See if you are GDPR-ready and can spot some simple mistakes in this fictional example.
As GDPR legislation comes into force today, preparations are reaching fever pitch as companies double-check the requirements. If you’re in Europe, you’ve probably noticed that some big news sites such as the Los Angeles Times, USA Today, the Chicago Tribune, India Times, and others have either been blocked, had large portions of their content blocked or have been put on a blacklist.
Want to check how ready you are? Buried inside the hypothetical scenario below are 10 mistakes that some companies may need to fix as GDPR rules are put in place.
Read on and see if you can spot them. We’ve provided the answers below.
SPOT THE MISTAKES GAME
Startup company XYZ invites new users to sign up for its service from its website. On the front page it displays a consent form asking for customers’ contact and payment details and also their religious and ethnic backgrounds. There is a pre-ticked box they can untick if they don’t want the company to share their personal data with third party marketing firms.
XYZ’s US-based subsidiary doesn’t use the consent forms on its websites as it is based outside the EU and therefore isn’t ‘caught’ by the regulations.
In double-quick time, the company gathers a database of several thousand users. Unfortunately, there is a data breach. An intern luckily discovers the problem while browsing customer records from his iPad.
He alerts senior management, which meets to discuss a plan of action for the company.
After five days of working through the problem, they send the following statement to the regulator and a subset of the customers that might have been affected.
“XYZ has been the victim of a targeted security attack, which we were unable to deter. We suspect it might be the result of IP address spoofing. There is a possibility your data may have been breached.”
The team is relieved when its investigation reveals that the breach probably took place at another firm – a cloud company that processes that data on its behalf. They alert the regulator - and add that their own databases are encrypted and therefore GDPR-compliant.
A number of customers ask for their data so they can take it to another provider. XYZ regretfully declines, saying its database is based on proprietary technology.
Did you spot the 10 mistakes? Let’s run through them.
- You cannot process data on race, politics, religion, union status, health data or sexual orientation unless there is a requirement in the public interest to do so.
- You cannot use pre-ticked boxes. All consent must be explicit and informed. Also, you cannot bundle multiple consents.
- Beware US-based subsidiaries: GDPR applies to European citizens wherever they are in the world. So European data protection authorities can take action against organizations in the US and elsewhere.
- Only approved employees with a business-critical need should have access to customer data.
- Once you become aware of a data breach, you have just 72 hours to notify the authorities and any affected customers.
- You should not need to devise a response in the moment. You should have a privacy impact assessment (PIA) and plan in place already.
- All correspondence with users about data must be in plain English.
- Companies should encrypt data at rest and in transit. However, GDPR does not explicitly mandate the use of encryption. It advises ‘strong’ and ‘appropriate’ security ‘such as’ encryption.
- GDPR extends liability to all organizations that help process personal data. If a third party with access to your data is not compliant, the buck stops with you.
- Under GDPR, people have the right to data portability. Companies should make sure they can transmit personal data in ‘structured, commonly used and machine-readable formats’.
How did you do? And how well do you think your customers would score?
Obviously, there is much more to GDPR than these ten points. But they’re a good example of how most of the rules simply reflect sensible business practices.
If you suspect that your customers are not fully prepared, reassure them that they can achieve a lot with 12 simple and practical steps, as recommended by the UK ICO.