On May 25, the European Union’s General Data Protection Regulation (GDPR) takes effect, which means that the rules are changing on how companies collect, store or process large amounts of users’ data. Compliance with the law is required, and penalties for noncompliance are severe.
What is the purpose of GDPR?
The regulations, which extend to every company that operates in Europe or has customers in the European Union, are meant to give users access to and control over their personal data. Most recently this issue came to light in connection with the privacy policies of Facebook, which has now promised to institute GDPR controls globally.
What does it mean?
The new data protection law affects any company that operates in the EU or processes the data of any EU nationals. Companies must post easy-to-understand terms and conditions, and if there is a data breach, companies must let users know within 72 hours. Further, companies may only collect data if there is a specific reason for it.
How to be GDPR compliant?
User access and agreements
- If a user gets in touch with your company via an inquiry form on your website, that is not a consent for sharing your newsletter with them or adding them to your list of newsletter contacts.
- To ensure clarity for the user, the inquiry form should have a checkbox that explicitly states if a user wants to be added to the email marketing list. Also, the terms and conditions should state how a user's data would be used.
- A log that reflects when the user agreed to the terms should also be recorded and presented to the user when requested.
- If you are running an e-commerce portal, a user may have to agree to your terms and conditions for the purchase.
- A user should be able to unsubscribe from the list and the data should be deleted as well.
- It is strongly advised to have a page on your website that gives a clear description of cookies that are being used, data you capture and what you do with that data.
- The policy should also include the option for users to request that their data be permanently deleted.
- A 'Secure Sockets Layer' (SSL/TLS) certificate lets a web server establish an encrypted connection with the browser, so that the details a user enters in any field on the website are encrypted in transit.
- While you may come across free SSL certificates online, we advise buying one that offers verified protection and in some cases, insurance too.
- The majority of websites, and e-commerce websites in particular, need user accounts, which typically store the user's name, address and some other basic data. This data is held in a database and managed with SQL, a language designed for defining, querying and updating the data in a relational database.
- The SQL database is used to insert, update, delete and retrieve this information, and it must be configured so that the data it holds is stored securely.
- GDPR defines 'pseudonymisation' as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
- Generally, an e-commerce website, or any website that asks users to log in to access the full portal, needs not only an SSL certificate but also to store personal data under pseudonyms.
Inquiry and Contact Form
- If your website lets people send you messages via an enquiry form, you need to ensure that the site uses SSL and that your SQL database stores the submitted details encrypted.
- If enquiry form submissions are sent to you by email, your email service provider must also be GDPR compliant.
- An enquiry form should not have any pre-ticked checkboxes that add a user to your newsletters. Consent covers that one enquiry only, unless the user agrees otherwise.
- The GDPR regulations require that your email data is stored securely. Also, anti-virus vendors are required to be in compliance with GDPR.
- You need to formulate a data retention policy that details, among other things, how you retain data and how long it is kept.
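The consent-log and pseudonymisation points above are easier to see in code. The following Python sketch is an added example, not code from the original article or from Netclues: user records are keyed by an HMAC token derived from the e-mail address, the token-to-identity mapping (the "additional information" in the GDPR definition) is held apart from the record, every consent decision is appended with a UTC timestamp and the version of the terms shown, and a subject can export or erase what is held. The class name, the secret key and the sample user are constructed for the example; in a real deployment the key would live in a key-management service rather than beside the data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class PseudonymisedStore:
    """Holds user data under an HMAC token; identity mapping kept separately (constructed example)."""

    def __init__(self, secret: bytes):
        self._secret = secret  # hypothetical: belongs in a KMS/HSM, not in the main database
        self._identities = {}  # token -> direct identifiers (the GDPR "additional information")
        self._records = {}     # token -> pseudonymised record: orders plus the consent log

    def token_for(self, email: str) -> str:
        """Keyed hash: without the secret the token cannot be recomputed from the e-mail."""
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self._secret, normalised, hashlib.sha256).hexdigest()

    def register(self, email: str, name: str, address: str) -> str:
        token = self.token_for(email)
        self._identities[token] = {"email": email, "name": name, "address": address}
        self._records.setdefault(token, {"consents": [], "orders": []})
        return token

    def record_consent(self, email, purpose, granted, terms_version, when=None):
        """Append one consent decision; the log is only ever extended, never overwritten."""
        token = self._known(email)
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self._records[token]["consents"].append({
            "timestamp": stamp, "purpose": purpose,
            "granted": bool(granted), "terms_version": terms_version,
        })
        return stamp

    def has_consent(self, email, purpose) -> bool:
        """Latest decision for the purpose wins; no entry means no consent (no pre-ticked box)."""
        record = self._records.get(self.token_for(email))
        if record is None:
            return False
        decisions = [c for c in record["consents"] if c["purpose"] == purpose]
        return bool(decisions) and decisions[-1]["granted"]

    def export_for(self, email) -> str:
        """Subject access request: re-join identifiers with the pseudonymised record."""
        token = self._known(email)
        payload = {"identity": self._identities[token], **self._records[token]}
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, email) -> bool:
        """Right to erasure: drop both halves; returns False if nothing was held."""
        token = self.token_for(email)
        found = token in self._identities or token in self._records
        self._identities.pop(token, None)
        self._records.pop(token, None)
        return found

    def analytics_view(self) -> dict:
        """What a reporting or marketing tool should see: tokens and non-identifying data only."""
        return {t: {"orders": r["orders"]} for t, r in self._records.items()}

    def _known(self, email):
        token = self.token_for(email)
        if token not in self._records:
            raise KeyError("no record held for this user")
        return token


def demo() -> dict:
    """Walk one constructed user through consent, export and erasure; returns the observations."""
    store = PseudonymisedStore(secret=b"constructed-demo-key-not-for-production")
    alice = "Alice@Example.com"  # constructed sample data
    store.register(alice, "Alice Example", "1 Sample Street")
    # Enquiry form submitted with the newsletter box left unticked.
    store.record_consent(alice, "newsletter", granted=False, terms_version="v1",
                         when=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    no_consent_yet = store.has_consent(alice, "newsletter")
    # Later the user ticks the box under a newer version of the terms.
    store.record_consent(alice, "newsletter", granted=True, terms_version="v2",
                         when=datetime(2018, 6, 1, 12, 30, tzinfo=timezone.utc))
    consented = store.has_consent(alice, "newsletter")
    export = json.loads(store.export_for(alice))
    analytics_dump = json.dumps(store.analytics_view()).lower()
    erased = store.erase(alice)
    return {
        "no_consent_yet": no_consent_yet,
        "consented": consented,
        "consents_logged": len(export["consents"]),
        "export_has_email": export["identity"]["email"] == alice,
        "analytics_leaks_email": "alice" in analytics_dump,
        "erased": erased,
        "after_erase": store.has_consent(alice, "newsletter"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Deleting the identity mapping is what turns the remaining pseudonymised rows into data that can no longer be attributed to the person, which is the distinction the GDPR definition quoted above draws; keeping the consent log append-only is what lets you show, on request, exactly when and under which terms the user agreed.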
Connected Social Media Accounts
- GDPR regulations also apply to your company's use of social media. While you do not have to ask permission every time a user follows your page, any information that is gathered from a user must be handled according to the regulations. This means if you have a chat with a user on any social media channel, once the inquiry is resolved, the chat history is to be deleted. You may ask the user to email you for a formal connection.
- Users must give their permission before their details can be used for any business promotion on your social media channels.
Google Analytics (or similar tools)
- If the data is entered into the CRM directly from your website, review your consent policies. The GDPR rules set a high standard for consent.
- Users can legally ask where and when their data was captured and how it can be used, and can also request to be “forgotten,” among other things. Under GDPR, users have eight basic rights.
As a business owner, you need to understand that personal data is not your property but that of the users. Like a bank holding money, you are simply holding data, with the requirement of letting the users examine it if they ask, as well as take it back when they please. Above all, you have the legal responsibility to protect their data.
Though the Data Protection Law comes into effect for the Cayman Islands from the start of 2019, we understand that there are a lot of companies in the Cayman Islands that have clients in the European Union and/or handle and process data of EU nationals and it is imperative that such companies’ websites comply with GDPR regulations.
If you need help with making your website GDPR compliant, call Netclues on +1-(345)-925-2222 or email us on firstname.lastname@example.org