If you want to avoid the sanctions, you’ll have to adjust your application to satisfy GDPR requirements.
Below are the steps you can take to make your software solution GDPR-proof, and turn the new law into a business opportunity.
Are you subject to GDPR?
GDPR is the latest EU regulation meant to tighten control over the way companies handle the personal data of its citizens. From the moment it comes into effect on May 25, 2018, noncompliant businesses will face heavy fines and penalties.
Still in doubt about whether your solution is subject to the new European data protection regulation? Check it against the following criteria:
- Do EU citizens use your solution?
- Is there a subscribe function on your website?
- Do you have any comments sections?
- Can users log in to your website with third-party apps?
If you answered yes to at least one question, congratulations: GDPR definitely applies to you, so you had better start getting ready.
How to make your application GDPR-compliant?
1. Consider whether you really need all the data you collect
The first step to making your application GDPR compliant is to check what kind of personal data it stores. Do you really need it? The best course for the privacy-conscious future is to collect only the bare minimum of personal data that you can’t possibly do without.
2. Encrypt all personal data
Encryption scrambles data in a way that makes it unintelligible to anyone who doesn’t hold the decryption keys. Although it’s often named as a key factor of GDPR compliance, the word “encryption” appears only 4 times in the GDPR text:
- “…implement measures to mitigate those risks, such as encryption.” (P51. (83))
- “…appropriate safeguards, which may include encryption” (P121 (4.e))
- “…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
- “…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))
Based on the wording above, encryption is not mandatory under GDPR. But this doesn’t mean you should ignore it.
As any cybersecurity expert will tell you, data breaches are inevitable. In July 2015, hackers attacked Ashley Madison and stole more than 25 GB of personal data from the adultery dating website.
The information, including names, emails, and addresses, was stored as plain text, which allowed anyone to track the would-be cheaters. This negligence resulted in a wave of blackmail, ruined careers, and broken marriages. The website owners had to pay over $11 million to settle the ensuing lawsuits.
Moreover, at least three people committed suicide as a result of the Ashley Madison breach.
This is just one of many incidents that prove the importance of encrypting users’ personal data.
But what if, for some legitimate reason such as cost or a drop in performance, you can’t use encryption as part of your data protection policy? In that case, you should either gather enough evidence to justify that decision or use alternative methods such as pseudonymization.
3. Consider HTTPS an essential part of your application
“Contact us” forms often contain personal data such as emails, phones, or even home addresses. If you store and send this information as plain text, you’re opening the door to hackers.
So again, use encryption for the “contact us” forms. Also, inform your clients how you store this data and for how long.
The next step is to employ HTTPS, a secure version of the HTTP communication protocol.
It encrypts all the data sent between a client and a server using the SSL/TLS cryptographic protocols. When a user requests an HTTPS connection to your application, the server sends the browser your SSL/TLS certificate, which contains the public key used to initiate the secure connection.
Also, make sure that your certificate and TLS configuration aren’t susceptible to known protocol vulnerabilities.
4. Get your consent forms in order
Starting from May 2018, forget about pre-ticked boxes of any kind: get rid of every form that contains a pre-ticked opt-in box.
Your consent forms must default to “no” or be left blank, so that you never force your users to actively opt out.
5. Implement granular opt-in
As a website owner, you want to occasionally reach out to your clients for marketing purposes. You’ll have to ask for explicit consent for each type of data processing you handle.
This means that if you’d like to send promotional materials via email, phone, and post, your consent form should have three separate opt-in boxes, one per channel.
If all you need for your marketing is the email address, a marketing consent will suffice.
But if you use personalization, segmentation or targeting, you’ll need both the marketing consent and consent (or legitimate interest) to collect and profile any additional behavioral or demographic data.
6. Be specific about the third parties
If you pass your customers’ personal data to third parties, you should accurately identify and name each of these parties in your consent forms. Have a look at this example:
The names of all three companies are clearly stated, and each permission has its own checkbox. It’s a pity that in this example you’d have to opt out of each permission instead of opting in, which is a big NO under GDPR.
Still, giving third parties access to your users’ personal data for analytics or other purposes is definitely a bad idea. PageFair recently conducted a survey to discover how users would react to consent forms that meet GDPR requirements.
According to more than 300 industry experts, the majority of users don’t want third parties anywhere near their personal data.
The best way out of this problem might be a self-hosted web analytics platform, which guarantees that you are the only one to collect, process and store personal data.
Note: GDPR doesn’t impact the usage of Google Analytics as it can’t track individual users.
7. Separate the Terms and Conditions agreement from other consent forms
The Terms and Conditions agreement will no longer go hand in hand with other types of consent. You’ll have to request the user’s agreement separately for each kind of personal data handling.
8. Make the Terms and Conditions section highly visible
Under GDPR you’re no longer allowed to hide your Terms and Conditions section or bury it in the fine print. A layout like the following will not be acceptable under the data protection regulation:
Your users will have to acknowledge they’ve read the Terms and Conditions and agree to them before getting access to your app.
9. Make sure users can easily withdraw their consent
Due to the new GDPR principle – the Right to be Forgotten – a user must be able to unsubscribe and withdraw his or her consent at any time. If, for example, you send newsletters to your customers, every email should contain an “unsubscribe” link.
But don’t despair if some users decide to unsubscribe from your mailing list! With a dash of creativity, you can change their minds and encourage them to resubscribe. Here’s an example showing that even an “unsubscribe” link can work in your favour:
10. Change your cookie policies
In the official GDPR document, cookies are mentioned in the following context (Recital 30):
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
By May 2018, you should either stop using such cookies or find a lawful basis for collecting and processing personal data. For applications, the lawful bases can be:
- Legal obligations;
- Legitimate interests (as long as they don’t violate individual rights);
- Requirements for the execution of a contract (e.g. gathering payment data from contractors);
- User consent.
Under GDPR, the act of visiting your website for the first time doesn’t automatically grant consent to process the user’s personal data, even if you display a notice such as “If you use this website, you accept cookies”. According to Recital 42 of the official GDPR document, consent in such a case is not considered “freely given”.
Granular consent still applies, so if you want to track your visitors’ behavior via web analytics and at the same time use their data for advertising, you should obtain consent for each activity. You’ll also have to allow visitors to withdraw their consent as easily as they gave it.
Remember, you can’t block access to your website for users who withhold consent. And after they log out, you’ll have to destroy their cookies and sessions.
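Steps 4 to 6, 9 and 10 describe one mechanism: a separate opt-in per purpose, nothing granted by default, and withdrawal as easy as granting. The consent ledger below is an added example (not code from the original article or from MindK); the purpose names, event sources and the `affirmative_action` flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Hypothetical purposes, one per channel/activity, as the article requires.
# None of them is granted until the user explicitly opts in.
PURPOSES = ("email_marketing", "phone_marketing", "post_marketing",
            "analytics", "advertising")


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    source: str        # where the action happened, e.g. "signup_form_v3"


@dataclass
class ConsentLedger:
    """Append-only record of grants and withdrawals for a single user."""
    events: List[ConsentEvent] = field(default_factory=list)

    def grant(self, purpose: str, source: str, affirmative_action: bool) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        # A pre-ticked box or a default setting is not consent; only an
        # explicit user action may create a grant.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative user action")
        self.events.append(ConsentEvent(purpose, True, datetime.now(timezone.utc), source))

    def withdraw(self, purpose: str, source: str) -> None:
        # Withdrawal is always accepted and needs no justification.
        self.events.append(ConsentEvent(purpose, False, datetime.now(timezone.utc), source))

    def is_allowed(self, purpose: str) -> bool:
        # The latest event for a purpose wins; no event at all means "no".
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def allowed_purposes(self) -> Tuple[str, ...]:
        return tuple(p for p in PURPOSES if self.is_allowed(p))


def demo() -> Tuple[bool, bool, bool]:
    ledger = ConsentLedger()
    before = ledger.is_allowed("email_marketing")          # nothing pre-ticked
    ledger.grant("email_marketing", "signup_form_v3", affirmative_action=True)
    after = ledger.is_allowed("email_marketing")
    ledger.withdraw("email_marketing", "unsubscribe_link")  # one click, no questions
    return before, after, ledger.is_allowed("email_marketing")
```

Because the ledger is append-only with timestamps and a source, it also doubles as the evidence of when and how each consent was obtained or withdrawn.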
11. Avoid security questions that disclose personal information
When signing up for a web application, you often see security questions like this:
This is a big NO under the new law.
Since May 2018, security questions mustn’t contain any information related to the customer’s family, preferences, home, etc.
The best option is to use two-factor authentication (2FA), which combines a password with a second factor such as the user’s phone or fingerprint. Such systems are a powerful deterrent to cybercriminals.
If, for some reason, this option is not possible for you, let your users create their own secret questions. Just warn them against disclosing personal information in them.
12. Inform users about logs containing their IP addresses
Check whether your system uses IP addresses or location data in the authentication process. If your logs contain such data, you should inform users how you store them and how long they persist in your system.
Also, encrypt your logs and never store particularly sensitive data (e.g. passwords) in them.
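Step 2 suggests pseudonymization as an alternative to encryption, and step 12 asks that logs carry no passwords; the scrubber below is an added example (not code from the original article or from MindK) that applies both to access-log lines before they are written to disk. The log format, the field names matched and the key are constructed for illustration.

```python
import hmac
import hashlib
import re
from typing import List

# A keyed HMAC gives each client a stable pseudonym, so repeated failed
# logins from one source stay detectable, while the raw address is gone and
# the token cannot be reversed without the key. A plain unkeyed hash would
# not do: the whole IPv4 space is small enough to brute-force.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Password-like fields in query strings or key=value logs (constructed list).
SECRET_RE = re.compile(r"(?i)(password|passwd|pwd|token)=([^&\s\"]+)")


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Deterministic keyed token for one IP address. Rotating or destroying
    the key severs the link between token and real address."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]


def scrub_log_line(line: str, key: bytes) -> str:
    # Redact secrets first so a password that happens to look like an IP
    # is removed rather than tokenised.
    line = SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return IPV4_RE.sub(lambda m: pseudonymize_ip(m.group(0), key), line)


def scrub_log(lines: List[str], key: bytes) -> List[str]:
    return [scrub_log_line(line, key) for line in lines]


# Constructed sample lines in a common access-log style (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2018:10:00:01 +0000] "POST /login?user=ann&password=Hunter2! HTTP/1.1" 401',
    '203.0.113.7 - - [25/May/2018:10:00:09 +0000] "POST /login?user=ann&password=Hunter3! HTTP/1.1" 401',
    '198.51.100.42 - - [25/May/2018:10:01:00 +0000] "GET /account HTTP/1.1" 200',
]

if __name__ == "__main__":
    for out in scrub_log(SAMPLE_LOG, key=b"constructed-demo-key"):
        print(out)
```

The key must live outside the log store (a secrets manager or HSM), otherwise pseudonymization collapses back into the plain-text logging the article warns about.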
13. Make sure all personal data is removed after being passed to payment gateways
This is a crucial step for e-commerce applications. If you use payment gateways, you are likely gathering your customers’ personal data. In most cases, this data remains in your system after being passed to the payment gateway.
This is illegal under the new data protection regulation.
By May 2018 you must rework your web processes to delete any personal data of your customers within a set period of time (60 days, for example).
14. Allow users to reject your business intelligence tracking
E-commerce websites often track the visitors’ behavior and tastes to improve their recommendations. Under GDPR, such activities require a clear and explicit consent. You’ll also have to tell users how this data will be stored in your systems and for how long.
If a user rejects tracking, you’ll have to respect his or her choice.
15. Erase unsubscribed user data
According to GDPR’s Right to be Forgotten, users are free to delete their accounts together with all their personal data. Your task is to clearly show them that their data will indeed be deleted as well as erased from all your backups.
Treating the deleted accounts as merely inactive will be viewed as an infringement of the law.
Now you’re armed to the teeth for the coming GDPR. You can use these steps to rise high above your competition. In the privacy-conscious future, the ability to ensure the security and transparency of your application will be a huge advantage.
But you must hurry, for the clock is ticking. Only the most prudent companies will benefit from the new law, while the rest will face the penalties.
And if the task seems too tough, you can always rely on MindK to develop GDPR-compliant applications or modify existing solutions to meet the new requirements.
And of course, don’t forget to subscribe!