Okay, so May 25th is basically upon us. GDPR is here, and the Internet is full of not so rosy articles, such as: “No one’s ready for GDPR.”
The Information Commissioner’s Office (the UK’s enforcement agency) has openly stated that there will be no “grace period”: the law was adopted in 2016 and comes into full effect on 25 May 2018. Looked at optimistically, much of GDPR centers around the worthy idea of building a culture where privacy is front and center. Notice the word “building.” Technically I believe that is called a “gerund,” as it ends in “ing,” something my 8th grade English teacher is far better at explaining than I am. It’s certainly not a past tense verb, such as “built.” The point? Where you are in terms of GDPR compliance on May 25th will probably look much different than where you are on June 25th, July 25th, and so on.
The enforcement timeframe of the law has been called into question for a number of reasons. Two of the main ones: one side of the regulation is entirely outside an organization’s control (when and how data subjects choose to exercise their rights), and there are open questions about the regulators’ capacity to actually enforce the law.
As we near the deadline, if you haven’t taken the necessary steps to comply, it’s best not to throw your hands in the air and forget about it. Continue on the path toward compliance. Here are a few steps you need to take now:
- Anywhere you collect personal data (website cookies count; the ePrivacy rules require GDPR-standard consent for non-essential cookies), ensure you are gaining consent and providing a way to withdraw it that is as easy as giving it was (Article 7(3)). If a user declines, you may not be able to offer the parts of your service that genuinely depend on that data, but you cannot make the whole service conditional on consent to processing it does not actually need; consent extracted that way is not “freely given” (Article 7(4)).
- Ensure your written security policies are current and that reality matches the narrative.
- Respond to data subjects’ requests within the timeframes GDPR requires: generally one month from receipt, extendable by up to two further months for complex or numerous requests, provided you tell the data subject why within the first month (Article 12(3)). For access requests that means handing over a copy of the data you hold on them together with the purposes, the recipients, the source and the retention period (Article 15). You can push back only on requests that are manifestly unfounded or excessive (Article 12(5)), not on ones that are merely inconvenient.
- The timeframe for reporting a breach is short: 72 hours short. The clock starts when you become aware of the breach, and the notification goes to your supervisory authority unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk to individuals is high, the affected data subjects must be told as well, without undue delay (Article 34). Ensure your incident response capability can establish scope, affected data and likely impact fast enough to meet this, and that it records when you became aware so you can show the clock was honored.
- Ensure your grounds for lawful processing are in fact lawful. Consent is only one of the six bases in Article 6, and you need to be able to say which one applies to each thing you do with the data.
- Obtain informed consent from your users (data subjects). The key word here is “informed.” Handing them a 254-page dictionary of a legal document to review is no longer acceptable; the request has to be clearly distinguishable from other matters, intelligible and in plain language (Article 7(2)).
- When in doubt, either gain explicit consent or don’t collect the data to begin with. There is actually a provision in the GDPR (Article 11) stating that if your purposes do not require you to identify a data subject, you are not obliged to collect or keep extra information just so you can identify them for compliance purposes. This is a bit of “fun” in international regulatory speak, but it basically means you don’t have to expand your data holdings in order to come into compliance, with one catch: if a data subject supplies the information needed to identify themselves in order to exercise their rights, those rights apply again (Article 11(2)).
Building a culture of privacy will mean very different things for different organizations, but for nearly everyone there is this reality: the users of your platform get the option to change their mind about how you handle their data. They willingly accept your terms and conditions on Tuesday? They must have the option of withdrawing consent come Wednesday, and for all intents and purposes it must then look as though they were never there. In other words, you as the platform owner are responsible for making your former customer’s digital tracks disappear, subject only to the exceptions in Article 17(3), such as data you are legally obliged to retain. The seven steps above will help you do that.