The new data privacy law, the General Data Protection Regulation (GDPR) of the EU, will start to be enforced on May 25, 2018, after a 2-year transition period. The GDPR aims at giving EU citizens and residents control back over their personal data. Once in effect, the GDPR will replace the 1995 Data Protection Directive (Directive 95/46/EC).
The GDPR differs from the 1995 Data Protection Directive in that, being a regulation rather than a directive, it doesn't require member-state governments to pass any national legislation before it can be enforced. Thus, the GDPR becomes binding and applicable immediately. Any entity that violates the GDPR can be fined up to 20 million Euros.
If you own a business, online or offline, that serves EU citizens and residents with paid or free products and services, you're obligated to comply with this new GDPR law. The business itself can be located in the EU or elsewhere.
Here are 15 important tips to comply with this new law, which you can implement immediately. Please note that this article is written to inform and educate only, not as legal or data-security advice. You will need to consult an attorney and a data expert for their expert advice.
1. Carefully store all data on employees, customers, and suppliers.
This is the first step to comply with the GDPR. You need to carefully store all data on your employees, customers, and suppliers and be ready to show it when audited by the data protection authority or when requested by the data subjects. A "data subject" is the person the personal data is about, which is usually the customer, employee, or supplier of a business.
What constitutes "personal data"? Any information that can be used to identify a person, such as a name, address, email address, photo, bank account details, social media posts, medical information, credit information, IP address, and others.
2. Ask for parental consent for children under 16 years of age.
Parental consent is required for children under 16 years of age to use online services. However, EU member countries may set their own minimum age in national law. The GDPR rules that the lowest age a member country may set for this consent is 13 years old.
3. Keep the data securely.
Make sure that nobody can leak, hack, or misplace any data. This means you'd need to enforce safety measures to secure cloud storage and use anti-virus software. Also, make sure that when devices are lost, you can still wipe the data on them remotely. If you keep hard copies, are they safe from thieves and prying eyes? To be sure, write down all the safety protocols, so you can refer to them whenever needed.
4. Keep data only if it's necessary.
If you don't know what you're going to do with the data, don't ask for it or keep it. You only ask for and keep data if it's necessary and there is no other way around it.
5. Explain clearly why you need the data.
Whenever you interact with customers, suppliers, and employees, make sure to clearly explain why you need their data. The information sheet provided to them should be written in layman's terms, not legal jargon. They must understand what they're agreeing to. It should answer the following questions:
Who is collecting it? It's your business.
What information is being collected? The data subject's personal information.
How is it collected? Online via subscription form or other methods.
Why is it being collected? Describe the reason, such as for servicing or marketing purposes.
How will it be used? Describe how it will be used, such as to deliver products or send promotional emails.
Whom will it be shared with? Describe the third parties with whom the data will be shared.
Is the intended use likely to cause individuals to object or complain? Describe the intention clearly.
What will be the effect of this on the individuals concerned? Describe the effect on the data subjects.
6. Have a process in place for providing requested information.
If a data subject asks for information on the data you have on them, you're required by law to deliver all the data about that person within one month and free of charge.
7. Have a process in place for deleting data if asked.
If a data subject asks for their data to be deleted, you're required by law to honor the request and erase the data completely.
8. Allow people to positively opt-in for storing their data.
A data subject must confirm that they allow you to use their data for a specific reason, including for marketing purposes. Pre-ticked boxes are no longer allowed. People must actively tick the box to "accept" before you can send them anything. Alternatively, use a double opt-in, such as confirming an email subscription. In the case of a paper form, they must tick a check box.
9. Use a layered opt-in form.
Under an opt-in form with two fields (such as name and email), place a statement like this: "Yes, I want to receive the latest marketing tips from XYZ Company. Read more about how we use your information here." Link "here" to a page where you explain in detail how you're going to use their information and their right to unsubscribe, to request their personal information, and to have it deleted.
Make sure that the wording on the information page is in layman's terms, not legal jargon. To make contact and subscription forms GDPR compliant, consider using a plugin for this purpose.
10. Make sure that people can easily opt-out.
Make sure that people can easily unsubscribe from email newsletters. Easy unsubscribing is also required for paper mail. It's your duty to ensure that the information for opting out is clear and obvious, with no small print and no legal jargon.
To be on the safe side, it's recommended that you have a strict policy that once someone has opted out, they no longer receive any marketing materials. This is where you can really fall short of the GDPR, get reported, and be penalised up to 20 million Euros.
11. Train your team members about the new GDPR laws.
Train all employees on this new law. Make sure that they understand the legal repercussions for your business if they violate this law. Whenever possible, it's recommended to appoint a Data Protection Officer.
12. Perform due diligence on a list before purchasing it.
If you need to purchase a list, investigate its sources beforehand and check whether it is GDPR compliant. Make sure that the people listed have actively opted in to receive information from third parties.
13. Sign the "assignment clause" when selling your company including the data.
Signing the "assignment clause" allows the new owner of the company to store and use the data for the same purposes upon transfer of ownership. Otherwise, they aren't permitted to use the data for any purpose.
14. If you want to use the existing data after May 25, 2018, have data subjects sign a new opt-in.
To use data collected prior to May 25, 2018, you must contact all people and ask them to positively opt in again before you can send them anything from that date onward. For this, you'd need to explain that the law has changed and you're required to comply. The simplest way to do it is by sending each person an email asking them to tick the opt-in box or reply with a "yes" to stay on the list.
15. Comply with GDPR rules in the case of breached records.
When a breach happens, you must notify the local data protection authority (DPA) and the data subjects of the breached records within 72 hours, particularly when the occurrence may pose identity theft risks. Failure to do so may result in hefty penalties.
In conclusion, all online and digitalised businesses, regardless of their location, must implement GDPR guidelines to ensure that they don't violate any EU data protection law. Since all EU customers are protected by this law and there is no way for an online business to select the legal residency of its users, protect your business by implementing GDPR guidelines.