The European General Data Protection Regulation (GDPR) takes effect on May 25th, 2018. Every European company, from small and medium enterprises upwards, and every organization anywhere that collects data on people in Europe must be prepared in order to avoid penalties. In this article, we outline the elements to apply to your business so that it complies with the new rules of the GDPR.
What is the GDPR used for?
As the influence of digital continues to grow, protecting user data is a critical and sensitive topic. The GDPR is the new reference text giving users control over the personal information they share with the sites they use. It strengthens and unifies the protection of personal data within the European Union by empowering the people whose data is collected, shifting the balance of power back toward the user. The GDPR has three clearly defined objectives:
- Give users back control of their personal data
- Make the rules uniform and credible by backing them with a penalty structure
- Make those who process data accountable for that processing
How do you obtain user consent to use their data?
It is important that every organization subject to the GDPR makes clear to the users of its sites:
- What data your site is collecting
- How their data will be used
- Who will have access to their data
Data collection must be done carefully, and it is essential that businesses respect the new rules in order to comply with the law.
- Get your company organized
Depending on the nature of your business, you may need to appoint a Data Protection Officer (DPO) with technical, legal and risk-management skills.
- Highlight the fact that your website uses cookies
You can use a discreet message at the top or bottom of your website, such as:
- Update your General Terms and Conditions of Use (GTC) and/or General Terms and Conditions of Sale, as well as your legal notices
To explain exactly how user data will be used, make sure you do not forget the 8 items your general conditions must include to be in good standing with the GDPR.
- Clearly insert your request for consent
Add a clear sentence between the form and the checkbox explaining to the user that they are agreeing to share their information.
- Add a checkbox to validate consent
The user must perform a conscious action allowing you to use their personal data and information. A box that is ticked by default, silence or inactivity does not count as consent, so leave the checkbox unticked and do not treat a submission without it as a yes.
- Keep a record of all consents
At any given time, you should be able to prove the consent of each individual user.
- Facilitate user management of their data and information
Create a page that allows each user to view, modify or delete their data.
- Update your emails
Make sure that all your business emails contain your data processing conditions, an unsubscribe link and a link to the user data management page.
How do you record the consent you have obtained?
To be in good standing with the law, you must make sure that you keep proof of all the consents you’ve obtained. The user must also have easy access to their data. You must carefully record the following information:
- The date the user consented to share their personal information
- The version of the general conditions to which the user consented
- How the user has given consent (signature, checkbox, etc.)
- The date the user requested to be removed from this list
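The consent checkbox described above and the four pieces of evidence listed here come together on the server. The following Python is an added example, not code from the original article: it refuses a submission whose consent box was not actively ticked, stores each grant and withdrawal with its date, terms version and method, answers "what had this user consented to at a given moment", and keeps the entries in an append-only hash chain so that the record can be shown not to have been edited afterwards. The field name `consent`, the method names and the timestamps are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional

# Assumptions (not from the original article): the signup form posts its
# consent checkbox under the field name "consent", timestamps are ISO 8601
# strings with a timezone, and the log is an in-memory append-only list.
VALID_METHODS = {"checkbox", "signature", "double-opt-in"}
GENESIS_HASH = "0" * 64


@dataclass
class ConsentEvent:
    user_id: str
    event: str           # "granted" or "withdrawn"
    terms_version: str   # which version of the general conditions applied
    method: str          # how consent was expressed (checkbox, signature, ...)
    timestamp: str       # when, ISO 8601 with timezone
    prev_hash: str       # SHA-256 of the previous entry: links the chain
    entry_hash: str = ""


def _hash_entry(event: ConsentEvent) -> str:
    """Hash every field except the hash itself, using a canonical encoding."""
    body = {k: v for k, v in asdict(event).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[ConsentEvent] = []

    def _append(self, user_id: str, event: str, terms_version: str,
                method: str, now: str) -> ConsentEvent:
        datetime.fromisoformat(now)  # reject a timestamp we could not compare later
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = ConsentEvent(user_id, event, terms_version, method, now, prev)
        entry.entry_hash = _hash_entry(entry)
        self.entries.append(entry)
        return entry

    def record_consent(self, form: Dict[str, str], user_id: str,
                       terms_version: str, method: str, now: str) -> ConsentEvent:
        """Record consent from a submitted form. Only an affirmative action counts:
        a missing or unticked box is a refusal, never a default yes. The server
        cannot tell a pre-ticked box from a ticked one, so the HTML must not
        pre-tick it."""
        if form.get("consent") != "on":
            raise ValueError("no affirmative consent in submission; nothing recorded")
        if method not in VALID_METHODS:
            raise ValueError(f"unknown consent method {method!r}")
        return self._append(user_id, "granted", terms_version, method, now)

    def withdraw(self, user_id: str, now: str) -> ConsentEvent:
        """A removal request is an event too: its date is kept, nothing is erased."""
        return self._append(user_id, "withdrawn", "", "user-request", now)

    def consent_at(self, user_id: str, when: str) -> Optional[str]:
        """Terms version the user had consented to at instant `when`, or None."""
        t = datetime.fromisoformat(when)
        latest, state = None, None
        for e in self.entries:
            if e.user_id != user_id:
                continue
            ts = datetime.fromisoformat(e.timestamp)
            if ts > t:
                continue
            if latest is None or ts >= latest:
                latest = ts
                state = e.terms_version if e.event == "granted" else None
        return state

    def user_history(self, user_id: str) -> List[dict]:
        """Everything held about one user, for the data management page."""
        return [asdict(e) for e in self.entries if e.user_id == user_id]

    def verify_chain(self) -> bool:
        """True if no entry was altered, inserted or removed since it was written."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or _hash_entry(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed form submission: the user ticked the box on the signup page.
    ledger.record_consent({"email": "ann@example.com", "consent": "on"},
                          "u1", "gtc-2018-05", "checkbox", "2018-05-20T10:00:00+00:00")
    ledger.withdraw("u1", "2018-06-01T09:00:00+00:00")
    print(ledger.consent_at("u1", "2018-05-25T00:00:00+00:00"), ledger.verify_chain())
```

In production the list would be a database table or a write-once log, but the point stays the same: a consent record is only proof if it states when, to which text, by what action, and when it ended, and if you can show it has not been rewritten since.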
What will happen if I do not comply with the new rules of the GDPR?
Ignorance of the law is not a valid excuse. Those who do not comply may face fines of up to 20 million euros or 4% of the previous year's worldwide annual turnover, whichever is higher. It is therefore extremely important to ensure that you have taken all appropriate measures in advance.
With two days to go before the regulation enters into force, most companies are still busy updating the elements above. To stay on course, start these updates as soon as possible.