The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It takes effect on May 25, 2018.
At BizBudding, we’ve been working hard to ensure that we fulfill GDPR’s obligations and maintain our transparency about customer information and how we use “personal data.”
Below is an overview of GDPR and how we are preparing for it.
What is GDPR?
The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that goes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It is a single set of rules to govern the processing and monitoring of EU data.
“The GDPR aims primarily to give control to citizens and residents over their personal data” – Wikipedia
GDPR most likely affects most of our clients. We strongly encourage you to do the research necessary and plan. If you hold or process the data of any person in the EU, the GDPR applies to you, whether you’re based in the EU or not.
You need to make sure your company:
- Is handling sensitive contact data securely and appropriately according to GDPR’s guidelines
- Gives people the ability to request that their contact info be modified, deleted, or given to them
- Is transparent about how you handle people’s contact information in your privacy policy
- Has consent from contacts to use their contact data for marketing purposes and for delivering your services
How is BizBudding preparing for GDPR?
Our team has been working to define our GDPR roadmap. This is a massive overhaul of processes and data models to make sure we’re meeting our legal obligations and doing the best thing for our customers while still letting us move fast, scale, and build great products.
Here are the main things we’ve been doing to ensure we’re setting ourselves and our customers up to meet GDPR obligations:
We’ve updated our Data Processing Agreements (DPAs).
Strong data protection commitments are a key part of GDPR’s requirements. Our updated Data Processing Agreement shares our privacy commitments and sets out the terms for BizBudding and our customers to meet GDPR requirements. This is available for customers to sign upon request.
We’ve certified for International Data Transfers.
The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.
To comply with EU data protection laws around international data transfer, we self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield framework and are awaiting final acceptance of our documentation.
We’ve appointed a Data Protection Officer.
We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch through the messenger or by emailing compliance @ bizbudding.com.
We’re coordinating with our vendors.
We’re reviewing all our vendors, finding out about their GDPR plans and arranging similar GDPR-ready data processing agreements with them.
We’re taking new security measures.
Security is a priority for us. We’ve built a robust security framework over the past couple of years. We are reviewing our internal access design to ensure the right people have access to the right level of customer data. More details are available on our Privacy Policy and Standard Terms and Conditions pages.
Tracking Progress
We’ll keep sharing information on our progress, and we’ll also help our customers and prospective customers be compliant. Some steps you can take are:
- Get familiar with the GDPR requirements and how they affect your company.
- Map out everywhere you process data and carry out a gap analysis.
- Consider how you can leverage BizBudding to help with your GDPR compliance.
- Look at your product roadmap and think about privacy when you’re planning.
- Chat with your lawyer about what your company needs to do to.
- Keep an eye on the developing guidelines from the GDPR Article 29 Working Party.
Questions?
Feel free to reach out to us in the Messenger if you have any questions about GDPR—we’d be happy to chat with you about it.
What should you do?
Update WordPress
First things first, make sure you are running (at a minimum) WordPress Version 4.9.6. This version of WordPress was released to include tools for you to manage private information inside WordPress.
If you are a BizBudding customer, and we are providing hosting services for you through our Touchstone.io platform, your version of WordPress will be automatically updated for you by the May 25th GDPR deadline.
Set a Privacy Policy
Having a privacy policy that is easily accessible on your website is very important. Your privacy policy should be transparent about how you handle site analytics, cookies, personally identifiable information, and more.
We recommend that you consult with your attorney for your privacy policy and terms of use. Upon updating your privacy policy, you will need to inform and update your existing contacts about the changes.
Provide Contact Information
With GDPR, you need to be able to provide, easily update, delete, or export your contact’s personal data. In the context of GDPR, most organizations with websites are “data controllers” with specific responsibilities.
It needs to be easy for your contacts to request that any of the personal data you’ve collected be given to them, modified, deleted, or moved to another party.
Make sure your website and company give people the ability to make these requests easily.
Review Site Security
Handle sensitive contact information securely by making sure your website is using SSL. Let’s face it though folks, if you’re not using SSL already then there are bigger issues at play with your site security. (All customers’ websites on BizBudding’s Touchstone.io platform are deployed with SSL.)
You should map out all the places where you are storing contact personal data, whether it’s your systems or third-party tools (referred to as “data processors”). You need to work with and confirm that all data processors are handling information securely.
Get Consent
The old adage about requiring consent in real-life personal relationships now rings true on the Internet. You must get consent to store personal data.
Consumers are being bombarded with emails and ads from companies that do not have consent to market to them. How many spam emails do you receive?
GDPR could level the playing field for everyone and give marketers who are legitimately building their audiences a massive advantage. It’s always best to provide real value to your audience and customers instead of buying email lists and marketing without consent.
Unless you have a legitimate reason (“legitimate interests“) to hold personal data, such as fulfilling purchases, it is best that you do not store personal data without consent.
Collect and Store Consent
Collecting consent from your contacts for data processing requires that:
- You are transparent about what you’re using contact data for at the point of data collection
- You store a record of the contact having given consent
- You don’t store data on contacts who have not given consent
Use active consent checkboxes with your contact forms, and make sure the consent box is not checked by default.
Try to be as transparent as possible and have your checkbox link to your privacy policy and/or your terms of service. Be sure to appropriately state how you are handling their personally identifiable information.
Be sure to store consent in your systems so that you can quickly filter out contacts who have not given consent.
Best practice would include reaching out to contacts who have not accepted your revised privacy policy and asking for consent. If you have existing contacts in your system, and you want to have them agree to your privacy policy, here’s an easy way to do this using some of our lead generation tools.
Again, this article’s objective is to provide actionable steps, not serve as legal advice. As you work towards being compliant, we recommend consulting with a lawyer who can help you work on becoming compliant.