9 things you can do to become GDPR compliant
The European Commission decided to apply strict regulations on data privacy. Since the inception of the internet, companies and organizations have been collecting data, including names, email addresses and IP addresses, from virtually everyone.
While the EU already had strict privacy laws in place, the GDPR is basically an update of the existing data privacy laws that takes modern databases into account. It has already been reported that the vast majority of companies will not be GDPR compliant by the date on which this is officially required.
So the law is also coming at a relatively turbulent time; think Facebook and Cambridge Analytica and the potential swaying of elections. While we don’t think the data you hold would be relevant for those kinds of purposes, it is still very important to comply with some basic requirements. So here they are:
- Make a list of all data elements that you hold on a person or business - This might seem easy, but since data is widely dispersed, it is important to make a list of all the elements (first name, last name, email, etc.) that you are holding on a person or business. It is also important to keep a list of the databases or systems that this person’s name is in. For example, let’s say you have a lead-capture pop-up on your website, similar to Chris Ducker’s website. In that case, there is a real chance that the lead is captured inside your database, but also inside a system like Mailchimp. In that case, you will need to write that down on your sheet as well. This point is where larger corporations are really at a loss, because Accounting might have data, Marketing might have data, their database systems might be spread over different locations, and yes, they still need to comply with the same law (and are under a lot more scrutiny than others).
- Ensure you have an SSL certificate - Not having an SSL certificate really hurts your SEO rankings in Google, and if your site gets hacked it really hurts your reputation. Now, changing your site from HTTP to HTTPS is not easy if you are not technical, and it depends a lot on your CMS and technology. However, it is a need-to-have, so just do it!
- Have or update your privacy statement - Now, we are techies and not lawyers, so we are not the specialists here, but bring the list you made in point 1 (you did that already, right?) to the lawyer, and that should give you a basis for the part that is variable for every one of our clients. Want recommendations on which lawyers to use? Feel free to reach out!
- Allow anyone to see a copy of their data - Okay, this might be the most difficult one, so how do you do this? Basically, you are required to provide a copy of the data that you hold. We recommend setting up Zapier with Google Sheets and connecting that to the 1-2 systems that you hold the data in, so you always have a copy. For larger corporations, this is not possible, and they will need to have staff internally to gather the information.
- Encrypt, encrypt, encrypt - This one is tough as well. Let’s say you have all personal data on a server, a NAS (network attached storage), a USB flash drive or your laptop. Now imagine that someone gets access and steals the hard drive. It’s a horror story, I know, but even the worst dreams sometimes become reality. So only use cloud services that are reliable and GDPR compliant; Amazon Web Services (AWS), for example, has a complete GDPR policy. If you are using a Mac, you can use FileVault to encrypt your data; for Windows we don’t know, and for your Synology NAS you can turn this on in the settings. This way, you are well on your way to being not only compliant with the law, you are also way smarter.
- Tell people - Well, if you checked your inbox in April or May, you might have seen 1 or 2 GDPR emails. You will need to tell people what data you store. That is a nice opportunity to get in touch with them, so take it as an advantage!
- When asked, delete - The GDPR states that when requested, you need to delete someone’s data. Might seem easy, but now think about this situation. Your organization likely has a backup, and if you are doing your backups right, at least one backup will be stored somewhere very deep in a salt mine. So how do you delete in that case? We don’t really know how to answer this, and we believe complying with the law in this case requires some significant effort. So backups really undermine the feasibility of deleting this data.
- Appoint someone to be a data manager - Well, yeah, if your company is just you, that will be you! You are responsible, but in larger corporations it is important to appoint someone.
- Don’t worry - While this law changes everything, it is very unlikely to change a lot for 99% of businesses. If you are not a corporation and you do not have a log-in for your clients, it is very unlikely to affect anything. That being said, you are responsible for the data on the drives inside your organization.