As we fast approach May 25th 2018, organizations all across the European Union (and organizations that deal with European citizens and their data) are working to ensure that their business processes are compliant with the General Data Protection Regulation (GDPR) that comes into effect on that date.
What is GDPR?
The latest EU regulation on data protection and privacy, GDPR governs how the personal data of EU citizens is used, whether the organization processing it sits inside or outside the European Union. It sets out in detail the rights EU citizens have over their personal data and the rules organizations must follow.
Why is GDPR compliance of vital importance?
The main purpose of GDPR is to give people back the right to be informed about the data organizations gather about them, and the right to know how that data is used and for what. Until recently, consent was assumed to be given by default.
Secondly, and more importantly for you as an organization, is how you react to the new regulations. By being proactive in your GDPR compliance process you send your visitors and clients the message that you have the users' best interest in mind and that you play fair and square. You are then well on your way to creating loyal and happy promoters. Taking a strong strategic position in favor of GDPR also sets you apart from your competitors in the industry.
The third reason, and definitely not one that can be taken lightly, is the penalties: fines of up to €20 million or 4% of the company's annual turnover, whichever applies.
How to become GDPR compliant?
The European Data Protection Regulation was adopted on April 14th, 2016, but it comes fully into effect on May 25th, 2018. Organizations now have to review the systems and processes they have in place, especially any that handle data about people in the European Union. While it will take time for organizations to become fully compliant, companies already dealing with personal data need to prioritize obtaining consent from their users before that date.
Some key points to consider
One of the main things to focus on is to ensure that you do not gather data from visitors on the first page load. When you do gather information, every data-gathering form should carry explicit consent checkboxes that are not pre-ticked by default.
Right to Access
This is the basic right on which all the other rights, such as the right to update and the right to be forgotten, are built: the user must be able to view all the information that has been collected about them. This could be through logged-in access or through a written or verbal request, answered within a stipulated one-month period.
Right to be Informed
Any form on the site with fields for personal information should explain how that information is going to be used. The information provided to the user includes why the information is collected and for what, with whom it is shared (if anyone), and explicit permission must be obtained for every piece of information. The user consent records need to be preserved too.
Right to Erasure or to be Forgotten
The user should be able to withdraw consent at any time and without any hurdles, i.e. the process of withdrawing consent should be straightforward.
When a person withdraws consent to the use of their data, removal means deleting all data they provided and all data derived from their use of the services rendered. The consent withdrawal might be just a form for the registered user, but at the back end the submit button, once clicked, should trigger the deletion of all data related to that unique ID.
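The three rights above (access, informed consent, erasure) share one back-end concern: a record of which consent was given for which purpose, an export of everything held about a user, and a single withdrawal action that purges both provided and derived data. The following is an added example, not code from the original post or from any Drupal module; the in-memory store layout, the function names and the sample users are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): a minimal in-memory model of the
// consent ledger, subject-access export and withdrawal-triggered deletion.
// Store layout, function names and sample data are assumptions.

// Constructed sample store, keyed by the user's unique ID.
function makeSampleStore() {
  return {
    // Personal data the user gave us directly.
    profiles: {
      'u-1001': { email: 'alice@example.test', name: 'Alice' },
      'u-1002': { email: 'bob@example.test', name: 'Bob' },
    },
    // Data derived from the user's use of the service (analytics, recommendations).
    derived: {
      'u-1001': [{ event: 'viewed_product', sku: 'SKU-42' }],
      'u-1002': [{ event: 'viewed_product', sku: 'SKU-7' }],
    },
    // Consent ledger: one entry per purpose the user was explicitly asked about.
    consents: [],
  };
}

// Record an explicit, per-purpose consent decision together with the version
// of the form the user saw, so the consent can be evidenced later.
function recordConsent(store, userId, purpose, granted, formVersion, at) {
  if (typeof granted !== 'boolean') {
    throw new Error('consent must be an explicit true/false, never assumed');
  }
  store.consents.push({ userId, purpose, granted, formVersion, grantedAt: at, withdrawnAt: null });
  return store;
}

// Right to Access: everything held about one user, in one place.
function exportUserData(store, userId) {
  return {
    profile: store.profiles[userId] || null,
    derived: store.derived[userId] || [],
    consents: store.consents.filter((c) => c.userId === userId),
  };
}

// Right to Erasure: the single submit action removes the profile AND all derived
// data keyed to the ID, and closes every open consent entry. Assumption: the
// consent entries (which carry only the opaque ID, purpose and timestamps, no
// personal data) are kept as evidence that consent existed and was withdrawn.
function withdrawConsent(store, userId, at) {
  delete store.profiles[userId];
  delete store.derived[userId];
  for (const c of store.consents) {
    if (c.userId === userId && c.withdrawnAt === null) {
      c.granted = false;
      c.withdrawnAt = at;
    }
  }
  return store;
}

// Is there an active consent for this purpose? Check this before processing.
function hasConsent(store, userId, purpose) {
  return store.consents.some(
    (c) => c.userId === userId && c.purpose === purpose && c.granted && c.withdrawnAt === null,
  );
}

// Usage: consent given on form v3, then withdrawn; the export afterwards holds
// no profile and no derived data, only the closed consent entries.
const demo = makeSampleStore();
recordConsent(demo, 'u-1001', 'marketing', true, 'v3', '2018-05-25T09:00:00Z');
withdrawConsent(demo, 'u-1001', '2018-06-01T10:30:00Z');
console.log(JSON.stringify(exportUserData(demo, 'u-1001')));
```

Two design points carry over to a real Drupal back end: consent is stored per purpose (so withdrawing marketing consent does not silently also cover the analytics purpose), and deletion runs over every table keyed by the user ID, not just the profile row.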
Cookie compliance
With the introduction of GDPR, all third-party integrations and cookies that have access to a site user's data, including the IP address and other associated data, must respect the permission the user has granted. So your ability to comply depends on your third parties' ability to comply.
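The practical consequence of this section and of the "no data gathering on the first page load" point above is that third-party scripts must not load until the visitor has granted the matching consent, and a missing or malformed consent cookie must mean "no consent", never "consent". The following is an added example, not code from the original post or from any Drupal module; the integration catalogue, the consent categories and the injected loadScript callback are assumptions.

```javascript
// Added example (not from the original post): gate third-party integrations
// behind the visitor's stored consent so nothing runs on the first page load.
// Integration list, consent categories and the loadScript callback are assumptions.

// Constructed catalogue of third-party scripts and the consent category each needs.
const INTEGRATIONS = [
  { id: 'analytics', category: 'analytics', src: 'https://analytics.example.test/tag.js' },
  { id: 'ads', category: 'marketing', src: 'https://ads.example.test/pixel.js' },
  { id: 'chat', category: 'functional', src: 'https://chat.example.test/widget.js' },
];

// First-visit state: every category is false, nothing is pre-ticked.
function defaultConsent() {
  return { analytics: false, marketing: false, functional: false };
}

// Parse the consent the visitor saved earlier (e.g. the raw value of a consent
// cookie). Anything missing or malformed falls back to "no consent".
function readConsent(raw) {
  const consent = defaultConsent();
  if (!raw) return consent;
  try {
    const parsed = JSON.parse(raw);
    for (const key of Object.keys(consent)) {
      consent[key] = parsed[key] === true; // only a literal true counts
    }
  } catch (e) {
    // malformed cookie: keep the all-false default
  }
  return consent;
}

// Which integrations may run under this consent state.
function allowedIntegrations(consent, integrations = INTEGRATIONS) {
  return integrations.filter((i) => consent[i.category] === true);
}

// Load only the permitted scripts. loadScript is injected so the same logic runs
// in the browser (append a <script> tag) and in tests (record the calls).
function applyConsent(consent, loadScript, integrations = INTEGRATIONS) {
  const allowed = allowedIntegrations(consent, integrations);
  for (const i of allowed) loadScript(i.src);
  return allowed.map((i) => i.id);
}

// Checkbox states for the consent form: unchecked unless the user opted in.
function checkboxStates(consent) {
  return Object.keys(consent).map((category) => ({ category, checked: consent[category] }));
}

// Usage with a recording loader; in a page you would instead pass a function
// that creates a <script> element with the given src and appends it to <head>.
const loaded = [];
const ran = applyConsent(readConsent('{"analytics":true}'), (src) => loaded.push(src));
console.log(ran, loaded);
```

The important check is `parsed[key] === true`: a cookie that a buggy or tampered client sets to the string `"true"` or `1` does not unlock a category, and the first visit, where no cookie exists at all, loads none of the integrations.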
While complying with GDPR may be a tough task, it becomes manageable by sticking to two simple rules: do not ask for personal information you do not need, and do not keep data longer than you need it. Both require a clearly defined data flow process (data lineage) and a few more fields in the "Contact Us" section.
Get in touch with us for setting up GDPR compliant forms and workflows on your Drupal site.