The General Data Protection Regulation (GDPR) was created in 2016 by the EU. However, understanding that it will take time for companies to make such a drastic change to their data collection policies, the EU gave a grace period, which ends on 25th May 2018. So is your business GDPR ready? Let’s look at the key things you need to know, starting with what GDPR is.
DISCLAIMER: Keep in mind this is our current understanding, which will evolve as the practical aspects get worked out. We recommend you make a ‘good faith effort’ to comply. This is not legal advice and we aren’t lawyers. If you have legal questions, please consult a lawyer.
What is GDPR?
GDPR is a law that aims to protect EU citizens against breaches of data confidence. The aim of the GDPR is to streamline the process of data handling across the EU, and also to replace the outdated 1995 Data Protection Directive, which did not take into account the many ways users give out their data now. GDPR wants companies to think before asking: why do I need this data, what will I do with it, how will I use it, who will process the data, and where will it be securely stored?
Insiders confirm this is the right step towards making companies act responsibly. After all, look at the number of companies that divulge serious data leaks via hacking years after the incident: Yahoo, with 500 million user profiles hacked; Facebook, via Cambridge Analytica, with the personal information of 50 million users misused. And the list goes on.
Culpability for Companies
The GDPR aims to make companies accountable for such breaches of trust. You can no longer shrug off your responsibility. If you do, you will face a fine of €20,000,000 or 4% of total worldwide turnover, whichever hurts you the most.
What companies are affected by this law?
If you do business in any of the EU countries, or accept data from EU citizens, you are affected by this law. That means eCommerce stores, bloggers, hosting companies, development companies, service companies, traders, auto parts dealers and so on. Everyone must now know what GDPR is and comply with the law or face the consequences.
But I am a US business owner. Why should I prepare for GDPR?
The UK is leaving the EU with Brexit, and my business is in the UK. Do I need to prepare for GDPR?
I live in Australia and my business is there as well. Will GDPR affect me?
My server is in Singapore and I have only UK citizens as customers. Why do I need GDPR?
To be on the safe side, we recommend you comply with all the GDPR terms and conditions, whether you are a small business owner or a large enterprise, and no matter where your business is located or what business you conduct. This will save you a lot of legal headaches later on. Most notably, your clients, shoppers and employees will be happy knowing you care about keeping their personal data safe.
What types of data come under GDPR?
- Phone Numbers
- Credit Card details
- Bank details
- Cookies saved on the user’s computer
- Gravatar pictures and personal photos uploaded by users
- IP Address
- Mental Condition
- Social Media posts
- Marital Status
- Biometric information
- Location obtained through geo-targeting
- Political Views
- Company the user works for
- Current Salary
In short: login forms, registration, subscriptions, contact forms, APIs, apps and so on. You now have to be careful about asking users for information, as all questions asked fall under the protection of the GDPR. Always keep in mind what GDPR is.
OK, so I will install a plugin or ask a developer to block users from the EU. That will do the trick.
One of our clients came up with an interesting concept. However, this won’t work. GDPR protects EU citizens worldwide. That means you could have an EU citizen living in the UK, shopping on your site. As he/she is from the EU originally, their data is covered under the GDPR law. But you will not know this, as your plugin or code wrongly assumed he/she is a UK national.
It has been brought to our notice that if an EU citizen is in the US, then the data laws of the US will be upheld, while a US citizen in an EU country will have to follow the GDPR laws. However, we are not certain whether the same applies to other countries. [Aspiration Hosting strongly urges all readers to seek advice from a legal adviser for clarity.]
How do you safeguard against this?
- First of all, you are no longer allowed to automatically “opt in” people. That means the consent checkbox on forms must always be unchecked by default. It is at the user’s discretion whether to check the box or not in order to receive your service.
- Another very important aspect is that you must inform your users beforehand how their data will be used. This information can no longer be vague; it must be a fully developed statement that informs the user in full about how the given data will be used. This is because “user consent” is high on the GDPR radar. If the user understands his/her rights, knows why and how their data will be used, and still continues using your service, they have given their consent freely. Remember, this is a vital clause in the GDPR because you could be liable for damages if the user misunderstands this or does not give his/her consent freely.
- Forget “infinite data consent”. You now need to clearly state how long you intend to keep the personal data, after which the data is erased completely and forever.
- In case of any data theft, according to the GDPR, you get only “72 hours” to inform your users of the data breach. Please note that 72 hours does not mean business hours; it includes weekends and all holidays.
Important Rights under GDPR
- The “Right to be Forgotten” is also high on the GDPR protection radar. If and when a user contacts you with the intention of having their personal data removed from your database, you must comply immediately. A no-questions-asked policy should be adopted.
- The “Right to Amend” is where your users can change information themselves when it is incomplete or wrong.
- The “Right of Portability” is another important GDPR clause. It says that a user can request that you send his/her personal information to them or to another person or service without any hindrance on your side, and you must do this within a reasonable time.
- The “Right to Object” is when a user can object to you using their personal information in direct marketing or in scientific or historical research: things like user shopping preferences or how much a particular user spends on clothes. You need to get “no objection” consent from the user in order to use the data.
Types of software affected by GDPR
Programs also need to comply with GDPR. These include plugins, user data analytics, order processing, marketing and similar programs. Check out these two widely popular programs and how you can configure them to GDPR standards.
- Google Analytics
How to prepare for GDPR?
You also need to add privacy notices in the places where you collect data from the user. Check out the article GDPR: How to write a Privacy Notice – Best Practices for guidance.
After the privacy notice, you also need to spruce up your Terms and Conditions page. Again, we have a Terms and Conditions Generator to speed things up.
Things to check in the EU GDPR official site:
Now that you know what GDPR is, you might also want to check out the European Union GDPR official site for more information. It would be better if a legal team goes over it to fully understand the implications of GDPR for your business.
- Are you the Controller? (You need to understand this term from the legal standpoint)
- Or the Processor? (You need to understand this term from the legal standpoint)
- Do you need to hire a Data Protection Officer?
- How can you keep up-to-date records of the data you have?
- What are data auditors?
Final Checklist for GDPR
- Create privacy notices in input areas where users will add personal information.
- Ask for renewal of all user consent at regular intervals.
- Explain in simple, understandable words to the user what GDPR is, how you will use the data collected and the reasoning behind it, who is going to be responsible for such use, and where, if necessary, the processing will take place. Also explain what types of data you will be collecting, including hidden data such as IP addresses, location, country, etc.
- You also need to get consent from users who are already your clients or customers. This is especially relevant for mailing lists.
- Get clear consent from users if you are using their personal data for marketing purposes, research or statistics, case studies, white papers and so on.
- Keep all records of the consent from users in case of data auditing.
- Inform all your users within 72 hours of data theft.
- Consent to data portability. Listen to your users when they object or want to amend their data. And, most importantly, delete the user’s data when requested, in a timely manner.
In conclusion, now you know what GDPR is and what steps you need to take to prepare. Remember, the deadline is 25th May 2018.