It’s been less than a year since the GDPR took effect on May 25, 2018, yet in that time European Data Protection and Data Privacy Authorities have received over 95,000 complaints and over 41,500 data breach notifications.
At its peak, GDPR got three times more media coverage than Mark Zuckerberg and had more Google searches than Beyoncé and Kim Kardashian.
While GDPR has gotten (and still gets!) a lot of media attention, being on the safe side when it comes to how you handle user privacy goes beyond an obsession with GDPR. You should start by asking yourself these basic questions:
1. Are You Well-Informed When it Comes to International Data Privacy and Data Legislation?
While a lot of noise has been made about GDPR, it is important to realize that privacy legislation is a lot more than just GDPR.
Around the same time the GDPR came into effect, California signed the California Consumer Privacy Act (CCPA) — and it becomes effective on January 1, 2020. You need to be compliant with the CCPA if you’re resident in California or if you deal with data belonging to any user resident in California.
Research by TrustArc shows that only 14 percent of companies are compliant with the CCPA; among GDPR-compliant organizations the figure is just 21 percent, and among companies that are not GDPR-compliant a meager 6 percent are CCPA compliant.
There is also the Children’s Online Privacy Protection Act (COPPA), a U.S. law designed to protect the privacy of children under 13 years of age, California’s CalOPPA, Canada’s PIPEDA, and Australia’s APP, to name a few. Generally, if you deal with data belonging to users in these jurisdictions, you need to comply with these laws.
Keeping abreast of these privacy regulations might seem difficult, but most of these privacy laws generally require the following:
- That you get consent before collecting data (or that you get consent from parents before collecting data on a minor).
- That you use data only for the purposes you received consent for.
- That you make it easy for users to opt out of data collection and communicate how they can go about this.
Of course, the above bullet points are just the basics, but the point is this: don’t get carried away by the news about GDPR. If you don’t deal with users in Europe, you are not affected by the GDPR. The privacy law that matters most to you is the one that applies where your users are.
If you have users in California, you should know what the CCPA is all about. If you serve a lot of users in a particular country or region, you should keep abreast of the privacy laws operating in that country.
2. How Much Do You Know About Your User Data?
You also want to ask yourself how much you know about the user data you collect or process — this includes where the user data you collect is stored, how the data moves, who has access to the data, what kind of access they have, and what they do with that data. While this seems simple enough, it isn’t — the data business is very profitable, and many organizations will go to extra lengths to obtain
It isn’t enough to be compliant. You need to know all you can about the data you collect for security purposes as well. In an age where data breaches are a regular occurrence, with IBM estimating the cost of the average data breach at $3.9 million, it is important to know as much as you can about the data you handle.
This means you need to understand the differing roles of controller and processor in handling your data, while ensuring that the various service providers you use are compliant with all the relevant privacy laws that apply to you.
3. Do You Have a Data Deletion Policy?
Every major privacy legislation takes a stance on data deletion, and generally it is this: if you no longer need the data, if you no longer need it for the purpose you obtained consent for, or if you are unable to establish consent for data you hold (for example, because it was obtained without proper consent before the GDPR or another applicable data law took effect), then you should delete that data.
The GDPR, Canada’s PIPEDA, Colorado law, and many other major privacy laws require that you delete user data you no longer need. The FTC also generally condemns organizations when data they should have deleted suffers a breach.
Do you have a data deletion policy? If not, it might be a good idea to create one. It’s also a good idea to review the data you keep and delete data you’ve long held that you can no longer establish consent for, or that you no longer need for the purpose you obtained consent for.
4. Do You Properly Seek Consent and Communicate Your Data Policy to Users?
how you collect and handle user data, with a focus on getting consent: as simple as it seems, many organizations do not have user consent for the data they collect. Do you clearly explain the kind of data you collect and how it will be used?
Ensure that users know all the ways you gather data on them, why you are collecting this data, how you use this data, as well as the third parties involved in handling their data. More importantly, provide working contact information that allows users to reach out to you to ask questions about how their data is used or to request modification and/or deletion of their data.
5. Do You Educate Users on Their Data Privacy Rights?
It’s not enough for you to be compliant when it comes to safeguarding user privacy; you should also actively educate users about their privacy rights when dealing with you. How do you approach users’ requests to access their data? How do you handle users’ requests to modify their data? How do you handle users’ requests to have their data deleted? These are key points your users should be educated about.
6. Are Your Employees Educated About Privacy Matters?
With the implementation of laws like the GDPR, a core part of ensuring compliance involves educating your employees. Depending on how much data you handle, you might need to employ a DPO. Regardless, your employees — particularly any employee who handles user data — should be well-educated about how to handle issues related to user data: this includes how they respond to user requests for personal information, user requests for erasure of their information, the medium they use to disclose personal information (disclosing personal information over the phone should generally be discouraged), how they respond in the case of a data breach (a data breach must be reported within 72 hours of occurrence), and confidentiality when it comes to sensitive user data.