Another major requirement is obtaining the visitor's explicit consent before collecting personal data. Simply providing an option to opt out is insufficient; consent must be a clear, affirmative opt-in.
Opt-in boxes and fields that are ticked by default are not compliant, as a pre-ticked box is not an explicit opt-in. Likewise, providing neither an opt-in nor an opt-out is certainly in breach of the regulations.
In addition, visitors must be provided with appropriate mechanisms to view, obtain a copy of, rectify and delete their data, to withdraw consent (which must be as easy as giving it), and to exercise their right to erasure (the "right to be forgotten") at any time.
GDPR treats persons under 16 as children for the purpose of consenting to online services (member states may lower this threshold to no less than 13). A child cannot give valid consent on their own for their personal data to be collected, stored or processed; consent must be given or authorised by a parent or guardian.
Finally, to be able to demonstrate that explicit consent was obtained, it is strongly recommended to have a system that records who consented, to what, when and how (for example the form used and the version of the privacy notice shown), and that retains those records for as long as you rely on the consent and for any period afterwards in which you may need to demonstrate compliance. This again will require input from IT personnel.
Enhanced Awareness and Training
Awareness training of key personnel and decision makers (or just yourself) regarding the principles, individuals’ rights and primary mechanisms of GDPR is essential, to identify potential impacts and to design compliant data management systems.
Similarly, as GDPR is likely to result in changes to your business and perhaps the way you do business, procedural training may be required also.
Resultant changes may affect operating costs, though the cost is likely to scale with the size of the business or organisation.
Highly recommended is the implementation of employee and sub-contractor data confidentiality agreements to further protect personal data.
If you use third party services and sub-contractors (data processors), you need to communicate with them and reach written agreements on handling data according to GDPR, which may affect their business processes also.
It is your responsibility under GDPR to know how the data you collect and share is treated by the third parties you employ; you may only use processors that provide sufficient guarantees that they will meet the regulation's requirements.
Know Where Your Data Goes
Understanding how and where data moves within your company or organisation is vital to identifying your potential risks and exposures under GDPR. Assessing and documenting how information flows through your systems will help you comply.
Essential to this process is creating a Data Flow Map that illustrates how and from where data is collected, how it moves through the organisation, how and where it is processed, and what third parties may be involved.
This will make potential GDPR compliance issues clearer and also highlight actual and potential data security risk areas and processes.
Furthermore, GDPR requires a written contract between you and any third party that processes personal data on your behalf, so include GDPR related conditions and clauses in contracts with data processors, sub-contractors and suppliers to ensure "downstream" protection of your customers' personal data.
Demonstrate Your Integrity
Your privacy notice must explain the legal basis for data processing, how long you retain the data, that users have the right to lodge a complaint with a supervisory authority if dissatisfied with your data processes, whether their data is subject to automated decision making, with whom their data is shared, and their various rights under GDPR.
In addition you should explain and provide mechanisms for registering complaints with your organisation, and preferably with the regulator also.
Remember that transparency is the key ethos here, and if you are complying with the principles and regulations of GDPR you have nothing to hide and should be very open about your data management.
Privacy Will Generate More Business In Time
In fact, you should make a point of your commitment to privacy and sing it from the roof tops so that customers current and future will know you value their data security very highly.
Major players such as Google have commented that in the coming years online brand will be a major determining factor in search rankings and indexing.
Why? Because there is such a proliferation of websites, blogs and apps, with massive amounts of content generated every day, that it is increasingly difficult to determine what is good, valuable content and what is not.
More and more, the big players like Google look to factors that indicate the strength of your brand as a marker that your products, services and content are worthy of attention.
In the future, data privacy is going to be a major aspect of how consumers view your business. Clearly, if you have a reputation for poor data privacy and management, you are going to lose customers fast!
Remember, those who complain the most loudly about data privacy compliance are usually the ones who have the most to hide about what they do with personal data!
I know I want my data kept private and secure and it’s the primary commitment I make to my customers.
Privacy As An Ethos
Compliance with GDPR is best achieved by making data privacy a key ethos in your organisation. You owe it to your business to do so, because the security of your data processes is a large part of the overall security of your business.
Data security is a hugely important aspect of the online marketplace and continually increasing in importance. If you fail to comply with GDPR, you very likely have processes with critical data breach risk areas.
Hacking of digital assets and identifiable personal data breaches can be massively costly to any business, with potential to cripple a business depending on the severity of the breach.
GDPR requires "data protection by design and by default" (Article 25), and I recommend it as a key step in addressing all potential security risks, even those not involving personal data. If you haven't taken personal data security seriously, then for sure you are not taking your overall digital security seriously enough either.
Protect yourself from liability and secure your business by designing privacy safeguards and measures into your data processes from the very beginning. This is data protection by design.
Collect only the minimum data necessary to provide your service and functionality to customers and visitors, keep it for as short a period as possible, and restrict access to it, so that by default personal data is not accessible to unauthorised staff, processors or any other third parties without the explicit consent of the individual. This is data protection by default.
It’s Not Just Online Data
A common misconception is that GDPR applies only to personal data collected from websites. It applies to all forms of personally identifiable data collected from social media, email, correspondence, accounts, online and offline forms and applications.
Therefore, no matter what means of collection were used, all personal data of EU subjects is protected by GDPR, as the core principle is protection of data in any format.
This has potentially far reaching implications for any business, as there are technical and legal considerations in the fields of human resources, marketing, general IT and security.
An Appointed Controller
First of all, GDPR requires the appointment of a Data Protection Officer (DPO) in specific circumstances: public authorities, and organisations whose core activities involve large scale regular and systematic monitoring of individuals or large scale processing of special categories of (more sensitive) data. In such cases either a data controller or a processor may be required to appoint a DPO.
As your data collection, storage and processing are unlikely to fall into these categories, you would probably not be required to appoint a DPO.
However, as it is a requirement to provide mechanisms for users to register complaints and make other requests pertaining to their data, it is a wise step to appoint someone responsible for carrying out the procedures GDPR requires.
Therefore it is a good idea to have a responsible and suitably trained person act as your data protection lead (note that under GDPR the "controller" is the organisation itself, not an individual). If you are a solopreneur then you yourself are the obvious choice!
This person must be easily contactable for registering complaints, making data protection enquiries and communication in the event of a data breach incident.
Note, however, that IT and marketing personnel are typically not the most appropriate choice for this role, or indeed for a DPO: the nature of their work may pose a conflict of interest regarding personal data.
Providing For Individuals Rights
There are a number of rights of the individual under GDPR; the full list was explained in Part 1 of these articles.
Rights such as the right of access, right to rectification, right to erasure and right to data portability need a user friendly mechanism by which the user can exercise them.
Mechanisms must provide for communication with the data controller, and functionality for the user to view, edit, download and export their data.
Furthermore, all user requests and the subsequent proof that each request was processed should be recorded, to provide evidence of meeting your duty of care in personal data matters; requests must normally be answered within one month of receipt.
This will require alterations to websites, requiring IT personnel input, and other data streams including email, marketing (especially email marketing), social media and purchasing processes.
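As an added illustration of the record-keeping recommended in the consent section and here (this is example code, not code from the original article), the following Python sketch keeps a hash-chained log of consent and data subject request events, so that the records can serve as evidence rather than as an editable table. The class, event and field names, and the choice of a SHA-256 chain in memory rather than a database with an audit trail, are assumptions made for this example.

```python
"""Tamper-evident ledger of consent and data subject request events.

Added example, not code from the original article. The event names,
field names and the SHA-256 hash chain are assumptions made for this
illustration; a real deployment would persist records append-only
(e.g. JSON lines on write-restricted storage) and time-stamp them
from a trusted clock.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


class ConsentLedger:
    """Append-only log; each record carries the hash of its predecessor,
    so any edit, deletion or reordering of an earlier record breaks verify()."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record):
        # Hash every field except the hash itself, using a canonical encoding
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()

    def _append(self, subject_id, event, details):
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records),
            "at": datetime.now(timezone.utc).isoformat(),
            "subject": subject_id,
            "event": event,
            "details": details,
            "prev_hash": prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def record_consent(self, subject_id, purpose, policy_version, evidence):
        # evidence captures *how* consent was obtained: which form was used and
        # that the box was not pre-ticked (a pre-ticked box is not valid consent)
        return self._append(subject_id, "consent_given", {
            "purpose": purpose, "policy_version": policy_version,
            "evidence": evidence})

    def withdraw_consent(self, subject_id, purpose):
        return self._append(subject_id, "consent_withdrawn", {"purpose": purpose})

    def record_request(self, subject_id, request_type):
        # request_type: "access", "rectification", "erasure", "portability", ...
        return self._append(subject_id, "request_received", {"type": request_type})

    def record_fulfilment(self, subject_id, request_seq, outcome):
        # Links the proof of processing back to the request it answers
        return self._append(subject_id, "request_fulfilled",
                            {"request_seq": request_seq, "outcome": outcome})

    def has_consent(self, subject_id, purpose):
        """Current consent state: the latest consent event for this purpose wins."""
        state = False
        for r in self.records:
            if r["subject"] != subject_id or r["details"].get("purpose") != purpose:
                continue
            if r["event"] == "consent_given":
                state = True
            elif r["event"] == "consent_withdrawn":
                state = False
        return state

    def open_requests(self):
        """Requests with no recorded fulfilment (GDPR expects an answer within a month)."""
        done = {r["details"]["request_seq"] for r in self.records
                if r["event"] == "request_fulfilled"}
        return [r for r in self.records
                if r["event"] == "request_received" and r["seq"] not in done]

    def history(self, subject_id):
        """Evidence bundle for one person: everything recorded about them."""
        return [r for r in self.records if r["subject"] == subject_id]

    def verify(self):
        """Recompute the chain; False if any record was altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, r in enumerate(self.records):
            if r["seq"] != i or r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample events, not real data
    ledger = ConsentLedger()
    ledger.record_consent("visitor-001", "newsletter", "privacy-policy-v3",
                          {"form": "signup", "checkbox_pre_ticked": False})
    req = ledger.record_request("visitor-001", "access")
    ledger.record_fulfilment("visitor-001", req["seq"], "export sent to verified address")
    ledger.withdraw_consent("visitor-001", "newsletter")
    print("chain intact:", ledger.verify())
    print("newsletter consent now:", ledger.has_consent("visitor-001", "newsletter"))
    print(json.dumps(ledger.history("visitor-001"), indent=1))
```

Because each record embeds the hash of the one before it, verify() fails if any entry is later edited or deleted, which is what makes the log useful as evidence. The chain only helps if the store itself is append-only and write-restricted; otherwise whoever tampers with a record can simply rebuild the chain after it.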
The Dreaded Data Breach Incident
Firstly, let me explain that a personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (or a suspected one). It is not limited to theft by outsiders: a lost laptop, an email sent to the wrong recipient or ransomware that encrypts customer records are all breaches.
Where a breach is unlikely to result in a risk to individuals' rights and freedoms, notification to the regulator is not required, and individuals need only be told where the risk is high. However, every breach must still be documented internally, with its facts, effects and the remedial action taken, so that the supervisory authority can verify your assessment if it asks.
Therefore it is essential to develop data breach policies and procedures that cover monitoring for internal and external breaches, and detail appropriate responses including reporting to regulators and individuals.
Furthermore, appropriate technical and organisational security measures (encryption, access control, logging and backups, for example) should be implemented to ensure data security, and these measures audited frequently to ensure continued protection against evolving threats.
Finally, Article 33 of the EU GDPR defines the procedure for notifying a data breach to the supervisory authority as:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
and Article 34 defines notification of a data breach to an individual, or data subject, as:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
It is advisable to make this notification as quickly as possible, and certainly not more than 48 hours after detecting a possible breach, since time is required to determine the nature, content and severity of a breach and the 72 hour clock starts when you become aware of it. (Note: this is not legal advice!)
Making Sure It All Works
GDPR compliance, and data protection in general, is not a one time fix; it is a moving goalpost, not least because cyber security threats evolve daily.
It certainly is a relief to arrive at a point of compliance, whatever the scale, but the process does not end there.
As your business or organisation evolves, new aspects and processes will arise. All of these must also comply with GDPR, so new aspects and processes must incorporate data protection by design.
It may be necessary to conduct a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment) for new technology, or where a process is likely to result in a high risk to individuals' data.
Existing processes and procedures should be regularly audited for efficacy and against new cyber threats.
Furthermore, legislation is never static so your processes, policies and procedures need to be re-evaluated against changes in regulations as they evolve.
If you want to get GDPR Compliant fast and simple, contact us, we service SME’s and solopreneurs in the fields of Ecotourism, Wellness Retreats, Nature Conservation and Wellness Professionals.