The long and winding road of the GDPR is finally here. Since May 25, 2018, your digital operations may need some tidying up to stay in good standing with Europe.
One of the most monumental regulations to affect the internet is the GDPR. But what is it, and if you own a website, how can you make sure that you are not locked out of the European Union market?
GDPR stands for General Data Protection Regulation.
Okay, so what does this mean? On the surface, it pertains to how businesses collect personal data and how they plan to use it.
You’ve probably seen many websites send out emails and notices about GDPR, and even mailing lists asking you to re-sign up for their newsletters. They are being proactive to make sure that you have received notice about a new regulation that affects their business operation.
Not my problem…
Pfft, that’s for big business to figure out and it doesn’t apply to my small business. I very much dislike saying this, but if you are located anywhere in the world and do direct business in Europe (such as serving a website with advertising, selling products, etc.), you are regulated by European legislation. Sorry, not sorry.
(Continue singing Demi Lovato’s Sorry Not Sorry as you wander into the world of the GDPR).
You may argue that you are not bound by European regulation in your home country and claim sovereignty; however, Europe regulates the last mile(s) (or, more appropriately, the last kilometer[s]) of connection to people in Europe. If you’re not compliant with GDPR, then your website might not be available to people living in Europe. Consider losing a huge audience share because you aren’t compliant with GDPR. Think $$$. You don’t need to do much.
As far as regulation is concerned, the European Commission (EC) has a GDPR website that is extremely informative about the rules for businesses and organizations as well as the rights of citizens. (I kind of think of this in a worldview where we are slowly converging digital media regulation, and I welcome every bit of it, especially when we see new privacy regulations show up such as the right to be forgotten.)
Think of the GDPR as a way to treat collecting and using private data in an ethical way.
The 7 steps for GDPR
The EC has provided a useful handout with 7 Steps to get ready for the GDPR.
From that handout, here are six headlines to consider (the seventh headline makes no sense, but I’ll explain later).
- Check the personal data you collect and process, the purpose for which you do it and on which legal basis
- Inform your customers, employees and other individuals when you collect their personal data
- Keep the personal data for only as long as necessary
- Secure the personal data you are processing
- Keep documentation on your data processing activities
- Make sure your sub-contractor respects the rules
- Check if you are concerned by the provisions below
Check the personal data you collect and process…
On the surface, this list helps you figure out how to make sure that you are handling private information in a proper way. Given the problems with security breaches, this is a great relief for our personal lives. It may make life a momentary hell for businesses, but these steps are easily achievable for any business.
The first step is to make sure that you understand what kind of personal data you collect and process and why. For example, do you collect names, email addresses, and contact information? Perfect. What do you use it for? How do you use it? How long do you intend to keep it?
Inform your customers…when you collect their personal data…
The second step is how you tell your visitors, employees, and anyone else that you are collecting their personal data. That might be something like a statement that says “I’m collecting your personal data (like email addresses) to help my business, and I plan to use your information (such as sending you an email) in my marketing campaigns.” Other data can include something like analytics data that gathers demographic and usage information on a website that you visit. The more complex your systems are (like tracking cookies, sub-systems on a website, and remarketing efforts), the more clearly they should be explained; it can be something like: “we use tracking cookies, and if you have self-identified yourself on our website by logging in, we might use data from that login step to market relevant information to you via email, advertisement, etc.”
Ever get that reminder email a few hours or days after browsing Amazon for an item or searching for a plane ticket on Southwest Airlines? That’s remarketing, and it’s pretty damn effective (and very specific, down to the item or destination) at getting you to make the purchase. Even ads that follow you across different devices or browsers are becoming more and more common.
In addition, your employees deserve to know how their data is being used. It’s as simple as being honest about why, what, where, when, who, and how their data is accessed.
Keep personal data for only as long as necessary…
The third step is very important because it helps purge private data; why would you ever want to keep every piece of data forever? This step also helps with efforts such as the right to be forgotten. As a society, we are data hoarders. Advances in data storage, business policy, liability, and the like have produced this gold mine of data that in some cases is rather useless and in other cases close to a surveillance state. This step also helps make sure that you keep data only for as long as necessary, such as while you do business with a customer. If you no longer do business with a customer for a while, why would you need to keep their information? Think of it as a nice way to spring clean your Rolodex. That seems like a nice thing to do anyway!
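One way to put the third step into practice is a scheduled retention sweep that drops customer records once no business has happened within the retention window, and honors right-to-be-forgotten requests immediately. This is an added example, not code from the original post; the two-year window, the `Customer` record shape and the sample records are assumptions, and the purge log deliberately records counts rather than the personal data that was just deleted.

```python
from dataclasses import dataclass
from datetime import date

# Assumed retention policy: two years after the last order (not from the post).
RETENTION_DAYS = 365 * 2


@dataclass
class Customer:
    email: str
    last_order: date
    erasure_requested: bool = False  # right-to-be-forgotten request pending


def is_expired(c: Customer, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """A record is purgeable if the person asked for erasure, or if the
    last business with them is older than the retention window."""
    if c.erasure_requested:
        return True
    return (today - c.last_order).days > retention_days


def sweep(customers, today: date, retention_days: int = RETENTION_DAYS):
    """Return (kept_records, purged_emails, log_entry).

    The log entry documents the processing activity (step 5 of the handout)
    without re-storing the personal data that was purged."""
    kept, purged = [], []
    for c in customers:
        (purged if is_expired(c, today, retention_days) else kept).append(c)
    purged_emails = [c.email for c in purged]
    log_entry = {
        "date": today.isoformat(),
        "retention_days": retention_days,
        "purged_by_expiry": sum(1 for c in purged if not c.erasure_requested),
        "purged_by_request": sum(1 for c in purged if c.erasure_requested),
        "kept": len(kept),
    }
    return kept, purged_emails, log_entry


if __name__ == "__main__":
    # Constructed sample records; these are not real people.
    sample = [
        Customer("active@example.com", date(2018, 1, 1)),
        Customer("dormant@example.com", date(2015, 1, 1)),
        Customer("forgetme@example.com", date(2018, 3, 1), erasure_requested=True),
    ]
    kept, gone, log = sweep(sample, date(2018, 5, 25))
    print(len(kept), "kept;", len(gone), "purged;", log)
```

Run it from cron (or the equivalent) on the same schedule you state in your privacy policy, and keep the log entries as part of your documentation of processing activities.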
Secure the personal data you are processing…
The fourth step is to secure that personal data. Given that there have been many breaches, how are you making sure that your information is kept safe?
- Are your passwords strong enough (and not reused across different systems)?
- Do you use two-factor authentication on sensitive systems?
- Is your information security hygiene healthy?
- Are you practicing Safe Security Measures?
- Are you practicing Same Password Abstinence with systems that use the same login username?
- Are you encrypting your data in case someone steals your physical devices (laptop, USB drives, etc.)?
These may sound like punny innuendo, but information security is important! Just be smart about it so you aren’t embarrassed! If you need a good place to start, secure your passwords using a password manager like 1Password.
Keep documentation on your data processing activities…
The fifth step is pretty easy: just write it down. Hire a technical writer to help you document your processes. It can be as simple as this: list the systems you use for private information, what they collect, how often, how long it is saved, and what you plan to do with that data.
Make sure your sub-contractor respects the rules…
The sixth step is serious because you use other companies to process data. As a business, you rely on other tools, software, and systems to get the data you need. They, in turn, have to follow the same rules you do. Consider them your partners, and if they aren’t playing nicely or get breached, you need to tell them to go away or tell them to fix their problems.
Don’t be a Cambridge Analytica or work with one.
Check if you are concerned by the provisions below…
The seventh step is kind of confusing, but if you are a large organization with lots of information, you may need to appoint someone whose sole responsibility is to develop policy, guidance, and best practices to protect collected data. It may be helpful to have one person, team, or department that knows how to make sure your business is GDPR compliant. Depending on the extent of business you do in Europe, it is helpful to understand how data is handled beyond just the mass market email or tracking cookie found on a website.
What Now?
In conclusion, follow your own country’s data retention rules and regulations, and add another layer by following the GDPR. It’s not only good for you to work these details in early on, but also keep an eye out for other countries enacting similar types of regulation. Having many more countries on the same kinds of rules helps level the playing field for using the internet. In addition, this article has general tips to get you started. If you need more specifics, I suggest contacting a lawyer to help you out.
You can also get some help if you need some guidance from our friends at Automattic (creators of WordPress):
- https://jetpack.com/support/for-your-privacy-policy/
- https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/
- https://automattic.com/privacy/
With those ideas in mind, best wishes getting your company compliant with the GDPR! As always, be ethical in your business practices. Let’s be good players as we continue to shrink the world of commerce and society and move forward with progress and maturity in the information services age.
Oh, and finally: my privacy policy page.