
How We Prepared for GDPR
We heard about the looming GDPR law last year. Wanting to be compliant with this personal data legislation, we got to work before the law had a chance to come into effect.

GDPR protects people in the EU, but it does not matter where your business is located: if you process the personal data of EU residents (customers, visitors, newsletter subscribers), the law applies to you. May 25th 2018 is the deadline to become compliant. What's worse, violators of GDPR can face a hefty fine of up to 20 million euros (yes, that's "million") or 4% of annual worldwide turnover, whichever is higher.

Aside from avoiding fines, EU residents are going to be keeping a close eye on potential violators. GDPR compliance also means keeping EU customers and their confidence. Being a company with a 30% EU customer base, we couldn't afford to overlook this.

Let's first go over some guidelines on what GDPR entails and how to conform. Keep in mind, as you investigate your own company, it's wise to document the process so you're 100% ready if the authorities come knocking:
1. Know what data you have on your customers and visitors
This means digging into your databases and doing an inventory of every single field and row of data you hold on people, across the whole company. This includes your own server databases, your 3rd-party app accounts, physical documents you have on file and any other form of personally identifiable information.

Anything that constitutes personally identifiable data should be written down. This includes but is not limited to:
- IP addresses
- Email addresses
- Phone numbers
- Names
- Geo-location data
- Sensitive, private personal information
- Avatars
- Addresses
2. Take measures to secure personal data
Audit where this data is stored, who has access to it and what procedures you have in place in the event of a security compromise.

You should already have the best possible security; however, now you'll possibly face scrutiny in regards to how it's implemented and the policies surrounding it.

GDPR requires you to report a personal data breach to your supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the people involved, to notify those people without undue delay. So having a way to mass mail your customer base is another process to consider.

3. Don't hold onto data without a specific purpose
Data for the sake of data is now dangerous. Unless you have a specific reason for holding on to a piece of information, shred it or delete it.

Data without purpose is a GDPR violation. Data that doesn't aid in supporting customers, isn't used in reports, and isn't needed for filing your taxes or complying with other laws makes no sense to keep. Explaining why you hold onto the data you do keep will be part of the following document:

4. Write a clearly written Fair Processing Notice
Since holding onto data without a specific purpose is grounds for a fine, you must have a Fair Processing Notice in plain view (on your website) that details what you use customer data for, who accesses it, how long you keep it and what happens in the event of a breach, the sale of your company, etc.

Keep in mind that "clearly written" is actually part of the law. No legal jargon or vague language is acceptable.

5. A process for supplying information when requested
GDPR requires that you provide a copy of all the personal data your company holds on a person when they request it (the right of access), normally within one month. Having a process in place to handle this situation quickly and accurately is key. Better yet, make it part of your digital platform so it can be sent out with one click.

6. A process for deleting data when requested
Again, if you're a software company, this should be built into your admin panel. An EU resident can request to have all of their information removed from your company's databases, and this should not be a difficult task. The one caveat is data you are legally required to retain (invoices kept for tax purposes, for example): that must stay, and your Fair Processing Notice should say so.

7. People must explicitly opt-in to your marketing (no pre-ticked checkboxes)
A refreshing part of GDPR is that services are no longer allowed to send you marketing without you explicitly opting in: consent has to be a clear, affirmative action. No more pre-ticked checkboxes. I can't imagine the number of online services that are going to be in violation of this one come May 25th.

8. Make it easy to opt out, with a policy that explains how you're not going to send them marketing in the future
Once someone opts out of your newsletter or campaign, the law requires that you have a strict policy to ensure that they don't receive future marketing, whether emails, SMS messages or physical mail, from your company.

This one is going to be a bit tough. We have to make sure our newsletter lists are maintained very well and don't have duplicate addresses, otherwise an opt-out recorded against one copy of an address can be undone by another copy of the same address. This case should also be covered in your Fair Processing Notice.

9. Let your entire team know and make sure they're on board
Your team has to be entirely on board with your GDPR-related policies and know how to execute the procedures. Send out a document with guidelines for each role on your team and how they can easily comply with GDPR without overcomplicating their lives.

What we did to make Dedupely GDPR compliant
So we got past the basic guidelines for complying with GDPR. Now I'm going to go over a few areas Dedupely needed to brush up on. Like I said, our second biggest market is in Europe and there was no way we were going to wake up on May 25th and not be prepared. Hopefully, this helps you get a feel for where to start in your own organization.

1. We did a thorough personal data assessment
We've never been sloppy with data security and it's something we built into the platform from day one. However, for the sake of disclosure, we wrote some policies and documents outlining how our company handles user data in regards to security, without compromising our security secrets.

After that, we assessed where the data was stored. This was not hard since we keep our collections pretty tight and well maintained.

2. Added a Fair Processing Notice to our Website
A Fair Processing Notice is a requirement under GDPR. You can view ours here. It has to follow some ICO guidelines.

A few tips we learned while writing ours:
- It has to be human-readable (no technical or legal-sounding jargon that only someone with a law degree could understand)
- It has to cover who controls the data, why it's asked for, how it's used and who has access to it
- Be tailored for your company
- Cover unique cases your company handles differently
- It has to include your company information and address
- It should also state the data you do not ask for and what you do not do with the data you hold
3. Sending out a newsletter to clean the list
Our Mailchimp lists were full of past customers. We decided to delete our Previous Customers list as it didn't serve any specific purpose besides marketing.

For our Member Newsletter, we decided to send out an email asking for permission once again to be in contact with them about future news and updates. This gave users a chance to opt out if they no longer wanted to be subscribed.

We also added our Fair Processing Notice to the newsletter checkbox:
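The list-cleaning step above and guideline 8 (opt-outs must stick even when a list holds duplicate addresses) both come down to the same mechanics, so here is one added example covering both. It is not Dedupely's code and does not use the Mailchimp API; it assumes a hypothetical list export shaped like the `Subscriber` records below and a separate unsubscribe (suppression) list, and the sample rows are constructed for illustration. The point it shows that the prose does not: an opt-out for `CAROL@example.com` must still block `carol@example.com`, and two copies of Alice's address (different case, stray whitespace) must collapse to one record, the most recently consented one.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Subscriber:
    """One row from a newsletter list export (hypothetical shape)."""
    email: str
    opted_in: bool                   # True only if the person ticked an unticked box
    consent_at: Optional[datetime]   # when that consent was recorded, if at all


def normalize_email(raw: str) -> str:
    """Canonical form used for matching the same person across lists.

    Trims whitespace, lower-cases the whole address and drops a trailing dot on
    the domain. Lower-casing the local part is technically lossy per RFC 5321,
    but for opt-out matching it is the safe direction: better to suppress one
    address too many than to mail someone who opted out.
    """
    addr = raw.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {raw!r}")
    local, domain = addr.split("@")
    return f"{local}@{domain.rstrip('.')}"


def build_send_list(
    subscribers: Iterable[Subscriber], suppressed: Iterable[str]
) -> Tuple[List[Subscriber], Dict[str, str]]:
    """Return (sendable subscribers, {normalized email: reason excluded}).

    Rules, in order of precedence:
      1. any address on the suppression (opt-out) list is never mailed,
         whatever its capitalisation or spacing on the subscriber list;
      2. only records with an explicit, dated opt-in are mailed;
      3. duplicates of the same address collapse to the most recent consent.
    """
    suppressed_norm = {normalize_email(e) for e in suppressed}
    chosen: Dict[str, Subscriber] = {}
    reasons: Dict[str, str] = {}

    for sub in subscribers:
        key = normalize_email(sub.email)
        if key in suppressed_norm:
            reasons[key] = "suppressed (opted out)"
            continue
        if not (sub.opted_in and sub.consent_at):
            # keep the first reason; a later valid record may still clear it
            reasons.setdefault(key, "no explicit opt-in on record")
            continue
        prev = chosen.get(key)
        if prev is None or sub.consent_at > prev.consent_at:
            chosen[key] = sub

    # an address with one bad record and one valid one is still sendable
    for key in chosen:
        reasons.pop(key, None)

    return [chosen[k] for k in sorted(chosen)], reasons


def utc_day(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data, not a real export.
SAMPLE_SUBSCRIBERS = [
    Subscriber("Alice@Example.com", True, utc_day(2018, 3, 1)),
    Subscriber(" alice@example.com ", True, utc_day(2018, 4, 10)),  # same person, re-consented
    Subscriber("bob@example.com", False, None),                     # imported, never opted in
    Subscriber("carol@example.com", True, utc_day(2018, 2, 1)),
    Subscriber("dave@example.com", True, utc_day(2018, 1, 15)),
]
SAMPLE_SUPPRESSED = ["CAROL@example.com"]  # Carol unsubscribed, address in a different case


if __name__ == "__main__":
    sendable, excluded = build_send_list(SAMPLE_SUBSCRIBERS, SAMPLE_SUPPRESSED)
    for sub in sendable:
        print("send   ", normalize_email(sub.email), sub.consent_at.date())
    for key, why in sorted(excluded.items()):
        print("exclude", key, "-", why)
```

The suppression set is built first and checked before anything else, so a suppressed address can never be rescued by a duplicate row, which is exactly the failure mode a messy list produces. Running this on the sample rows mails Alice (using her April consent) and Dave, and excludes Bob for lack of an explicit opt-in and Carol because she unsubscribed.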