GDPR is coming. What do you do?

For those who still don’t know why they’ve been receiving several emails a day with “GDPR” in the subject line, here is a short explanation.

GDPR — the General Data Protection Regulation — is a new set of data protection rules adopted by the EU in April 2016. It becomes enforceable on May 25, 2018 and is meant to protect the rights of EU citizens regarding their personal data. It also brings multi-million fines for companies that do not comply with the new rules.

If your company (service, application) works with users from the EU, these rules apply to you as well.

While working with our clients on their compliance, we prepared this short list of things you should do and things you should pay attention to in order to fully comply.

  1. Identify and document what personal data you collect, how long you store it, and in what form (personalized or depersonalized). If you collect more data than necessary, reevaluate it and get rid of the excess. You should also add a paragraph to your Privacy policy describing how long you store personal information and what happens to it when the user leaves the service.
  2. The Privacy policy is one of the main documents you should update (an example of a GDPR-updated Privacy policy from Wargaming). It should contain the list of data you collect about the user, the purposes of that collection, the terms of storage and of sharing with third parties, and the name of the data protection controller together with information about the controller.
    Universal goals to collect data:
    — account registration
    — providing tech support
    — providing a service or product
    — sending company news and promotions
  3. Identify and document what personal information you transfer to third parties, especially payment information and other sensitive data (medical records, financial information, etc.). Make sure you delete all payment information once the payment is complete.
  4. If you use standard payment forms, you probably collect your users’ personal information, and in some cases this data stays in your system. GDPR makes that illegal, so you should refactor your processes and delete the data after a specified amount of time.
  5. Nice to have: encrypt user data on your side, use end-to-end encryption or pseudonymization. Using HTTPS is highly advised.
  6. The right of access — you should give the user the ability to request the information you collect about them.
  7. The right to rectification — the user should be able to change their personal information and/or request controller to rectify any errors in their personal data.
  8. The right to erasure (“right to be forgotten”) — the user should have the opportunity to delete their personal data. You should consider two options — full deletion (think through the procedure for re-creating the account afterwards) and partial deletion.
  9. The right to object — the user should have the ability to object to the processing of their PII by contacting your tech support.
  10. You should determine the legal basis for data collection and be able to provide evidence that the user gave consent, if needed. Here’s a guide on how to do that.
  11. Cookies. All cookies that you use should be listed in your Privacy policy with the type of each cookie (analytical, internal service cookies, third-party cookies), the purpose for using it and its storage term. On the website or in the application it is advisable to show a pop-up window about cookies with a link to the cookies paragraph in your Privacy policy. Also, be sure to state that the user can always refuse cookies by using a browser extension or by changing their browser settings.
  12. Examine your checkboxes and agreements. The user should give their direct consent to the use of their personal data (including cookies). The user should be able to see the list of said data and your Privacy policy in explicit form before agreeing to proceed. At each stage and for each item (collection, processing, storage) there should be a separate, unticked checkbox. If the data is to be transferred to independent services, it is advisable to name these services and list them with separate checkboxes.
  13. If the service is provided to children (up to 16 years in the EU, up to 13 years in the UK), then consent for processing should be provided by their parents or legal guardians. Regardless of the focus of the website or application, the paragraph about its potential use by children should be added to the Privacy policy.
  14. It is necessary to add procedures for prevention, investigation, and reporting of data leaks. If there is a data leak that could affect the personal data of users, you need to notify the ICO (Information Commissioner’s Office) and the users whose data was leaked, within 72 hours.
  15. When working with more than one member state within the EU, it is necessary to determine the lead supervisory authority. Link to the guide. An easy way to determine it is to select the country most of your users come from.
  16. Nice to have — PIA, or Privacy Impact Assessment. The process of assessing and reducing the risks of violation of privacy. The detailed full guide here.
  17. For mailings the same principle applies: it is necessary to obtain consent, create a list of the data used to determine the notification channel, and so on. To avoid sanctions from the mailing service, you must use double opt-in for all mailings. Also, the registration form needs an unticked checkbox which the user ticks to agree to receive emails. The text next to the checkbox must link to the specific part of your Privacy Policy that states the terms of marketing-related use of PII. The detailed guide here.
  18. Even if users have previously signed up and agreed to use the service, they must be notified once again about the new GDPR Privacy Policy, so that they agree to their data being processed, stored, and transferred in accordance with the new rules. If you use mailing services, you must re-run the double opt-in for all subscribers. Your database should record the acceptance status of the new GDPR Privacy Policy for every email address.
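Three of the items above describe mechanisms rather than paperwork: pseudonymization (item 5), keeping evidence of consent tied to the policy version the user actually saw (items 10 and 18), and deleting payment data after a fixed retention period (items 3 and 4). The following is an added example of how these could look in code; it is not from the original post and not from any of the guides it links to. Everything in it is an assumption for illustration: the in-memory ledger and record list, the `PSEUDONYM_KEY`, the `POLICY_VERSION` label and the constructed sample users and timestamps.

```python
"""Added example (not part of the original post): building blocks for
GDPR checklist items 3-5, 10 and 18, standard library only.

  pseudonymize_id      keyed pseudonym for a user identifier (item 5)
  record_consent       evidence of consent per purpose and policy version (items 10, 18)
  has_current_consent  check that consent covers the *current* policy version
  purge_expired        retention-based deletion of stored payment data (items 3, 4)
"""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed key for this example. In a real system it lives in a secrets
# manager, separate from the dataset: that separation is what makes the
# output pseudonymous rather than a plain hash anyone could recompute.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Assumed label for the GDPR revision of the privacy policy.
POLICY_VERSION = "privacy-policy-2018-05"


def pseudonymize_id(user_id, key=PSEUDONYM_KEY):
    """Stable HMAC-SHA256 pseudonym (hex) for user_id.

    The same user always maps to the same token, so analytics and joins
    still work, but without the key the token can neither be reversed nor
    recomputed from a guessed identifier."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def record_consent(ledger, user_id, purposes, policy_version=POLICY_VERSION, now=None):
    """Append one consent record: who, which purposes were explicitly ticked
    (an unticked checkbox is stored as False, never as a default True), which
    policy version was shown, and when. This is the evidence of consent a
    controller must be able to produce."""
    now = now or datetime.now(timezone.utc)
    entry = {
        "user_id": user_id,
        "policy_version": policy_version,
        "purposes": {p: bool(v) for p, v in purposes.items()},
        "timestamp": now.isoformat(),
    }
    ledger.append(entry)
    return entry


def has_current_consent(ledger, user_id, purpose, policy_version=POLICY_VERSION):
    """True only if the user's latest record is for policy_version and the
    purpose was ticked. Consent given under an older policy (item 18) or a
    purpose that was never ticked both yield False."""
    for entry in reversed(ledger):
        if entry["user_id"] == user_id:
            return (entry["policy_version"] == policy_version
                    and entry["purposes"].get(purpose, False))
    return False


def purge_expired(records, retention, now=None):
    """Drop records whose 'stored_at' is older than the retention window.
    Returns (kept, purged_count) so every purge run can be logged."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - retention
    kept = [r for r in records
            if datetime.fromisoformat(r["stored_at"]) >= cutoff]
    return kept, len(records) - len(kept)


def demo():
    """Constructed scenario: one user re-consented under the new policy,
    one did not; two payment records, one past its 30-day retention."""
    now = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)  # constructed clock
    ledger = []
    old = now - timedelta(days=400)
    record_consent(ledger, "user-42", {"service": True, "marketing": False},
                   policy_version="privacy-policy-2017", now=old)
    record_consent(ledger, "user-42", {"service": True, "marketing": False}, now=now)
    record_consent(ledger, "user-7", {"service": True, "marketing": True},
                   policy_version="privacy-policy-2017", now=old)

    # Payment records hold only a pseudonym and the last four digits.
    payments = [
        {"user": pseudonymize_id("user-42"), "card_last4": "4242",
         "stored_at": (now - timedelta(days=100)).isoformat()},
        {"user": pseudonymize_id("user-7"), "card_last4": "1111",
         "stored_at": (now - timedelta(days=1)).isoformat()},
    ]
    kept, purged = purge_expired(payments, timedelta(days=30), now=now)
    return {
        "user42_service": has_current_consent(ledger, "user-42", "service"),
        "user42_marketing": has_current_consent(ledger, "user-42", "marketing"),
        "user7_marketing": has_current_consent(ledger, "user-7", "marketing"),
        "payments_kept": len(kept),
        "payments_purged": purged,
    }


if __name__ == "__main__":
    print(demo())
```

The consent check deliberately keys on the policy version rather than on a boolean "accepted" flag: that is what lets item 18 (re-consent after the policy changes) fall out naturally, since older records simply stop counting once `POLICY_VERSION` is bumped.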

Implementing all of these policies isn’t hard for almost any project:

  • Most of these policies already have templates you can use.
  • Editing and deleting data is simple to implement (don’t forget about backups).
  • Rules for temporary storage of data and end-to-end encryption are already de facto standard and should be in place by design.

So implementing GDPR isn’t the hardest task for most well-built projects.
