Lately, things on the Internet have gone a bit out of control.
Data breaches and unauthorized use of customer data by companies big and small have become burning concerns among the media and Internet users globally.
Fake news is flooding the Internet and increasing distrust in online media. There was a massive Facebook data breach in which the personal data of 50 million Facebook profiles was exposed in the Cambridge Analytica scandal. Unfortunate Internet security events shake the web daily, with over 3,500 data records stolen every minute as we speak.
The need for better protection of our personal data has finally become the main talk of the global village. In Europe, however, it’s been more than just a talk.
The European Union authorities have brought into effect General Data Protection Regulation (GDPR) to protect the right of every EU citizen to the privacy and security of their personal data.
This article will help you prepare your business for GDPR data protection.
You will find the information and tools to prepare, but, ultimately, it is your responsibility to adjust your business, your website, and your forms to meet the GDPR requirements.
Here, let’s start by answering these questions:
- What is GDPR?
- What does GDPR regulate? Main principles (integrity, lawfulness, limited use, data minimization, accuracy, storage limitation)
- When does GDPR go into effect?
- Who is affected by GDPR?
- Why is GDPR important?
- If you have a business, where do you start with GDPR?
What is GDPR?
General Data Protection Regulation (GDPR) is the European Union’s comprehensive new data protection law, which aims to protect the data of EU citizens on the Internet no matter where in the world their data is circulated and used.
What does GDPR regulate? Main Principles
In the light of recent events that shook the Internet, there’s been some anxiety among businesses and Internet users regarding the scale and implementation of such extensive global regulations.
In reality, GDPR’s main principles are pretty straightforward and logical. They seek to establish higher accountability of companies and their employees in handling user data.
The regulation calls for:
- Regular system and data audits
- Maintaining logs of actions performed with user data
- A record of team members who have access to user data
- Modern account authentication practices for users and anyone dealing with their data
- A person responsible for data protection and control — Data Protection Officer
- More integrity and control for EU users over their data
- Legitimate and transparent use of the collected data
- Regular data expiration (per user request or your Data Retention Policy)
- Server maintenance and checks
- Third-party app security and compliance
- Data encryption in transit and at rest
In short, GDPR gives more control to users over the data on the internet that represents them. It gives them access to their data, the right to be forgotten, and to make corrections for accuracy.
Similarly, companies will need to take on more responsibility in handling user data.
They will have to get user consent every time they collect sensitive information, and allow users to view their data and have it deleted at any time.
When does GDPR go into effect?
GDPR will take effect on May 25, 2018.
Though this may seem very soon, there’s no reason to panic yet.
Our team has taken the measures to start preparing EmailMeForm’s system infrastructure and internal processes to comply with GDPR. We are dedicated to supporting our customers in getting their businesses ready for GDPR too.
Anyone collecting EU customer data via EmailMeForm will need to apply a few rules to their forms. Learn how to make your forms GDPR compatible in this article.
As far as data safety and encryption are concerned, you don’t have to worry when you use our forms. EmailMeForm has got you covered.
Who is affected by GDPR?
Most likely anyone doing business online, because most businesses collect personal data from customers worldwide, including in Europe.
Personally Identifiable Information (PII) includes, but is not limited to:
- Social Security numbers
- Email addresses
- Phone numbers
- IP addresses
- Login IDs and usernames
- Credit card information
- Social media accounts
- Geolocation information
- Biometric and any other data that identifies a certain individual
By the GDPR definition, PII is data about a directly or indirectly identified or identifiable person:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
It makes no difference where your business is — you are liable for GDPR as long as you collect and process personal data of EU citizens.
According to Steve Durbin, managing director of the Information Security Forum (ISF), the world’s leading authority in data security and risk management:
The GDPR is putting data protection practices at the forefront of business agendas worldwide. Its scope is unmatched by any other international law, and we estimate that more than 98 percent of ISF members will be affected by its requirements because they process the personal data of EU residents, or are based in the EU.
Why is GDPR important?
GDPR is the first global initiative of this scale that stands to defend data privacy. It demands responsible and accountable handling of user data and brings order to the chaotic way data is handled on the Internet.
As companies worldwide adopt GDPR, it is estimated that these rights will expand not just to EU citizens but to all Internet users, setting a precedent in the way the world treats privacy and data protection. Most global companies have already started changing the game for all their customers.
This represents an important step in the history of humanity as we progress towards a data-driven society based on the Internet.
Hopefully, GDPR will lead to more responsible data handling in the future, making the Internet a safer place for everyone to enjoy.
If you have a business, where do you start with GDPR?
GDPR is just around the corner and you need to act now to make your team aware and your organization ready for it.
European authorities will have the power to control the execution and implementation of the law and penalize organizations for non-compliance.
The penalties for breaches of the regulation are substantial, no matter the size of your business: up to €20 million, or 4% of your global annual revenue for the previous financial year, whichever is higher.
Without further ado, here’s how to prepare your org for GDPR in 6 steps:
- Identify how much and which personal data your organisation collects
- Identify data entry points (signup, payment, subscription forms, etc.)
- Assess which of your processes are affected (marketing, sales, customer support, etc.)
- Assign a Data Protection Officer (DPO)
- Design a compliance programme
- Execute the programme
Depending on the size of your operations and your data collection practices, you might need to apply all or just a few of these steps to achieve GDPR compliance.
1. Identify how much personal data your organisation collects
Start by estimating the amount and type of personal data that you collect. Ask your team the following questions:
- How much personal data do we collect?
- What types of data?
- Where do we store the data?
- Are the servers we use certified and regularly maintained?
- Do we have encryption?
- Do we use 3rd party apps to store, process, and utilize the data?
- Are these apps GDPR compliant?
The answers will expose where your org is strong on data protection, which areas need more attention, and where your team may need to be further involved.
2. Pinpoint data entry points
You’re probably using different forms like signup, payment, and subscription forms to collect customer data.
These forms might need to be updated to explain clearly how you’re using your users’ personal data and to explicitly ask for their consent.
Here’s an example:
This is usually done by adding a few textual notes at the end of your forms with checkboxes and opt-ins for users.
Besides standard SSL encryption of form traffic, EmailMeForm offers a Mask Email option, encrypted storage, and per-field data encryption to users on our higher plans.
3. Assess which of your processes are affected
Just like most companies today, you’re using data across departments, and your processes may need to go through a few structural changes.
Review the 3rd party tools your team uses for accounting, sales, marketing, SEO, and other processes that involve data processing.
Make sure you have clear logs of the operations your team performs with the data you collect. If you’re using 3rd party tools to store and manage the data, they must provide logs and options to export and delete data at the user’s request.
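As an added example (not EmailMeForm’s code or part of the original article), the small Python consent ledger below ties together the two points above: an explicit, unchecked-by-default consent checkbox on the form (step 2) and logged, exportable, deletable records (step 3). It assumes a form submission arrives as a dict of field names to strings and that a ticked checkbox sends the value "on"; the purposes and policy version are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical consent ledger (added example, not EmailMeForm's code).
# Assumption: a form submission arrives as a dict of field -> string, and
# the consent checkboxes are rendered unchecked, sending "on" only if ticked.
POLICY_VERSION = "privacy-2018-05"            # constructed sample value
PURPOSES = ("newsletter", "order_processing")  # constructed sample purposes


@dataclass
class Ledger:
    consents: dict = field(default_factory=dict)  # email -> consent record
    audit: list = field(default_factory=list)     # log of every data action

    def _log(self, action, subject):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "subject": subject})

    def record_consent(self, form):
        """Store a submission only if the user explicitly opted in."""
        email = form.get("email", "").strip().lower()
        if not email:
            raise ValueError("email is required")
        # Missing, pre-filled or unexpected values never count as consent;
        # only the browser's checked-checkbox value "on" does, per purpose.
        granted = [p for p in PURPOSES if form.get(f"consent_{p}") == "on"]
        if not granted:
            self._log("consent_refused", email)
            return None
        rec = {"email": email, "purposes": granted,
               "policy_version": POLICY_VERSION,   # which text they agreed to
               "given_at": datetime.now(timezone.utc).isoformat()}
        self.consents[email] = rec
        self._log("consent_given", email)
        return rec

    def export(self, email):
        """Right of access: hand back a copy of everything held."""
        self._log("export", email)
        rec = self.consents.get(email)
        return dict(rec) if rec else None

    def erase(self, email):
        """Right to be forgotten: delete the record; the audit entry stays
        as evidence that the erasure was carried out."""
        existed = self.consents.pop(email, None) is not None
        self._log("erase", email)
        return existed
```

Note that the audit log deliberately keeps the fact that an erasure happened, so that a later access request can be answered with proof of deletion rather than with the deleted data.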
4. Assign a Data Protection Officer (DPO)
The DPO will be responsible for implementing the GDPR strategy and managing your internal audits.
Here’s an infographic from NetworkWorld that explains it briefly:
5. Design a compliance programme
Once you’ve got a DPO and your team is on the same page with GDPR, you’re all set to devise a compliance action plan and programme.
The action plan will help you implement GDPR for the first time. Outline the steps to take (using our guide), the timeline, and tasks for each team member or department.
The compliance programme will help you continuously stay on track with GDPR, making it easy for everyone on your team to stick to the general rules and their specific obligations.
6. Execute the programme
GDPR compliance is not a one-time thing.
From May 25 onwards every business dealing with EU customer data will need to stay compliant for the years to come. That is why it is crucial that your Compliance Programme is sustainable and easy to implement and execute on a daily basis.
If you feel like you need more guidance on the implementation of the GDPR legal framework, you can always download the Information Security Forum’s Preparing for the GDPR: Implementation Guide.
Changes are never easy, but once your organization gets used to working in a GDPR-compliant way, it will become a daily routine that no one will question or find difficult anymore.
Not to mention the positive impact that these global security measures will have on your customers and your business. Data thefts and breaches are expected to shrink significantly, promising better stability and less risk for your business.
Together we can reduce the vulnerability of personal data and ensure that every Internet user has their privacy respected and protected.