We Have Got GDPRed. Have You?
Remember what year our beloved Facebook was invented in? That's right, 2004. What if I told you the last update in the data privacy was made back in 1998? Feeling a little less secure all of sudden, aren't we? Unfortunately, the reality is our personal information is currently protected by a very out-dated act released 20 years ago, which doesn't take into account the Internet's growth that has happened since.
You’ve got… what?
Gladly, GDPR (General Data Protection Regulation) is going to replace the old piece of a bill. It’ll protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy. If you haven’t heard about it yet, you’re probably wondering about all the what’s and how’s. Without further ado…
What is personal (and non-personal) data
A good question, which I probably should have led with. Well…
Personal data refers to data which can be used to identify a living individual directly or indirectly. On the contrary, non-personal data describes information which is anonymous and can’t be used to track a person.
End of TL;DR
Examples of personal data your business might collect are:
- Email address
- Phone number
- Medical details
- Bank details
- Online identifier
- Gender or nationality
Examples of non-personal data your business might collect are:
- IP address
- Access logs
- Browsing history
How to make your business compliant
Run an audit
You can’t move forward unless you define how much of personal and non-personal data you handle as a business. Therefore, the first step to making your business compliant is running a rock-solid audit. It’ll help you uncover all data processors, which then you can question whether they are needed or not. After all, the entire compliance is about proper spring cleaning and being aware of personal data you store and why. There’s no harm in that, right?
When you discover a new piece of data, ask yourself the following questions:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data? (no room for sentiments; get rid of as much as possible for your own convenience!)
Even though the audit sounds painful, it’s pretty much the most difficult and time-consuming part you’ll have to do on your way to becoming a better data protector (sounds like a superhero).
Make sure you answer the following questions:
- What data is stored?
- Where is data stored?
- Why is data stored?
- Is it secured?
- Who has an access to data?
I don’t process any data, but I use third-parties like MailChimp or Google which do
Even though most of those companies are based outside of European Union, they must comply with GDPR rules when dealing with EU based businesses. There’s nothing you have to do your end and they’re most likely already compliant with the new legislation. If not, they’ll soon be. It’s kinda a big deal, you know.
What have we done to be GDPR compliant
Being a web agency we process a plentiful of customers’ data including login credentials. That’s why we take security very seriously and we do our best to keep everything away from unwanted hands.
GDPR helped us to re-visit our internal processes, improve the way we store the data and ensure its maximum security.
Things we’ve done:
- We’ve gone through over 200 accounts and have changed passwords for each of them to a unique phrase consisting of numbers, lower case letters, upper case letters and symbols.
- We’ve instated a mandatory password reset for the above accounts every three months.
- We’ve wiped any personal data and login details that haven’t been used at least 3 months.
- We’ve permanently deleted e-mails older than 30 days, which didn’t include any important data to on-going operations.
- We’ve disabled passwords auto-saving in our internet browsers.
- We’ve got in touch with our business partners and suppliers to make sure they comply with GDPR rules (we were last to arrive at the party – oops).
- We’ve educated ourselves on the topic of handling personal data and recommended approaches to staying safe online.
I said we were quite serious about it. Plus, who would have wanted €20,000,000 penalty?
Let me know how you get on. You have time until 25th May 2018. Go!