On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) takes effect, which means that the rules are changing on how companies collect, store or process users' personal data, whatever the volume involved. Compliance with the law is mandatory, and penalties for noncompliance are severe.
What is the purpose of GDPR?
The regulation, which extends to every company that operates in Europe or offers goods or services to people in the European Union, is meant to give users access to and control over their personal data. Most recently this issue came to light in connection with the privacy practices of Facebook, which has now promised to apply GDPR controls globally.
What does it mean?
The new data protection law affects any company that operates in the EU or processes the personal data of people in the EU, wherever the company itself is based. Companies must publish easy-to-understand terms and conditions and privacy notices. If there is a personal data breach, the supervisory authority must be notified within 72 hours of the company becoming aware of it, and the affected users must be told without undue delay when the breach is likely to put them at high risk. Further, companies may only collect personal data for a specified, legitimate purpose and with a lawful basis for doing so.
How to be GDPR compliant?
User access and agreements
- If a user gets in touch with your company via an inquiry form on your website, that is not consent to sending them your newsletter or adding them to your newsletter contact list.
- To ensure clarity for the user, the inquiry form should have a checkbox that explicitly states if a user wants to be added to the email marketing list. Also, the terms and conditions should state how a user's data would be used.
- A record of when, and on which form, the user agreed to the terms should be kept and presented to the user on request.
- If you are running an e-commerce portal, a user may have to agree to your terms and conditions for the purchase.
- A user should be able to unsubscribe from the list, and the associated data should then be deleted.
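The points above describe one procedure: no pre-ticked boxes, a timestamped record of what was agreed, a way to show that record to the user, and unsubscribe with deletion. The following is an added example (not code from the original article or from Netclues) of a minimal consent ledger that implements that procedure; the class and function names are hypothetical, and the sample submissions are constructed.

```python
# Added example, not from the original article: a minimal consent ledger that
# records what a user agreed to, when, and on which form; treats a plain
# enquiry as no consent; and supports withdrawal and subject-access export.
# All class and function names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentEvent:
    purpose: str       # what the consent is for, e.g. "newsletter"
    granted: bool      # True = opt-in, False = withdrawal
    at: datetime       # when the user acted (UTC)
    source: str        # which form / version the checkbox appeared on


class ConsentLedger:
    """Append-only log of consent events, keyed by the user's email address."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def handle_enquiry_form(self, email: str, fields: dict, form_version: str,
                            now: Optional[datetime] = None) -> bool:
        """Process an enquiry submission. Only an explicitly ticked newsletter
        box counts; a missing or unticked box records nothing.
        Returns whether newsletter consent was recorded."""
        now = now or datetime.now(timezone.utc)
        if fields.get("newsletter_opt_in") is not True:   # default is no consent
            return False
        self._events.setdefault(email, []).append(
            ConsentEvent("newsletter", True, now, form_version))
        return True

    def withdraw(self, email: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        """Unsubscribe: logged as an event so the history shows when it happened."""
        now = now or datetime.now(timezone.utc)
        self._events.setdefault(email, []).append(
            ConsentEvent(purpose, False, now, "unsubscribe-link"))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The most recent event for the purpose decides; no event means no consent."""
        events = [e for e in self._events.get(email, []) if e.purpose == purpose]
        return bool(events) and events[-1].granted

    def export_for_subject(self, email: str) -> List[dict]:
        """What to hand the user when they ask when and how they agreed."""
        return [{"purpose": e.purpose, "granted": e.granted,
                 "at": e.at.isoformat(), "source": e.source}
                for e in self._events.get(email, [])]

    def erase(self, email: str) -> None:
        """Delete everything held about this user once they leave the list."""
        self._events.pop(email, None)


def demo() -> dict:
    """Constructed sample submissions (not real users) exercising the ledger."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # Enquiry only: the box was left unticked, so no consent is recorded.
    ledger.handle_enquiry_form("ann@example.com", {"message": "Price?"}, "contact-v2", t0)
    # Explicit opt-in on the same form version.
    ledger.handle_enquiry_form("bob@example.com",
                               {"message": "Hi", "newsletter_opt_in": True}, "contact-v2", t0)
    before = (ledger.has_consent("ann@example.com", "newsletter"),
              ledger.has_consent("bob@example.com", "newsletter"))
    ledger.withdraw("bob@example.com", "newsletter", t0.replace(hour=10))
    after = ledger.has_consent("bob@example.com", "newsletter")
    history = ledger.export_for_subject("bob@example.com")
    ledger.erase("ann@example.com")
    return {"before": before, "after": after, "history": history,
            "ann_export_after_erase": ledger.export_for_subject("ann@example.com")}
```

The ledger is append-only on purpose: a withdrawal is a new event rather than an edit, so the history shows both the opt-in and the opt-out with their dates and the form version that was live at the time. In a real deployment the ledger lives in a durable database, and a withdrawn address is usually kept on a suppression list so the unsubscribe is honoured even if the address is later submitted again.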
Cookie Policy
- Cookies are part of almost every website, but using them as a cover for collecting data the user has not agreed to is not acceptable. A pop-up that says the website uses cookies is not itself mandatory, but it is the established way for users to agree; what is mandatory is that non-essential cookies (analytics, advertising, third-party tracking) are not set until the user has agreed.
- It is strongly advised to have a page on your website that gives a clear description of cookies that are being used, data you capture and what you do with that data.
- A user should also be able to browse the website without accepting non-essential cookies, with the understanding that this may mean loss of some functionality.
Privacy Policy
- The privacy policy should explicitly state what data the website captures, when it is captured, what it will be used for, how long it is kept, and which third parties receive it.
- The policy should also explain how users can request that their data be permanently deleted (the right to erasure).
SSL/TLS Certificate
- A TLS certificate (still commonly called an 'SSL certificate', after the obsolete protocol it replaced) lets a browser verify that it is talking to your server and sets up an encrypted connection to it. This protects everything a user enters into any field on the website while it travels between browser and server; it does not protect data once it is stored on the server, which is a separate concern.
- Free certificates from a publicly trusted certificate authority (Let's Encrypt, for example) provide exactly the same encryption as paid ones; what paid certificates add is a stronger identity-validation process and, in some cases, a warranty. Whichever you use, make sure it is deployed on every page and not just the checkout, that it is renewed before it expires, and that plain-HTTP requests redirect to HTTPS.
Pseudonymisation
- The majority of websites, and e-commerce websites in particular, need user accounts, which typically store the user's name, address and other basic data. This data usually lives in a relational database that is managed and queried with SQL, a language designed for working with the data held in it.
- A database does not store data securely by itself: who can query it, whether it is encrypted at rest, and how backups are handled are your responsibility, and a leaked database dump exposes every account in it.
- GDPR (Article 4(5)) defines 'pseudonymisation' as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures".
- For an e-commerce website, or any website that requires a login to use the entire portal, you therefore need not only TLS for data in transit but also a way to keep the data that identifies a person separate from the rest: for example, storing orders and activity against a pseudonym and keeping the lookup that links pseudonyms to real identities in a separately protected store. GDPR names pseudonymisation as an example of an appropriate technical measure (Articles 25 and 32), so it is strongly recommended rather than strictly mandated.
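As an added example (not code from the original article or from Netclues) of what the definition above means in practice for an e-commerce order table, the following splits each order into a pseudonymised row and an entry in a separately held vault. The vault holds the "additional information" (a secret key and the pseudonym-to-identity mapping); without it, the order table cannot be attributed to anyone. It also goes slightly beyond the text by showing how an erasure request can be honoured by dropping the vault entry. Class and function names are hypothetical and the sample orders are constructed.

```python
# Added example, not from the original article: splitting an e-commerce
# order table into a pseudonymised part and a separately held vault that
# holds the "additional information" needed to re-identify a customer.
# Class and function names are hypothetical.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

PII_FIELDS = ("email", "name", "address")   # direct identifiers to move into the vault


class IdentityVault:
    """The separately kept store: the HMAC key plus pseudonym -> identity mapping.
    In production this lives in its own database with its own access controls,
    and the key in a KMS/HSM; here it is in memory so the example runs offline."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._identities: Dict[str, dict] = {}

    def register(self, identity: dict) -> str:
        # Keyed hash rather than a bare SHA-256: without the key, an attacker
        # holding the order table cannot rebuild it by hashing guessed emails.
        email = identity["email"].strip().lower()
        token = hmac.new(self._key, email.encode(), hashlib.sha256).hexdigest()[:24]
        self._identities[token] = dict(identity)
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        return self._identities.get(token)

    def forget(self, token: str) -> None:
        """Erasure request: drop the link. The orders remain but can no longer
        be attributed to anyone."""
        self._identities.pop(token, None)


def pseudonymise_orders(orders: List[dict], vault: IdentityVault) -> List[dict]:
    """Move direct identifiers out of each order into the vault and keep a token."""
    table = []
    for order in orders:
        identity = {k: order[k] for k in PII_FIELDS if k in order}
        row = {k: v for k, v in order.items() if k not in PII_FIELDS}
        row["customer"] = vault.register(identity)
        table.append(row)
    return table


def demo() -> dict:
    """Constructed sample orders (not real customers)."""
    vault = IdentityVault(key=b"\x01" * 32)   # fixed key only so the demo is repeatable
    orders = [
        {"email": "Ann@Example.com", "name": "Ann Example", "address": "1 High St",
         "order_id": 1001, "amount": 19.99},
        {"email": "ann@example.com", "name": "Ann Example", "address": "1 High St",
         "order_id": 1002, "amount": 5.00},
    ]
    table = pseudonymise_orders(orders, vault)
    tokens = [row["customer"] for row in table]
    pii_in_table = any(k in row for row in table for k in PII_FIELDS)
    name_before = vault.reidentify(tokens[0])["name"]
    vault.forget(tokens[0])                      # the customer asks to be forgotten
    return {"same_customer_same_token": tokens[0] == tokens[1],
            "pii_in_table": pii_in_table,
            "name_before": name_before,
            "after_forget": vault.reidentify(tokens[0]),
            "rows_kept": len(table),
            "different_key_different_token": IdentityVault(key=b"\x02" * 32)
            .register(orders[0]) != tokens[0]}
```

Two design choices matter here. The token is a keyed hash (HMAC) of the normalised email, so the same customer always gets the same pseudonym and their orders stay linkable for fulfilment and accounting, while someone who steals only the order table cannot recover emails by hashing guesses because they lack the key. And because the link lives only in the vault, deleting that one entry is enough to turn a customer's history into unattributable records, which is a practical way to honour a deletion request without rewriting every table that references the pseudonym.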
Payment Gateways
- As an e-commerce website, or even if you are a user of any of the online payment models, you need to ensure that the privacy policy of the payment gateway is checked and meets your compliance needs. This should be mentioned in your own privacy policy.
Inquiry and Contact Form
- If your website allows people to send messages to you via an enquiry form, you need to ensure that the website uses TLS and that the submitted details are encrypted at rest in the database, with access to them restricted.
- If enquiries are delivered to you by email, your email service provider is processing that personal data on your behalf, so it too must be GDPR compliant and bound by a data processing agreement.
- An enquiry form should not have any pre-ticked checkboxes that add a user to your newsletters. The enquiry covers that one interaction only unless the user has agreed to more.
Live Chats
- If you have a live chat service on your website, you must name the third-party provider in your cookie and privacy policies and review its own GDPR position. The reason is that the transcript of the chat is retained by the provider and shared with both parties once a user's query is resolved. Both policies should say so, and the stored transcripts should be encrypted at rest.
Connected Email
- GDPR requires that your email data, which almost always contains personal data, is stored securely. Any vendor that scans your mail (anti-virus or anti-spam filtering) is processing that data too and must also be in compliance.
- You need to formulate a data retention policy that details, among other things, how you retain data and how long it is kept.
Connected Social Media Accounts
- GDPR also applies to your company's use of social media. While you do not have to ask permission every time a user follows your page, any information gathered from a user must be handled according to the regulation. This means that if you handle a user's enquiry over chat on a social media channel, the chat history should not be kept once the enquiry is resolved; if a longer-term relationship is wanted, ask the user to contact you by email so that consent can be recorded properly.
- Your privacy policy should also mention any third-party data controllers, such as single sign-on (SSO) via social media account logins.
- Users must give their permission before their details can be used for any business promotion on your social media channels.
Google Analytics (or similar tools)
- If your website runs Google Analytics or any similar tracking tool, the tracking must be in compliance with GDPR, and it must be mentioned in the cookie consent and in the privacy policy. The third party's own privacy policy must also be in compliance.
CRM Connection
- If you are writing a user's data into a CRM, this must be mentioned in your privacy policy, as well as the third-party service.
- If the data is entered into the CRM directly from your website, review your consent policies. The GDPR rules set a high standard for consent.
- Users can legally ask what data you hold about them, where and when it was captured and how it is used, and can request to be "forgotten", among other things. Under GDPR, data subjects have eight basic rights.
As a business owner, you need to understand that personal data is not your property but the user's. Like a bank holding money, you are simply holding data, with the obligation to let users examine it if they ask and to give it back when they please. Above all, you have the legal responsibility to protect it.
Though the Cayman Islands Data Protection Law is due to come into effect at the start of 2019, many companies in the Cayman Islands have clients in the European Union and/or handle and process the data of EU residents, and it is imperative that such companies' websites comply with GDPR.
If you need help with making your website GDPR compliant, call Netclues on +1-(345)-925-2222 or email us on sales@netclues.com