The General Data Protection Law was enforced on the 25th of May, 2018. The so-called GDPR is quite radical for many companies. Failing to comply with this regulation (that revolves around the use of data) will result in substantial fines. These four tips will help you to work with data according to the new privacy legislation – and prevent the sky-high fines.
There is a good chance that you will have to deal with this new European privacy legislation. You probably collect the data from your customers or followers, to have an idea of their needs or behavior. This makes your marketing efforts more efficient and allows you to develop additional revenue models.
If you process personal data, you will now have to comply with the new legislation from the 25th of May. Firstly, it is a question of accountability: you must demonstrate (with documents) that organizational and technical measures are being taken that comply with the new law. As a result, the processing of personal data no longer has to be reported to the Dutch Data Protection Authority. You may be required to perform a Data protection impact assessment (DPIA) and/or to appoint a data protection officer (FG). If you do neither, you risk getting a fine of up to twenty million euros or a fine that equates to four percent of the worldwide turnover (!). The tips below help you to prevent such a fine.
1: Consider data in the technical application design
Before you develop a new site or app, it makes sense to think about the implications of the GDPR. You do that, for example, by designing a data model that makes it easier to work in accordance with the GDPR guidelines. A good data model makes it easy to see how personal data ends up in the database and makes it easier to make changes to it. This also makes it easier (and therefore more anonymous) to store data.
For example, companies used to store the e-mail addresses in the same sheet as where the other information can be found. Given the new data legislation, this must be done in a more anonymous way. That is why you save that data separately. You want to organize this and any other outcome of the GDPR in an easy way. At the same time, it should also be easier for the customer or user to check what his or her data is used for. A data model makes that possible.
2: Create a data portal
The new data legislation means that it is necessary to explain to citizens what data you collect, why you do it and when you will delete it again. Investing in a technical solution that solves that problem in one go is therefore useful and advisable.
In fact, you want to relieve the consumer as much as possible. You do this by making the process of requesting the data as easy as possible. This is possible, for example through a portal in which all desired information is immediately visible. The portability of data is also an issue within the GDPR, which of course is made easier through a portal. It also offers your company tangible benefits: this means you don’t have to explain for every case what data has been collected and the user can offer control over his data. For this, it is necessary to be aware of the implications of the GDPR in time.
3: Data protection officer (FG)
From the 25th of May 2018, organizations were also required to appoint a data protection officer (FG). This applies in particular to public organizations, organizations that follow a larger number of individuals as their core activity, and organizations that store or process personal data of people as a core activity. This FG is concerned with supervising, making inventories of data processing, keeping records of data processing, handling questions and complaints from people within and outside the organization. He or she will also focus on the development of internal regulations and help prepare a code of conduct.
An FG is not only mandatory for many organizations but also offers a number of tangible benefits. Complying with legislation is not a hurdle that you only have to jump over once. An organization should always comply with legislation. That is why it is pleasant if there is someone (internally or externally) is designated to take care of it. He or she should underline the importance of the new legislation so that it is not forgotten.
4: Give something back
If you are going to process user data after the legislation, the users must explicitly give their permission. Organizations must (as soon as the new law comes into force) make clear what they will do with the data and declare that data will not be kept longer than necessary. This requires an update of your system, a new configuration of your database and also a completely new mindset.
As soon as the GDPR is enforced, consumers will become a lot more critical. Why do you, as an organization, want to use the customer’s data? Make sure that you offer clear added value if you want someone’s data, by giving something back. That could be access to content or a community, an easier login option or another benefit. Consumers will probably no longer share their data ‘just like that’. This requires the realization that you will have to do something for it.
We hope that you can get started with these four tips so that you are well prepared for the new privacy legislation. If you have any questions about the GDPR or the tips from this article, you can contact us via our contact form.