How Are You Addressing GDPR Compliance?

Kurt Voelker

Vice President, Business Strategy and Growth, Forum One

A key component of building trust with your online users is to assure them that their privacy is protected at an organizational level. The General Data Protection Regulation (GDPR) that the EU put into effect in May 2018 aims to protect users’ personally identifiable information (PII). Now that we are two months in, are you confident that your organization has taken the right steps to guarantee this protection?

In the run-up to GDPR going into effect, many organizations sent opt-in/opt-out email notifications to their user databases and gave website visitors the option to accept or decline tracking cookies. These are important first steps, but what else should you be considering longer term as you ensure your users’ right to privacy? Here are a few ways to make sure your organization is complying with data privacy guidelines.

Start with an audit

An audit should be done at the institutional level. Start by asking questions to better understand your organization’s privacy guidelines. What data is your organization collecting? How is it being collected and used? Is it protected? After considering these basic questions, your organization can establish which areas need to be strengthened and changed to meet GDPR guidelines and protect privacy rights.

Review third-party systems

Data processors don’t end with your organization. It’s important to be aware of every party in the chain of disclosure of personally identifiable information. Consider where your data goes after it’s collected. In many cases it is likely stored in Google Analytics, MailChimp, Salesforce or other CRM systems. To enhance your relationship with third-party systems, it’s important to have constant communication. Interviewing each vendor, assuring there is a legal basis, confirming they’re following the principles and recognizing privacy practice agreements are all ways to keep communication open throughout the entire process.

Optimize email list settings

Before making any privacy changes, take the time to first understand what data your organization already has about your subscribers. The GDPR says information should be obtained in a specific and explicit way. In doing so, your subscribers need to be aware of the exact information they’re disclosing, understand the purpose of its use, and feel confident that their privacy rights are respected. If your data collection isn’t currently being presented in this way, then it’s time to make updates. The best way to ensure your organization is following GDPR guidelines is to ensure that subscribers are able to easily opt in or out. This gives them the ability to see how and why you’re collecting their data and then decide if they want to continue to be included or not.

Inform users of tracking cookies

Cookies taken by themselves are not personally identifiable; however, coupled with other information, they can become so. To accurately update your privacy features, make sure users are informed of what’s being collected and how the information is being used. Taking it a step further, you can add an opt-in/opt-out option for being tracked by cookies. As long as it doesn’t disrupt any legitimate business transactions, this feature can allow users to browse anonymously if they choose to do so.

Provide privacy options to users

There are a few key features your organization needs to provide in order to support your end users. These features are straightforward and correspond directly to the GDPR. Users should be able to request data, move data, correct data, erase data, and object to the processing of their personal data. These options can be provided either automatically or manually, but above all users must be given the ability to update the data. A few examples for implementation can be to use a “Contact Us” form, or have steps in place to follow the Google Privacy Center.

Follow good data processing practices

Within GDPR, data being processed outside of the EU is fine as long as the selected country is deemed “adequate” by the regulation. The United States is among the list, as long as the organization adheres to the Privacy Shield. Additionally, it is important to pseudonymize the data when working on it locally and encrypt data that is either at rest or in transit.

GDPR is not just about your website; it’s about what your organization is doing to protect the privacy of the users you serve. The overall goal of the regulation is to create a change in behavior that puts individuals’ privacy rights first. It’s not about fixing a few things to adhere to the guidelines; rather, it’s about becoming more aware and respectful of privacy in general within your organizational structure.
