August 13, 2019 GDPR Compliance – Is your Site Ready to Rock?
GDPR Compliance: Is your Site Ready to Rock?
GDPR (General Data Protection Regulation) is a new data privacy law from the EU consisting of a long list of regulations for the handling of consumer data.
You might be thinking, “So it’s a law from the EU, so what? We operate in the US & Asia only.”
Not so fast. Just because your firm is outside the EU doesn’t mean you can avoid penalties that the EU has promised to impose should you fail to observe GDPR compliance when dealing with EU citizen data.
The goal of this legislation is to unify existing data protection guidelines while increasing the levels of protection for individuals. The framework was under negotiation for over four years and it finally came into effect on May 25th, 2018.
These reforms are designed to help customers gain a greater level of control over their data, and also encourage (i.e.force) companies to be more transparent throughout the data collection and use process. It’s intended to bring existing legislation up to par with the connected digital age in which we live. Since data collection has become such an everyday part of our lives both on a personal and business level it helps to set the standard for data-related laws.
The Guidelines in a Nutshell:
- Obtaining consent
Your terms of consent are required to be clear. It’s not acceptable to cram a bunch of legal jargon designed to confuse your users into 56 pages written in 4 pt font. (Cough… @Apple) Consent must be easily given and freely withdrawn at any time.
- Timely breach notification
If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Failure to report breaches within this timeframe will lead to significant fines.
- Right to data access
If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.
- Right to be forgotten
Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, your customers have the right to request that you totally erase their personal data.
- Data portability
This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.
- Privacy by design
This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your systems of data collection the right way will result in… you guessed it→ a hefty fine.
Onward to the To-do list..
Consider appointing a Data Protection Officer
Your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.
Try to develop efficient data protection and privacy strategy based on your situation. Ideally, you should consider each area of your business and look at how you collect, process, disclose, store and delete data.
You must communicate to individuals the legal basis for processing the data, how long you plan to store the info, outline how complaints can be filed when customers are unhappy with your implementation, whether their data will be subject to automated decision making, and their rights under the GDPR. Again, this should be written in concise, easy to understand and clear language.
Your staff should be aware of the basic principles of the GDPR and the procedures being implemented for compliance.
- Map and document data streams performed by data processors.
- Be fully transparent to the user who is giving up their information.
- Give informative notice to your employees, vendors, and clients.
- Configure your consent method to use explicit/active consent when processing sensitive personal data on your website.
“C” is for Compliance!
Data controllers should always cooperate with the Supervisory Authority regarding the fulfillment of their tasks.
Schedule regular audits of data processing activities and security controls in your organization. Keep records of personal data processing up to date for proof of consent.
Check what other vendors are doing
Because GDPR is sort of vague, the market will have to come up with different tactics to make sure that data is in compliance but does not sacrifice UX. Its not a bad idea to check competitor websites for changes and best practices for your niche.
Continue working on operational policies, procedures, and processes
As mentioned before, privacy is not a one-time project. It is continuous work to make sure that the data you collect is safe and used with the proper scope. You should review your procedures to ensure they cover all the rights individuals have.
- Have a breach reporting mechanism in place.
- Bring internal procedures in line with the GDPR and privacy policies.
- Review and update employee, customer and supplier contracts.
- Secure personal data through appropriate organizational and technical measures.
- Verify if data transfers outside the EU are compliant with GDPR requirements. Do not forget about the transition points.
Basically, adjusting forms and getting consent for cookies should fix most of these issues. However, keep in mind, this is not legal advice.
The short version: inform your visitors in plain language about the purpose of your cookies and trackers before setting anything other than strictly necessary cookies.
There are different ways companies implement this, and the GDPR reference to cookies isn’t exactly clear. What you need to know here, is that another European regulation (ePrivacy) is coming out which will legislate cookies even more.
There are tons of free messaging aps and free email providers out there that have advertising mechanisms built-in to basically spy on users and collect your information. We can’t assume that info won’t end up in the wrong hands.
iPBX Circle (app and softphone) is our proprietary cloud communication platform with web-conferencing, chat, and file-sharing features built in. Security and reliability is our #1 priority which is why this software is a GDPR-compliant carrier grade platform designed to safeguard your companies sensitive communications. Feel free to drop us a line. We’d be happy to provide you with a free demo account for a limited time. In the mean-time be sure that you’re up to date on your GDPR Compliance: Is your Site Ready to Rock?