We have got GDPRed. Have you?

You’ve got… what?

Gladly, GDPR (General Data Protection Regulation) is going to replace the old piece of a bill. It’ll protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy. If you haven’t heard about it yet, you’re probably wondering about all the what’s and how’s. Without further ado…

What is personal (and non-personal) data

A good question, which I probably should have led with. Well…

How to make your business compliant?

Run an audit

You can’t move forward unless you define how much of personal and non-personal data you handle as a business. Therefore, the first step to making your business compliant is running a rock-solid audit. It’ll help you uncover all data processors, which then you can question whether they are needed or not. After all, the entire compliance is about proper spring cleaning and being aware of personal data you store and why. There’s no harm in that, right?

When you discover a new piece of data, ask yourself the following questions:

1. What are you using the data for?
2. Where is the data being stored?
3. Do you still need the data? (no room for sentiments; get rid of as much as possible for your own convenience!)

Even though the audit sounds painful, it’s pretty much the most difficult and time-consuming part you’ll have to do on your way to becoming a better data protector (sounds like a superhero).

Update privacy policy page

By now you should have a pretty good understanding of what personal data you handle. It’ll allow you to craft an accurate privacy policy page (or update an existing one) to reflect your findings and reassure your visitors and customers that their personal data is in good hands.

Take a look at our privacy policy page if you need a template or hand-holding.

Make sure you answer the following questions:

• What data is stored?
• Where is data stored?
• Why is data stored?
• Is it secured?
• Who has an access to data?

I don’t process any data, but I use third parties like MailChimp or Google which do. What should I do?

Even though most of those companies are based outside of European Union, they must comply with GDPR rules when dealing with EU based businesses. There’s nothing you have to do on your end and they’re most likely already compliant with the new legislation. If not, they’ll soon be. It’s kinda a big deal, you know.

What have we done to be GDPR compliant?

Being a web agency we process a plentiful of customers’ data including login credentials. That’s why we take security very seriously and we do our best to keep everything away from unwanted hands.

GDPR helped us to re-visit our internal processes, improve the way we store the data and ensure its maximum security.

Things we’ve done:

• We’ve gone through over 200 accounts and have changed passwords for each of them to a unique phrase consisting of numbers, lower case letters, upper case letters and symbols.
• We’ve instated a mandatory password reset for the above accounts every three months.
• We’ve wiped any personal data and login details that haven’t been used for at least 3 months.
• We’ve permanently deleted e-mails older than 30 days, which didn’t include any important data to ongoing operations.
• We’ve disabled password auto-saving in our internet browsers.
• We’ve got in touch with our business partners and suppliers to make sure they comply with GDPR rules (we were last to arrive at the party – oops).
• We’ve educated ourselves on the topic of handling personal data and recommended approaches to staying safe online.

I said we were quite serious about it. Plus, who would have wanted a €20,000,000 penalty?