Called the most important change in the history of data protection regulation, the EU General Data Protection Regulation (GDPR) is approaching fast.
Approved in April 2016 after 4 years of continuous preparation and debate, it will come into effect on 25th May.
Once it rolls out, organisations found to be non-compliant with GDPR will be fined an astronomical 20 million euros or 4% of their annual income (whichever is higher).
And obviously, you don’t want that fine on your head (neither do we). If you have never heard of GDPR before, you’re in luck: we will tell you everything there is to know about GDPR, what it actually is, and how to remain compliant under this new regulation.
Let’s begin –
What exactly is GDPR?
Formulated with the aim of protecting all EU residents from online privacy and data breaches in a data-driven world, GDPR is the next, updated version of Europe’s previous data protection directive (1995) and carries provisions that require businesses to rigorously protect the personal data and privacy of EU residents on the web.
High-profile user data breaches, like the recent Cambridge Analytica scandal, have amplified the long-dormant public outcry for more stringent user data protection rules.
So its timing couldn’t have been more perfect.
The GDPR, when implemented, will harmonise the process of gaining consent to collect the user data (basic identity information, web data, biometric data, racial & ethnic data, etc.) of EU citizens and will set a benchmark of protection for all businesses that process or control it.
And, as mentioned earlier, there’s a hefty fine for GDPR non-compliance. So, with 25th May being just around the corner, it now is more of a question of ‘How to GDPR?’ than ‘Why GDPR?’.
But before we mention all the things you’ll have to do to be GDPR compliant, let’s define first what businesses will come under its umbrella –
Do I need to be GDPR compliant?
Absolutely! Unless, of course, you don’t mind paying millions in penalties, or you block EU users from engaging with your products and services.
Regardless of geographical location, if your business serves EU residents or processes/stores their personal data in any way, you need to be GDPR compliant. Period.
And both data controllers (who determine the purpose, conditions and means of processing data) and data processors (who process data on behalf of data controllers) need to be GDPR compliant.
How do I comply with GDPR as a website owner?
Okay, complying with GDPR is no walk in the park. To fully comply, you’ll have to tick off all of these prerequisites –
- Taking consent
Probably the most important factor in being GDPR compliant is how you take consent from users for collecting and using their personal data. Some people readily give businesses consent to collect their information, while others remain skeptical about it.
Fortunately, under GDPR giving consent no longer means going through a ton of ‘terms & conditions’ legalese. GDPR simplifies this process for individuals, if only marginally.
Apart from that, the purpose of collecting user data must also be stated in the consent request.
Also, under GDPR Article 7(3), opting out of consent must be as simple as opting in: the click of a button.
GDPR gives users complete freedom to control their own data. Under this new regulation, users can at any time ask data controllers for the data collected about them, and controllers are bound to provide it free of charge.
They can also choose to transfer their data to other data processors or have it deleted irreversibly. We like to call this GDPR’s ‘Right To Data’.
For compliance, it goes without saying that businesses will now have to be completely transparent about everything involving the collection or processing of user data.
- Data Erasure
With GDPR, businesses can no longer continue to hold the personal information of data subjects if the information is no longer required or the basis for collecting it in the first place has changed.
Data controllers are also under a direct obligation to erase user data without delay if requested by the user, and to make sure that it is erased from the user data passed on to data processors as well, again without any delay.
- In case of a breach
Notifying data subjects about the loss or breach of their user data within 72 hours is a priority for data controllers. If they fail to do so despite being aware of the breach, serious penalties await once the regulation finally comes into effect on 25th May.
Data processors also need to inform their customers, i.e. the data controllers, about the breach within 72 hours.
Under this new regulation, sending a breach notification to all affected data subjects within 72 hours is mandatory for businesses to remain compliant with GDPR.
- Privacy By Design
A legal requirement under the GDPR, ‘Privacy By Design’ is a concept that calls for building ‘user data protection’ into the roots of your business systems. Simply put, it puts the emphasis on developing a business infrastructure that focuses on safeguarding the private information of data subjects from the start, rather than treating it as an add-on.
GDPR specifically requires data processors & controllers to appoint a ‘Data Protection Officer’ (DPO) to oversee their data security strategy and ongoing GDPR compliance.
But not every business needs to hire a DPO. You only need one to stay compliant under the new regulation if your organisation is a public authority, engages in large-scale systematic monitoring, or processes sensitive personal data.
If your organisation is none of the above, you will do just fine even without a DPO.
The essence of GDPR lies in being fully transparent with your customers about what personal data will be collected and how it will be processed. If you do that by following the officially stated procedures, you’ll do just fine.
Using 3rd Party apps on your website
As a website owner who constantly leans on Google Analytics and other data analytics platforms to make richer business decisions, you might be wondering whether there’s something you need to do to stay GDPR compliant.
When you use analytics platforms to access behavioural data about your users, you become a data controller and the platform serves as a data processor, processing all the required data for you.
Now, Google Analytics is used by almost every business out there. If Google wants to stay compliant, it will have to guarantee compliance to you by signing a ‘Data Protection Agreement’ (DPA) and must allow you to update or delete user data of your choosing (if requested by a user).
The DPA is required to assure Google that you will be able to comply with GDPR when it comes to handling the private data of your own users. For example, if a user wants their data deleted, Google Analytics must allow you to do this from your end.
And they are doing pretty well at doing what they can!
Google already checks off all the GDPR compliance points listed above and is well on its way to embracing the GDPR-compliant future.
And it’s not just Google Analytics: analytics platforms like Hotjar and HubSpot, which are actively used by marketers and business owners all around the world, are also doing all they can to be GDPR compliant by having their users sign a DPA.
By doing so, you do your part in GDPR compliance by being completely transparent about the user data you collect and how you use it to make richer business decisions.
GDPR will set a standard of compliance for protecting user data that almost every user data aggregator will have to follow. It’s not just Google Analytics: almost every analytics platform that processes user data will comply with GDPR before 25th May, and it’s about time you hopped on the wagon as well!