Over the last couple of posts we have written about what the GDPR is and why it’s important to be compliant. In this blog we’re going to give you some helpful hints for getting your business and data collection processes within the guidelines. We do stress, though, that unless you directly deal with clients or customers in the EU you do not have to comply with or be answerable to these rules. We do recommend adopting some of these practices so that your users have a greater understanding of how your business collects, stores and uses their data.
Audit Your Current Data Collection Processes
(And Make Sure Privacy Is Factored Into Any New Ones)
As with most things, it’s always a good idea to audit and analyse prior to rolling out any changes. As part of this, we recommend making sure that none of the data you currently have stored is from anyone in the EU. The main processes to start thinking about are:
- How are your users consenting to their data being stored?
- What are you going to use the data for?
- Where are you currently storing data? Most online businesses have a newsletter database or CRM that holds client information. The other important ones to consider are Google applications, such as Analytics. These platforms can store user information in the form of IP addresses and the like. To see more on Data Retention in Google Analytics, click here.
- How long are you going to store the data for?
- How is the data going to be deleted once it reaches that timeframe?
- How are your users being informed about all of the above?
- What is your process if or when there is a data breach?
Once you have asked these questions and made a decision with the relevant parties in your business, you can start to implement the controls.
From there, always ensure that privacy and the guidelines are taken into consideration when rolling out any new initiatives that include customer data capture and storage.
Adopt Strict Opt-In & Consent Practices
Do you have a newsletter or contact form on your website, or does it store ‘cookies’ in a user’s browser? The GDPR does not allow for passive consent – such as relying on a failure to opt out. The new legislation means that all users must specifically agree to their data being stored and used, and to what it will be used for. If you send email marketing to customers or clients in the EU, we recommend checking out this article from Active Campaign. If you use landing pages, this post from Unbounce is very useful.
Popular EDM tools like Mailchimp have developed specific GDPR-compliant forms that their users can implement. Onya, Mailchimp!
Be Prepared To Delete Data
The GDPR gives customers and citizens of the EU the right to request that their personal data be erased from businesses’ databases. This can take place once a customer withdraws their consent, where the data was obtained unlawfully after the 25th of May 2018, or where the original purpose for collecting the data is no longer in effect.
Make Sure Someone Is Responsible
If you do a lot of business with the EU, we recommend that you hire a Data Protection Officer (DPO) to make sure that your business is compliant and to handle any issues that arise. If you’re in New Zealand you can have someone in your business up-skill and become accountable as part of their job description. This way, if there is a breach or a request to delete data, it is clear who is responsible for dealing with it and for making sure appropriate actions are taken. They would also be responsible for all of the other points raised above!
Again we stress – your business only needs to comply with these rules if you offer goods or services to the EU. If you have any questions or would like some help though, please get in touch with our friendly team.