On Friday, 25 May 2018 the General Data Protection Regulation (GDPR), which intends to give European citizens back control over their personal data, will come into effect. The impact of this will be global though and could affect kiwi businesses, so we've put together this handy guide to help you through compliance.
What is GDPR?
The GDPR is a new set of rules governing the privacy and security of personal data for citizens of the EU, enforced by the European Commission. The new single data protection act replaces the Data Protection Directive from 1995 and includes some major changes to Europe's privacy laws.
Why is this happening?
The EU wants to give the power of deciding what happens to their data back to its citizens, and frankly it's something we here at Bitlab applaud. Basically, under the new rules, individuals have "the right to be forgotten". This means they reserve the right to request that businesses delete their personal data.
How will it affect my business?
If you think you're safe outside the EU here in New Zealand, think again - although it is a legislative change in the EU, it applies specifically to data gathered on citizens of the EU and can carry some hefty fines. If your business collects email addresses or any data on visitors, and those visitors could come from the EU, you could be liable. While we believe it's unlikely the EU will start looking for companies to fine, we also believe it's common courtesy for international businesses and websites to ensure we comply with these new regulations.
What do I need to do?
- Make sure you are aware of all types of personal data collected on your website. Websites collect all types of data, so it's important to determine what data is necessary to collect and where it is located (i.e., whether third parties have access). Limiting the amount of data collected can reduce storage expenses and reduce liability and disclosure efforts following a data breach. A good place to start is identifying a tool that works for the needs and scope of your organization. Knowing where personal data lives on your website is a great way to find potential risks before issues arise.
- Consider utilizing encryption as a part of your data collection and storage. While this point is more “behind the scenes”, companies should consider encryption of their collected personal data, depending on the level of sensitivity. Not only does it protect personal data by making personal data unreadable (should it fall into the wrong hands), encrypted data could be considered “unintelligible”. In some cases, unintelligible data is not required to be disclosed following a data breach.
- Make sure all consent forms are unchecked by default and have an easy confirmation process (active opt-in). For example, the option to "click" an approval button or select a "check-box" makes for an easy confirmation process. Siteimprove makes it easy to set up a policy on your site, so an opt-in or opt-out option is always present when necessary. Note: this must be separate from other terms and conditions, and consent forms should be easy to understand.
- Make sure the contact information for your Data Protection Officer (if applicable) or any other data privacy personnel is listed clearly on your website. The GDPR requires companies to provide people with the ability to view, edit, or delete their personal information. Additionally, people also have the right to send inquiries regarding their information. Make sure you allow people easy access to anyone responsible for managing personal data so inquiries can be made.
- Make sure you have a process in place for easy data deletion (Right to be Forgotten). Completing data requests can be a time-consuming process. Make sure you have processes in place to handle deletion requests in a timely manner.
- Are you ready for a data breach? Should this unfortunate event take place, make sure you know what to do and who to contact (i.e., Supervisory Authority, DPO, customers, etc.) and that all necessary notification forms are in place.
- Be prepared for data portability requests. Another main component of the GDPR is giving people the ability to transfer their personal information from one service to another quickly and easily via a common format (e.g., a CSV file). Do you have this capability?
- Do you have a mobile app? The GDPR also applies to personal data collected through mobile devices and apps. Spend some time reviewing the data your mobile app collects, where it goes and why it is collected, all while making sure it complies with the GDPR.
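To make three of the checklist items above concrete (active opt-in consent recorded separately from terms, CSV export for portability, and erasure for deletion requests), here is an added example of a minimal in-memory personal-data store. It is illustrative code written for this guide, not Bitlab's or Siteimprove's own implementation, and all class and function names are hypothetical.

```python
import csv
import hashlib
import io
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

FIELDS = ["email", "name", "marketing_consent", "consent_recorded_at"]

@dataclass
class DataSubject:
    email: str
    name: str
    # Consent is never assumed: it defaults to False ("unchecked") and is
    # recorded separately from accepting the terms and conditions.
    marketing_consent: bool = False
    consent_recorded_at: Optional[str] = None

def _ref(email: str) -> str:
    # Pseudonymous reference for the audit trail, so the log itself does not
    # keep the email address after the record has been erased.
    return hashlib.sha256(email.lower().encode()).hexdigest()[:12]

class PersonalDataStore:
    def __init__(self) -> None:
        self._subjects: Dict[str, DataSubject] = {}
        self.audit_log: List[str] = []

    def register(self, email: str, name: str, accepted_terms: bool) -> DataSubject:
        if not accepted_terms:
            raise ValueError("terms must be accepted to create an account")
        # Accepting the terms does NOT grant marketing consent.
        self._subjects[email] = DataSubject(email=email, name=name)
        return self._subjects[email]

    def record_consent(self, email: str, opted_in: bool) -> None:
        s = self._subjects[email]
        s.marketing_consent = opted_in
        s.consent_recorded_at = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(f"consent:{_ref(email)}:{opted_in}")

    def export_csv(self, email: str) -> str:
        # Data portability: everything held about the person, as CSV text.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerow(asdict(self._subjects[email]))
        self.audit_log.append(f"export:{_ref(email)}")
        return buf.getvalue()

    def erase(self, email: str) -> bool:
        # Right to be forgotten: returns False if nothing was held.
        removed = self._subjects.pop(email, None) is not None
        self.audit_log.append(f"erase:{_ref(email)}:{removed}")
        return removed

    def holds(self, email: str) -> bool:
        return email in self._subjects
```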
Help, I'm not sure if I'm compliant!
As mentioned above, there is also a handy online checklist you can use to make sure you cross all the i's and dot the t's. If you're not sure where to start, you can get in touch with us at email@example.com and we can help point you in the right direction.