How to Prepare for GDPR

On May 25th, 2018 a new law will go into effect in the EU to regulate the protection of data for all EU citizens. This is one of the most important topics of this year and years to come, not only for the EU, but for the entire world.

With the rapid evolution of our global technology ecosystem, many companies have built innovative solutions using the personal data of their users. This data has helped teams to create personalized user experiences for features like ad targeting, product customization, and relevant push notifications, however, these products have lacked feature development surrounding the privacy and transparency of the user data being collected.

It’s our duty as technology professionals and entrepreneurs to put data privacy and security at the forefront of product development. In order to maintain trust with users and prevent abuse or fraud from happening in our systems, we need to clearly understand GDPR policy and update our websites with proper legal documentation.

Who it affects?

When GDPR goes live, the law will impact any company (worldwide) that collects data from any EU citizen. This means if you have a website that captures user information, you will be subject to the same policies regardless of being in another country.

What exactly is GDPR?

GDPR stands for General Data Protection Regulation. This new EU law aims to provide citizens in the EU with more control of their personal data. When companies collect user data online or offline, they will need comply with a set of a regulations that keep that data transparent, properly shared to the subject, and processed securely.

The fines for GDPR can be 2-4% of total company revenue or up to 10-20 million euros. It’s very important to comply with this law, because we’re living in a time where breaching private data is unexceptable.

With the recent data breach on Facebook by Cambridge Analytica, nearly 50 million users were victims of tools that used personal data to identify the personalities of American voters and influence their behavior.

One of the big ideas behind the GDPR is to start thinking about Privacy by Design. In Article 25, this is referenced as “data minimization”, which is about enabling service without the need for personal data. It’s an approach that companies should consider when building new features, for example with Webflow’s Anonymize IP or Facebook’s Clear History. A few questions to ask are:

  • Do we need all the data we’re collecting?
  • Could we do this work without collecting this data?
  • Do we have a plan to delete this data if we no longer need it?
  • Are we lawfully processing personal data?
  • Are we honoring every users’ data subject rights?
  • Are we meeting our obligations as a data controller or data processor?
  • Are we designing privacy into our products?

Who are GDPR Controllers?

Companies that decide “how” data will be processed are Controllers. As a Controller, you are an owner of data, responsible to citizens, ensuring compliance, safety, and management of the Data Processors.

Data Controllers have 4 key responsibilities:

  1. Implement and document technical and organizational processes
  2. Make sure there is a clear understanding of the data being processed and the probability of losing the data
  3. Implement a data protection policy
  4. Develop a clear code of conduct

Who are GDPR Processors?

Companies processing data at the direction of another entity, are the Processor. This includes software products and data services.

Processors need to act in accordance to Controllers to obtain written permission to use sub-contractors and must contribute to compliance audits. They must also follow Controller’s instructions and commit to security measures.

Data Processors have 4 key responsibilities:

  1. Implement technical or organizational security measures
  2. Use of sub-processors with proper Controller consent
  3. Processor must ensure a clear contract with Controller
  4. Must only process in scope data

When processing data under GDPR, there are also 6 baseline legal requirements:

  1. Consent - voluntary by the data subject with the ability to revoke at any time
  2. Contractual necessity - fulfilling a contractual obligation to another organization
  3. Legal obligations - occurs under EU law
  4. Protect vital interest - keeping your data private
  5. Legitimate interest - cross-business integration
  6. Public interest - keeping data compliant for the great public good

What’s a DPO?

With GDPR, a new enterprise leadership role has been introduced in companies with a larger scale to help facilitate proper compliance with the law.

These Data Protection Officers oversee GDPR compliance within the company. They are only needed when a controller or processor requires regular or systematic monitoring of data subjects on a large scale, but if something goes wrong, they must respond within 72 hours of learning about an incident.

This is a full-time position and must follow specific responsibilities:

  • Inform data subjects about their rights
  • Raise awareness of regulation
  • Advise the company about the application of GDPR rules
  • Understand risks and compliance operations
  • Help the company stay compliant
  • Answer questions and handle complaints
  • Cooperate with the EU and other governing agencies

What are GDPR DSRs?

Every citizen in the EU will have new rights as a Data Subject under GDPR. These Data Subject Rights are designed to give people greater control over their data.

  1. The right to be forgotten - people can ask to delete their data
  2. The right to access the data - people can access all categories of their personal data
  3. The right to portability - people can ask companies to provide their data to another company on their behalf
  4. The right to restriction of processing - people can limit the company from processing their personal data
  5. The right to rectify - people can change their data which is inaccurate or incomplete
  6. The right to object - people can reject processing their data at any time

Companies used to be able to get consent by simply informing the users about their data being collected after the fact or in the fine print of a long Privacy Policy. With GDPR, it is required for users to consent with affirmative action. This provides users with more control over what data is being used and how they can access or rectify it.

What’s the impact of user data?

Companies need to understand what impact that their processing has on the privacy of user data. If it’s not clear which data is sensitive to users, there could be processing done which doesn’t comply with GDPR policy and keep data safe.

To understand the impact of your data processing, you can think about attributes like:

  • What’s the collection type of the data?
  • How is the data being stored?
  • How is the data being shared? Is it publicly accessible?
  • How long are you keeping the data?
  • Where is the actual location of the data?

How can I protect the data?

Once you understand the data that you’re collecting, you need to find ways to protect this data for users. This can be done through creating controls that ensure a basic level of security.

  1. Anonymize and encrypt personal data
  2. Create controls that protect the confidentiality, integrity, and availability of the data (see CIA controls)
  3. Create restoration backups
  4. Regular testing and evaluation

How can I comply with GDPR?

There’s an awesome GDPR Compliance Checklist that gives you checklists in key areas of Your data, Accountability & Management, New rights, Consent, Follow-up, and Special cases. You’ll want to make sure you go through this checklist step by step to ensure you meet all the requirements.

Create a Data Controller List

You can create a master list of data types outlining the data that your company will collect from users. (Download a free “Master Customer List” handout here)

Outline how user data flows through your company

You should outline all the ways data will flow through your company. This can be best described in a flow chart. (Download a free “Data Flow Chart” handout here)

Update your Privacy Policy

Your company should include information about all processes related to the handling of personal information. This should include (or have links to) the types of personal information the company holds, and where it holds them. This should also outline the reason the company needs to process personal information.

Appoint a DPO (If you’re at enterprise scale)

If your company is at a larger scale, you will need to appoint a DPO and create awareness among key executives in the company. This DPO will also need to make sure technical security is up to date, the staff is trained on GDPR compliance, and have outlined any sub-processors involved.

If you are outside the EU, you will need to have an appointed officer within the EU.

Make sure you have contracts with Data Processors

If you share data with partner Data Processors, make sure you have a contract in place to protect user data with these partners.

Create DSR accessibility

Your company should provide an easy way for users to access their data and exercise their Data Subject Rights. (Check out GDPR Form for a simple solution.)

Automate backup and data pruning

If you are not using user data for a longer period of time, you should consider deleting it to avoid any compliance issues in the future. This should be automated after a set period of time.

Update your website with a consent checkbox

If your website collects personal information from EU visitors, you should have a clear link to your Privacy Policy and terms and conditions, confirming that the user has reviewed and accepted your documentation.

Always include a child consent checkbox

You should have a consent checkbox to make sure that children under 16 have obtained parental consent before their data is collected.

You have informed existing users of your updated Privacy Policy

You will need to communicate to your existing users via email or mail that you have updated your Privacy Policy to comply with GDPR

Next Steps with GDPR

As we move into a new era of big data, intelligent technology, and higher risks with cybersecurity, it’s an important time to take a new approach to creating digital products and services. Companies should of comply with GDPR to protect the privacy and security of their users, but also approach their growth with thoughtful steps forward.