
Sidekick news

GDPR: How small companies can get ready for it – and why it can’t just be ignored

21/05/18 | GDPR, Limited Company, Regulation

We’ve been working on getting ready for the EU General Data Protection Regulation (GDPR) for the past few months, and have made significant progress in advance of when the law goes into effect on May 25, 2018. We had to make some interesting decisions along the way, especially since we’re a small company. I wanted to share a few thoughts on what we learned along the way to becoming GDPR compliant, with the hope that it will help streamline the process for your business.

First, it’s important to note that this is not just another obscure privacy law that you can ignore.

Businesses that are not compliant may be sanctioned up to 4% of annual worldwide turnover or fined up to €20M (whichever is higher), per infringement. If your company processes any personal information about EU citizens, you should start paying attention.

TL;DR: When you collect data linked to a citizen of the EU, they are entitled to know what data is kept, for what purpose, and for how long. Users are entitled to access (“Right To Access”), export (“Right to Data Portability”), change, and permanently delete (“Right To Be Forgotten”) all their data from your systems (read more here). They should be able to access their data as easily as they entered it in the first place.

Changes every company will need to make to become compliant with GDPR include (but are not limited to):

  • Updates to your Privacy Policy to indicate what information you store about your customers, and how you’re using it.
  • Changes to your sign-up process to ensure explicit consent is given to collect this data (no more “by clicking on this button you agree to shenanigans”).
  • Have a process in place to respond to DSR (Data Subject Rights) requests such as exporting or deleting customer data.
  • Make sure that appropriate data security is in place to prevent unauthorized access to customer data (GDPR calls this “Data protection by design and by default”), and make these security measures abundantly explicit. This includes binding commitments on what you’ll do if a data breach occurs. In most cases this will require you to have a Data Processing Addendum (DPA) in place with your customers. (Spoiler: you might find this to be the most time-consuming and expensive part of the process.)


Privacy Policy and explicit consent

In brief, here is what the new law requires with regard to personal information:

  • Requires that consent is given or there is a good reason to process or store personal information.
  • Gives a person a right to know what information is held about them.
  • Allows a person to request that information about them is erased and that they are ‘forgotten’ — unless there is a reason not to do this, e.g. a loan account.
  • Makes sure that personal information is properly protected. New systems must have protection designed into them (“Privacy by Design”). Access to data is strictly controlled and only given when required (“Privacy by Default”).
  • If data is lost, stolen or accessed without authority, the authorities must be notified, and the people whose data has been accessed may need to be notified as well.
  • Data cannot be used for anything other than the reason given at the time of collection.
  • Data is securely deleted after it is no longer needed.

This will most likely result in two fairly major changes for most companies.

Privacy policy

First, you will need to adapt your Privacy Policy to explicitly indicate what data you collect about users, what you use it for, and who is allowed to access it. You also need to indicate how the data is secured, and what the process will be if a breach happens.

I want to stress this again: you will need a lawyer for this part. There is no way you can just wing these changes. The penalties for getting it wrong (or providing misinformation) are huge.

Explicit consent

Going forward, you will have to get explicit agreement to your Terms of Service and Privacy Policy from customers. To be more specific and way more wonky… You will need to:

  • Place an unchecked check box next to the call-out line regarding the Terms of Use and Privacy Policy. Customers will need to check this box before they sign up for an account. Companies (including us) have been using just a button without an explicit checkbox.
  • Have each of “Terms of Use” and “Privacy Policy” be a hyperlink to the relevant page. Make sure the relevant page opens up in readable format and can be saved / downloaded if the customer wants.
  • Put the “Register” button right underneath the call-out line so that it is not possible to miss.
  • Retain the following information in connection with each click-through so you can prove you acquired consent properly: who consented, when they consented, what they were told at the time (terms and policies they agreed to), how they consented, and whether they have withdrawn consent (and if so, when).


Data Subject Rights

Data Subject Rights (DSR) is a big topic in GDPR, but for most SaaS apps it will be related to two main things: the right to be forgotten (delete) and the right of data portability (export). For delete requests, all personal data must be deleted within thirty days of receipt of the request. For export requests, customers require all personal information that is held for more than forty-eight hours to be easily accessible upon request.

GDPR law states that DSR requests have to be fulfilled within 30 days of the request being received. So we are committing to our customers that we will respond to their DSR requests without undue delay, thus enabling them to respond to their customers who have made this request within the 30 days required by GDPR. That should give our customers plenty of time to respond to their customers if/when they receive such requests.

Whatever way you choose to go, this is another important aspect to think through for GDPR.
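
As an added example (my own, not Sidekick's code) of the consent record the sign-up bullets above ask you to retain, and of the export and delete requests this section describes, here is a small Python ledger; subject ids, version labels and method names such as "signup-checkbox" are assumed placeholders.

```python
from dataclasses import dataclass, asdict
from datetime import datetime
import hashlib
import json


@dataclass
class ConsentEvent:
    subject_id: str     # who consented
    at: datetime        # when (store UTC)
    action: str         # "granted" or "withdrawn"
    method: str         # how, e.g. "signup-checkbox" (assumed label)
    terms_version: str  # what they were told: the version label shown...
    terms_digest: str   # ...and SHA-256 of the exact policy text they saw


class ConsentLedger:
    # Append-only: a withdrawal is a new event; earlier events are never edited.
    def __init__(self):
        self.events = []

    def grant(self, subject_id, version, terms_text, method, at):
        shown = hashlib.sha256(terms_text.encode("utf-8")).hexdigest()
        self.events.append(ConsentEvent(subject_id, at, "granted", method, version, shown))

    def withdraw(self, subject_id, method, at):
        last = self.latest(subject_id, at)
        if last is None:
            raise ValueError("no consent on record to withdraw")
        self.events.append(ConsentEvent(subject_id, at, "withdrawn", method,
                                        last.terms_version, last.terms_digest))

    def latest(self, subject_id, as_of):
        # Most recent event at or before as_of; ties resolve to the last appended.
        hits = [e for e in self.events if e.subject_id == subject_id and e.at <= as_of]
        return sorted(hits, key=lambda e: e.at)[-1] if hits else None

    def has_consent(self, subject_id, as_of):
        last = self.latest(subject_id, as_of)
        return last is not None and last.action == "granted"

    def export(self, subject_id):  # Right to Data Portability: everything held, as JSON
        rows = [asdict(e) for e in self.events if e.subject_id == subject_id]
        return json.dumps(rows, default=str, indent=2)

    def erase(self, subject_id):  # Right To Be Forgotten: returns rows removed
        kept = [e for e in self.events if e.subject_id != subject_id]
        removed, self.events = len(self.events) - len(kept), kept
        return removed
```

Storing the digest of the policy text alongside the version label lets you later prove exactly what wording a customer agreed to, even after the policy has been revised.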


We’re in this together

This appears to be every company trying to get ready for GDPR right now:

[Image: confused dog]

It’s true that we’re all stumbling around a little bit. But it’s also great to see so many companies take this law seriously — as they should. My sincere hope is that this post contributes a little bit to the discussion, and helps some of you figure out what you need to do to prepare for this law to go into effect.

admin
