDPR is to give all individuals in the European Union (EU) increased control over their personal data. Through new regulation, the GDPR is changing the way data is captured, used and managed.
The GDPR applies to all websites or mobile applications collecting data from EU residents. Since the internet is a global marketplace, GDPR can apply to virtually any online business located anywhere in the world.
Failing to comply with the GDPR could result in fines of up to €20 million or 4% of your global turnover, whichever is greater. The GDPR fines apply to non-EU nations like the United States.
At its core, the GDPR requires that consent to the use of data be “freely given, specific, informed, and unambiguous.” The GDPR also requires privacy policies to be “concise, transparent, accessible, and written in clear and plain language.” In addition, information about data collection and processing practices must be easily accessible to the consumer and free of charge to access.
Below are some tips on complying with the GDPR.
WEBSITE POLICIES REGARDING PERSONAL DATA MUST BE TRANSPARENT AND CLEAR
OPT-IN PROVISIONS MUST BE VOLUNTARY
Under the GDPR, your website cannot automatically opt in a customer. Ensure that your website and marketing materials do not present check boxes that are already checked, and that customers are not opted in by default. You must give your customers the choice to opt in by clicking their own boxes.
OPT-OUT PROVISIONS MUST BE CLEAR AND EASY
Once a customer has opted in, you must provide a way for them to unsubscribe or opt out at any point, and this must be easy to do and clearly marked.
KEEP RECORDS WITH AN EYE TOWARDS AUDITS
Keep good records. You should be able to show how your customers’ consent was requested, captured and stored. Make sure your records are clear enough to pass an audit.
CHECK IF CONSENT NEEDS TO BE REFRESHED OR OBTAINED
Re-examine existing marketing databases and your website to ensure proper consent was originally obtained. You may determine that consent needs to be refreshed since the passage of the GDPR.
KEEP TRACK OF YOUR DATA AND WHERE IT IS LOCATED AND STORED
Your website might be collecting personal data, so be aware of all the types of personal data it collects. It is important to determine what data is necessary to collect and where it is located (e.g., whether third parties have access to it). Limiting the amount of data you collect can be beneficial: it reduces storage expenses and reduces liability and disclosure efforts following a data breach.
ENCRYPT YOUR DATA
Consider using encryption as part of your data collection and storage. It protects personal data by making it unreadable should it fall into the wrong hands. Furthermore, encrypted data can be considered “unintelligible”, and in some cases you do not need to disclose unintelligible data following a data breach.
PROVIDE CONTACT INFORMATION FOR DATA PRIVACY PERSONNEL
Clearly list on your website the contact information for your data privacy personnel. The GDPR requires companies to provide consumers with the ability to view, edit, or delete their personal information. Consumers also have the right to send inquiries regarding their information. Make sure consumers have easy access to whoever is responsible for managing personal data, so that inquiries can be made.
RIGHT TO BE FORGOTTEN
Develop and offer a process that works for your company for easy data deletion. Completing data requests can be time-consuming, so make sure you have processes in place to handle deletion requests in a timely manner.
HAVE A PLAN FOR A POTENTIAL DATA BREACH
Plan for a data breach. Should a breach happen, make sure you know what to do, whom to contact and that all necessary notification forms are in place. Additionally, you may want to obtain a cyber-security insurance policy. If you already have cyber insurance, check your policy to confirm what is covered.
HAVE A PLAN FOR PORTABLE DATA REQUESTS
Prepare for data portability requests. Another main component of the GDPR is allowing consumers to transfer their personal information from one service to another quickly and easily via a common format (e.g., a CSV file).
MAKE SURE MOBILE APPS ARE ALSO GDPR COMPLIANT
The GDPR also applies to mobile apps or devices that collect personal data. To ensure you are compliant with the GDPR, spend some time reviewing the data your mobile app collects, where it goes and why it is collected.
The GDPR recognizes the concept of “legitimate interest”. This concept covers those areas where you do not need to ask for permission to process data that you already hold about your customers. This includes contacting previous customers regarding other products and services you consider to be relevant. Legitimate interest does not require specific marketing consent, so long as the content is relevant and based on your previous interaction with the customer.
The GDPR regulations can be onerous. Please contact Hackler Flynn and Associates if you need assistance in compliance.