GDPR compliance for the latecomers
I have involuntarily spent time over the past few months getting several companies to a decent level of compliance.
This article is a product of my thoughts during and after that process. It includes a list of steps you should take in order to reach an acceptable level of compliance.
This doesn't have to be just time and money spent; it can actually be turned into a competitive advantage for your company.
On a quest for GDPR compliance
GDPR, or the General Data Protection Regulation, is one of the most trending topics these days. Especially in Europe, where most companies are working hard to reach at least some level of compliance before the 25th of May 2018.
So, is it really that complicated?
The answer varies, depending on the size of your business. For the majority, the new regulations do not have to be that big of a deal. It could even be an advantage.
GDPR is, in short, a shift in ownership of the personal data that is collected when a private person interacts with a company. Keep in mind that this only applies in a B2C relationship, so you don't have to worry about GDPR for your personal emails or your personal blog.
An opinionated note on the new law
Some business owners look at the new regulation with annoyance and despair, because it will demand a lot of resources but will not contribute to the company's income or further development.
But this is a necessary step to take, since the current management and distribution of personal data is like the Wild West. It is crazy how badly a private person’s data is protected.
Some companies are created with a business plan that depends on selling personal data to advertisers.
Enforcing a law that brings control back to the users sets requirements for how companies handle and process this data and, more importantly, who has access to it.
We have seen some moves towards less data chaos: browsers blocking 3rd party cookies, and extensions like ad blockers that simply block the advert noise.
But this is still not enough.
Every time you voluntarily use a service, you lose control of the data you trust the company with. They can distribute it to their partners or sell it online for revenue.
Depending on the level of sensitivity of the data, it can become a problem.
With that in mind, some services also need the data in order to present their service in the best way. Of course the plan is to sell more products, but presenting relevant products to a user should be considered a service.
So there is a fine line between a service and intrusive advertising.
How to reach a decent level of compliance?
Let’s start with a short overview of the road to compliance.
Go through the following steps and make sure you check whether there are any special regulations in your country. The European Union made the general regulation, but each country has the option to tweak some of the rules a bit.
It varies, for instance, what age separates a child from a grown-up. In some countries it's 14, in others 15 or 16 years old.
Throughout this article I'll use a small business as a worked example: a webshop with a Shopify installation, an email system and an accounting system.
Small businesses vs large corporations
I see a lot of posts where small business owners are worried about GDPR. It is usually private people who run a small webshop and are the only employee.
In a situation like this, you should still reach for GDPR compliance, but keep in mind that an acceptable compliance level is not hard to reach.
These laws are not made to make life harder for entrepreneurs or to stop innovation.
So unless your business lives off selling people's data, consider the following steps and avoid storing data you do not use.
Bigger companies have the option to either hire consultants to do the job or put together a team who will get it done. It usually requires some training, but that is not wasted, since GDPR isn't a one-time thing that just needs to be done by the 25th of May.
It will be something we have to consider in the future, each time we deal with personal data and/or new products/services.
System overview
First of all, it makes sense to list all the systems you are using. Split them in two: those that contain personal data and those that don't.
Now you will have an overview of where to focus your energy.
A list of personal data systems could look something like this:
- Mailchimp
- Wordpress
- Shopify
- Google analytics
Identify personal data
With the list of systems that contain personal data, list what data is collected and what it is used for. Go through the list and ask yourself: is it really needed? If not, delete it.
Do you use it? If no, delete it.
Some would argue that they might want to use this data at some point. This is not good enough. If you are not using it when you collect it, then you are not allowed to store it. Not even for future use.
An example could be your shop. Usually there is an option to create a user, where some data is collected. The data could be:
- Email
- Name
- Address
- IP
- Orders
This is personal data and needs to be handled with care. So list what data is collected in each system and what it is used for, in order to inform your users about it. Usually this goes in the privacy policy, which you must publish on your site.
More about this later.
It is important to not only list what data you store and what it is used for, you must have a good reason for storing it. A good reason for storing an email address is that once a user makes a purchase, their receipt is sent to that email. It makes sense and is a valid reason.
Personal data that you can't come up with a good reason to store, or that you are not using, should be deleted. At least that's my recommendation in order to reach compliance.
A lot of services are automatically set up to store users' IP addresses.
Is this really needed?
For a shop it might be: in cases of fraud, where you have to document who placed the order, an IP address is a good thing to have.
But ask yourself: is tracking the user's IP address in Google Analytics something you need?
It will affect the geo-location data, but on the other hand, by removing it you can cross Google Analytics off your list above, since it won't contain personal data anymore.
You can do this by adding the anonymizeIp setting to your tracking script, before the first pageview is sent:
ga('set', 'anonymizeIp', true);
One thing to consider: Google tracks page URLs, so if an email address is passed as a URL parameter, it will get picked up by Google Analytics, which will then contain personal data.
Keep in mind that GA collects all sorts of data, which might not be personal data at first, but as soon as it is correlated with Google's other data, they might be able to identify users, and it thereby becomes personal data.
What options do we have? There are lots of other services similar to Google Analytics.
You can be compliant with Google Analytics on your site, but if you are handling very sensitive information, I would consider removing it or finding another way to track interactions with your site.
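As an added example (not code from the original article), here is how the anonymizeIp setting and the URL-parameter problem above fit together in one tracking setup. It assumes the analytics.js ga() command queue; the recorder standing in for ga(), the sample URL and the tracking id are constructed placeholders, and only query-string values are scrubbed.

```javascript
// Added example, not from the original article: keep Google Analytics free
// of personal data by anonymising the IP and scrubbing email addresses out
// of the page URL before the pageview is sent. Assumes the analytics.js
// `ga()` command queue; a recorder standing in for it is constructed below
// so the code runs offline. Only query-string values are scrubbed here.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Replace any query-string value that looks like an email address with a
// fixed marker, so the page path sent to GA never carries an address.
// Returns path + query (what GA stores as the page), never the host.
function scrubPersonalData(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (EMAIL_RE.test(value)) {
      url.searchParams.set(key, 'redacted');
    }
  }
  return url.pathname + url.search;
}

// Configure the tracker as the article recommends. anonymizeIp must be
// set before the first hit is sent, or that hit still carries the full IP.
function configureTracker(ga, trackingId, rawUrl) {
  ga('create', trackingId, 'auto');
  ga('set', 'anonymizeIp', true); // Google truncates the IP before storing it
  ga('set', 'page', scrubPersonalData(rawUrl));
  ga('send', 'pageview');
}

// Constructed stand-in for the ga() command queue: records each command
// so the order and arguments can be inspected.
function makeRecorder() {
  const calls = [];
  const ga = (...args) => { calls.push(args); };
  ga.calls = calls;
  return ga;
}

// Usage on a constructed order-confirmation URL carrying an email address.
// 'UA-XXXXXXX-1' is a placeholder tracking id, not a real property.
const recorder = makeRecorder();
configureTracker(recorder, 'UA-XXXXXXX-1',
  'https://shop.example/confirm?order=42&email=jane%40example.com');
console.log(recorder.calls); // page is '/confirm?order=42&email=redacted'
```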
Direct marketing and marketing consent
Direct marketing requires a marketing consent.
So what is direct marketing?
It is when you push marketing to a user. It could be an email, a text message or a web/app push message.
If you already do that or are about to do it, you need a marketing consent from the users.
This is a legal document and you can find a template by doing a Google search. Remember to find a template that suits the regulations from your country.
The typical solution I've seen so far is a checkbox the user has to tick before subscribing to a newsletter. The checkbox confirms that the user is informed about the marketing consent they are giving.
So you have to keep track of two things:
- Do you have a permission to send the user mails?
- Do you have a marketing consent to send the user mails?
The marketing consent is not required for transactional emails, like order confirmations etc.
Also, the list of permissions you currently have is still valid, so there is no reason to delete it. You could send those users an email and ask for their consent, but it is not required by law, since the permission was obtained before GDPR. As long as it fulfilled the law at the time it was collected, you can keep them on the list.
Users do have the option to withdraw their consent. So you must be able to remove them, and also document when you obtained their consent.
Most systems support a confirmation process (double opt-in), where the user has to accept through a link sent to their email before they are subscribed.
Privacy policy
The privacy policy is another legal document. By now I am sure you have received quite a few mails from services/companies you have used or are using, where they explain that they updated their privacy policy.
By reading some of them you will quickly see the pattern, and again you can find a template online. You just need to fill in the details about your company.
Such details could be what data you save, why you save it and what you use it for.
A few important notes regarding the privacy policy:
- It should be easy to find on your website
- It should be written in a clear and understandable language
- It should link to or explain how to enforce the right to be forgotten / right to data portability.
There is another twist when you store personal data: you are responsible for keeping the data up to date. That is of course not an easy task, but one solution could be to delete all user data for users you haven't interacted with for 2 years.
You could also set up an automated process that emails them, saying that you haven't heard from them and their account is about to be deleted. That gives them the option to keep their account if they want.
Right to be forgotten
With GDPR and the fact that users own their own data, another feature is born.
The right to be forgotten deals with users who want their data deleted. They can contact a company and request deletion or insight into their data.
Furthermore they can also request extraction of the data, covered by the law about data portability.
In this case you are obligated to extract it from your service and send it to the user in a secure way. There are a few requirements regarding the format of the data. For the right to insight, the data should be exported (or made visible) in a human-readable format. I have seen a few examples of simple tables in a PDF or txt file, or even just visible on the user's profile page.
When a user wants their data extracted, there are no requirements regarding readability, but I have seen a lot of examples where it is exported as a CSV file, because the user might want to load the data into another service or system.
Remember to make sure that the request comes from the actual user, so you don’t send personal data to the wrong person. Also, consider a good and secure way to send this data to the subject.
If a 3rd party processes the personal data on behalf of your company, the user is also able to request this to stop.
From the time you receive a request like one of those above, you have 4 weeks to fulfil it. And remember, you have to document that you did it.
The process itself should also be documented.
So, what to do?
I am sure there is a service somewhere on the internet that does exactly this.
Either use that, or build your own.
It is pretty simple: direct the users to a form where they can fill out their request.
The purpose of the form is to document both the request and the response.
If a user is asking to get their data deleted, it should be executed no later than 4 weeks after the request.
Most systems support this already and if not, you will either have to develop that functionality or do it manually.
For our webshop, we would look for GDPR functionality in WordPress (a plugin), Shopify and Mailchimp. They are all major companies and have developed solutions for this by now.
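As an added illustration of the request handling described above (not the article's own code, nor any plugin's), here is a small request log with the 4-week deadline, an identity check before anything is sent or deleted, and both export formats. Function names, record fields and the sample customer are assumptions.

```javascript
// Added example, not from the original article: a minimal log for data
// subject requests (insight, portability, erasure) with the 4-week deadline,
// an identity check before anything is sent or deleted, and the two export
// formats the article mentions. Names and the sample record are assumptions.

const DEADLINE_DAYS = 28; // 4 weeks from the day the request is received

// Constructed sample customer record, as a webshop might store it.
const SAMPLE_CUSTOMER = {
  email: 'jane@example.com', name: 'Jane Doe', ip: '203.0.113.7',
  address: '1 Example St, Copenhagen', orders: ['#1001', '#1042'],
};

// Record the request and compute its deadline the moment it arrives.
function createRequest(type, subjectEmail, receivedAt) {
  const received = new Date(receivedAt);
  const deadline = new Date(received);
  deadline.setUTCDate(deadline.getUTCDate() + DEADLINE_DAYS);
  return {
    type, subjectEmail, receivedAt: received.toISOString(),
    deadline: deadline.toISOString(),
    identityVerified: false, // set only after the requester is confirmed
    fulfilledAt: null, log: [], // log documents what was done and when
  };
}

function isOverdue(request, now) {
  return request.fulfilledAt === null && new Date(now) > new Date(request.deadline);
}

// Human-readable export for the right to insight: one "field: value" per line.
function exportReadable(record) {
  return Object.entries(record)
    .map(([k, v]) => `${k}: ${Array.isArray(v) ? v.join('; ') : v}`)
    .join('\n');
}

// CSV export for portability. Fields containing commas, quotes or newlines
// are quoted so an address like "1 Example St, Copenhagen" stays one field.
function csvEscape(value) {
  const s = Array.isArray(value) ? value.join('; ') : String(value);
  return /[",\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function exportCsv(record) {
  const keys = Object.keys(record);
  return `${keys.join(',')}\n${keys.map((k) => csvEscape(record[k])).join(',')}\n`;
}

// Fulfil a request against a Map of customer records keyed by email:
// refuse until identity is verified, act, and write the documentation entry.
function fulfil(request, store, now) {
  if (!request.identityVerified) {
    throw new Error('identity of the requester not verified; refusing');
  }
  const record = store.get(request.subjectEmail);
  let output;
  if (request.type === 'erasure') {
    store.delete(request.subjectEmail);
    output = `deleted ${request.subjectEmail}`;
  } else if (request.type === 'portability') {
    output = exportCsv(record);
  } else {
    output = exportReadable(record);
  }
  request.fulfilledAt = new Date(now).toISOString();
  request.log.push(`${request.fulfilledAt} fulfilled ${request.type} request`);
  return output;
}
```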
Data processing agreements
This is another important GDPR step. The data processing agreements are contracts that you will have to sign together with the companies/services you use.
The contract basically puts the responsibility for the data in the hands of the data processor.
It should list what data is shared with the 3rd party and how they handle it. Furthermore there are options to add yearly checks of their systems, in order to make sure they follow the contract.
This is another legal document that you need to find a template for.
Make sure you read it thoroughly, even though it can be tedious. It's important to have a complete understanding of the contract before you sign it.
In our example we would have to get a data processing agreement with:
- Mailchimp (They actually already support it: https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation)
- Hosting company
- Shopify? Unless no data is shared with a 3rd party and the shop is hosted at the hosting company.
- Google Analytics. This one is hard, since Google can't make contracts with everyone. You can either agree to their terms or use another service. There are lots of similar services. Also, a simple Google search will reveal the fastest way to GDPR compliance with Google Analytics.
Shopify? Well, Shopify is a huge company, so naturally they have taken steps towards helping their clients reach GDPR compliance. You can read more here: https://help.shopify.com/manual/your-account/GDPR
Does Google Analytics really contain personal data?
Yes. The users' IPs are tracked, and if an email address is sent through the URL parameters, Google is also able to pick that up. More importantly, the data you share with Google, combined with their other data, turns into personal data.
Are you using any other systems? Do a Google search on <system name> GDPR and you will find your answer.
One important thing to keep in mind: if the service is free, user data is the product. Figure out what the product is before you build your business around a certain service or free product.
And use GDPR to purge systems or services that you do not need.
3rd party cookies
This is one of the harder tasks in the GDPR compliance.
There are 3 types of cookies:
- Session cookies -> These cookies only exist within the session. They could be keeping a user logged in or adding products to the cart. They are removed after you close the browser, but stay there as long as you are on the site.
- Permanent cookies -> Permanent cookies are not removed after you close the browser. They are there to help you remember login credentials and so on. Usually they are deleted after 6 months.
- 3rd party cookies -> These are the ones we should focus on. They are called 3rd party cookies because they come from a 3rd party vendor. This means they do not come from the operator of the website you visit.
It could be everything from a Facebook pixel that tracks data, to an RTB advertiser who serves advertising on the website.
If you are not using 3rd party cookies, you can skip this part.
For a long time I thought all 3rd party cookies would be banned or illegal. Since there is not 100% clarity on this, it is a matter you should follow closely.
The issue with the 3rd party cookies is that data is sent to (in most cases) advertisers in order to target and re-target users with relevant campaigns. Before GDPR the users’ only option to prevent this from happening would be to install ad-blocker extensions in their browser.
After GDPR, the website is actually obligated to inform its users of what data is shared with a 3rd party and what it is used for.
Is this possible? Well, in some cases, but for RTB advertising it seems impossible. Of course the website could have a data processing agreement with the network that serves the advertising, but currently the data distribution is all over the place and not monitored in a way that benefits the users.
One option for dealing with 3rd party cookies is to use a service like Cookiebot: https://www.cookiebot.com/
This service adds a pop-up on your site, where users can check/uncheck the different cookies and read more about them.
Some cookies are needed for the website to work, so they cannot be ticked off, but it is possible for the user to block the 3rd party cookies on the website.
How to handle a breach?
Another part of the GDPR is how to handle a data breach.
A breach is if some personal data is somehow leaked.
It could happen in a few different ways:
- An email containing personal information is sent to the wrong recipient
- Personal information is displayed on a monitor and is ??
- It can even be printed-out data that is viewed, stolen or copied.
As you can sense it is a bit complicated.
This is part of GDPR because if you, as a company, experience a security breach or data leak, then, depending on the sensitivity of the data, you have to inform the data subject(s) and/or the authorities.
I am not sure how you are able to discover if there is a breach. Some are obvious, but a lot will happen without you knowing about it.
Here is what you can do, though:
You do not have to list all scenarios where and how data could be compromised. You should rather make a process for how to handle a breach.
First things first:
- Ask yourself: what data are we talking about?
- Is it sensitive?
- Who received it? -> Is this a problem?
- Will it actually damage anything?
In the majority of the known incidents, you will ask the receiver to delete the data.
Depending on the situation, you can inform the data-subject.
You have to inform the authorities when very sensitive data is leaked. It could be a patient record or something similar, which is considered very sensitive.
If this happens, you should get help, unless you are a big company with legal people as part of the team.
A big part of this task is simply to write down what you will do: a step-by-step guide, maybe even with a few use cases.
Then you can at least document that you have some kind of action plan.
Who can help me?
This might be a bit controversial, but you basically have two options:
1. Do it yourself.
2. Get a company to do it.
You should avoid package-solutions though. I haven’t seen any of those “100 dollar for GDPR compliance”-packages that are worth the money.
If you are running a WordPress site, then you can use a GDPR compliance plugin, which will take care of some of the tasks. Remember to cross-check that everything is covered, and keep in mind that external systems will not be covered just by installing a plugin.
If you are at a big company, you could put together a team, usually featuring a law person, an IT person and possibly someone to do project management. Depending on the size and complexity, you can add more, of course. In most cases they have it sorted already.
If you run your own small business, then I would recommend doing it yourself. It might seem complicated and hard to understand, but it does not have to be.
You can even turn it into an advantage with just a little extra effort.
Follow the steps above, search for GDPR compliance within the systems you already use and look at it as a clean-up or optimisation process.
Can this be an advantage?
Yes! It can be turned into an advantage, and you should approach the tasks with that mindset!
As I've seen pointed out during a presentation, this procedure is very similar to what you would go through if you wanted to level up your business and move towards a more data-driven approach.
Using the GDPR regulations to get closer to your data and cleaning up your systems will help you get a more narrow focus, which is one of the key steps to take if you want to become more data-driven.
That could mean a data-driven decision-making process, but also automated flows, personalisation and recommended products.
With a smaller data-set you can narrow your focus to only analyse the most important parts of your business.
With this focus, you are also only spending energy on the most important data.
Often what happens when companies start using big data or BI, is that they don’t have a clear plan or goal and they drown in data.
They fail at keeping this narrow focus.
It is way easier to start from a narrow data point and use that as a stepping stone towards a more detailed analysis with a more advanced data set.
What usually happens is that initial analyses reveal some patterns or insights that are very valuable and can be used to understand where to go from here.
Taking small steps and reviewing continuously makes it easier to deal with, and usually gives analyses of higher quality as well.
Final words
When it comes to data and GDPR, these regulations are a natural part of the development. It is a bit late, but better late than never.
Most of what's written about GDPR focuses on the negative side of the work that follows and lists the actions that need to be taken in order to reach compliance.
I urge you to try to use it to your advantage. Both as a consumer and as an entrepreneur.
There is no way around it, this law is here to stay and we might as well adapt.
With that said, not all the data collecting stuff is a bad thing. Often you would like to get relevant suggestions and all that. I actually think the internet would be an unbearable place without this. The question you should ask yourself is; does this put the user in focus? And does it benefit the user?
Or does this benefit the advertiser/product?
It is essential to know and understand the difference.
When Netflix suggests movies or series based on what you have watched earlier, it is very visible. That makes it transparent and understandable.
But I am guessing that pregnant women don’t understand why their mailbox is flooded by baby-stuff as soon as they start to think of getting a baby.
GDPR is not about making it illegal to use data, or stopping data innovation. It is rather about control of the personal data that is all over the internet, in what seems like an unmanaged chaos of user segments based on personal preferences that people might not even be aware of.
Most of all it seems like an all you can eat buffet for advertisers.
Have some faith in consumers: if you have a good product, they will find it.
GDPR calls for smarter and better advertising.