Also available as PowerPoint Presentation and PDF Slides
Cliff Notes: what is GDPR?
GDPR is concerned with the collection, storage and processing of personal data
The two sets of rules to be aware of are the General Data Protection Regulation 2016 ("GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"), which covers electronic marketing communications.
It applies to all people in EU member states, even if the company is not located there. GDPR comes into force on May 25 2018 and, as a Regulation, does not need member countries to make it law first (though each country will then add it to their own laws). It replaces the Data Protection Act 1998.
Each country has its own supervisory authority, and each company must register with one. If you have offices in multiple countries, choose the one where your head office and legal counsel are located; otherwise you will be accountable to each country.
In the UK the authority is called the ICO, and its website contains the regulations and many other guides, including 12-step programmes.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
These come with the following levels of enforcement action:
- Warning
- Reprimand
- Suspension of data processing
- Top-level fine: €20 million or 4% of global annual turnover
Clear what's inside
- A clear listing of each use and auditable processes
- A reason for each "ingredient" (each item of data collected)
With the new regulations, the data you collect and every partner who processes any of that personal data need to be listed clearly in your Terms or Privacy statement.
Visitor Opt-In
- Log the location and time of opt-in
- Each form should be screen-grabbed and filed
- Provide a link to the Privacy Policy from the form
- Use email double opt-in
Visitor Opt-In Controls
- Clear, natural language
- Granular
- Opted out by default
- Group same intent
Cookie and Services
- Audit your current cookies and 3rd-party services
- Be able to disable services according to each visitor's opt-in choices
Re-engagement
- Where there is no record of opt-in
- Wake non-active email subscribers
- Warm up subscribers and prompt an action
Separate Personal Data
- Storage should be encrypted at rest
- Data should be secured in transit
- Extract personal data into a separate store so it can be controlled
- Consider a Single Sign-On system
Export requests (the right of access)
- Develop a process to:
  - Receive customer requests
  - Deliver the personal data in a machine-readable format (CSV)
- Start with just a form and a manual process; add automation later
- Cannot charge for access
Removal requests (the right to be forgotten)
- Develop a process to:
  - Receive customer requests
  - Remove the personal data
  - Unsubscribe the person from your own automation
  - Unsubscribe them from 3rd-party email and other systems
  - Keep the business record by anonymising the email address
- Cannot charge for the process
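The two request processes above, export to a machine format and erasure that keeps the business record by anonymising the email, as one worked example. This is added code, not from the slides; the record fields, the HMAC-based pseudonym and the placeholder key are assumptions.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample records (no real people); field names are assumptions for this demo.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Smith", "order_total": "42.00"},
    {"id": 2, "email": "bob@example.com", "name": "Bob Jones", "order_total": "10.50"},
    {"id": 3, "email": "alice@example.com", "name": "Alice Smith", "order_total": "7.25"},
]
# Placeholder key: in a real deployment load it from a secret store, never from source.
SECRET = b"constructed-demo-key"


def _norm(email):
    return email.strip().lower()


def export_subject(records, email):
    """Right of access: the subject's records as CSV text, the machine format the slides suggest."""
    rows = [r for r in records if _norm(r["email"]) == _norm(email)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def pseudonym(email, secret):
    """HMAC-SHA256 of the normalised address: one person's records still link to each
    other, but the token cannot be reversed to the address without the key."""
    return hmac.new(secret, _norm(email).encode(), hashlib.sha256).hexdigest()[:16]


def erase_subject(records, email, secret):
    """Right to erasure: return a copy with the subject's personal fields removed while
    ids and order totals stay, so revenue and stock figures still add up."""
    token = "erased-" + pseudonym(email, secret)
    out = []
    for r in records:
        r = dict(r)
        if _norm(r["email"]) == _norm(email):
            r["email"] = token
            r["name"] = ""
        out.append(r)
    return out


def contains_personal_data(records, email):
    """Verification step after erasure: the raw address must not survive in any field."""
    needle = _norm(email)
    return any(needle in str(v).lower() for r in records for v in r.values())
```

A keyed hash is pseudonymisation rather than anonymisation for as long as the key exists; destroying the key once the retention period ends is what makes the tokens unlinkable.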
It is an ongoing process, so bake in Privacy by Design
The description that best summarises this evolution to a better set of practices is Privacy by Design. Applying these processes to every new point of data collection or processing makes it more transparent and easier to implement. Buy-in from the company and its systems from the planning stage onwards bakes it in for the users too.