The General Data Protection Regulation is a regulation that requires businesses to protect the personal data of EU citizens. This unprecedented regulation becomes enforceable from 25 May 2018, and non-compliance with it might lead to dire financial consequences. Since May 25th is just around the corner, I’ve decided to put together this guide to help you understand what GDPR is, how it is being implemented, whether it will affect your company, and if so, how to prepare for it.
I have mixed feelings when it comes to GDPR. The regular fellow in me is thrilled by the prospect of having my data security and privacy guaranteed. The business owner in me, on the other hand, is frustrated. It is a major distraction from our key development goals. It stops us from growing and innovating. But at the end of the day, our customers are what matters, so I’d say that GDPR is necessary.
If you don’t implement GDPR you might get fined 20 million dollars or 4% of your annual income. But will they really come for us? Small businesses like mine and yours are the least of their concern. It is the big fish they are interested in. The likes of Google, Facebook and YouTube should be worried, but a small business owner is very likely to fly under the radar. In my humble opinion you’re safe after May 25th, or maybe even until the end of the year. And depending on how things go after that, if they start fining everyone it might cause a lot of backlash. Still, I believe it’s better to do it than face the risk of ending up like Facebook and Cambridge Analytica.
To Comply or Not to Comply
I am a firm believer that your data should be your own. Your data shouldn’t belong to a corporation or a company. So, ethically I like the ideals of GDPR and I think we should all comply. Developing it, though, would be a pain. This is why I have talked to a lawyer and made some notes that will be of as much help to you as they are to me. Before delving into a more thorough explanation, I should inform you that GDPR affects you if your customers are from an EU country. Regardless of whether you live in the US or India, as long as your customers are EU citizens you have to comply.
So, now we are going to cover each of the core segments of GDPR, followed by how Kyvio is going to comply with each one.
Always Ask for Permission
The very first thing you should do when asking someone to opt in is ask for their permission. It is mandatory to have a checkbox where potential customers say “Yes, I approve of you marketing to me.”
The days when people opted in or logged a ticket and it automatically created their accounts are over. This feature is one of my least favorite since it changes the usability of the platform. Now GDPR dictates that people have to click submit and check the box themselves; it shouldn’t be automatic. And if this is not enough, we need to keep a record of consent in our database.
When a person opts in, when they click to consent, we have to record that together with that person’s IP address, as well as the date. This is where things become confusing. If no one is using the data, or if it’s inactive, then you should delete it after a certain amount of time. The annoying thing is, there’s a tick box but also an agreement, so the whole thing is double locked. It is what the GDPR asks for, and it is something we are planning on implementing. You don’t have to do it though; it’s up to you.
So, what happens if users choose not to confirm that double opt-in? As I mentioned earlier, you should delete that data after some time. The good thing is, this time span is not one week or two weeks, but three years.
Then when you are importing a list into Kyvio, a member’s list or a customer list, there’s a checkbox. It says: I approve that I have permission to mail these leads.
There will be yet another checkbox that says: I approve that if there are any EU customers in here, they have given me consent to mail to them. So we record consent when you tell us you have consent. If you don’t have consent, just don’t import them. If you choose to import them without consent and a customer says, “Well, why did you mail me? I didn’t agree to that,” that’s completely on you. That’s not on us, because we were merely following your directive. So that’s a responsibility that you have to take as well.
How Kyvio will comply: Checkbox to confirm that you have permission to mail these leads.
Next, it’s your responsibility to tell people you are going to track their cookies. Implement a pop-up message as a heads-up. It could be something along these lines: “According to EU regulations we are tracking your cookies. We just want your consent.” If they don’t give you their consent, you still track the cookies, and the pop-up is your way of warning them about this.
How Kyvio will comply: We will introduce a mandatory notification for ALL Kyvio end-users (from EU/Canada) regarding cookie consent.
The contract is the basis on which GDPR will apply to you and us. There are two parties in it, the processor and the controller and each party will get a copy. Since we are processing your data, we are the processor, and you are the controller. But for your customers, you are the processor, they are the controllers.
The processor has all the duties to be compliant, but the controller holds the responsibility. Let’s illustrate this. With Kyvio, we’ll do everything we need to do. However, if someone has a complaint, they will come to you. They won’t come to us directly as the end user. You can come to us, and that’s fine because we are processors for you, but your audience will mostly come to you for any issues or any GDPR-related questions they have.
How Kyvio will comply: We will have a GDPR compliance contract that every customer has to sign. We’ll add that before May 25th.
Create an opt-out and data retrieval/editing page
We’re going to have a page within our website where people will be able to see all the information we have about them in our accounts. That would be for you and for them as well. So let’s say it’s your customer, ABC@yourwebsite.com. They come to this special page and request to see the details our website has on them. They put their details in and you bring up everything you have. If we have your name, your phone number, your address on file, we share that with you. Now, the thing is that regardless of where the information came from, and regardless of the number of different lists the person appears in, we have to show all of it. It’s mandatory. That’s the data transparency part.
Users have the right to request their data at any time. They also have the right to edit or delete that information. The worst-case scenario is that you have a lead that someone else has as well, and they come to that page and say, “Okay, delete me from your system entirely,” and you lose that lead. But that’s what GDPR says. And in a way, I agree with this. It’s the user’s information, and you’re giving the rights to that information back to them. You’re giving the power back to them.
How Kyvio will comply: We will set up a central page where users can request details of the personally identifiable data currently held, and request for these details to be edited or deleted.
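The consent ledger described in the opt-in section (consent recorded with IP address and date, a double opt-in confirmation, and deletion of unconfirmed records after three years) and the data transparency page above can be sketched as one small data structure. This is an added illustration, not Kyvio’s code; the class and field names, the 365-day year, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "Three years" from the post; 365-day years are an assumption of this example.
RETENTION = timedelta(days=3 * 365)


@dataclass
class ConsentRecord:
    email: str
    ip: str                 # IP address captured at the moment of opt-in
    consented_at: datetime  # UTC timestamp of the opt-in click
    source_list: str        # which list / import the person came from
    confirmed: bool = False # True once the double opt-in link is clicked


class ConsentLedger:
    def __init__(self):
        self.records: list[ConsentRecord] = []

    def record_consent(self, email, ip, source_list, when=None):
        """Store one consent event; nothing is created without an explicit click."""
        rec = ConsentRecord(email.lower(), ip, when or datetime.now(timezone.utc), source_list)
        self.records.append(rec)
        return rec

    def confirm(self, email, source_list):
        """Mark the double opt-in as completed for that person on that list."""
        for r in self.records:
            if r.email == email.lower() and r.source_list == source_list:
                r.confirmed = True

    def purge_unconfirmed(self, now):
        """Delete opt-ins never confirmed within the retention window; return the emails removed."""
        is_stale = lambda r: not r.confirmed and now - r.consented_at > RETENTION
        removed = sorted({r.email for r in self.records if is_stale(r)})
        self.records = [r for r in self.records if not is_stale(r)]
        return removed

    def subject_access(self, email):
        """Everything held on one person across every list (the transparency page)."""
        return [r for r in self.records if r.email == email.lower()]

    def erase(self, email):
        """Honour 'delete me entirely': remove the person from all lists; return count removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r.email != email.lower()]
        return before - len(self.records)
```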
What if Someone Refuses to Comply with the GDPR?
You have to have agreements in place with your processors that certify their compliance. If they refuse to comply, then you should stop working with them, because according to GDPR regulations that makes the data vulnerable. If by any chance you decide to still work with them even though they’re not compliant, you run the risk of getting fined. They might not get fined. It is very unclear where the buck stops. Does it stop with you? Does it stop with them? We don’t know. However, if you’re running a business you are responsible for data security. So, my advice to you is this: compile a list of anyone who you think is not compliant. Talk to them, and if you can’t convince them to comply, stop the collaboration.
How Kyvio will comply: We will contact all of our service providers to make sure they are compliant. If they aren’t, we stop working with them.
The other new thing that GDPR makes necessary is invoicing. You, as a customer, have the right to know how much money you have spent in any given month. You should be able to download all your invoices if you want to, and we ought to make that possible.
How Kyvio will comply: Better invoicing data in the account (and when data retrieval is requested).
One last piece of advice: Don’t just outsource your responsibility to a third party. If you’re running a business, it is your responsibility as well.
There might be other factors at play, and more rules that apply, as the situation develops. We will continue to add more things to our GDPR compliance, though we might not update this article in its entirety (and may simply create a new one!). Search our site to get more information, or get in touch if you need clarification.