The moment we have all dreaded has come: the European Union's General Data Protection Regulation (GDPR) act is upon us, and there's no doubt it will have a huge impact on digital business, as well as on any other business that has an online presence.
Yet, almost half of the organizations surveyed by Ponemon Institute won't be in compliance with GDPR any time soon. Eight percent of the respondents don't even know when they will be able to comply.
Source - The Race to GDPR, a study by Ponemon Institute
If your company is one of the 8% that is lacking a solid GDPR compliance plan, I have some bad news for you. Failure to comply can cost you up to €20 million or eventually ruin your business by eroding your customers' trust.
How to make software GDPR compliant: 5 steps you should have already taken to avoid penalties
The GDPR data protection policies put certain limitations on how businesses collect, store, and use users' data. As a result, the first step in your GDPR compliance checklist should be to identify the types of data your applications deal with.
Make sure to understand which data is of primary importance to your business and separate it from any other information that is not necessary. Don't gather and store data that is irrelevant. Thus, you will reduce the effort needed for your GDPR implementation strategy and minimize the risks of non-compliance.
As soon as you understand the type of data your business needs, you can further focus on your GDPR implementation plan.
Here are 5 major aspects you should take into consideration when preparing for GDPR:
Put proper data protection policies in place
GDPR compliant software should, above all, keep the users' information safe. In this regard, encryption and anonymization are the two common solutions for preventing data privacy violations. Moreover, using the HTTPS protocol for all communication provides an additional level of protection.
Another major point to take into consideration: get ready to act fast in case of a data breach. You must notify any affected users (as well as the authorities) within 3 days (72 hours).
Due to the numerous challenges, both organizational and technical, preparing for data breach notifications is considered one of the most difficult GDPR requirements, according to the Ponemon Institute study quoted earlier.
Thus, you need to put in place a clear action plan in case of violations. Secondly, make sure your employees understand their roles in this plan and that they are prepared to act accordingly. Last but not least, you need to implement a technical strategy for notifying your users. It is preferable to automate the process in order to avoid any delays.
For example, you can implement an algorithm that detects any suspicious activity and notifies the individuals in charge of your data security, legal department, or top management. Once they look into the issue and confirm that there was a violation, the system can trigger an automated notification mailout to your customers and the authorities. In the meantime, you can focus on fixing the problem and restoring your system's security.
Review and update your consent forms
Under the GDPR, you are required to obtain permission from your users before you can collect and use any of their personal data. This means you should, first of all, rethink your approach to consent forms (or put one in place if you don't have one already).
Here are the major rules for designing consent forms in GDPR compliant software:
- Get rid of any kind of pre-ticked boxes.
- Clearly articulate what is meant by each of your consent requests.
- Each data processing activity you request should be approved by the users separately.
- Make the opt-in and opt-out process equally easy and convenient.
- Allow users to access and use your website/app even if they don't agree to share their data.
- Keep record of every consent given by your users.
Every consent that is given should be recorded separately (for example, as its own column in your database), so that if the user withdraws it, handling that request is straightforward.
Analyze the third-party services you use
Be careful with any third-party integrations you use. If they violate the GDPR requirements, your whole product will be at risk. If you are not sure how the integrated third-party tools use personal data and whether they comply with the GDPR at all, remove such integrations altogether. Choose only trusted providers to avoid any complications.
If you redirect users to, or share users' data with, any third parties, make sure to inform your users about it. Put your users in charge of who is allowed to access their data.
If you have to delete someone's information from your database, make sure the third-party tools allow you to do so too. Fortunately, most integrations like HubSpot or Salesforce make removing users' data relatively easy: you simply call their API with the corresponding request.
Conduct a thorough cookie audit
Under the GDPR, the common notifications (which we have become accustomed to seeing) regarding how cookies are used will no longer suffice. Now, unless you have legitimate grounds for collecting that kind of data, you need to get clear consent in order to track a user's activity on your website.
There are basically two main challenges for cookie usage under GDPR:
- Secondly, you need to give your users the ability to manage (opt in or opt out) each category of cookies separately.
But, before you implement the required changes, reconsider the importance of the information you get through cookies, and determine whether or not it is worth your effort.
Set up solid internal policies for data management
In addition to the consumer-facing GDPR implementation activities, you need to make sure your internal data handling processes also comply with the new data protection standards.
Revise your internal infrastructure for data processing and storage to verify that it is safe, map the possible risks, and fix any issues. Regular vulnerability scans and penetration testing can be a good way to ensure that your internal infrastructure is sound, and that your customer-facing components are secure.
There should also be a technical means for recording, tracking, erasing, changing, and providing access to the users' personal data that the website collects and stores. Every operation involving users' data should be logged, so you always know who accessed it, when, and why. You should also consider implementing some sort of authentication process for data access and/or modifications.
You should also be ready to erase a user's data on request. Data deletion shouldn't pose any technical challenges as long as you use a regular data model. If you use blockchain or event-sourcing models, the process might be more difficult.
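The per-purpose consent records and the "who, when, why" access log described above, as an added example that is not part of the original post. It assumes an in-memory dict standing in for a database table; the purpose names and the `ConsentLedger` class are illustrative.

```python
"""Added example (not from the original post): a minimal consent ledger that
records each processing purpose as its own consent entry, makes withdrawal one
call, and writes an audit trail of who touched a user's data, when, and why.
Storage is an in-memory dict standing in for a database table."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One entry per purpose, never a bundled "I agree to everything" flag.
PURPOSES = {"newsletter", "analytics", "profiling"}


@dataclass
class ConsentLedger:
    # consents[user_id][purpose] -> latest decision (True/False)
    consents: dict = field(default_factory=dict)
    # append-only record of every consent change and data access
    audit_log: list = field(default_factory=list)

    def _log(self, actor, user_id, action, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "user_id": user_id,
            "action": action, "reason": reason,
        })

    def record(self, user_id, purpose, granted, actor="user"):
        """Record one consent decision for one purpose."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents.setdefault(user_id, {})[purpose] = bool(granted)
        self._log(actor, user_id, f"consent:{purpose}={bool(granted)}",
                  "user decision")

    def withdraw(self, user_id, purpose, actor="user"):
        """Opt-out is a single call, as easy as opt-in."""
        self.record(user_id, purpose, False, actor)

    def allowed(self, user_id, purpose):
        """Default is False: no pre-ticked boxes, no implied consent."""
        return self.consents.get(user_id, {}).get(purpose, False)

    def access(self, actor, user_id, purpose, reason):
        """Gate every data access on a recorded consent and log the attempt."""
        if not self.allowed(user_id, purpose):
            self._log(actor, user_id, f"denied:{purpose}", reason)
            return False
        self._log(actor, user_id, f"read:{purpose}", reason)
        return True
```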
Another challenge for GDPR compliant applications is ensuring the portability of your users' data. As the information collected from a single user can be dispersed among multiple internal systems, you will need a solution that can compile the information that you have on a single user across multiple databases and transmit it to another system using an external API.
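The portability export just described, together with the erase-on-request step from the previous paragraph, as an added example that is not part of the original post. It assumes three in-memory dicts standing in for separate internal databases, each naming the data subject under a different field; all records are constructed sample data.

```python
"""Added example (not from the original post): compile one user's records
scattered across several internal stores into a single portable JSON document,
and erase them everywhere on request. Stores are constructed in-memory dicts."""
import json
from datetime import datetime, timezone

# Constructed sample stores: each keyed by its own record id, with the
# data subject referenced under a different field name per system.
STORES = {
    "crm":     {"c1": {"user_id": "u1", "email": "a@example.org"},
                "c2": {"user_id": "u2", "email": "b@example.org"}},
    "orders":  {"o7": {"customer": "u1", "total": 42.0},
                "o8": {"customer": "u2", "total": 9.5}},
    "support": {"t3": {"requester": "u1", "subject": "login issue"}},
}
# Which field identifies the data subject in each store.
SUBJECT_KEY = {"crm": "user_id", "orders": "customer", "support": "requester"}


def collect(user_id, stores=STORES):
    """Gather every record belonging to user_id, grouped by store name."""
    found = {}
    for name, table in stores.items():
        key = SUBJECT_KEY[name]
        rows = [dict(r) for r in table.values() if r.get(key) == user_id]
        if rows:
            found[name] = rows
    return found


def export_portable(user_id, stores=STORES):
    """Build the machine-readable export handed to the user or sent to another
    system; JSON is used here as a common interchange format."""
    doc = {"subject": user_id,
           "exported_at": datetime.now(timezone.utc).isoformat(),
           "data": collect(user_id, stores)}
    return json.dumps(doc, indent=2, sort_keys=True)


def erase(user_id, stores=STORES):
    """Delete the user's records from every store and return a receipt of
    how many rows each store dropped, so the deletion can be evidenced."""
    receipt = {}
    for name, table in stores.items():
        key = SUBJECT_KEY[name]
        doomed = [rid for rid, r in table.items() if r.get(key) == user_id]
        for rid in doomed:
            del table[rid]
        receipt[name] = len(doomed)
    return receipt
```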
One more step toward GDPR-compliant software: leave it to the professionals
All in all, having the right person in charge of your GDPR compliance is half the battle. Namely, 92% of the companies surveyed by Ponemon Institute in the study I quoted earlier consider appointing a data protection officer (DPO) one of the most important steps when preparing for GDPR.
Source - The Race to GDPR, study by Ponemon Institute
Yet, it might be hard to find an experienced and qualified DPO to lead your GDPR compliance operation. If you lack the internal skills or are struggling to find the right person outside of your company, hiring a trusted GDPR data protection consultant can be a viable option.
GDPR is a massive change for both technology businesses and non-tech businesses. Despite the act having already come into force, it will take time for many to adapt and become compliant. But the end result -- better data handling, more privacy, protection and rights for consumers, and more stringent regulation from the EU -- will make how we handle data better in the long run.
— Alexey Chalimov, CEO, Eastern Peak