For many organizations, the ticking of the countdown clock for General Data Protection Regulation (GDPR) compliance is growing louder as the May 25th deadline approaches. While many of the world’s largest brands have made huge strides toward compliance, most businesses still have significant progress to make. In fact, a recent survey shows that up to 60 percent of companies will likely miss the deadline.
Unfortunately, the consequences of this could be catastrophic: fines up to €20 million or 4 percent of a business’ global annual revenue, whichever is greater.
At Trellist, we’re recommending that organizations start their compliance efforts by creating a data privacy team led by a data privacy officer (DPO) to oversee GDPR activities and raise awareness; if you do not already have this in place, do it fast. The DPO should review the security and privacy processes currently in place and, where applicable, revise contracts with third parties and customers to meet the requirements of the GDPR. They should also focus on these eight key areas of compliance that affect web properties.
The Eight Areas of GDPR Compliance for Your Website
The first steps of a complex journey are sometimes the most difficult, and GDPR compliance is no different. Follow these guidelines to help your business fulfill all the requirements:
- Step 1: Active Consent. Provide a website overlay that ‘follows’ the user on every page of the website until accepted. Provide a way to give active consent on the overlay and keep that consent record for 45 days to 1 year; when the consent expires, the overlay should appear again.
- Step 2: Clear Cookie Language. Provide a link to a cookie policy written in user-friendly language. Develop a separate cookie policy page, since the privacy policy could contain legalese. Explain the types of non-essential cookies that you use for ads and tracking, how you use that information, and whether that information is shared with third parties.
- Step 3: Refine Your Data Collection Process. Identify the Personally Identifiable Information (PII)/Personal Data that is being collected and analyze how this information is being processed, stored, retained, and deleted. You will also need to assess the processes of the third-party vendors to whom you disclose data.
- Step 4: Provide an Easy Way to Opt Out. The opt-out process should be simple for users. You can streamline their ability to opt out from non-essential cookies by categorizing types of cookies and providing an opt-in/opt-out mechanism for each.
- Step 5: Meet User Requests for Information and Changes. Establish procedures to respond to users when they exercise their rights to request information. Provide a clear way for users to contact you to request information collected, a mechanism for users to provide changes to their information, and have an internal process to correct their information in all locations.
- Step 6: Communicate a Data Breach. Consider a Dark Site for crisis communication in the event of a data breach; you can make the Dark Site live if and when needed. If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals,” the public must be notified within 72 hours of becoming aware of the breach.
- Step 7: Communicate Changes. Consider proactive communication to customers to explain how your company is addressing privacy. This can be as simple as emailing customers to explain the new changes.
- Step 8: Require Parental Consent for Children's Websites. Any website or industry that could cater to children under 16 years old will need to have child-friendly language and require parental consent. If you do not cater to children, you may need to adjust your privacy policy to move your age of consent from 13 (as afforded under the U.S. Children’s Online Privacy Protection Act (COPPA)) to 16 under GDPR.
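Steps 1 and 4 describe a consent mechanism that a website has to implement in code: a stored consent record that expires (so the overlay reappears), essential cookies that never need consent, and non-essential categories that are opt-in one by one and can be withdrawn. The following JavaScript is an added example and is not Trellist's code or part of the original article. The storage key `gdpr_consent`, the categories `analytics` and `advertising`, the default 180-day lifetime and the function names are all assumptions chosen for illustration; the storage object is injected so the logic runs outside a browser, and in a real page it would be backed by a cookie or `localStorage`.

```javascript
// Added example (not from the original article): consent record for a cookie
// overlay. Essential cookies are always allowed; non-essential categories are
// opt-in per category and the record expires, so the overlay is shown again
// once the lifetime (bounded by Step 1's 45 days to 1 year) has passed.

const CONSENT_KEY = "gdpr_consent";                  // assumed storage key
const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_TTL_DAYS = 45;                             // bounds quoted in Step 1
const MAX_TTL_DAYS = 365;
const NON_ESSENTIAL = ["analytics", "advertising"];  // assumed category names

// Build a record from the user's per-category choices. Any category the user
// did not explicitly tick is treated as refused (no pre-ticked consent).
function buildConsentRecord(choices, now, ttlDays = 180) {
  if (ttlDays < MIN_TTL_DAYS || ttlDays > MAX_TTL_DAYS) {
    throw new RangeError(`ttlDays must be between ${MIN_TTL_DAYS} and ${MAX_TTL_DAYS}`);
  }
  const granted = {};
  for (const cat of NON_ESSENTIAL) granted[cat] = choices[cat] === true;
  return { version: 1, grantedAt: now, expiresAt: now + ttlDays * DAY_MS, granted };
}

function saveConsent(storage, record) {
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
}

// Return the stored record, or null when it is missing, malformed or expired.
// A malformed record is treated exactly like no record: the user is asked again.
function loadConsent(storage, now) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw == null) return null;
  let record;
  try { record = JSON.parse(raw); } catch { return null; }
  if (!record || record.version !== 1 || typeof record.expiresAt !== "number") return null;
  if (!record.granted || typeof record.granted !== "object") return null;
  if (now >= record.expiresAt) return null;           // expired: consent must be renewed
  return record;
}

// Step 1: the overlay follows the user on every page until a valid record exists.
function shouldShowOverlay(storage, now) {
  return loadConsent(storage, now) === null;
}

// Gate for loading a tag or setting a cookie: essential needs no consent,
// everything else needs an explicit, unexpired grant for that category.
function isCategoryAllowed(storage, category, now) {
  if (category === "essential") return true;
  const record = loadConsent(storage, now);
  return record !== null && record.granted[category] === true;
}

// Step 4: a one-click opt-out that withdraws every non-essential category
// while keeping the record, so the user is not nagged by the overlay again.
function optOutAll(storage, now) {
  const record = loadConsent(storage, now);
  if (record === null) return;
  for (const cat of NON_ESSENTIAL) record.granted[cat] = false;
  saveConsent(storage, record);
}

// In-memory stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Demo with a constructed choice set: analytics accepted, advertising refused.
const demoStorage = memoryStorage();
const demoNow = Date.now();
saveConsent(demoStorage, buildConsentRecord({ analytics: true, advertising: false }, demoNow, 180));
console.log("overlay needed:", shouldShowOverlay(demoStorage, demoNow));
console.log("analytics allowed:", isCategoryAllowed(demoStorage, "analytics", demoNow));
console.log("advertising allowed:", isCategoryAllowed(demoStorage, "advertising", demoNow));
```

The design choice worth noting is that every failure mode of the stored record (absent, expired, unparseable, wrong version) collapses to "no consent", so a non-essential tag is only ever loaded on the strength of an explicit, in-date grant; a page should call `isCategoryAllowed` before injecting each analytics or advertising script rather than loading them unconditionally and merely hiding the banner.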
We’ve helped organizations large and small with their GDPR compliance roadmap. Let us help you figure out your next steps: enterprisetechnology@trellist.com.
Disclaimer: Trellist does not legally represent our clients and we are not providing legal advice. The information conveyed through these recommendations is not intended to give legal advice, but instead communicate information to help you understand the basics of the topic.