Getting ready for the GDPR

by Eddie Payton

In three months, the GDPR will go into effect in the EU. If you offer goods or services to people in the EU, or monitor their behaviour, you should know what to expect and what to prepare for, whether or not your organization is based in Europe.

On the 25th of May this year, the General Data Protection Regulation (GDPR) will change the way data about people in the EU may be collected, stored and used. Don't expect any grace period when the day comes: the rules apply in full from that date, so be ready to comply. Privacy matters both to you and to the visitors entering your website, so start preparing now!

What’s all the hubbub about?

Like most laws, the GDPR isn't a light read. You won't find every piece of the regulation in this article, but we can at least look at the main themes the GDPR covers:

  • Know what data you’ve collected and why
  • Keep the data safe, organized, and secure
  • Get everyone on board
  • Be prepared in case of a data breach

See? Not too bad. It will require some restructuring and new responsibilities, but protecting the user is beneficial for everyone. You'll be ready in the event of a data breach, and you'll build a reputation for being on your customers' side and mindful of their safety and privacy.

The terms…

Before we get started, let's take a look at a term that will come up often: "personal data." According to the GDPR, personal data is any information relating to an identified or identifiable individual. This includes the obvious things such as names, physical and e-mail addresses, national identification numbers and phone numbers, but also online identifiers such as IP addresses and cookie IDs, location data, behavioural data and financial information. Some categories require additional protection, such as health information or data that could reveal an individual's race or ethnic background (more on these below).

Controller vs processor: What's the difference? The organization that decides why personal data is collected and how it will be used (the "purposes and means" of processing) is the controller. The processor is an organization that handles the data on the controller's behalf and only on the controller's documented instructions: collecting it, structuring it, storing it, changing or erasing it as instructed. A hosting provider or an e-mail delivery service acting for your company is a typical processor. The processor does not decide what the data is used for, but it still has its own obligations under the GDPR, such as keeping the data secure and telling the controller about breaches. Note that the same organization can be a controller for some data (its own customer records) and a processor for other data (a client's records it hosts). In short, the controller directs and remains accountable for the processor's use of personal data.

Hold my coffee mug, I’m going in

We're about to dive a bit deeper into the GDPR, so grab a pen. Let's first look at a big part of the new regulation. It replaces the current Data Protection Directive (DPD, Directive 95/46/EC) and strengthens the rights of web-surfing Europeans. Many of these rights already exist under the Directive, but they are worth restating nonetheless. All of this will affect organizations established in the EU, as well as organizations elsewhere that collect or process personal data of people in the EU.

Consent is key. First and foremost, your visitors have the right to be informed. Where you rely on consent, it must be freely given, specific, informed and given by a clear affirmative action; pre-ticked boxes and silence don't count, and you must keep a record so you can demonstrate that consent was given. Note that consent is only one of the lawful bases the GDPR allows (performing a contract and legitimate interests are others), but whichever basis you use, you must tell people what you collect, how you'll use it, and why. Recently, you've probably seen pop-ups when you enter sites telling you that they'll be setting cookies and asking you to agree. That's an organization preparing for the GDPR!

It's my data. Europeans have the right of access to their own data. If so inclined, a user must be able to see the data a controller holds about them and have incorrect information corrected. Not only that, but you're required to erase personal data you've collected when requested, unless you have a valid reason to keep it (for example, a legal obligation to retain accounting records). In addition, users have the right to object to processing based on your legitimate interests or done for direct marketing, and access to a service must not be made conditional on consent to processing that the service doesn't actually need. The user's general right to restrict the processing of their data is a crucial theme of the GDPR.

Lock it up! The GDPR requires "appropriate technical and organizational measures" and names encryption and pseudonymisation as examples. In practice that means encrypting personal data at rest and in transit, limiting who and what can read it, logging access, and keeping tested backups so you can restore it. If a breach does happen despite this, the controller must notify the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to put individuals at risk), and processors must inform their controller without undue delay, so have the reporting procedure written down before you need it.

Protect sensitive information. Personal data that the GDPR treats as special categories, such as ethnicity, sexuality, political opinions, religious beliefs, biometric data and medical records, may only be processed under narrower conditions and must be safeguarded accordingly. If your company processes information like this on a large scale, or carries out large-scale regular and systematic monitoring of individuals, you must appoint a Data Protection Officer (DPO) to oversee the protection of personal data.

Less automation. Under the GDPR, individuals have the right not to be subject to a decision based solely on automated processing when that decision has legal or similarly significant effects on them. This includes profiling. There are exceptions: when the decision is necessary for a contract with the individual, when it is authorised by EU or member-state law, or when the individual has given explicit consent. Even then, the person is entitled to human intervention and to contest the decision.

Keep it relevant. This one might be a bit obvious, but you must only use personal data for the purposes you told the subject about when they entered the site, and collect no more of it than those purposes need. Any sharing and further use of the data needs to be transparent and, where consent is the basis, approved by the user.

It's mine to move. A big addition to the existing law is the right to data portability. Just as it's important to prevent unwanted sharing and use of personal data, there also needs to be an option to send one's own data to another controller. Individuals have the right to receive the personal data they provided to the controller, and to have it transmitted directly to another controller where technically feasible. The data must be supplied in a structured, commonly used and machine-readable format, for example CSV or JSON, rather than a screenshot or a PDF.

Be safe out there!

With so little time left until it goes into effect, you'd better be getting ready. The GDPR will affect a large number of organizations worldwide and is vital for the privacy of people in the EU. As challenging as the transition to the new controller and processor rules may be, it will benefit everyone's online safety and privacy as the amount of data we all generate keeps growing.


Note: Keep in mind! This isn't legal advice, just a summary with some tips. If the GDPR will affect you, make sure to also have a look at the regulation yourself, or contact us at Racer for help!