In effect since May 2018, the General Data Protection Regulation is meant to bring greater control to the citizens of the European Union (EU) or the European Economic Area (EEA) over how their personal data is being collected, used, and shared.
While limiting itself to protecting the rights of data subjects in Europe, it is meant to have a much broader effect when it comes to who can be fined for transgressing against its stipulations.
Namely, it doesn’t matter where your business or website is located and registered, if you are handling this kind of data, you might be held accountable for not adhering to the GDPR.
Actually enforcing this outside the bounds of the EEA might be difficult, and some doubted whether the UK’s Information Commissioner’s Office (ICO) would pursue offenders outside of Europe at all.
The fact that the first-ever GDPR enforcement notice was issued to a Canadian company should make it clear that this regulation is not something that people will be allowed to ignore for long, regardless of where they are located.
You probably won’t attract the same ire from regulators as the above-mentioned company – accused of influencing the Brexit vote – but if you are storing or processing the personal data of people from the EEA and EU, it would still be prudent to check how close to GDPR compliance you actually are.
What are you collecting and why?
The first thing you need to do is make a full log of what personal data you are collecting, what you are doing with it, who it is being shared with, and so on.
The way you obtained the data, the amount of control you have over it, and the way you manipulate it will determine your role in relation to it, making you either a controller or a processor of the data in question.
This role will largely define your responsibilities, like required action in case of a breach, or the type of consent you have to obtain before using the data.
Knowing which data you are allowed to use under which circumstances is essential in your efforts to stay GDPR compliant.
How are you storing it?
You are not only supposed to use the data according to a certain set of standards; for as long as it is at your disposal, you are also responsible for keeping it safe from theft, intrusion, leaks, and similar incidents.
This means that you should redouble your efforts not only to protect your website from outside intrusions, but also to do everything you can to protect sensitive data specifically.
Privacy protection methods like anonymisation and pseudonymisation are a great way to ensure that even if you do suffer a breach, you won’t have to add being fined by the ICO to your list of problems.
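One way to apply the pseudonymisation just mentioned, as an added example that is not part of the original article: the direct identifier (here an email address) is replaced by a keyed hash, so a leaked table exposes only opaque tokens, while the controller, who keeps the key apart from the data, can still find a subject’s rows to honour an erasure request. The column names, the sample rows and the way the key is stored are assumptions of the example.

```python
import hashlib
import hmac

# Pseudonymisation as a keyed hash: the direct identifier (the email address)
# is replaced by an HMAC under a secret key that lives apart from the data set
# (for example in a secrets manager; where the key lives is an assumption here).
# A leaked table then shows only opaque tokens, yet the controller, holding the
# key, can still locate a subject's rows to answer an erasure request.
# A plain, unkeyed SHA-256 of the email would NOT do: anyone with a list of
# candidate addresses could hash them and match the tokens.

def make_pseudonym(email: str, key: bytes) -> str:
    """Stable token for one subject: HMAC-SHA256 of the normalised address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Copy the records, swapping the 'email' column for a 'subject' token."""
    out = []
    for rec in records:
        row = dict(rec)
        row["subject"] = make_pseudonym(row.pop("email"), key)
        out.append(row)
    return out

def erase_subject(table: list[dict], email: str, key: bytes) -> list[dict]:
    """Honour a right-to-erasure request without the table holding raw emails."""
    token = make_pseudonym(email, key)
    return [row for row in table if row["subject"] != token]

# Constructed sample: three analytics rows for two fictitious visitors.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.org", "page": "/pricing"},
    {"email": "alice@example.org", "page": "/signup"},
    {"email": "bob@example.net", "page": "/pricing"},
]
DEMO_KEY = b"constructed-demo-key-replace-with-a-real-secret"

if __name__ == "__main__":
    table = pseudonymise_records(SAMPLE_RECORDS, DEMO_KEY)
    for row in table:
        print(row)  # no email column, only tokens
    remaining = erase_subject(table, "alice@example.org", DEMO_KEY)
    print(len(remaining), "row(s) left after erasing alice")
```

Because the token is stable per subject, the same key also lets you answer access and portability requests by collecting every row that carries the subject’s token.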
Who are you sharing it with?
It doesn’t matter how tightly vaulted the data is while it’s in your possession if you are willing to share it around indiscriminately.
Even if you’ve obtained consent for using a data subject’s information, this doesn’t suddenly make you its proprietor.
If you want to share the data in question with third parties, you need to ensure that they are GDPR compliant, or to be prepared to produce written contracts with them binding them to honor an equivalent set of data protection standards.
How did you ask?
As the flood of GDPR-related emails in everyone’s inbox in the frenzy leading up to the regulation made plain, very little can be taken as implied when it comes to asking for permission to use someone’s personal data.
Not only do you have to make sure that your visitors are aware of which cookies (or other tracking and monitoring technologies) your site uses, which third-party solution providers it relies on, and which data partners it works with; you also need to make sure they understand how this affects the security of their data and the purposes for which it is used.
Sweeping consent, such as asking your visitors to accept all cookies without listing which ones you use, explaining what they do, and giving the data subject the option of accepting or blocking them individually, will simply not do anymore.
Do you know their rights?
One of the ways to determine whether you can get in trouble under the GDPR is to check what rights it reserves for data subjects, and whether you are in violation of any of them.
Among other things, this includes their right:
- To be informed on how their data is to be used
- To request that you delete the data you have or send it to them in a portable format
- To request that you modify and correct the data
- To revoke their consent given to you about using the data altogether, or just for specific purposes
- To be promptly informed of any security breaches you have suffered which may have compromised the privacy of their data
Making head or tail of the entire scope of obligations that the GDPR imposes is not easy even if you know:
- Exactly what kind of data you are handling
- How secure it is
- That it has been obtained with full, explicit consent
- That your data sharing partners are reliable
- What you can and cannot do with it
That’s why it might be helpful, before going into each of the individual compliance segments that might demand your attention, to first take a look at how some of the major industry players in your market have dealt with the issue.
While you cannot hope to simply copy someone’s approach to composing the privacy or terms and conditions page and pretend that it applies to your situation, you can learn a lot about what you need to do just by finding a good example.
For the closest match, try looking at your most reputable competitor with a similar business model and targeted demographics.