If your organization targets EU residents, maintains an email list or has significant international website traffic, you’ll need to evaluate the impact of the GDPR on your organization and make adjustments if needed.
Enforcement will go into effect starting May 25th, 2018 and failure to comply may result in substantial fines. Most of the requirements should be met simply by being a good steward of people’s information and using best practices for security and design.
While it’s still to be seen how the GDPR will be interpreted and enforced, here’s what we know:
- Personal information — broadly defined as any data that can be linked to a person — must be securely stored and documented. This includes email addresses, IP addresses, purchase history, cookies, past browsing behavior, etc.
- Personal information should only be gathered if users give explicit permission before any data is collected, and they must have the ability to withdraw consent at any time.
- EU citizens will have the right to access their stored personal information, and to have the data transferred or destroyed.
- The amount of data collected should be minimal: used only for the purpose for which it was authorized, and deleted when it's no longer needed.
GDPR compliance requires an ongoing commitment to data security and privacy in every aspect of a site’s design.
Here are a few tips for meeting the requirements of the GDPR:
- Update your privacy and data use policies. Your updated policies need to enumerate all of the personal data you collect, how it is used, and to explicitly request user permission to collect it.
- Make data removable. Make sure your data storage is well organized so you can accommodate users’ requests to access and delete personal information.
- Put in place data use logging. Update your development documentation and processes so that any and all processing of personal data, such as internal querying or reporting, is logged.
- Train your team. Update your internal processes so that every team that touches or processes personal data receives at least annual training on your organization's policies and on best practices for secure data handling.
- Pseudonymize user data in non-production servers (dev, test, stage). Ensure your database of personal information is managed securely by using pseudonymization and other well-established data security practices.
- Confirm your third-party software is compliant. Check with any third-party software or cloud vendors your digital systems rely upon to see how they are responding to the new regulations. For example, your email service provider will need to document that users gave consent when they subscribed to your email list. (Here's MailChimp's guide on GDPR, as a reference); and you will want to review Google's Data Processing Terms in the account settings of your Google Analytics account and provide the appropriate contact information before accepting the Data Processing Amendment updates.
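One way to carry out the pseudonymization tip above when cutting a dev/test copy of production data, as an added Python example that is not part of the original post; it assumes a constructed user/order export and a secret key that is held outside the non-production environment:

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample data standing in for a production export (not real users).
SAMPLE_USERS = [
    {"id": 1, "email": "Alice@Example.com", "last_ip": "203.0.113.7", "purchases": ["book-101"]},
    {"id": 2, "email": "bob@example.com", "last_ip": "2001:db8::1", "purchases": []},
]
SAMPLE_ORDERS = [
    {"order_id": 9001, "customer_email": "alice@example.com", "sku": "book-101"},
]


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 16 hex chars).

    The same input always yields the same token, so joins between tables still
    work in dev/test, but without the key a developer cannot recover the value
    or confirm a guess the way they could against an unkeyed hash of an email.
    The field name is mixed in so an email and an IP never share a token.
    """
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_email(key: bytes, email: str) -> str:
    # Normalise case and whitespace first so differently-cased copies of one
    # address still map to the same pseudonym and remain joinable.
    return f"user-{pseudonym(key, 'email', email.strip().lower())}@pseudo.invalid"


def pseudonymize_ip(key: bytes, ip: str) -> str:
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage, which we want to notice
    # Keep only the address family (useful for dev queries); the address itself is dropped.
    return f"ip{addr.version}-{pseudonym(key, 'ip', addr.compressed)}"


def pseudonymize_export(key: bytes, users: list, orders: list) -> tuple:
    """Return pseudonymized copies of both tables; the identifying fields are replaced,
    while purchase records stay attached to the pseudonym so dev queries still work."""
    new_users = [dict(u, email=pseudonymize_email(key, u["email"]),
                      last_ip=pseudonymize_ip(key, u["last_ip"])) for u in users]
    new_orders = [dict(o, customer_email=pseudonymize_email(key, o["customer_email"]))
                  for o in orders]
    return new_users, new_orders


def leaks_raw_value(records: list, raw_values: list) -> bool:
    """Gate to run before loading the copy into a non-production server."""
    blob = json.dumps(records).lower()
    return any(v.lower() in blob for v in raw_values)
```

The key must live only in the export job, never on the dev/test hosts, or the pseudonyms become reversible by anyone who can read it.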
At Forum One, we’re helping clients navigate the GDPR in a variety of ways, including creating a documentation plan for all log data to demonstrate the reasons for collecting it. We’ll continue to monitor developments and provide resources as the GDPR is implemented.
We’d be happy to chat about how you can ensure that your organization is in compliance with GDPR.