Overview
First, I want you to remain calm: the EU's new General Data Protection Regulation is not going to kill your business.
In fact, I believe that in the long run this regulation will bring more confidence to data exchange, communication and, of course, the internet as a whole.
So, on my own mission to become GDPR-aware and compliant, I've put together this simple checklist. It is by no means legal advice, and I am not a lawyer.
I'm not going to go into detail on what the GDPR is; instead I'll focus on simple bullet points from the regulation and on how to become as compliant as possible.
You can read the regulation in full on the official site and/or consult your legal counsel.
The Regulation
Let's look at what the regulation requires of us with regard to the data of users, employees and customers.
- Always be transparent and clearly state the purpose of each piece of data you collect
- Inform users at the time of data collection
- Collect only the data you need
- Do not use collected data for purposes other than the original one
- Whenever possible, collect anonymous data instead of personal data
- Keep data stored only as long as necessary, and no longer
- Store data for the shortest time possible, while always taking into account any legal obligations (e.g. tax or anti-fraud laws and product warranty durations)
- Keep collected data stored as securely as possible
- Keep collected data up to date
- Inform users in advance if you will be using their data for other purposes
- Set time limits to review or erase stored data
Compliance: The Steps I Took
Below are the steps I took to make sure I follow the GDPR and eventually become compliant.
- Organize all collected data; doing this, you'll create a list of all the user data you hold and how you obtained it
- Write your Privacy Policy in clear, non-legalese language and include the information listed in the next section
- Clearly prompt for consent whenever you request data; if you request data for marketing purposes you must prompt for a separate consent
- Contact all existing users (those acquired before the GDPR effective date) and prompt for consent
- Put mechanisms in place so that users can access all the data you hold on them, download it in a machine-readable format and request its deletion
- In case of a data breach you must report it to the corresponding authorities; in case of a high-risk data breach you must also inform the affected users directly. Both actions have to be taken within 72 hours of the incident
- If you are a public organization or manage a large amount of data, you must appoint a Data Protection Officer
Privacy Policy: Things To Include
Besides asking for consent, you should also rewrite your Privacy Policy in plain (non-legalese) language and include, among other things, the information below.
- Who your company is and its contact details, plus the contact details of the DPO (Data Protection Officer), if any
- Why your company will be using user data; give a reason for each data item or category
- The legal justification for processing their data
- How long your company will keep the data
- Who else might receive the data
- Will the data be transferred to a recipient outside the EU?
- If you disclose the data to another recipient, you must inform the users at the latest by the first communication with them or by the time you disclose their data
- Do you provide users with access to their data and the option to download a copy in a machine-readable format?
- Can users ask you to delete their data?
- How can users lodge a complaint with a data protection authority about any concerns they might have?
- Can users withdraw consent whenever they want to?
- If you use a lot of cookies you should list them all in a separate Cookies Policy, which also explains how users can manage those cookies
- Inform users of the existence of any automated decision-making system and the logic involved, including its consequences
- Additionally, if you did not get the data directly from the users:
  - you must mention the source the data originated from
  - and you must inform the users of the above privacy policy information within a month
The End
The three lists above are all you need to know about the GDPR and how to act in order to become compliant.
By acting on the GDPR now you'll avoid losing users and customers through lack of consumer confidence and, most importantly, avoid being fined by the EU.
GDPR fines, by the way, will not land on your doorstep that easily, as there will be a series of prior warnings to become compliant before a fine is actually issued.
So rest assured you won't be fined immediately; instead, you'll have some time to do what's necessary to become compliant.
Technical examples
Below are some additional technical examples that might help you become GDPR compliant if you own a blog, e-commerce store or any other digital product.
Website Analytics
If you are using Google Analytics or any other service to track your website's usage, you can take one of the following two approaches to becoming GDPR compliant (I'm going to use Google Analytics for this example as it is the most popular one).
- Automatically anonymize or disable personal tracking
  To do that, you need to meet the following:
  - Anonymize IP addresses on all Google Analytics hits
  - Disable UserID tracking on Google Analytics hits, e-commerce hits, form-tracking hits, and the UserID dimension in the Custom Dimensions add-on
  - Disable author tracking in the Custom Dimensions
  - Enable the ga() compatibility mode
  - Disable the Demographics and Interest Reports for remarketing and advertising tracking on Google Analytics hits (note: if you do this, you'll continue to get the reports)
  You can set the above within the GA Admin settings as shown below:
  - Property Column >> Tracking Info
    - Data Retention
      - User and event data retention: Don't automatically expire (unless obligated otherwise)
      - Reset on new activity: ON
    - Data Collection
      - Remarketing: OFF
      - Advertising Reporting Features: OFF
  - Property Column >> Property Settings >> Enable Demographics and Interest Reports: OFF
  - Account Column >> Account Settings >> Review the Amendment >> Click Accept
  - Finally, add {'anonymize_ip': true} or {'anonymizeIP': true} to your site's analytics code, or, if you are using WordPress with the popular MonsterInsights plug-in, go to MonsterInsights >> Tracking >> Demographics >> Enable Anonymize IP
- Continue to track personalized data (such as IP addresses), in which case you will need to obtain explicit consent
  If you are using a WordPress site, you might use one of the popular plug-ins for obtaining consent, such as Cookie Notice.
Looking around the web, many people (especially in e-commerce) recommend the first approach, as you won't lose any GA sessions from people who decide not to consent. I leave it to you to choose what suits you best.
One last thing about analytics: you should let your users know in your Privacy/Cookie Policy how they can opt out of your website analytics (e.g. the Google Analytics Opt-out Add-on).
Forms
Whatever forms you use on your website or landing page, be it for user comments, newsletter subscriptions, contact us or anything else, you must have a user consent checkbox before you process and store that data.
Especially if you are going to use that data for marketing purposes (e.g. a newsletter subscription or marketing list), you need to make this clear in a specific consent message alongside a checkbox.
Another way to get consent when collecting data for marketing purposes is double opt-in. Instead of having users consent on the spot, you send them a second email after they subscribe, asking them to opt in and thereby consent.
If you are going to save some data in cookies for the user's convenience, for example the next time they comment, then you should mention it in your Cookies Policy and also have a user consent checkbox.
In the latter case, you may cover the cookie creation in a one-time general consent on your website. This consent should present a general data collection message together with a cookie usage message, each pointing to the respective privacy and cookie policies.
Current user-base
If you have a user base acquired before the GDPR effective date (25 May 2018), then in addition to all the above steps you should send an email (or use any other means of communication suited to your case) asking those users for their consent to the new privacy and cookie policies you have put in place.
Retargeting Ads
If you are going to use a retargeting strategy, inform the users with a general notice and specify the details in your privacy or cookies policy.
E-Commerce
If you own an e-commerce store, then in addition to the above I would emphasise the following three points.
- Make sure you examine all data gathered or processed by any web services or plug-ins you use on your site
  For instance, in an e-commerce store you are most probably using a payment gateway that processes your users' data. A shipping extension that estimates shipping costs for the user might also process user data in order to function.
  Go through all your plug-ins and list each of them, and the data they process, in your privacy policy. Remember that you must be transparent with your customers: not only does the law now require it, but it will also help build a long-lasting relationship with your users.
- Assign a DPO
  Even if you are a one-person store, be sure to appoint someone (or yourself) as DPO (data protection officer).
  Designate an email address for this purpose and make sure to communicate it through your privacy policies.
- Cookies Policy
  An e-commerce store is very likely to use multiple cookies, as it involves many different functionalities. Even if your site is not that big, having a separate cookies policy will set your store apart from the rest and boost the confidence of your users.
Other software and apps
If you are developing any other software, such as a mobile app where users are required to sign in and pass more personal data to the software, then in addition to the above I believe you should also emphasize the following.
- Ask for consent to your privacy policies upon user sign-in, at the beginning of software usage
  A small note here: if you are using any third-party service to sign a user in, such as Facebook Login, you should mention the data you receive from their Facebook profile.
- Software screens that prompt for user data should clearly convey the use and reason behind it
  For example, a social app's screen asking the user to input data such as their name, age, location and so on should be very clear about the purpose. One way to achieve this is by prompting for relevant data at a relevant time within the software flow, e.g. asking for personal information on the user's profile screen.
- An easy way for the user to delete their account and opt out of the software and services you provide
  An all-in-one 'Delete Account' button that does just that should be a good solution: removing all user data and unsubscribing from all your services with a single click.
- Functionality to download their data in a machine-readable format
  You should be careful about how you implement this functionality, as you want to be sure that user data won't end up in the wrong hands.
  One way to do so is to have the user request the data from within your software by prompting for their email address. You validate the given email address against their stored email address and send them a download link.
  This is just a simple way of achieving this functionality. Feel free to add further security layers to the process to make it more sophisticated and secure.
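As an added example (my own code, not from the original post), the Python below implements the email-verified data-export link described above and reuses the same mailed-link mechanism for the double opt-in flow from the Forms section. The user store, consent table, URL and one-hour lifetime are constructed assumptions; the signature, expiry and purpose binding are the kind of extra security layers the paragraph invites, so a link cannot be forged, reused after it expires, or swapped between the two flows.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

# Constructed sample data (assumption): stored accounts and newsletter consents.
USERS = {"alice@example.com": {"name": "Alice", "orders": 3}}
CONSENTS = {}
SECRET_KEY = secrets.token_bytes(32)  # server-side key; never send to clients
TOKEN_TTL = 3600  # mailed links expire after one hour (assumption)

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(purpose: str, email: str, now=None) -> str:
    """Signed, time-limited token binding purpose, address and expiry."""
    exp = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{purpose}|{email}|{exp}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_token(token: str, expected_purpose: str, now=None):
    """Address the token was issued for, or None if malformed, tampered, expired or wrong purpose."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
            return None
        purpose, email, exp = payload.decode().split("|")
    except (ValueError, TypeError, binascii.Error, UnicodeDecodeError):
        return None
    if purpose != expected_purpose or int(exp) < (time.time() if now is None else now):
        return None
    return email

def request_export(email_entered: str, now=None):
    """The post's flow: the address typed in the app is checked against the
    stored one; only then is a download link mailed to that stored address."""
    email = email_entered.strip().lower()
    if email not in USERS:
        return None  # show the same neutral message either way
    return "https://example.com/export?token=" + issue_token("export", email, now)

def fulfil_export(token: str, now=None):
    """Serve the machine-readable bundle only for a valid export token."""
    email = verify_token(token, "export", now)
    return None if email is None else json.dumps({"email": email, **USERS[email]})

def confirm_subscription(token: str, now=None):
    """Double opt-in: consent is recorded only when the mailed link is used."""
    email = verify_token(token, "subscribe", now)
    if email is not None:
        CONSENTS[email] = {"newsletter": True, "confirmed_at": int(time.time() if now is None else now)}
    return email
```

Making each token single-use (store its hash server-side and mark it spent on first use) is a further layer worth adding once you persist state.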
Conclusion
There are many different ways people gather and process data today, especially online, which I'm not going to get into here. The primary purpose of this post is to serve as an easy checklist for becoming compliant, and to convey the general idea of data privacy and protection that we should all follow.
Finally, as stated at the beginning of this post, I strongly believe that the EU's new GDPR will boost user confidence in data exchange and communication, both offline and online. That's a good reason (at least in my view) for all of us to follow the regulation.
Data privacy and protection have never been more important than they are today; finding new ways to shield our data is a must if we are to create a solid foundation for the future.
That's something I'm fascinated by, and I can't wait to see how it evolves in the coming years as more countries take new approaches to this important matter.
PS. If you think I missed something or want to contribute to this list, feel free to email me at my address or message me on the social accounts mentioned in the footer below.