5 Ways to Prep for the General Data Protection Regulation

The regulation has existed since 1995, but in less than a month it begins affecting American companies that do business with European organizations. European data protection rules are extraterritorial. They apply to all personal data mined, processed, and kept about persons within the European Union (EU) regardless of citizenship or nationality.


That means any company that processes data from someone residing in the EU without adhering strictly to the GDPR can receive fines of up to 4 percent of a company’s gross or €20 million—whichever is greater, according to EUGDPR.org. The regulation takes effect on May 25.

With regard to websites, it comes down to collecting lead and customer information of EU residents as well as data in transit such as cookies, telemetry, metadata, and consent for marketing. Furthermore, storing that information only in third-party software does not exonerate you.

5 Ways to Protect Yourself & Your Clients

One of the biggest shifts is the right of users to obtain the data you might have stored about them. Here are some simple rules you can implement right now.

1. Update Your Privacy Policy

First and foremost, amend your privacy policy. The regulation requires that you do not use legalese; thus, you must use plain, easily understood English. You will need to fully explain what data you are collecting (e.g. IP addresses, operating system, contact info) and how you use that information. Please consult a lawyer before enlisting our help.

2. Add a Cookie Disclosure

The majority of websites will need a “Cookie Disclosure,” showing users what cookies you are using and for what purpose. If you use Google Analytics, Hotjar, Pardot, HubSpot, SharpSpring, or Salesforce, be prepared. Essentially, you need to explain how third-party software interacts with users' data and, at a bare minimum, list all your third-party data providers. Be sure to record (as database entries) each time you share customer info with third parties.

3. Remove Predating Personal Data

A major hurdle of GDPR is the requirement to remove previously stored personal data and/or be able to easily export the info on a whim, within 30 days or less to be exact. Note: in your privacy policy you should provide the reasons why you keep it and for how long.

4. Prove Consent

You must prove consent on all data entry points through data collection systems such as contact forms, estimate requests, and statistics. Thus, a simple solution is providing a consent form where users can select “Yes, you can store my info” or “No, you can’t store my info.”

5. Share Timely Hack Alerts

If you are unfortunately hacked, you must tell all your customers within 72 hours.

A Quick Reference To-Do List

For the sake of brevity, here’s a recap of action items that should be addressed before May 25:

  • Update your privacy policy in plain English
  • Provide a way for consent
  • Prove individual consent
  • Establish and re-establish consent
  • Provide a way for consent to be withdrawn as easily as it was given
  • Check to see that all third-party services are compliant
  • List the contact information of associated third-party data providers
  • List all the data you collect inclusive of third-party services
  • List how you process and use their info
  • List how their info and third-party data interact
  • Allow individuals to request that their data be permanently erased
  • In your e-newsletters, make “unsubscribe” footers visible and accessible