If you have a site, an app, or you run a business that collects information on your users, then the General Data Protection Regulation (henceforth called GDPR) applies to you. Even if you only use marketing tools (such as analytics software) on your site or app, this still applies to you.
GDPR is a set of rules that prescribe how businesses like yours and ours need to handle a user’s information. These rules grant consumers more rights and impose greater restrictions on how businesses can handle user data.
Here are key takeaways that you should be aware of:
- It was passed in Europe, for European citizens anywhere. Because it is a lot more difficult to apply different rules to the data of EU citizens and non-EU citizens, businesses are choosing to treat all their users’ data with the same level of restriction.
- There are no exceptions written in GDPR. However, the common understanding is that if you are a local business that is completely analog and doesn’t store any personal data on its customers, then the agencies enforcing GDPR likely aren’t interested in you.
- Why should you care? If you do not follow these rules you could be fined up to 4% of your revenue anywhere in the world or 20 million Euros, whichever is greater. Google just got fined 50 million Euros.
What do I mean by “data” of users?
- Anything that can be used to identify a user or glean information about a user, such as: name, age, IP address, political beliefs, gender, etc.
Here are the rights users have been given under GDPR:
- They can request that your business delete all the data you have on them. You have to get it done in a timely manner.
- Users should be able to take their data away from your business, which means you should be able to provide them this data in a usable format (like a CSV file).
- If you, or any company/tool you use to handle or store your users’ data, suffers a breach, you are still responsible for proactively notifying your users within 72 calendar hours of that incident and putting corrective measures in place.
- You also need to be able to show records of when and how each user gave you their personal information and the permission to use it for specific, listed purposes.
- This is why you have been noticing those annoying “Accept” popups on many sites.
Here are some actionable takeaways:
- Ensure your privacy policy is updated and says exactly how each piece of info is going to be used.
- Get an ‘opt-in’ from all your users for storing and using their info. Save records of these approvals.
- Get a process set up for how you will handle requests for a user’s data and requests for deleting a user’s data.
- Go through the info you are collecting and keeping on your users; only keep the things that you absolutely need, and only keep them for as long as you actively need them. Delete it when you are no longer using it.
- Ensure that if you are using a different company that is collecting/keeping this data on your behalf (such as Google Analytics), they are also in compliance and have processes to make this seamless. PulseMetrics.io is.
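The takeaways above (keep consent records per purpose, honour export and deletion requests, delete data once it is no longer needed) map onto a small amount of code. The following is an added illustration written for this page, not code from the article or from PulseMetrics.io; the class and method names, the in-memory store, the sample user "u1" and the retention periods are all assumptions made for the example. It refuses to store data for a purpose the user never opted in to, exports a user's records as CSV, purges records whose retention has lapsed, and erases everything on request.

```python
"""Minimal consent ledger with CSV export, erasure and retention purge.

Added example (not from the original article). Names, the in-memory
store and the retention periods are assumptions chosen for illustration;
a real deployment would back this with a database and an audit trail.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class ConsentRecord:
    """When and how a user agreed, and for which listed purposes."""
    user_id: str
    purposes: frozenset
    source: str          # hypothetical label, e.g. "signup-form"
    given_at: datetime


@dataclass
class DataRecord:
    """One piece of personal data, tied to a purpose and a retention limit."""
    user_id: str
    key: str
    value: str
    purpose: str
    stored_at: datetime
    retention_days: int

    def expired(self, now: datetime) -> bool:
        return now >= self.stored_at + timedelta(days=self.retention_days)


class UserDataStore:
    """In-memory store that enforces purpose-bound consent and retention."""

    def __init__(self) -> None:
        self.consents: Dict[str, List[ConsentRecord]] = {}
        self.records: List[DataRecord] = []

    def record_consent(self, user_id, purposes, source, now) -> ConsentRecord:
        rec = ConsentRecord(user_id, frozenset(purposes), source, now)
        self.consents.setdefault(user_id, []).append(rec)
        return rec

    def has_consent(self, user_id, purpose) -> bool:
        return any(purpose in c.purposes for c in self.consents.get(user_id, []))

    def store(self, user_id, key, value, purpose, now, retention_days=365) -> None:
        # No opt-in for this purpose means the data is not kept at all.
        if not self.has_consent(user_id, purpose):
            raise PermissionError(f"no consent from {user_id} for {purpose!r}")
        self.records.append(DataRecord(user_id, key, value, purpose, now, retention_days))

    def export_csv(self, user_id) -> str:
        """Portability request: everything held on the user, as CSV text."""
        buf = io.StringIO()
        w = csv.writer(buf, lineterminator="\n")
        w.writerow(["key", "value", "purpose", "stored_at"])
        for r in self.records:
            if r.user_id == user_id:
                w.writerow([r.key, r.value, r.purpose, r.stored_at.isoformat()])
        return buf.getvalue()

    def erase(self, user_id) -> int:
        """Deletion request: drop the user's data and consent records."""
        before = len(self.records)
        self.records = [r for r in self.records if r.user_id != user_id]
        self.consents.pop(user_id, None)
        return before - len(self.records)

    def purge_expired(self, now) -> int:
        """Retention job: delete records that are past their keep-for window."""
        before = len(self.records)
        self.records = [r for r in self.records if not r.expired(now)]
        return before - len(self.records)


def demo() -> dict:
    """Walk through consent, storage, export, retention purge and erasure."""
    t0 = datetime(2019, 1, 25, tzinfo=timezone.utc)   # constructed timestamp
    store = UserDataStore()
    store.record_consent("u1", {"account", "newsletter"}, "signup-form", t0)
    store.store("u1", "email", "alice@example.com", "account", t0, retention_days=3650)
    store.store("u1", "ip", "203.0.113.7", "newsletter", t0, retention_days=30)
    try:                                   # purpose the user never opted in to
        store.store("u1", "politics", "constructed", "ad-profiling", t0)
        denied = False
    except PermissionError:
        denied = True
    export = store.export_csv("u1")
    purged = store.purge_expired(t0 + timedelta(days=31))   # IP expired, email not
    erased = store.erase("u1")
    return {"denied": denied, "export_rows": export.count("\n") - 1,
            "purged": purged, "erased": erased, "left": len(store.records)}


if __name__ == "__main__":
    print(demo())
```

The key design choice is that consent is checked at write time and every record carries its own retention limit, so "only keep what you need, for as long as you need it" is enforced by the store rather than remembered by the developer.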
That’s it for now folks. Let me know in comments or by tweeting @ddevjani if you have any other questions or think I should include something I forgot to include.
Guest article written by: Deepak Devjani