Fines for non-compliance with GDPR are on the increase. October and November 2018 have seen an increase in GDPR investigations affecting companies such as Microsoft and the German adult chat platform Knuddels.de, the latter eventually being fined for non-compliance.
For this reason, we’ve put together a list of 10 tips which companies should follow as soon as possible to avoid potential disaster.
The message for online businesses is clear. Compliance with new GDPR regulations is not optional.
1. Avoid GDPR Fines by Getting Audited
For the most part, non-compliance with GDPR stems from confusion. GDPR guidelines don’t make for easy reading. For the less technically minded, or those less fluent in legalese, it is therefore crucial to invest in a full GDPR website audit.
2. What User Data are You Collecting & Why?
New GDPR regulations are designed to protect the privacy of EU citizens. To fully comply with GDPR, businesses need to know what consumer and visitor information they are collecting. More importantly, companies need to establish what lawful basis they have for gathering information in the first place.
For most businesses, the lawful basis for data processing will depend on what your business does with the data, why it was collected, and in what manner. GDPR defines six lawful bases for processing, including consent and legitimate interests. The most important thing to remember is that your lawful basis must be justified. Dedicated processes must also be in place for protecting, processing, and removing any data gathered.
New EU general data protection regulations stipulate that all website visitors must be made aware of the lawful basis a business uses to justify the collection of personal information. For this reason, website privacy policies must clearly state what personal information is gathered, how this information is processed, and how visitors can opt out or have their data deleted.
GDPR fines have already been levied this year against several businesses which haven’t explicitly stated in their privacy policies how user data is shared with third parties.
Affiliate ad tracking cookies and third parties who help fulfil orders will often all have access to personal data collected by you. Privacy policies, therefore, need to list every third-party data processor and explain clearly what data is shared with them and why.
5. Should You Consider Encrypting All Stored Data?
Under GDPR, data encryption is not mandatory. However, as seen with Equifax recently, GDPR fines are applicable whenever personal data is stolen via a hack or other security breach. For this reason, businesses should consider it imperative to encrypt any sensitive information. This way, even when a hack occurs, no unauthorized third party will be able to make use of the stolen data.
6. Handling & Sharing Encrypted Data
Encryption is a useful tool for safeguarding sensitive data in the event of future security breaches. However, businesses also need to put into effect standard operating practices for handling data as it passes through different systems or is exchanged with third parties. Wherever possible, data should be encrypted, but with some third parties this might not be possible.
7. What is Your Process for Dispensing with Old Data?
Article 5(1)(e) of GDPR states that personal information should not be kept for longer than is necessary. This means that businesses need to implement a policy of dispensing with personal data after a fixed period.
At present, there are no official recommendations concerning the maximum length of time data should be retained. However, GDPR fines will in future be applicable to businesses which store data indefinitely.
It also needs to be remembered that different web browser cookies retain user data for varying periods. Websites should, therefore, inventory all the cookies they use before specifying in their privacy policies what data each cookie gathers and how long that information is retained.
8. Do You Have a Process in Place for Answering Data Subject Access Requests?
Under GDPR, EU citizens have the right to file Data Subject Access Requests (SARs) with websites. SARs must be formally responded to within one calendar month, unless more time is needed because of the volume of data involved. You must always keep the applicant updated. Requests can be made either verbally or in writing.
Subject Access Requests allow website users to discover what (if any) information is held on them. For every request, website owners should, therefore, have a system in place for informing individuals of the following:
- What personal data has been collected and processed
- Why the data has been processed
- Which third parties have had access to any stored personal data
- How long the data will be stored for, and whether they wish to exercise the right to be forgotten
9. Are You Able to Verify the Identity of Those Who Make SAR Requests?
GDPR is all about protecting privacy. However, even full compliance comes with potential pitfalls. Under GDPR, it is possible that a person making a SAR might not be who they profess to be. For this reason, website administrators need to implement processes for validating the identity of individuals making SARs.
In most cases, if the email address used to file a SAR matches the one you have on file, this should suffice as far as validating a person’s identity is concerned. Where the data doesn’t match, website owners should ensure the person making the request is who they say they are. For example, best practice is to request two forms of identity, e.g. a utility bill, passport, driving licence or medical card.
10. Do You Understand Your Users’ Right to Erasure?
Article 17 of GDPR gives all EU citizens an online right to erasure. After filing a SAR request, web visitors can, therefore, request complete removal of any personally identifiable information from business databases. During such requests, website administrators need to delete all relevant data from live business systems and backups. Also, because requests can be made verbally, it is essential that businesses put in place systems for recording requests, as well as later recording when requests have been satisfied.
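As an added illustration of tips 7 and 10 (not code from the original article), the following Python sketch enforces a per-purpose retention period over both live data and backups, and handles an erasure request by removing the subject from both copies while recording when the request was made and when it was satisfied. The record shape, retention schedule and sample data are constructed for this example.

```python
"""Added example: retention purge (Article 5(1)(e)) and erasure request
ledger (Article 17). All names, periods and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed retention schedule per processing purpose, in days. A real
# schedule is derived from the documented lawful basis, not from this example.
RETENTION_DAYS = {"order_fulfilment": 365, "marketing_consent": 730}

@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    data: dict

@dataclass
class Store:
    live: list = field(default_factory=list)
    backup: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # request channel, time, completion time

    def purge_expired(self, now):
        """Drop records held longer than their purpose allows, in live data and backups."""
        def keep(r):
            return now - r.collected_at <= timedelta(days=RETENTION_DAYS[r.purpose])
        before = len(self.live) + len(self.backup)
        self.live = [r for r in self.live if keep(r)]
        self.backup = [r for r in self.backup if keep(r)]
        return before - len(self.live) - len(self.backup)

    def erase_subject(self, subject_id, requested_at, channel):
        """Remove the subject from live data AND backups; log request and completion."""
        entry = {"subject": subject_id, "channel": channel,
                 "requested_at": requested_at, "satisfied_at": None}
        self.audit.append(entry)  # recorded before deletion, so verbal requests are not lost
        removed = sum(1 for r in self.live + self.backup if r.subject_id == subject_id)
        self.live = [r for r in self.live if r.subject_id != subject_id]
        self.backup = [r for r in self.backup if r.subject_id != subject_id]
        entry["satisfied_at"] = datetime.now(timezone.utc)
        return removed

def demo():
    now = datetime(2018, 12, 1, tzinfo=timezone.utc)
    store = Store()
    old = Record("u1", "order_fulfilment", now - timedelta(days=400), {"email": "u1@example.invalid"})
    fresh = Record("u2", "marketing_consent", now - timedelta(days=10), {"email": "u2@example.invalid"})
    store.live += [old, fresh]
    store.backup += [old, fresh]
    purged = store.purge_expired(now)                         # 2: 'old' from live and backup
    erased = store.erase_subject("u2", now, channel="phone")  # 2: 'fresh' from live and backup
    return purged, erased, len(store.live) + len(store.backup), store.audit[0]["satisfied_at"] is not None
```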