GDPR (General Data Protection Regulation) is a new and far-reaching privacy regulation that takes effect on 25 May 2018. Its goal is to strengthen data protection for people in the EU and change how companies approach data privacy and information security. GDPR is the single biggest change in personal data protection in the past 20 years! The new framework is ambitious, intricate and rigorous, but after the Snowden revelations and with ever-growing technological advances, it was much needed and long overdue.
I’m under the impression that companies are not taking GDPR as seriously as they should. If you don’t comply, the penalties will be brutal: fines of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. That is enough to shut a company down, so it’s essential that you are ready for May 2018, and there is a lot to do in the next six months if you want to meet every single requirement. The road to GDPR compliance is complex: the regulation runs to 99 articles and brings a long list of new obligations, so the sooner you start the better.
I’m not going into the details of GDPR because the documentation is massive, but don’t get overwhelmed by the sheer number of things to do. If you already comply with the current rules (the 1995 Data Protection Directive and the national laws that implement it), you are on a good path. Companies with fewer than 250 employees are exempt from some of the record-keeping obligations (unless their processing is risky, is not occasional, or involves special categories of data), but the core principles of honesty and transparency towards your customers apply to everyone. Microsoft released a benchmark questionnaire so you can quickly see where you stand.
Here are the first steps you can take to start implementing GDPR:
- Develop company-wide awareness: Set a sense of urgency among your teammates, because GDPR is not a trivial pursuit. If they are informed about the whole process of change, they will tackle their assigned tasks more seriously and with greater care. Raising awareness of GDPR guidelines and restrictions is imperative for product design and development, for employees as well as for clients.
- Appoint a staff member to look after data protection: GDPR makes a Data Protection Officer (DPO) mandatory only for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data, but every company benefits from naming someone responsible. You can give the role to someone who already has a similar function, as long as that person can ensure the protection of personal data (a broader notion than the American PII, Personally Identifiable Information) with no conflict of interest; someone who decides the purposes and means of processing, such as the head of IT or marketing, cannot also be the one who polices it.
This position requires:
a) Informing and advising the employer and other employees
b) Monitoring compliance with the provisions of the Regulation and the company’s own policy
c) Providing advice on, and helping to carry out, data protection impact assessments
d) Acting as the contact point for, and cooperating with, the supervisory authority
A single DPO can act for several businesses as a joint officer, provided that he or she is easily accessible from each establishment for all their needs. If nobody on your team fits this profile, you will have to hire someone, and you can do that through a service contract with an external DPO. It is estimated that GDPR will generate up to 30 thousand new jobs in the European Union!
- Audit and review existing systems and procedures: This is an excellent opportunity to clean up your data, check that you have valid contracts with your customers and your processors, and make sure all your subcontractors are legitimate. Document all the personal data you hold, where it came from and who you share it with. For instance, if you hold inaccurate personal data and have shared it with another organisation, you will have to tell that organisation about the inaccuracy so it can correct its own records.
- Conduct a risk assessment: Identify the potential hazards accurately and keep a record of your findings; for processing that is likely to be high-risk (profiling, large-scale monitoring, sensitive data) GDPR requires a formal Data Protection Impact Assessment. The risk to assess first is the risk to the rights and freedoms of your users or customers, not the financial risk your organisation faces when personal data is compromised. GDPR (Article 32) names concrete security measures: pseudonymisation and encryption of personal data; the ability to ensure the confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data promptly after an incident; and regular testing of all of these. The process of recovering from a data breach should therefore be written down in advance, so that it serves as a prepared playbook rather than an improvised crisis response.
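The pseudonymisation the regulation mentions is easy to get wrong: replacing an e-mail address with a plain hash looks anonymous but is reversible by anyone with a list of addresses. The following is an added example (not code from the original post) showing keyed pseudonymisation with HMAC, the separately stored lookup table GDPR calls "additional information", and a dictionary attack that succeeds against an unkeyed hash but not against the keyed token. The customer records and the key handling are constructed for the example; in production the key would live in a secrets store, not in the script.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records for illustration (not real people).
CUSTOMERS: List[Dict] = [
    {"order_id": 1001, "email": "alice@example.com", "phone": "+385 91 000 0001", "total": 120.50},
    {"order_id": 1002, "email": "bob@example.com", "phone": "+385 91 000 0002", "total": 15.00},
    {"order_id": 1003, "email": "alice@example.com", "phone": "+385 91 000 0001", "total": 42.00},
]

# Fields that directly identify a person and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "phone")


def pseudonym(key: bytes, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 with a secret key: the same input always yields the same token
    (so orders by one customer can still be grouped), but without the key the
    token cannot be recomputed from a guessed e-mail address.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Split a dataset into a pseudonymised copy and the 'additional information'.

    Returns (records with identifiers replaced by tokens, token -> original lookup).
    Art. 4(5) expects that lookup (and the key) to be kept separately from the
    pseudonymised data, under its own access controls.
    """
    pseudonymised: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(key, rec[field])
            lookup[token] = rec[field]
            copy[field] = token
        pseudonymised.append(copy)
    return pseudonymised, lookup


def reidentify(record: Dict, lookup: Dict[str, str]) -> Dict:
    """Restore the original identifiers for a legitimate purpose (e.g. an access request)."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[record[field]]
    return restored


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain SHA-256 of the e-mail address, no secret involved."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()[:32]


def dictionary_attack(token: str, candidates: List[str]) -> str:
    """Reverse an unkeyed hash by trying known e-mail addresses.

    Anyone holding an address list (a breach dump, another site's customer
    list) can do this, which is why unkeyed hashing is not adequate
    pseudonymisation for low-entropy identifiers. Returns '' if nothing matches.
    """
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return ""


def keyed_attack_fails(token: str, candidates: List[str], wrong_key: bytes) -> bool:
    """The same guessing attack against a keyed token, without the real key, finds nothing."""
    return all(pseudonym(wrong_key, c) != token for c in candidates)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: a KMS or a separately secured store
    analytics, vault = pseudonymise(CUSTOMERS, key)
    for row in analytics:
        print(row)  # no e-mail address or phone number in sight
    print(reidentify(analytics[0], vault))
    leaked = unkeyed_hash("alice@example.com")
    print("unkeyed hash reversed to:", dictionary_attack(leaked, ["bob@example.com", "alice@example.com"]))
```

Two things to notice: the pseudonymised copy still lets you count repeat customers (the two orders from the same address share a token), and the only thing standing between a token and a name is the key plus the lookup table, so those two artefacts need the same protection the raw data had.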
How to Prepare Your e-Commerce Business for GDPR?
- Only collect data that you need: If there is no business value in knowing, for instance, your shopper’s phone number, don’t ask for it. GDPR’s data minimisation principle restricts you to data that is adequate, relevant and limited to what is necessary for the purpose, so your business should only take the data it actually needs. That includes IP addresses and cookie identifiers, which count as personal data and, for non-essential cookies, need the customer’s consent.
- Data access and transparency: This provision ensures that users know how and why their personal data is stored, used and processed. Businesses must provide full visibility across the e-commerce operation and make everything clear and understandable. Be specific about how your company intends to use the personal data it is given. The most common places to provide this information are privacy notices, terms of service pages and cookie sections, and all of them should be written in a language users will understand. Under GDPR, customers have the right to request a copy of the personal data a business holds about them, free of charge and normally within one month. Deliver it on request in a commonly used, downloadable format (zipped XLS, CSV or PDF exports); for the separate right to data portability the format must be structured and machine-readable, so CSV or JSON is the safer choice than PDF.
- Implement privacy by design: ‘Privacy by Design’ and ‘Privacy by Default’ are two of the most important changes GDPR brings to web development. Privacy by design means that organisations must consider privacy from the initial design stage and throughout the whole development process of anything that processes personal data. Privacy by default means that when a system or service lets the user choose how much personal information to share with others, the default settings must be “the most privacy-friendly ones”. Write clear policies and work instructions for data protection, and have a privacy specialist available to help apply them, so that design teams and developers can each take the appropriate measures in their own phase of the work.
- Deactivate any default opt-ins: All of your forms must be opt-in. You cannot use pre-ticked checkboxes: no consent choice may be pre-selected, and the user must actively tick it of his or her own free will. Silence, inactivity or a pre-ticked box does not count as consent. This will be most visible in the marketing segment, AKA newsletters, email campaigns, terms and conditions, cookies and other web-page elements.
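Removing the `checked` attribute is the visible half of this; the other half is on the server, which must treat a missing checkbox as "no" and must keep evidence of what was agreed, because GDPR puts the burden of demonstrating consent on you. The following is an added example (not the original post’s code) with two pieces: a lint that scans a form template for pre-ticked consent boxes, and a submission handler that records consent per purpose with a timestamp and the version of the notice shown. The purpose names, the `consent_` field-name convention, the policy version string and the sample form are assumptions made for the example.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Assumed conventions: one checkbox per purpose, named consent_<purpose>, and a
# version label for the privacy notice that was on screen when consent was given.
PURPOSES = ("newsletter", "profiling", "third_party_sharing")
POLICY_VERSION = "privacy-notice-2018-05"


class PreTickedFinder(HTMLParser):
    """Collect the names of consent checkboxes that carry a 'checked' attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.violations: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): v for k, v in attrs}  # boolean attrs like 'checked' arrive with value None
        if (a.get("type", "").lower() == "checkbox"
                and (a.get("name") or "").startswith("consent_")
                and "checked" in a):
            self.violations.append(a["name"])


def find_pre_ticked(template_html: str) -> List[str]:
    """Template lint: names of pre-ticked consent boxes. The correct answer is an empty list."""
    finder = PreTickedFinder()
    finder.feed(template_html)
    return finder.violations


def parse_consent(form: Dict[str, str]) -> Dict[str, bool]:
    """Read consent choices from a submitted form.

    Browsers leave an unticked checkbox out of the submission entirely, so the
    safe rule is: absent, empty, or anything other than 'on' means NO consent.
    Never fall back to True.
    """
    return {p: form.get(f"consent_{p}") == "on" for p in PURPOSES}


def record_consent(user_id: str, form: Dict[str, str], source: str,
                   now: Optional[datetime] = None) -> Dict:
    """Build the evidence needed to demonstrate consent later (Art. 7(1)).

    Captures who, when (UTC), which version of the notice was shown, which form
    it came from, and exactly which purposes were and were not agreed to.
    """
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "user_id": user_id,
        "timestamp": timestamp,
        "policy_version": POLICY_VERSION,
        "source": source,
        "purposes": parse_consent(form),
    }


def may_process(consent: Dict, purpose: str) -> bool:
    """Gate a processing activity on recorded consent; unknown purposes are refused."""
    return bool(consent["purposes"].get(purpose, False))


# Constructed sample template: the first box is the kind GDPR forbids; the
# gift-wrap box is pre-ticked too, but it is not a consent box, so it is allowed.
CHECKOUT_FORM = """
<form method="post" action="/checkout">
  <input type="checkbox" name="consent_newsletter" checked> Send me offers by e-mail
  <input type="checkbox" name="consent_profiling"> Personalise my recommendations
  <input type="checkbox" name="consent_third_party_sharing"> Share my data with partners
  <input type="checkbox" name="gift_wrap" checked> Gift wrap my order
</form>
"""

if __name__ == "__main__":
    print("pre-ticked consent boxes:", find_pre_ticked(CHECKOUT_FORM))
    # A submission where the shopper ticked only the newsletter box.
    submitted = {"consent_newsletter": "on", "email": "alice@example.com"}
    rec = record_consent("user-42", submitted, "checkout-form")
    print(rec)
    print("may send newsletter:", may_process(rec, "newsletter"))
    print("may profile:", may_process(rec, "profiling"))
```

Run the template lint in CI against every form that asks for consent, and keep the consent records append-only: when a customer withdraws consent you add a new record rather than editing the old one, so you can still show what was agreed at the time of any given mailing.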
- Keep consistent and detailed records: You will have to maintain records of all processing activities within the organisation: what data you hold, for which purpose and on which legal basis, who it is shared with and how long it is kept. This covers new information provided by customers or users as well as old information that must be stored according to GDPR guidelines. Data collected before GDPR comes into force is not grandfathered in: it, and the consent it was collected under, must be brought into line with the regulation or deleted.
- Data breach notifications: You must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; when the risk to them is high, the affected individuals must be told as well. The supervisory authority is the national regulator, the Agency for the Protection of Personal Data or the equivalent institution at State level. Your breach plan should also include emergency procedures.
Responding to a breach should cover all the actions that need to be taken care of:
- Containing the intrusion and keeping the attacker out
- Establishing the extent of the damage and which data and people are affected
- Restoring the situation back to normal
- Notifying the supervisory authority: this is mandatory, with a statutory time limit, but probably won’t be the first thing you do
- Documenting the breach, its effects and the remedial action taken, even for breaches you decide are not notifiable, since the regulator can ask to see that record
After all is said and done, there is a positive side to all this! GDPR is not one giant pain in the butt. Your customers will trust you more if you comply with it, and they will be more relaxed while shopping at your online store. So make sure to let people know you are GDPR compliant: put it in the footer of your website, put it in your e-mail signature, insert it in the terms and conditions section of your page… Be accurate about it, though: there is no official GDPR certification mark yet, so state what you actually do rather than displaying a seal you do not hold. Make the fact that you’re GDPR compliant your advantage over the competition. Let us know if we can help with any of this!
For all the TL;DR people, we’ve made a single picture with the most important bullets to follow.