GDPR traps to avoid
As technology outgrew the controls around it and online activity became almost impossible to oversee, the time was ripe for a legal framework to govern the ever-growing databases of real people. The European Union's answer is the General Data Protection Regulation (GDPR). The effort to stop the misuse of information and protect our privacy comes with some traps of its own, and failing to comply can bring real penalties.
Watch out for these snares to make sure you are an excellent GDPR performer:
- Do not pre-tick any boxes. People have to exercise their own choice; there is no such thing as silent agreement. Consent has to be given freely, without pressure or deception, and ignoring a person's choice is a serious trap. For example, sending a newsletter to someone who never subscribed, merely offering them a chance to unsubscribe, is not GDPR compliant ("lawfulness, fairness and transparency").
- Keep separate registers for acceptance of the site's general terms and for every other consent, such as newsletter subscriptions or push notifications, each tied to the exact purpose for which data is collected ("purpose limitation"). The register must record not only which persons have agreed but also exactly when (date and time, to the minute) each consent was given or withdrawn.
- Ask for parental consent before collecting data if your website offers services aimed at children, for example video streaming. The GDPR sets the age of consent for such services at 16, though member states may lower it to as little as 13, so check the rule in each country you serve.
- The GDPR applies a rule of sufficiency: do not collect more data than you need for the specific purpose you have stated. For example, a newsletter subscription may ask for a name and e-mail address, but you do not need gender, interests, physical characteristics or anything else not directly related to sending the newsletter ("data minimisation").
- Explain clearly which kinds of information you gather in aggregated form and which you keep in non-aggregated, identifiable form, for example names, IP addresses and e-mail addresses. Be especially clear about special categories such as political opinions or religious beliefs, which the GDPR treats as sensitive and which normally require explicit consent to process.
- Describe why it is necessary to store the data and who will have access to it. You must state whether you pass the information to third parties, and if you do, you must bind them by contract to comply with all data processing requirements so that the customers' rights are protected; otherwise you may be subject to a penalty ("integrity and confidentiality").
- Give users the option to edit the information held about them. They also have the right to request that their data be "forgotten", that is, deleted. The company or organisation must ensure the personal data is accurate and up to date, having regard to the purposes for which it is processed, and correct it if it is not ("accuracy").
- Ensure transparency. It has to be clear which organisation collects the data and for how long it will be stored ("storage limitation"). Publish contact details for the person responsible for data processing (the data protection officer, where one is appointed) on the website and make it easy to reach them.
- Be specific about your role in the data processing. The GDPR divides the legal responsibilities for handling personal data into two roles. The data controller determines the purposes for which, and the means by which, personal data is processed. The data processor processes personal data only on behalf of the controller and is usually a third party external to the company. The duties of the processor towards the controller must be laid down in a contract or another legal act.
- Do not assume that the GDPR is only for big companies. It is incorrect to think that these rules are not binding because your business is small, and equally wrong to think that a company based outside the EU is unaffected. What matters is whether you process the personal data of people in the EU, for example by offering them goods or services or monitoring their behaviour; if you do, you need to comply. Two points are worth noting: the Regulation does not apply to purely personal or household activities such as private e-mail or phone contacts, and organisations with fewer than 250 employees are relieved of some record-keeping duties, though not of the core obligations.
- If there is even a small GDPR gap on your website caused by anyone in the operational chain, you will be held responsible for it, no matter whose fault it is, and the penalty you face is absolutely real. So make sure the whole process is compliant. The GDPR is watching you!
In this battle over personal data, the General Data Protection Regulation acts as a brake on the reckless gathering of information. Think of the GDPR as a way to respect users' choices, to be ethical by obtaining consent, and to acknowledge their right to be informed.
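The two mechanics above that most often go wrong in code are the consent register (separate purposes, exact timestamps for both grant and withdrawal, and "no record means no consent") and data minimisation (rejecting fields a purpose does not need). The following is an added example written for this page, not code from the article or any real product; the purposes, field names, subject identifiers and sample events are constructed for illustration.

```python
"""Consent ledger and data-minimisation filter (added example).

Assumptions (not from the article): purposes are plain strings, subjects are
opaque identifiers, and the sample events below are constructed, not real.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str        # opaque user id; keep the register itself minimal
    purpose: str        # one register per purpose ("purpose limitation")
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime        # timezone-aware UTC timestamp, minute precision or finer
    source: str         # where it was collected (form id, unsubscribe link, ...)


class ConsentLedger:
    """Append-only register: events are never edited or deleted, so the full
    history of grants and withdrawals can be produced for a subject on request."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        # Naive timestamps are ambiguous across time zones; refuse them.
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware (use UTC)")
        self._events.append(ev)

    def has_consent(self, subject: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for this subject and purpose,
        at or before `at`, is a grant. No event at all means no consent:
        silence is not agreement, and consent for one purpose does not carry
        over to another."""
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject: str) -> list[ConsentEvent]:
        """Everything recorded about one subject, e.g. for an access request."""
        return [ev for ev in self._events if ev.subject == subject]


# Which fields each purpose is allowed to collect (constructed example).
ALLOWED_FIELDS: dict[str, set[str]] = {
    "newsletter": {"name", "email"},
}


def minimise(purpose: str, submitted: dict) -> dict:
    """Enforce data minimisation: reject a submission that carries fields the
    stated purpose does not need, rather than silently storing them."""
    allowed = ALLOWED_FIELDS[purpose]
    extra = set(submitted) - allowed
    if extra:
        raise ValueError(f"fields not needed for {purpose!r}: {sorted(extra)}")
    return {k: submitted[k] for k in allowed if k in submitted}


def demo() -> dict:
    """Walk through a grant, a withdrawal and a never-consenting user."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)   # constructed
    ledger.record(ConsentEvent("u1", "newsletter", True, t0, "signup-form"))
    ledger.record(ConsentEvent("u1", "newsletter", False,
                               t0.replace(hour=18), "unsubscribe-link"))
    ledger.record(ConsentEvent("u2", "newsletter", True, t0, "signup-form"))
    return {
        "u1_now": ledger.has_consent("u1", "newsletter"),           # withdrawn
        "u1_at_noon": ledger.has_consent("u1", "newsletter",
                                         t0.replace(hour=12)),      # still valid then
        "u2_now": ledger.has_consent("u2", "newsletter"),           # granted
        "u3_never": ledger.has_consent("u3", "newsletter"),         # no record
        "u2_push": ledger.has_consent("u2", "push_notifications"),  # other purpose
        "u1_history_len": len(ledger.history("u1")),
    }


if __name__ == "__main__":
    print(demo())
    print(minimise("newsletter", {"name": "A. Example", "email": "a@example.org"}))
```

Before any send, the code path should call `has_consent` for that exact purpose; the point of the `at` parameter is that you can also answer "did we have consent at the moment that e-mail went out", which is what an auditor will ask.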