On May 25th the GDPR (General Data Protection Regulation) will kick in; it’s introducing many substantial changes to the way that some have been treating personal data. It’s a crucial date for every marketer, enterprise and blogger who uses and manages personal data.
Although many argue that they’re already managing and storing personal data properly, even if that is true, with the introduction of the GDPR more steps are required. Presumably, you’re reading this because you want to achieve full compliance but keep things simple at the same time by not diving deep into the documentation.
What is the GDPR?
The GDPR (General Data Protection Regulation) was adopted on the 27th of April 2016 and comes into effect on May 25, 2018. It is a new set of laws that governs how you communicate with, interact with and store customer data for any citizen of a European member state.
What is the point of the GDPR?
The GDPR has been designed to give the end-user, who owns the data, power and control over how that data is processed and used.
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or accurate personal data.
Plus, the intention is to simplify the regulatory environment.
How much will it cost me? What’s the price?
With the introduction of the new regulation, there is also a change to the amount of money regulators can fine companies who do not comply.
The fine is now up to 4% of their global turnover or 20 million Euros — whichever is higher. This threat is certainly big enough to frighten companies into fixing the way that they are currently managing our data.
How does it affect me?
The GDPR affects any entity or business that stores customer personal information and purchase information.
So if you are collecting email addresses as part of your operation, or collecting purchase (financial) information, then the GDPR is extremely important to you.
So, what do I need to do?
Well, it’s not easy by any means, but I’ll try to sum everything up and make it as simple as possible for you. Of course, if you’re serious about being fully compliant you probably should get a lawyer (I am not a lawyer and accept no responsibility for your compliance with the GDPR under any circumstances).
Personal data is defined broadly:
“Any information that could be used, on its own or in conjunction with other data, to identify an individual.”
Essentially, one of the main things is that you must tell users/individuals all of the information that you are collecting about them. So if you let a user subscribe or create an account on your site, the fields they fill in are not all of the information you must declare you are collecting. When a user creates an account, you are also collecting their IP address (location).
1. It’s all about consent and transparency.
Of course, collecting information such as IP addresses is not forbidden, but you have to tell your users what you keep track of and why you need to keep track of that information.
You have to be completely transparent; and the first step to that is consent.
- Be clear about what information you’re collecting
- State it clearly in your terms and conditions; explain how data is generated.
- Oh and double opt-in is now more than just a good practice, it’s a must.
Beyond being good practice, double opt-in is required by law in many countries: it confirms the will of the user by having them consent more than once before the actual service starts. Otherwise, I could enter a random person’s email address on your website to sign them up for your service when they have never actually given consent.
Proof of consent
Keeping proof of consent is mandatory under the new GDPR rules. You need to keep a log which records every change the user performs, what was changed and an exact timestamp.
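To make the double opt-in and proof-of-consent points concrete, here is an added example (my own illustration, not code from the post or any particular product) of an append-only consent ledger: the first opt-in records a request and issues a single-use confirmation token, the second opt-in confirms it, and every event is stored with the purpose it applies to and a UTC timestamp. The email addresses and the “newsletter” purpose in the test are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentLedger:
    """Append-only log of consent events: who, what changed, and when (UTC)."""
    entries: list = field(default_factory=list)
    # Only a hash of each outstanding token is kept, so a leaked ledger
    # cannot be used to confirm consent on someone else's behalf.
    pending: dict = field(default_factory=dict)  # token_hash -> (email, purpose)

    def _record(self, email, action, purpose):
        entry = {"email": email, "action": action, "purpose": purpose,
                 "timestamp": datetime.now(timezone.utc).isoformat()}
        self.entries.append(entry)  # never edited or deleted afterwards
        return entry

    def request_signup(self, email, purpose):
        """First opt-in: log the request and return a one-time token to email out."""
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (email, purpose)
        self._record(email, "consent_requested", purpose)
        return token

    def confirm(self, token):
        """Second opt-in: the user presents the token from the email. True only if it is valid and unused."""
        pending = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if pending is None:
            return False
        email, purpose = pending
        self._record(email, "consent_confirmed", purpose)
        return True

    def withdraw(self, email, purpose):
        """Withdrawal is logged as a new event, not by removing earlier ones."""
        self._record(email, "consent_withdrawn", purpose)

    def has_consent(self, email, purpose):
        """Consent holds only if the latest event for this email and purpose is a confirmation."""
        state = False
        for e in self.entries:
            if e["email"] == email and e["purpose"] == purpose:
                state = e["action"] == "consent_confirmed"
        return state
```

An unconfirmed request never counts as consent, and the ledger itself is the evidence you keep: each entry says what changed and exactly when.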
2. How long are you keeping user data? And, why?
One of the requirements of the GDPR is that you make your users aware of how long you plan to keep their personal information on your servers, and you must clearly state this in your terms and conditions. The reason behind this is to prevent obsolete data from sitting on servers whose reliability you cannot be sure of.
Example: Take a hotel. When you check out and finish your stay, you presume that all of your information has been deleted from the hotel’s system. This is not actually true in many cases, because the hotel keeps a record of which guests stayed and when. In some extreme cases, they may not be properly handling other personal information such as passport numbers and credit card details.
You obviously wouldn’t want to have your sensitive personal information stored on the servers of every single hotel you’ve ever stayed at.
The GDPR requires businesses such as hotels to justify the storing of this data and state it clearly to the end-user. Doing this makes storing potentially obsolete data legal, but upon request by a user you, as a business, must be able to delete all information associated with someone completely. But that’s coming up next.
3. Data requests; the right to be forgotten.
The GDPR requires you to offer your users the ability to ask for a copy of their files for portability reasons. It states that the downloaded data (export file) should be in a machine-readable format and not necessarily in a human-readable format.
Depending on what information you are currently collecting, you must integrate a system to allow users to export and download data from your platform. This includes all of the data you have on them, not just what they provided.
4. Who’s hosting your data and your user data for you?
Most businesses don’t host their website themselves at a local location; they use a hosting provider. Since your hosting provider’s servers are where your user data is going to end up being stored, you must ensure that they are also fully compliant with the GDPR.