Hey guys, welcome to the Business Bites Podcast. I am your host, Rachel Brenke, and I wanted to get this podcast out to you guys fairly quickly because we are now coming down to the wire on the GDPR or the general data protection regulation deadline. In fact, we are only a couple of weeks away from anybody that is servicing under the EU to fall in line with these regulations. This episode, I’m going to walk through some of the data protection and privacy for all individuals within the European Union. We’re going to talk about the exportation of personal data outside the EU. Please remember that the GDPR as a main goal is to give the control back to citizens and residents over their personal data, and to simplify the regulatory environment for international businesses by unifying all the regulations. Don’t let that freak you out though, because if you guys have already been using proper privacy policies in place, you already have a lot of this information.

So it is coming into force on 25th of May 2018. This has already been a couple of year transition period, so many of you may already have this all under control. But we want to go ahead and get into this so that you guys understand what you need to do to update on your privacy policies on your website to make sure you’re properly in compliance and protecting any of your visitor, your website visitor, or your customer data.

Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. Guys, this can be anything from a name, a home address, a photo, an email address, bank details, post on social networking sites, medical information, or even the computer’s IP address. All right, so let’s go ahead and just dig in, and if you guys are having a website, a blog, eCommerce site, or any of you with an online social media presence, and you are reaching out into European Union countries, you’re potentially selling to anybody in those countries or gaining their information, you need to be in this GDPR compliance. We need to make sure that all data processors and sub-processors are compliant as well. And again, GDPR covers all and only data held in your organization and with third party data processors, okay?

Keep in mind though, that the GDPR does not trump other laws. For example, if you have to keep personal data to justify certain charters, and you need to keep that for your tax compliant data, then the GDPR does not trump that. All right, so if you guys are not even wanting to have to deal with this yourselves, you’re just merely using this podcast episode as a knowledge base, good, good, good. Just keep in mind, you’re still going to have to have someone that takes over the data protection, whether you hire someone on staff to do that, or a third party as well. Whoever you’re going to have that’s doing this, particularly if they’re going to be an employee that’s on your staff, make sure you get the proper data protection training and a certification in order to do this.

But most basically, y’all, guys, everyone’s freaking out over this because they think that it’s such a big departure from what we’re already doing. But like I said, if you already have the proper privacy policies in place, it’s not that big of a deal. So most basically, we are going to update our privacy policies and ensure that we include a GDPR compliance line. That is really the only big departure that we have going on here. The other stuff that I’m about to outline for you is stuff that already should have been included in any proper lawyer drafted privacy policy.

For example, what information you’re collecting and you’re storing from your website visitors or customers, such as access information, cookies, visit duration, IP addresses, device information, visit tracking, mouse and swipe actions, email, phone, name, address, and billing addresses. You also want to make sure you’re specifying how and where you process this personal information. For example, sales reporting, marketing, any user experience research and accounting, specify who has access to this personal data, such as yourself, or maybe use a customer management system like Ontraport or Salesforce, or maybe your email manager such as MailChimp, or even down to Google, a way is using the tracking with Google Analytics.

Make sure you specify the contact details of whoever you are assigning as your data protection officer within your organization. This is also another change you guys need to have in play, specify how someone can launch a data subject access request, and also specify how long for and in what capacity you hold personal information. Please keep in mind, we cannot just put arbitrary, vague language out here, of, “We may use your information like X, Y and Z.” You need to specific and honest with how you’re using people’s personal information. Again, when I’m saying information, that’s not just like their name, their email and their address, and all of that. That is also including the IP addresses, device information, and everything else that I listed.

Now, this sounds like common sense, but maybe it’s a good time to put it in play if you’re not already doing it, in order to be GDPR compliant and to make it easier on you, collect only information that’s really required for you to run your business. If you don’t need extra information, then don’t get it. Delete any other information that you’re not utilizing, you’ve no sense in keeping it and running the risk of a breach. But should you have a breach, it needs to be recorded and acted upon with a preventative measure. Examples of data breaches can be passing a personal data into a non-GDPR compliant country, passing personal data to a third party without the knowledge of the data subject, personal information being passed or coming into possession of an unauthorized data processor or sub-processor. But we’re not going to have a problem with that hopefully, because we are going to get in play and make sure that all processors and hosts and website security is going to be in line.

And last but not least, most commonly in the data breaches that most of you are probably thinking is, personal information leaked as a result of a hack on a website. Now, obviously with all data breaches, need to be recorded and actioned upon with a preventive measure. You want to make sure that before this even happens, that you’re going to have a data breach process and plan in place. Make sure that you dream up and get creative of all the worst possible situations that could occur, to make sure you can reverse engineer and come out with a data breach process plan, so that you’re not scrambling should it happen.

Probably the most relevant that you guys could do besides updating of the privacy plan and creating of the data breach process and policies, is also having a process in place for when someone is looking for a copy of their data. Someone may reach out to you and want to know all the personal data that you hold on them. So the tips would be, obviously, identify who the person is and check to see if you even have the data on-hand. If you don’t have the data, then you need to have some standard language just letting them know that you appreciated their request, but you don’t have any data. However, if they’re already an existing customer, they’ve opted in for like a newsletter, eBook, etc., or they’ve just visited the website and you’re utilizing other tracking devices, you’re going to have some form of data. More than likely, if they have come to you and are asking and they’ve submitted through your website, and you have all this tracking stuff in place, you then at least have some data in there as well.

Process the request once you’ve verified it, and then record it also in your data protection policies. Create a log so you have that in play. Common sense, but do not reveal other people’s personal data. Just make sure that it’s only the person that is requesting and only the information that is tied specifically to that individual that is requesting about it as well.

On the flip side, while you may have someone who just wants to know what data you have for them, they may take the steps to saying they want to be forgotten by your company, all right? So let’s say they come to you and say, “I’ve purchased from you before, but now I want you to get rid of my data.” Just like before, verify their identity, make sure that you have the data before processing in their request, which we’ve already identified more than likely we will. Remove or redact any of the personal information stored, recorded in your data log, and make sure you do it on a timely basis to be in compliance with GDPR. However, whether GDPR requires it or not, this is a very good process that you guys should have in play in your company handbooks, because you should just want to honor and respect your customers as well.

All right, so moving on. In line with that as well, because there are people who want to be forgotten, but they also may want their information withdrawn. So say for example that they ask for the data not to be used after the order, or the opt-in delivery, maybe they don’t want to get an email anymore from you, or they don’t want to get any more marketing materials after their product has been shipped and delivered. Same steps. Verify the delivery, flag the data in any customer database that you’re using, so it’s not used in any marketing reports, or targeting campaigns, and then just let the person know that you have done it, again, with the templated response that you’re going to end up using. And when I say templated, it doesn’t need to be cold-hearted and sterile, but just come up with something that is a professional statement that unequivocally shows that you have abided by their request and that you are confirming the action that they are requesting.

All right, also, all of this, make sure we have updated the privacy policy, like we talked about before, but this is also going to include any other contracts, NDAs, intellectual property acknowledgements, or any other documents that you are working with with your staff, so that you can also let them know about GDPR for data protection, give them the good training, and then make sure that they have also signed these proper documents to ensure that they’re protecting the client data that they may potentially have access to as well.

So I know that’s a lot of information for you guys. Just a brief rundown again. GDPR, the drop date is coming here at the end of May 2018. Make sure that you have these data protection plans in place, whether it is the logging of data, a breach, a forgotten request, or a no longer use of data request. Update your privacy policies. Update your NDAs and contracts with all your staff. Make sure you also identify somebody on your staff and give them the proper training to handle any data protection issues. Again, any breaches that you have, make sure that you investigate, locate its source, and get it taken care of, and notify any potential leakage of personal information to the individuals whose information may be in there.

Please do not be overwhelmed, please do not be scared. Just know that you guys can easily institute this. I think there’s a lot of hullaballoo because it is important, but I think everyone’s making it out to be a lot harder than it needs to be. So just dig in, go back through the steps that I just provided through this episode, and you’re well beyond your way to getting compliant. On the things that I’ve identified where language needs to be created, this would be an opportune time for you to reach out and get to know an attorney, a solicitor, whatever they’re identified in your country, in order to draft the proper language for you to ensure that you are legally protected.

Hope this helps you guys. Have a wonderful day, and make sure you stay protected and abide by this, because you don’t want to be caught with your pants down later on.