If you do any business with citizens of the European Union, and you have a website that collects marketing data, you might have heard of GDPR by now.
The abbreviation ‘GDPR’ stands for General Data Protection Regulation, and it is the largest piece of legislation to come out of the European Parliament in the past decade. Its regulations applying to the collection of personal data go into effect May 25.
With the compliance deadline quickly approaching, and the threat of hefty fines looming for those who miss it, organizations are seeking answers on how to achieve GDPR compliance now. What follows is more information that may help you understand GDPR.
What is GDPR?
With the introduction of the General Data Protection Regulation, we are looking at a completely different way of handling and protecting data to protect the privacy of EU citizens. That means that organizations that use website cookies and collect any kind of data from people residing in the European Union should be compliant with the regulation.
Even if you are a software testing company in Silicon Valley or a mobile app company in India, you should probably consider GDPR compliance if your website sets cookies or you have any dealings at all with EU citizens.
The primary goal of this new legislation is to allow EU citizens to have control over their personal information, including opting out of cookies, requesting deletion of their data, and deciding how and where their data can be used. It also puts the onus on organizations to state clearly their data collection and privacy policies so that users and customers understand how their data is being gathered, utilized and stored.
Why Do We Need GDPR?
GDPR is coming into existence in order to meet the public’s concern over privacy. Protecting user data is not something new for the EU. GDPR can be seen as the successor of the Data Protection Directive (95/46/EC), which has been in effect since 1995. Kudos to the EU for anticipating the need for data privacy and protection even before the World Wide Web became the omnipresent, interconnected tool we know today. The internet is a fast-paced space and it was inevitable that data protection would need regulation.
In a recent online survey conducted by RSA, 7,579 consumers from the U.S., France, Germany, Italy, and the U.K. were asked about their biggest concerns with data security. The metrics from their Data Privacy & Security Report reveal that the loss of banking information and financial identity theft is a major concern.
It is the lack of trust in how organizations collect, store, utilize and secure people’s personal information that has led to these regulations. The report also notes that many consumers intentionally provide incorrect data when submitting information online. There are many reasons behind such behavior, such as preventing unwanted marketing, but security has always been their top concern.
What Is ‘Personal Data’?
Personal data is any data related to a person that can be used to identify the individual. A person’s name, image, email address, bank details, social networking accounts, IP address, and so on, are considered personal data.
GDPR Penalties for Non-Compliance
The penalties for non-compliance can be a hefty fine of up to 4% of annual global turnover or €20 million (EU). This is the maximum fine an organization anywhere in the world can face if GDPR regulations are not followed and an EU citizen lodges a complaint.
How to Dodge the GDPR Bullet (Legally)?
#1 Understand the GDPR
GDPR will continue to be refined. By May 25, however, you can meet the obligations under GDPR that refer to the process your website uses to collect, process, and store user data. Every piece of information that is stored should be processed lawfully and transparently. This information should be used for legitimate purposes, and kept for no longer than necessary. This page answers frequently asked questions about GDPR: https://www.eugdpr.org/gdpr-faqs.html
#2 Let The Website Visitor Know About Cookies
Because they have the right to know. As soon as a visitor lands on your website, he or she should be informed that your website stores cookies and how it will use the stored information in future. GDPR requires an opt-in from website visitors as they enter the site, along with full cookie and privacy policies. For this, you can simply put a pop-up on the website that clearly states that you use cookies. Next, create a CTA that asks for their consent (such as “I agree”).
A few examples of how you can place a notification on your website might come in handy:
- On the top: https://www.pluralsight.com/
- At the bottom left: https://www.qasource.com/
- At the bottom: http://www.sainsburys.co.uk/
#3 Have A Map Before You Set Sail
Perform data discovery and documentation throughout the enterprise. Users have the right to information (ok, I’ve said that before, but it is that important), the right of access, the right to restrict processing, and the right to data portability. Use a records management policy that addresses the types of records you keep, how long you retain them, and who has access to this information.
#4 Critical Data Comes First
Assess the security measures that your organization uses to safeguard users’ information. Demonstrate how your business handles data protection in compliance with GDPR. This includes email encryption, firewalls, and transport layer security (TLS) or hypertext transfer protocol secure (HTTPS) to protect personal data.
#5 Notification and Consent/Opt-in
By law, the consent must be informed and unambiguous. Clearly explain how you collect the information and how your business plans to use their personal data.
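One way to implement the opt-in described in #2 and #5 in the browser, as an added example that is not code from the article: non-essential scripts load only after the visitor clicks the “I agree” CTA, the decision is recorded against a policy version so it is asked again when the cookie policy changes, and a “Reject all” decision (empty grant list) is remembered too. The cookie name gdpr_consent, the category names and the consent-agree button id are assumptions.

```javascript
// Added example (not from the article): load non-essential cookies/scripts only
// after an explicit "I agree" opt-in, and ask again when the cookie policy changes.
// The cookie name, category names and the "consent-agree" button id are assumptions.
const POLICY_VERSION = 2;            // bump whenever the cookie policy text changes
const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "gdpr_consent";

// Parse a document.cookie-style string. Returns null when there is no decision
// yet, the decision was given for an older policy version, or the value is malformed.
function parseConsent(cookieHeader) {
  const m = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)").exec(cookieHeader || "");
  if (!m) return null;
  try {
    const c = JSON.parse(decodeURIComponent(m[1]));
    return c.version === POLICY_VERSION && Array.isArray(c.granted) ? c : null;
  } catch (e) {
    return null;                       // tampered or malformed cookie: treat as no consent
  }
}
// Strictly necessary cookies need no consent; everything else needs an explicit
// grant. An empty grant list ("Reject all") is still a recorded decision.
function mayUse(consent, category) {
  if (category === "necessary") return true;
  return consent !== null && consent.granted.includes(category);
}
// Cookie value recording the visitor's choice for 180 days; unknown categories are dropped.
function buildConsentCookie(granted, now = Date.now()) {
  const clean = granted.filter((g) => CATEGORIES.includes(g) && g !== "necessary");
  const value = encodeURIComponent(JSON.stringify({ version: POLICY_VERSION, granted: clean, ts: now }));
  return CONSENT_COOKIE + "=" + value + "; Max-Age=15552000; Path=/; SameSite=Lax; Secure";
}
// From tag definitions [{src, category}], keep only those the visitor has allowed.
function gateScripts(consent, scripts) {
  return scripts.filter((s) => mayUse(consent, s.category));
}

// Browser wiring; skipped when run under Node. The banner is assumed shown by default.
if (typeof document !== "undefined") {
  const tags = [{ src: "/js/analytics.js", category: "analytics" }];   // constructed sample
  const load = (c) => gateScripts(c, tags).forEach((t) => {
    const s = document.createElement("script"); s.src = t.src; document.head.appendChild(s);
  });
  const current = parseConsent(document.cookie);
  if (current) load(current);
  else document.getElementById("consent-agree").addEventListener("click", () => {
    document.cookie = buildConsentCookie(["analytics", "marketing"]);   // the "I agree" CTA
    load(parseConsent(document.cookie));
  });
}
```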