The GDPR enforcement date is May 25. Will it be the End of the World as we know it?
What will happen when the EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018? The potential consequences of violating the new privacy legislation are severe, and we’re all talking about it.
Inbound AV is updating our data practices and policies and those of our clients. And, we want to help you prepare, too. This is the first in our series on GDPR readiness: a common sense guide to beginning your GDPR compliance project.
Please know that this is not intended to be legal advice, and you may want to consult an attorney. Our recommendations here are based on studying the regulation and also on the actions of enterprise organizations as they prepare for the GDPR to take effect.
Getting your arms around data practices is probably more complicated than rounding up your policies. Depending on the size of your organization, you might have different departments or resources managing the various customer touchpoints that collect data. Here are two big questions to ask your teams:
1. Where do we collect email addresses?
This might be on your website, on social media channels or even offline in your physical store. Think beyond your marketing activities — do you capture email addresses to fulfill orders, or to gather customer feedback? Those touchpoints count too!
Most websites rely on cookies for basic web browsing. Other activities that are often cookie-dependent are remarketing, analytics tracking, conversion tracking, displaying ads, commenting and logging in.
Make a Plan
You will almost certainly need to update all of your data policies and practices. Your goal is to address these crucial GDPR requirements:
- Identification of the business that manages the website, along with a physical address.
- The full name of your Data Protection Officer if you have one.
- The bases on which you collect information about your customers. GDPR identifies six legitimate bases. Learn more here.
- A description of how you use the information you collect.
- How users can view the data you have collected about them.
- How users can complain about your policy or your data practices.
The right to access data.
Users have the right to see the data you’ve collected about them. As a website owner, this means you’ll need to implement some form of logging that will surface customer data upon request.
The ability for a user/customer/visitor to be forgotten.
Not only do users have a right to see the data you’ve collected about them, they also have the right to request deletion of that data. This is likely the most challenging to-do of your GDPR readiness program. As this topic is fairly complex, we’ll cover it in greater detail in a future article.
Your users must actively consent to your data policies, and you must document this consent action.
The way you collect consent is also important. The regulation is fairly clear on this point: you cannot have a consent box checked by default. Your users must actively check a box stating that they agree to your policies.
Further, you’ll need to ask for consent again whenever you make substantive changes to your data policies. And that means you’ll need to implement some type of versioning control for those policies, along with the ability to track consents by version.
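The access, consent and versioning requirements above are easier to reason about with a concrete record format in front of you. The following is an added example, not code from Inbound AV or any product it describes: a small in-memory consent ledger that only accepts consent when the signup form actually submitted a checked box, stamps each consent with the policy version in force, flags users who must re-consent after a policy change, and exports everything held about a user for an access request. The field name `consent` and the value `"on"` (what a browser sends for a checked checkbox with no explicit value) are assumptions about the form; `ConsentLedger` and its methods are hypothetical names.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One documented consent action: who, which policy version, when, where."""
    user_id: str
    policy_version: str
    granted_at: str   # ISO-8601 UTC timestamp, so the record is self-describing
    source: str       # touchpoint the consent came from, e.g. "website-signup"


class ConsentLedger:
    """Hypothetical consent store keyed by policy version (added example)."""

    def __init__(self, current_policy_version: str) -> None:
        self.current_policy_version = current_policy_version
        self._records: List[ConsentRecord] = []

    def record_consent(self, user_id: str, form_data: Dict[str, str],
                       source: str, now: Optional[datetime] = None) -> ConsentRecord:
        # Consent must be an affirmative act. The form renders the checkbox
        # unchecked; a browser only submits consent="on" if the user ticked it,
        # so a missing or different value means no consent was given.
        if form_data.get("consent") != "on":
            raise ValueError("consent checkbox was not actively checked")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        record = ConsentRecord(user_id, self.current_policy_version, stamp, source)
        self._records.append(record)
        return record

    def latest_consent(self, user_id: str) -> Optional[ConsentRecord]:
        # Records are appended in time order, so the last match is the newest.
        matches = [r for r in self._records if r.user_id == user_id]
        return matches[-1] if matches else None

    def needs_reconsent(self, user_id: str) -> bool:
        # A user must re-consent if they never consented, or consented to an
        # older version than the one currently published.
        latest = self.latest_consent(user_id)
        return latest is None or latest.policy_version != self.current_policy_version

    def publish_policy(self, new_version: str) -> None:
        # Substantive policy change: bump the version; existing consents stay on
        # record (they document what the user agreed to at the time) but no
        # longer satisfy needs_reconsent().
        self.current_policy_version = new_version

    def export_user_data(self, user_id: str) -> Dict[str, object]:
        # Right of access: return every consent record held for this user.
        return {
            "user_id": user_id,
            "consents": [asdict(r) for r in self._records if r.user_id == user_id],
            "current_policy_version": self.current_policy_version,
            "needs_reconsent": self.needs_reconsent(user_id),
        }


def demo() -> Dict[str, object]:
    """Walk through signup, a policy change, and an access request."""
    ledger = ConsentLedger("2018-05-25")
    # Constructed form submissions: one with the box ticked, one without.
    ticked = {"email": "alice@example.com", "consent": "on"}
    untouched = {"email": "bob@example.com"}
    ledger.record_consent("alice", ticked, "website-signup",
                          now=datetime(2018, 5, 25, tzinfo=timezone.utc))
    try:
        ledger.record_consent("bob", untouched, "website-signup")
    except ValueError:
        pass  # bob is not added to the mailing list
    ledger.publish_policy("2018-09-01")  # substantive change -> ask alice again
    return ledger.export_user_data("alice")


if __name__ == "__main__":
    print(demo())
```

The version string on each record is what lets you answer "which policy did this person agree to?" long after the policy has changed, and the rejection path in `record_consent` is where a pre-ticked box would silently have produced consents you cannot defend.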
Implement the Plan
If you’ve done nothing with respect to GDPR just yet, don’t worry. We’ve identified the bare-bones first steps to take.
1. Rewrite your data policies.
2. Craft an email letting your customers know you’ve updated your policies.
3. Update all email signup forms to include a required checkbox.
The key dynamic to remember is that none of us know how this new regulation will play out. We are implementing a plan based on what seems most reasonable. As the regulations come online, we will be iterating and tweaking our implementation.
If you plan to do this on your own, I’d highly recommend keeping an eye on the successes and failures of other businesses, which will be easy to research. Inbound AV will be posting relevant news as it comes in. Make sure you stay aware, as real businesses will be impacted by the regulation after May 25.
Now it’s time for you to become a GDPR Ninja.
Was this post helpful? Or do you have more questions? Send us an email.