GDPR stands for General Data Protection Regulation, which the European Union (EU) adopted in April of 2016. It extends and codifies previous “agreements” between the EU and the US regarding the transfer of personal data, and applies if the data controller (collector), processor, or subject (user) is an EU resident. The regulation includes steep sanctions of up to four percent of revenue or €10 million for violators.

Ok… What does that actually mean?

Ultimately GDPR is a series of regulations that give EU citizens greater control of their data.

It’s a concern for companies that have users in both the EU and the United States because there have already been regulations passed in California that are similar to GDPR. It’s expected that these regulations will continue to expand across the United States and to other countries throughout the world, so we recommend being compliant regardless of where your users and customers live.

Fortunately we’ve broken down what you should do into four areas of focus:

#1 – Inform

When data is collected, clearly inform users what data is collected, the legal basis for processing, how long it will be retained, if their data is transferred to a third party, and if any automated decision-making is made on a solely algorithmic basis. Data subjects (users) must also be informed of their rights to data access and erasure.

When updating your online policies for GDPR, consider including the following:

  • What data is collected and processed, legal basis, how long it is retained, and transfers
  • If solely automated decision-making processes are used
  • Link to forms for data access and erasure
  • Include a categorized cookie list

There are a variety of tools that can be utilized to scan and inventory your site for data collection but it’s important to partner with a company that understands these results and can help you to get your website GDPR compliant.

#2 – Consent

Obtain informed, explicit consent to collect user data, and be able to demonstrate compliance by following these steps:

  • Provide a cookie banner that requires positive consent (opt-in) vs implied consent to drop cookies
  • Provide a mechanism for users to withdraw consent
  • Ensure all forms include consent language and opt-ins
  • Consent language should include what data is collected, reason and legal basis for collection, retention
  • Provide separate opt-ins for requirements to process requests vs additional purposes such as marketing
  • Provide a link to your privacy policy whenever collecting user data (e.g., forms, transactions)

Make sure you’re adding the appropriate consent fields and integrating them with your existing consent management system. There are tools available that ensure your cookies and consent management are compliant with GDPR regulations, but again, it’s important to have someone on staff, or to work with a partner, who understands this software and GDPR compliance.

#3 – Access and Erase

Allow users to access and delete their data, as well as change their consents at any time.

To ensure your users can update their data consider these steps:

  • List contact info of the responsible party for collected data in your Privacy Policy
  • Create workflows for receiving and routing data access and erasure requests
  • Create workflows for gathering, packaging, and delivering data
  • Develop provisions that allow your company to retain personal data if it is required to process transactions or meet legal obligations, or if erasing it poses undue hardships

Creating workflows and processes for dealing with user data can be time-consuming and tedious work, as it involves all personal data, not just data collected or accessed by your website.

#4 – Alert

Perhaps most importantly, inform users if there is a breach of their data. The standard is to alert your users within 72 hours if there has been a breach of data. This may involve working with a crisis communication professional, posting the information on your website, and creating a press release or series of communications depending on the level of the breach.

Conclusion

GDPR can sound incredibly overwhelming, but there are many dedicated professionals and businesses that have strong commitments and expertise in guiding companies through compliance. If there were any topics in this post that didn’t make sense, or you weren’t sure whether you have them in place on your website, we strongly recommend talking with your website and IT teams/vendors to make sure you’re headed towards compliance. If your internal resources can’t ensure compliance, reach out to a trusted partner like Risdall to walk you through the processes to ensure you’re handling user data appropriately and avoid noncompliance with any current data regulation.

This is the first in a series of pieces from Risdall about GDPR. Check back soon to keep up-to-date on what you can do to be GDPR compliant.