If your business collects any sort of online personal data (and whose doesn’t?), then you’re probably counting the days until May 25, 2018, when the GDPR (General Data Protection Regulation) takes effect.
Although GDPR is an EU regulation which emphasizes that users must give “active consent” to any platform collecting their personal data. Here are a few things to consider when evaluating your business’ collection and use of personal data:
Explain How the Data Will Be Used
If you plan to store data, use it to target ads, share it with other entities, or just to add a personal touch to the user’s interface, explain so clearly and prominently. The GDPR only considers the collection of necessary information to be lawful, so if you ask for a user’s demographics when all you do is sell shoes, explain why you absolutely need that information or expect legally-backed resistance from informed users.
Do Not Use Passive Opt-In
It is not the responsibility of the individual user to opt-out of data collection. There must be a clear opt-in option in order for you to obtain data–no pre-ticked boxes and no lumping in special conditions with typical terms and conditions. If you intend to use sensitive data like their genetic information, be crystal clear that they are opting-in for that usage.
Specify that users can to opt-out in the future or ask that their data be erased.
Remember Your Employees’ Data
Don’t forget that all personal data your business stores is covered by GDPR. Your employees must provide active consent just like any online user. If a data breach compromises their information and you did not obtain their active consent, you will be fined.
Double-check Your Current Approach
If you were compliant under the Data Protection Act you may be able to roll into the GDPR without an overhaul. The GDPR standard for data collection is that it be “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.” For a detailed explanation of these qualifications or to ensure your system already complies, visit IP Draught.
When in Doubt, Start Over
If you aren’t GDPR savvy or haven’t fully read the Guide to the GDPR, sending an email to those whose data you already have and adding a website pop-up explanation of your data use policies is a good idea.
Here is an example of a pop-up from Podio.com:
With fines reaching as high as 4% annual revenue or €10-20 million, the GDPR is clearly not messing around. Double-check your permissions with your users to be safe or accept the risk of not doing so.
Active Consent Is an Opportunity
Asking users for active consent and being transparent in your use of their data builds trust and enhances your reputation. If users feel educated and in control they will want to continue their relationship with you.
Active consent is a positive step for the protection of us all in this digital economy. Show your users you care by obtaining it.