How to adapt applications and websites to GDPR

All organisations have to adapt to this new regulation before the end of the month, and all new projects should be compliant. Let's look at its key points and how to start adapting to it.

The main point of GDPR is to ensure that organisations only use personal data in an appropriate way. As part of this they have to be transparent and explain clearly how they are going to use it, allow users to see which data the organisation holds about them, and give them an option to correct and delete it in an automated way.

Some actions to adapt to GDPR:

Organise the existing data: which user information you already have, how you got it, what you are using it for, …

Prepare the texts: include which data you are going to collect, who you are going to share it with, how users can delete it, who the data protection officer is… They have to be clear and easy to read so that anyone, including children, can understand them.

Communicate them: new users will confirm them as part of their registration, but you also have to inform your current users, for example by email.

Allow users to access, correct and delete their data: for example, a section in the user profile with all the details and edit and delete buttons.

Allow users to give or withdraw consent in a granular way: for example, have an option to unsubscribe from specific topics or from all of them.

Rethink some actions of your website: you can only use the data for the purposes you have stated, which changes what many websites have done until now. An example is the standard form that you have to fill in to download a guide, whose main goal is to get your email address so that sales can send you marketing emails. From now on you will have to separate the action of downloading the guide from the action of subscribing to the mailing list. You can get more information in pages like this one. Also provide separate consent for different types of processing (e.g. being contacted by phone, by email, …), for which organisations users allow you to share the data with, etc.

Different consent depending on age: if children can use the platform, you will have to get parental or guardian consent.

Differentiate personal and platform data: the user's personal data (name, address, …) is different from the data that relates to their usage of the platform. However, consider that if users ask to delete their purchase history from an online store, for example, the store has to be able to do that.

Individuals' data in B2B businesses: if your platform is used by people who work for your customers, you will have to think about how and when to remove the individuals' data, as your customers may need it for different purposes such as payroll or reporting.

When to delete the data: it should only be stored while it is needed, which can be ambiguous on websites where users register and may not return for a few months. You have to prepare an automated way to delete it after a certain time, for example a few months after the last time the user logged in.

Get ready for data breaches: even if you protect the data very securely, prepare procedures to detect, report and investigate any data breach.
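The consent and retention points above (granular opt-in and opt-out, a timestamped record of each decision, and automated deletion of accounts idle for too long) as a small added example in Python. It is not code from the post; the purpose names, the retention window and the sample users are assumptions, and a real site would use the purposes listed in its own privacy text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical processing purposes, one consent decision per purpose.
PURPOSES = ("newsletter", "product_updates", "phone_contact")


@dataclass
class User:
    user_id: str
    email: str                      # personal data
    last_login: datetime
    consents: dict = field(default_factory=dict)   # purpose -> True/False
    consent_log: list = field(default_factory=list)  # (when, purpose, granted)
    orders: list = field(default_factory=list)     # platform data (purchase history)


def set_consent(user, purpose, granted, when):
    """Record one explicit, granular decision and keep an audit trail of it."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    user.consents[purpose] = bool(granted)
    user.consent_log.append((when, purpose, bool(granted)))


def withdraw_all(user, when):
    """'Unsubscribe from everything': every purpose becomes an explicit False."""
    for purpose in PURPOSES:
        set_consent(user, purpose, False, when)


def may_process(user, purpose):
    """No recorded decision means no consent (no pre-ticked defaults)."""
    return user.consents.get(purpose, False)


def due_for_deletion(users, now, max_idle):
    """Ids of accounts whose last login is older than the retention window."""
    return [u.user_id for u in users if now - u.last_login > max_idle]


def erase_user(users, user_id):
    """Delete the account with its consents and order history; True if it existed."""
    for i, u in enumerate(users):
        if u.user_id == user_id:
            del users[i]
            return True
    return False


def retention_sweep(users, now, max_idle=timedelta(days=180)):
    """Scheduled job: erase every idle account, returning the ids removed."""
    removed = due_for_deletion(users, now, max_idle)
    for user_id in removed:
        erase_user(users, user_id)
    return removed
```

The scheduled job is what turns the "delete after a certain time" rule into something automated; the consent log is what lets you show, per user and per purpose, when consent was given or withdrawn.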

This is just a summary to help you get started with the technical changes. Read as much as you can about it and ask an auditor to verify that your organisation is compliant.

Rafael Borrego

Consultant and security champion specialised in Java, with experience in architecture and team management in both startups and big corporations.

Disclaimer: the posts are based on my own experience and may not reflect the views of my current or any previous employer
