In May 2018 European companies began working with data according to a new document: the GDPR (General Data Protection Regulation). The new rules have to be followed not only in all 28 countries of the EU; every business that deals, or may deal, with European citizens must also comply with these norms. So, if you think that you have nothing to do with it, you may be wrong. Here is an example: you have an online shop outside the US, and an EU citizen visits your shop, looks through it and adds some goods to the cart. You track this activity and save this data, together with the user’s IP address and e-mail, in your database. In this case, you definitely fall under the rules of the GDPR.
Thus, everyone who works or plans to work with EU citizens has to adapt their data-handling processes to the new EU standards. The rules have become stricter, and non-compliance may lead to penalties of twenty million euros.
What does it mean?
You cannot gather all possible information about your user anymore, and neither can you use it for purposes known only to you.
Your user should:
- know which data you collect
- understand what you are going to do with this data
- clearly give you permission to collect and use this data. A checkbox that is ticked by default, which the user may not even notice before pressing the OK button, does not count. Only an explicit, active action by the user can be considered permission. Permission is considered invalid if the user has no real choice and cannot withdraw it without harm or loss. Information about how to withdraw permission should be conveniently placed on the website so that the user can easily find it when needed
- have an opportunity to find out which data you already hold about him/her
- have an opportunity to delete his/her information from your database at any time
What do we mean by ‘data’ in GDPR?
By data, we mean all kinds of information about the user: not only the name, surname, photos, email, home address, but also the history of views in your online shop, personal preferences, location, health condition and any other relevant information.
Here are six key principles for working with data according to the GDPR:
- Legality and transparency. All information should be collected in accordance with legal requirements. The reason for collecting data should be clear, comprehensive and accessible.
- Limited goal. Collection of data should have a clear goal, and using this data for any other purpose is prohibited.
- Minimization of data. You should collect only the data needed to achieve the described goal. Collecting any additional data is forbidden.
- Accuracy. Data should be accurate, and the user should have an opportunity to correct his/her data if it contains mistakes.
- Limited storing. Data cannot be stored longer than is needed to reach the goal.
- Security and integrity. The company should guarantee the safety of the user’s data. This means that the data cannot be damaged or illegally used by third parties.
What to do?