Do you own a website or an app that serves EU customers? Is it GDPR-compliant?
This article will not only help you get a better understanding of the GDPR, but will help you comply with this regulation by providing a quick guide that you can use to make sure your compliance plan covers everything it needs to.
The GDPR was adopted by the European Parliament and the Council on April 27, 2016. Businesses (including online businesses) were given a two-year transition period to bring themselves into compliance, and on May 25, 2018, the GDPR became enforceable.
The GDPR is a regulation (not a directive, so it applies directly in every member state without national implementing law) and it is both comprehensive and specific. Its 99 articles give precise instructions about how organizations must handle personal data, and they give the people whose data is processed (the data subjects) specific rights over that data.
Any website, web app, mobile app, or desktop app that collects or processes the personal data of individuals in the EU falls under the GDPR, whether or not the business itself is based in the EU. Note that the test is where the data subject is, not their citizenship: a non-EU company that offers goods or services to, or monitors the behaviour of, people in the EU is in scope.
To get you started with your GDPR compliance, we have formulated a list of 14 steps:
Start by raising awareness in your workspace about the GDPR and how it will affect your business. Assess what steps you will have to take to properly implement this regulation.
Hold informative meetings, have employees read articles and make sure everyone is aware of changes that will be taking place at your organization.
Under the GDPR, you are required to be able to demonstrate how you comply (the accountability principle). For this purpose, you must keep a record of the personal data you hold, where you obtained it, the purposes you process it for, and whom you transfer it to. In practice this usually means conducting a data audit across your company.
Documentation matters from the beginning of your compliance work to the end of it, and it remains an ongoing obligation afterwards: records of processing activities must be kept current.
Your customers have certain rights regarding their data. Under the GDPR, your customers can in most cases:
You must address and abide by these user rights.
The GDPR requires you to respond to a data subject's request without undue delay and in any event within one month of receiving it; that period can be extended by two further months where the request is complex or you have received many requests, provided you tell the person why within the first month. You must also provide the information free of charge (a reasonable fee may be charged only where a request is manifestly unfounded or excessive, for example repeated copies of the same data).
Under the GDPR, if you rely on consent as your legal basis for processing, that consent must be freely given, specific, informed and unambiguous, and it must be obtained through a clear affirmative action by the user before you collect or process the personal data. For special categories of data (such as health data) consent must be explicit. You must also make sure the user is fully informed about how you will use their data and that they can withdraw consent as easily as they gave it. Setting non-essential cookies (such as analytics or advertising cookies) also requires consent.
The GDPR requires you to have processes to detect, investigate and document personal data breaches. You must report a breach to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and you must inform the affected users without undue delay when the breach is likely to result in a high risk to them. Every breach, including those you decide not to report, must be recorded internally.
You will have to carry out a data protection impact assessment (DPIA) for processing that is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring. A DPIA identifies where your processing and environment have weaknesses that could lead to a data breach or other harm, and it documents the measures you take to reduce that risk before the processing starts.
Under the GDPR, you may be required to appoint a Data Protection Officer (DPO) whose job is to advise on and monitor compliance with the regulation and to oversee the data processing activities in your company. Appointing one is mandatory if you are a public authority, if your core activities involve large-scale regular and systematic monitoring of individuals, or if they involve large-scale processing of special categories of data or data about criminal convictions.
Determine whether you need this role and, if you do, appoint someone with the independence and expertise to perform it.
If your business operates in several EU countries, identify which data protection supervisory authority is your lead authority. Under the GDPR, that is the authority of the country where your main establishment is, meaning the place of your central administration in the EU or, if decisions about the purposes and means of processing are taken elsewhere, the establishment where those decisions are made.
If you are not established in the EU but fall under the GDPR, you may also need to designate a representative in the EU.
Clearly state whether you are a data controller (you decide why and how personal data is processed) or a data processor (you process it on another company's instructions), since the two roles carry different obligations.
Let's look at how Amazon does it:
In this example, Amazon states that any data that it collects is controlled and processed by Amazon and its subsidiary companies.
You should always provide information for how your users can contact you.
Here's how CheckMarket does this:
CheckMarket provides its email as well as physical address to its users.
Under the GDPR, you are required to inform your customers about their 8 rights, which are as follows:
An example of this is Towergate's Fair Processing Notice:
As a business owner, you are required to tell your customers whether providing the data you request is a statutory or contractual requirement or simply optional, and what the consequences are if they choose not to provide it.
Here's how Apple lets users know that it isn't mandatory to provide information and what will be affected if a user chooses not to do so:
Here's how JFrog discloses this:
You should include the legal framework and safeguards that you use or fall under when it comes to international data transfers. For example, here's how Instructure includes this information in its GDPR policy:
As a business owner, you are required to inform your user about the lawful reason for collecting or processing their data.
An effective way to obtain consent is with checkboxes and clickwrap agreements. GDPR-compliant consent must be freely given and expressed through an affirmative action, such as the user ticking a box themselves; silence, inactivity or continued use of a site does not count.
Don't pre-check your boxes. Use separate boxes for separate purposes, for example one for consenting to marketing emails and another for agreeing to your Terms and Conditions, and never make consent to marketing a condition of using the service.
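The checkbox rules above are easy to enforce in code. The following is an added example written for this article, not code from the original page or from any company named in it; the field ids, purpose names and the shape of the consent record are assumptions for illustration. It validates a form definition (no pre-ticked consent boxes, one purpose per box, no forced consent), turns a submitted form into per-purpose consent entries, and records withdrawal as a new entry so the audit trail is preserved.

```javascript
// Added example: enforcing GDPR-style consent rules for a sign-up form.
// Assumed field ids and purpose names; not code from the original article.

// One checkbox per purpose. `required` means the user cannot proceed without
// ticking it; that is acceptable for the Terms (contractual basis) but not for
// consent-based purposes, because consent that is a precondition of the
// service is not freely given.
const SIGNUP_FORM = [
  { id: "terms",     purposes: ["terms_and_conditions"], basis: "contract", defaultChecked: false, required: true },
  { id: "marketing", purposes: ["marketing_email"],      basis: "consent",  defaultChecked: false, required: false },
  { id: "analytics", purposes: ["analytics_cookies"],    basis: "consent",  defaultChecked: false, required: false },
];

// Returns a list of problems with the form definition; an empty list means it
// follows the rules from the text: no pre-checked consent boxes, one purpose
// per box, and no consent box the user is forced to tick.
function validateConsentForm(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.basis === "consent" && f.defaultChecked) {
      problems.push(`${f.id}: consent checkbox is pre-checked`);
    }
    if (f.purposes.length !== 1) {
      problems.push(`${f.id}: one checkbox covers ${f.purposes.length} purposes; use one box per purpose`);
    }
    if (f.basis === "consent" && f.required) {
      problems.push(`${f.id}: consent cannot be a precondition of using the service`);
    }
  }
  return problems;
}

// Turns a submitted form (field id -> checked) into per-purpose entries.
// Only a box the user actually ticked counts as consent; an untouched box is
// recorded as "not granted" rather than silently assumed.
function recordConsent(fields, submitted, policyVersion, now = new Date()) {
  const problems = validateConsentForm(fields);
  if (problems.length) throw new Error(`invalid consent form: ${problems.join("; ")}`);
  const entries = [];
  for (const f of fields) {
    const ticked = submitted[f.id] === true;
    if (f.required && !ticked) throw new Error(`${f.id} must be accepted to proceed`);
    for (const purpose of f.purposes) {
      entries.push({ purpose, basis: f.basis, granted: ticked, policyVersion, at: now.toISOString() });
    }
  }
  return entries;
}

// Withdrawal must be as easy as giving consent. Append a new entry instead of
// editing history so the accountability record (what was agreed, when, and
// under which policy text) stays intact.
function withdrawConsent(entries, purpose, now = new Date()) {
  const last = [...entries].reverse().find((e) => e.purpose === purpose);
  if (!last) throw new Error(`no consent entry for ${purpose}`);
  return [...entries, { ...last, granted: false, withdrawn: true, at: now.toISOString() }];
}

// Current state per purpose: the most recent entry wins.
function consentStatus(entries) {
  const status = {};
  for (const e of entries) status[e.purpose] = e.granted;
  return status;
}
```

In a browser the `submitted` map would be built from each input's `checked` property at submit time, and the form definition's `defaultChecked` should mirror the input's `defaultChecked`, so a template that ships a pre-ticked box is caught by `validateConsentForm` rather than quietly producing "consent" nobody gave.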
The GDPR affects every business that handles the personal data of individuals in the EU. Non-compliance can be punished with fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, so you must take the necessary steps to make sure your online business complies.
Use this quick guide as a checklist to make sure you're addressing and remembering the basics of GDPR compliance.