Data is one of the most valuable resources of a modern-day business. You can sell it, monetize it, or use it to draw valuable insights about your users and improve your product/service accordingly.
Yet, with great power comes great responsibility. Security breaches and data leaks can result in millions of dollars in fines and lawsuits, and could eventually even cost you your business.
To address this issue, the European Union has introduced the General Data Protection Regulation (GDPR), setting clear requirements in the field of data collection and management. Being undoubtedly useful, the regulation poses a number of challenges for business owners.
In this article, we will answer some of the most burning questions related to GDPR compliance and provide a roadmap for GDPR implementation within your business.
What does GDPR stand for?
The General Data Protection Regulation (GDPR) is a piece of legislation aimed at reinforcing and unifying the EU data protection policies. Simply put, it regulates the way businesses treat users’ data.
Who must comply with GDPR?
Any organization within the European Union that collects, stores and processes user data through their website, e.g. via a contact or subscription form (including third-party services), is obliged to meet the standards set by the GDPR.
Yet, the regulation will have an impact not just on the companies operating in the EU. Any business targeting customers in Europe needs to adapt to the GDPR website requirements as well.
When does it take effect?
GDPR was first introduced back in 2016, and officially takes effect on May 25, 2018. That means businesses have had two years to prepare for it and safely navigate the possible risks of violating its requirements.
What if I don’t comply?
Those businesses that fail to meet the new data security requirements will be subject to an administrative fine (up to €20M or 4% of the global sales of the previous financial year, whichever is higher). With such a hefty price at stake, business owners need to take GDPR compliance seriously.
The 5 main GDPR compliance principles business owners will need to take into account when building their products are as follows:
- Increased data transparency. The GDPR grants consumers the right to know how their personal data is being treated by businesses and organizations.
- The data portability principle is aimed at making it easier for users to switch providers or transfer their data from one business to another.
- Users are free to revoke their consent to share data at any time. This means that if they no longer want to share their data, a business or organization possessing it is obliged to delete it immediately (except where there are legitimate grounds for keeping it).
- Organizations are obliged to inform users if their data privacy has been violated. If there is a security breach, the organization has 72 hours to notify the authorities as well as all affected parties. This allows users to protect their data by taking respective measures as soon as possible.
- Data protection should be built into any product or service “by design and by default”. Businesses should take into account the newly-established principles starting from the earliest stages of development.
According to a PwC survey, 92% of the respondents (mostly US-based) consider GDPR readiness either the highest priority or one of several top priorities on their security agenda.
If you are one of them, here is an easy 10-step guide to get you started.
GDPR compliance checklist:
- Understand the core principles of GDPR and their possible impact on your business. Start with reading the official documents.
- Educate your employees who have any access to personal data about the new regulations.
- Perform an audit to identify the data your apps collect. Do you really need all of the datasets you request from your users? Try to keep the amount of stored personal data to a minimum.
- Create a secure registry of your users’ data. It’s important to know where it is stored, who has access to it, with whom it is being shared, etc. Data encryption should be the default for storing this information.
- Identify all of your data processors, including all internal apps as well as third-party services. Make sure they all meet the GDPR requirements.
- Make your data privacy policies clear by listing them on the corresponding website page (or within your app). Your users need to know if their data is being collected, including the type of data you collect, why, and how long you will store the information.
- Introduce and test out incident response plans. To be able to take the required actions in case of emergency, put a detailed mitigation plan in place and make sure all of your employees are aware of it.
- Assess and review your existing security policies. Find out how exactly they work (e.g. with encryption, tokenization, or pseudonymization).
- Fix any aspects of your data protection policy that don’t comply with the GDPR.
- Revise and repeat. Make GDPR compliance an integral part of your business strategy.
If you are not ready for a complete revamp, consider starting with the following data security tips:
- Integrate the OAuth protocol as a sign-up/sign-in option for your website or app. This way you can offer a secure login without requesting or storing users’ credentials yourself (other than what is needed to authenticate their ID).
- Adopt HTTPS to close the vulnerabilities that come with serving your website over plain HTTP.
- Encrypt the user logs.
- While tracking users’ activity on-site is a common practice in eCommerce, they should be aware of this and give their consent for you to collect and use this info.
- Use two-factor authentication where possible.
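The "encrypt the user logs" tip and the pseudonymization mentioned in the checklist both come down to the same practice: never store raw identifiers where you do not need them. As an added example (not code from the original article or from Eastern Peak), the script below pseudonymizes e-mail addresses and IPv4 addresses in application log lines with a keyed HMAC-SHA256 before the lines are written to storage. The log lines and the key are constructed for illustration; the choice of HMAC-SHA256 and the `user:`/`ip:` token prefixes are this example's own assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not taken from the article) containing personal data.
SAMPLE_LOG = [
    "2018-05-25T10:01:12Z login user=alice@example.com ip=203.0.113.42 status=ok",
    "2018-05-25T10:02:03Z cart user=alice@example.com ip=203.0.113.42 items=3",
    "2018-05-25T10:05:47Z login user=bob@example.org ip=198.51.100.7 status=fail",
]

# Identifiers we treat as personal data in these logs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the value, truncated to `length` hex chars.

    The same value under the same key always yields the same token, so activity can still be
    correlated per user, but the original value cannot be recovered without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace e-mail addresses and IPv4 addresses in one log line with keyed pseudonyms."""
    line = EMAIL_RE.sub(lambda m: "user:" + pseudonym(m.group(0), key), line)
    line = IPV4_RE.sub(lambda m: "ip:" + pseudonym(m.group(0), key), line)
    return line


def pseudonymize_log(lines, key: bytes):
    """Pseudonymize every line of a log; this is what should be written to long-term storage."""
    return [pseudonymize_line(line, key) for line in lines]


def contains_raw_identifiers(lines) -> bool:
    """Check used before storing: True if any raw e-mail or IPv4 address is still present."""
    return any(EMAIL_RE.search(line) or IPV4_RE.search(line) for line in lines)


if __name__ == "__main__":
    # The key is a constructed placeholder; in production it comes from a secrets store
    # and is never written next to the logs it protects.
    key = b"placeholder-log-pseudonymization-key"
    stored = pseudonymize_log(SAMPLE_LOG, key)
    for line in stored:
        print(line)
    print("raw identifiers left:", contains_raw_identifiers(stored))
```

Because the token depends on a secret key, an attacker who obtains the stored logs but not the key cannot turn the tokens back into e-mail addresses or IP addresses, while the same user still maps to the same token across lines, so the logs remain useful for debugging and analytics. Keep the key separate from the logs, and apply the retention period you state in your privacy policy to the pseudonymized logs as well: pseudonymized data is still personal data.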
GDPR implementation is an ongoing process. That’s why we recommend hiring a designated Data Protection Officer (DPO) or engaging with a reliable technology partner that will help you establish a solid data protection strategy so that your business can be GDPR compliant.
According to Gartner, more than half of the surveyed companies potentially affected by the introduction of GDPR will not fully comply with its requirements by the end of 2018. That means at least half of the businesses could be subject to fines. Taking into account the penalty size, not all of them will be able to recover from it.
In case you are still wondering if you need to prepare your website for GDPR, the answer is, most likely, “yes”. And you need to do it fast. The best way to adopt the new data protection principles is to engage with a professional, who can handle the process from A to Z.
We at Eastern Peak are working with several global companies, including Western Union and Gett, and have been dealing with data protection and security on a daily basis. We can help you identify the bottlenecks in your data management process, suggest improvements, and implement the required changes in order for your app to comply with the GDPR requirements and not violate any laws.
To get a full data security check of your website or app and develop a comprehensive GDPR compliance approach, get in touch with us today.