6 no-brainer things you can do to comply if you have an app or website
What is it and Why should I care?
You may have heard of the General Data Protection Regulation (GDPR), and know that you and your organisation should be doing something about it. With so much to read, and such heavy penalties attached to non-compliance, it’s a topic that can feel overwhelming, particularly when it comes to your apps and websites. You might be tempted to bury your head in the sand and wait for it to pass – not a great idea!
Never fear! We’re going to break it down for you so you can understand how you can make sure your websites, apps and general business practices are compliant and ready to go once the law comes into play.
GDPR is the EU directive that is going to replace the existing Data Protection laws and will come into action on May 25th 2018. The key stipulations of GDPR are:
- Right to be forgotten: Users can request to have all their data deleted when it is no longer relevant
- Right to Access: Users have the right to request for confirmation that their data is being processed, access to all the information you hold on them, and the ability to rectify and amend that data.
- Explicit Consent: Businesses must request consent to collect, use and move data
- Mandatory data breach notifications: The authorities and users must be notified of data leaks within 72 hours
- Data Portability- Users have the right to obtain and reuse their personal data for their own purposes
- Privacy by Design: Privacy and data protection needs to be considered from start to end of a project
- Data Protection Officer: Organisations with 250+ employees need to employ someone dedicated to managing data protection
- Consequence of not complying: A fine of up to 4% of gross global profit/ €20 million (Itgovernance.co.uk, 2018)
Don’t worry it’s not the end of the world – it’s actually a positive change! Spending some time working through some simple tasks will pay dividends over time. There are benefits for these new laws to not only individuals but also for businesses themselves! By auditing and updating existing processes, you can strive for compliance and optimise your internal processes, leading to better business results.
Here are 6 no-brainer things you can do to comply:
1. Think before you collect
It is really important to remember to think before you collect data and not do it just for the sake of it. Keep only what is necessary and make sure it conforms to at least one of these reasons:
It is necessary…
- for legal obligation
- for “legitimate interests” of the controller or Third parties
- for the performance of a contract
- for the performance of a task in the public interest/exercise of official authority
If you find that you are collecting data unnecessarily, you will have to change your process to ensure that users have given explicit permission to use their data for those purposes, and/or remove this data.
You will also need to think about how long you hold onto data. For anything you collect, have a justifiable a timeline for removing it. In some instances you can ‘santise’ (or anonymise) personal data by removing names, email addresses or any ID numbers etc. This is useful if you’re using data to generate reports.
2. Get a Privacy Policy, or update your existing one
All apps and websites now need a privacy policy and terms and conditions that explain how data is used and why. Apple and Google Play now reject apps that don’t have these. So regardless of GDPR you will have to take this into consideration when releasing an app, but don’t panic! There are lots of templates and tools to help, and privacy policies should be written clearly without any legal jargon.
Your privacy policy must be made clearly available to users at the point that data is being collected (not just hidden in the footer!).
3. Get Consent
Before you collect, get consent! Make sure that when you collect user data, that you track where and when they gave consent to collect their data so you can provide proof of this. A good idea is to keep a clear database of dates to when and how people consented to you receiving their data. This applies to email collections for e-newsletters and any other processing you may wish to carry out, including website enquiry/contact forms.
Remember, not opting out does not equate to opting in! To help explain this, here is our favourite metaphor:
If you ask someone if they want tea they say ‘yes’, then make them tea. But if you ask someone if they want tea and they say ‘no’, do not make them tea. Don’t force them to drink it either.
4. Be Clear with Your Users
When asking for consent, it is important that your users know what you are asking for! Avoid burying details in privacy policies, and use clear, easy to read disclaimers/hints to make your users aware of how you use their data you need to explain:
- Why you are collecting the data
- For how long you are going to keep the data
- For what purpose
- Third party data sharing
The language you use should be clear and broken down; so no use of legal jargon. Make sure your users can understand so that they’re not confused.
Privacy policies should be written so that they can be easily digestible by your target audience.
For example, if your app is targeted at 12 year olds, you should make sure you explain how data is used in language that they can understand.
Example of what not to say
we use, share some of it and keep your data for services
Example of what to say
The personal data that we have collected from you will only be used in what is required in order to process your request and we will store only what is necessary. We don’t share your data with advertisers, nor do we sell your data.
If children ARE involved, more stringent consent will be required. You will require, and provide evidence of, parental consent being given.
5. Be Secure
This is vital as no matter how consistent you have been to make sure all the data you have collected has been consented to, you are still responsible for keeping that data safe and sound. In the unfortunate event that there has been a data breach, you must report it to the ICO within 72 hours.
Security begins with reducing human error, which is the leading cause of data breaches (Inquirer and breaches, 2018), so start by updating your passwords regularly. A great idea would be to use a password manager that generates unique passwords for you.
Make sure you have adequate network security in place to defend against unauthorised access and malicious content. Also ensure you have a monitoring strategy to watch over any unusual activity.
Even with the best antivirus software, secure connections and monitoring strategy in place, training should be provided to your staff so that they are able to effectively use your systems, identify potential cyber risks and mitigate them.
6. Check in with your suppliers
There’s no point putting in all that work, only to find that one of your key suppliers is letting the team down within GDPR.
Have those important conversations with and third parties now and make sure they are also GDPR compliant.
It is important that any third parties you use are based within the EU, unless a contractual agreement is in place. When working with organisations in the US, ensure they are members of the Privacy Shield program, which will require them to commit to certain privacy standards. https://www.privacyshield.gov/
It’s a Journey
Exactly as it says; “it’s a journey”, GDPR compliance is an ongoing process and will have to maintained and built upon going forward.Take your time and research thoroughly to make sure you’re doing it right. No one will ever be 100% GDPR compliant overnight, and definitely do not pay for it to be! You do not want to be tricked into a temporary quick fix that will cause complications in the future. It’s about developing your company culture to better understand data privacy and how to treat data.
This is what We’re Doing…
At GearedApp we have always valued data privacy and are using this as an opportunity to improve further. These are some of the processes we have been going through in order to comply:
Auditing all of the data we collect from our clients, and making sure we know what data we are holding, where and why.
Conducting an ongoing audit of our projects, which involves keeping a live document to track data collected and who has access on any given project.
Training our staff and growing our culture around thinking privacy first.
Encrypting our data so it is safe and secure.
Implementing additional staging environments to better protect the production versions of apps and websites.
We hope this blog cleared things up for you but if you’re still confused and would like to chat about and how GDPR will affect your app or website, please get in touch. We’re always happy to help! ????
Itgovernance.co.uk. (2018). GDPR Penalties. [online] Available at: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties [Accessed 16 Mar. 2018].
Inquirer, T. and breaches, H. (2018). Human error is the root cause of most data breaches
TheINQUIRER. [online] http://www.theinquirer.net. Available at: https://www.theinquirer.net/inquirer/sponsored/2320308/human-error-is-the-root-cause-of-most-data-breaches [Accessed 16 Mar. 2018].