For those who have been living under a rock, the General Data Protection Regulation (GDPR) is here.

GDPR, initially approved by the EU Parliament on 24 April 2016, becomes enforceable on 25 May 2018. The GDPR effectively replaces the 1995 Data Protection Directive.

Its purpose: to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

In GDPR, the R stands for Regulation; European governments are therefore directly bound by it and can’t pass domestic legislation of their own as they would in the case of a Directive.

Enough with the legal jargon though, because this is a practical guide.

Let’s shed some light on this hot issue, shall we?

 

GDPR in a sentence.

A new regulation to control the way companies collect, store, and use customer data.

 

Is it for me?

If you can control where your customers live then GDPR is here for you. All EU residents should enjoy the benefits of GDPR regarding their private data as of the end of the month.

To what kind of industries does it apply?

Any industry that collects data is subject to GDPR. For example:

  • E-commerce sites (for the customers or newsletter subscriptions)
  • Blogs/e-newspapers/Newsrooms (thus any kind of large or small Publisher – for subscriptions or shares or engagement)
  • SaaS products (for the customers or various kinds of engagements through chat or other channels)
  • Services companies or Agencies (for any kind of customer data they collect when a customer expresses an interest in the products or services)
  • Static websites for the contact-us form or other touch points

To what kind of data does it apply?

It applies to everything from the data you collect about your customers to your newsletter subscriptions, your forms and your marketing touch points; in short, to every interaction with your customer where you collect ANY kind of data.

I underline the word ANY as it could also apply to a single email (which isn’t considered private data) or to the combination of the email with the name and the IP of the user (which is considered private data).

It’s not that you will be liable for the active collection of the simple email, BUT you need to put a mechanism in place to manage this consent specifically, and to delete the record if asked by the user (following an authorization process).

What kind of user engagement does GDPR cover?

If you have any of the elements or engagement points (aka touch points) below in your project, product or website, then consider complying with GDPR as soon as possible.

  • Contact forms
  • Signing-up forms
  • Pre-launch campaigns
  • Subscribe to newsletter forms
  • Ambassador, referrals and loyalty programs
  • Chats, chatbots and FB extensions

When should I start worrying?

When GDPR goes into effect on May 25, it will be the most important change to data privacy regulation in more than 20 years. But I would suggest you start worrying as of… today, because what needs to be done cannot be done overnight. It all requires a significant investment on your part to audit and comply with the new law.

What do I have to do if I am a company?

You need to create a Privacy Center to take charge of your digital identity. Your customers should be in control of their personal data, and a privacy center should be implemented to help them do so.

Remember, those are the customer-facing implementation details. In your back-end, you need to do much more to be able to comply and to document everything in the best possible way.

Here is what needs to be done, in detail:

  • A blog or a section in the blog that explains:
    • What information you collect about your customers
    • How you use information about your customers
    • If and how you share your customers’ information with third parties, other tools included, as they are considered third parties
    • How your customers can manage the info you collect about them
  • A page where your users/customers may request a copy of their personal data in an electronic format that they can take to other service providers (automatically or manually). You should respond to this kind of request within 30 days by providing a link to a location where the data can be downloaded.
  • A page for account closure and data deletion. Customers can make any request they wish, but if a customer asks you to delete personal data that is necessary for the products or services they have purchased, the request should be honored only to the extent that the data is no longer necessary for any services purchased or required for your legitimate business purposes or legal or contractual recordkeeping requirements. For example, your customer cannot require you to delete orders or transactions that are needed for bookkeeping, legal or commercial reasons.
  • An application form where you ask for consent from the users/customers. Something like this: https://www.appocalypsis.com/widgets-for/gdpr

 

What can I do if I am a customer?

For all of your customers, there are a number of key benefits to the GDPR:

  • Data Consent — Users must be notified when their data is being collected, what is being collected, and actively consent to the collection of that data.
  • Right To Access — Users will now have the right to know whether or not their personal data is being collected and processed, where it’s being processed, and for what purpose. They can also correct any errors or inaccuracies in that data. In addition, any company that collects personal data is required to provide a copy of that data to the user, free of charge, in an electronic format.
  • Right To Be Forgotten — Also known as Data Erasure, this means that users will have the ability to request their personal data be erased, cease further dissemination of their data, and potentially have third parties stop the processing of their data.
  • Data Portability — This gives users the right to receive a copy of all the personal data about them that has been collected, and give that data to another company.
  • Breach Notification — If a data breach is likely to “result in a risk for the rights and freedoms of individuals,” then the company that was breached must notify the government and users within 72 hours of first becoming aware of the breach.

What are others doing regarding GDPR?

One by one, all companies are starting to support and comply with the GDPR.

Here are the resource pages they built for this purpose:

GoDaddy – The well-known domain registrar:
https://uk.godaddy.com/help/privacy-center-27875

HotJar – The popular heatmaps software:
https://www.hotjar.com/legal/compliance/gdpr-commitment

MailChimp – The famous emailing platform:
https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation

Albacross – The widely used B2B platform for company identification:
http://help.albacross.com/pricing-privacy-and-terms/albacross-gdpr

Mixpanel – Top destination for advanced mobile & web analytics:
https://help.mixpanel.com/hc/en-us/articles/360000345423-GDPR-Compliance

HubSpot – The huge inbound marketing and sales platform:
https://www.hubspot.com/data-privacy/gdpr/product-readiness

Facebook – The Facebook:
https://www.facebook.com/business/gdpr

Google Cloud – Google Search, YouTube, etc.:
https://cloud.google.com/security/gdpr/

 

Where can I find resources about GDPR in my language and country?

🇦🇹Austria: https://www.computerwoche.de/a/die-anforderungen-auf-einen-blick,3331104

🇧🇪Belgium: https://gdpr.wolterskluwer.be/nl/nieuws/de-privacycommissie-wordt-de-gegevensbeschermingsautoriteit/

🇧🇬Bulgaria: https://www.cpdp.bg/?p=element&aid=1043

🇭🇷Croatia: http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr

🇨🇾Cyprus: https://www.offsite.com.cy/articles/eidiseis/topika/250014-ti-einai-to-gdpr-kai-giati-epireazei-tis-zoes-olon-mas

🇨🇿Czech Republic: https://www.uoou.cz/gdpr-obecne-narizeni/ds-3938/p1=3938

🇩🇰Denmark: https://www.datatilsynet.no/regelverk-og-skjema/veiledere/hva-betyr/

🇫🇮Finland: http://www.tietosuoja.fi/fi/index/euntietosuojauudistus.html

🇫🇷France: https://www.retis.be/gdpr-explication/

🇩🇪Germany: https://www.searchstorage.de/lernprogramm/DSGVO-GDPR-Was-bedeutet-Speicherkontrolle-und-wie-setzen-Sie-es-um

🇬🇷Greece: https://www.generaldataprotection.gr/

🇭🇺Hungary: http://gdpr.blog.hu/2018/03/26/a_naih_allasfoglalasai_a_gdpr_alapjan_az_adatvedelmi_tisztviselo

🇮🇹Italy: http://www.garanteprivacy.it/regolamentoue

🇮🇪Ireland: https://www.dataprotection.ie/docs/GDPR/1623.htm

🇱🇻Latvia: http://www.baltic-course.com/rus/es_baltija/?doc=134308

🇱🇹Lithuania: https://www.ada.lt/go.php/Renginiai975

🇱🇺Luxembourg: https://cnpd.public.lu/de/actualites.html

🇲🇹Malta: https://idpc.org.mt/en/Pages/Home.aspx

🇳🇱Netherlands: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-nieuwe-europese-privacywetgeving/algemene-informatie-avg

🇵🇱Poland: https://gdpr.pl/

🇵🇹Portugal: https://www.cnpd.pt/

🇷🇴Romania: http://www.dataprotection.ro/

🇸🇰Slovakia: https://dataprotection.gov.sk/uoou/

🇸🇮Slovenia: https://www.ip-rs.si/

🇪🇸Spain: http://www.agpd.es/portalwebAGPD/temas/reglamento/index-ides-idphp.php

🇸🇪Sweden: https://www.datainspektionen.se/press/nyheter/2018/enkel-guide-underlattar-for-foretag-att-folja-gdpr/

🇬🇧United Kingdom: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

 

Please note that this guide is for informational purposes only, and should not be relied upon as legal advice.

 

Theodore has 15 years of experience in running successful and profitable software products. During his free time, he coaches and consults startups. His career includes managerial posts for companies both in Greece and abroad, and he has significant skills in intrapreneurship and entrepreneurship.