GDPR: preparing for the new personal data legislation

The European Data Protection Regulation (GDPR) will be applicable on May 25, 2018.
At the moment, all you have to do is breathe the word RGPD into a marketing department for there to be panic on board. Since the penalties for non-compliance can be up to 4% of your annual turnover, we have decided to share some useful tips with you to be compliant !

Google and its personal data management dashboard
Google and its personal data management dashboard

Collect only strictly necessary data

This is a real change from the old legislation which only talked about not collecting “excessive” data.
This provision will have significant impacts on the marketing strategies of digital players. For example, an account creation form for an e-commerce site can no longer include the collection of the physical address. It should only be requested in the event of purchase with shipment of the product.
Another example: If for marketing purposes, you want to send an email celebrating the birthday of your customers. You will no longer be able to ask them for the year of birth. Prohibition to ask them for information that is not justified for the purpose of the service.
In order to be compliant by the end of May 2018, it will be necessary to start optimizing all the data collection mechanisms in your interfaces.

Obtain explicit and affirmative consent

The user must give his direct consent via an affirmative action for any use of his personal data.
This provision notably requires websites and applications to clearly request acceptance of the deposit of cookie while detailing precisely its purpose.

It will no longer be possible to pre-check the acceptance box for cookies.

It is also over with the default acceptance and standard messages: “By continuing browsing, you accept the use of cookies. "
Another notable impact, it will now be necessary to obtain an agreement for each type of data (cookie advertising, social networks, statistical analysis).
Finished the generic banner of optin to the deposit of cookies, the process will become significantly more complicated.

Example of a compliant acceptance request - CNIL
Example of a compliant acceptance request – CNIL
  • Erase the personal data of a person who requests it : Anyone will be entitled to request the complete erasure of their personal data. It will then be necessary to proceed with the measurement within 30 days.
  • Allow the portability of personal data : Any person may request to receive personal data transmitted to an organization/company in a structured format. It is recommended to provide a functionality for downloading its data for Internet users. Otherwise, you will be obliged to carry out this export manually and as soon as possible!
    Example of data download functionality offered by Linkedln
    Example of data download functionality offered by Linkedln
  • Notify the CNIL within 72 hours in the event of a personal data leak : Any company victim of a data leak must very quickly notify the national protection authority. It must also inform the person concerned directly. This point is a real novelty that will force companies to communicate on the data hacking of which they are victims. We are obviously thinking of Uber, whose 57 million drivers and users were recently victims of a vast data hack that was otherwise concealed.
  • Do not transfer personal data outside the European Union : Be careful when you select your marketing partners such as retargeting tools, sending emails or push notifications. All their data storage servers must be located in the European Union.
  • Take into account the principle of co-responsibility : The partners who use your personal data must also comply with the GDPR: record keeping, notification in the event of a data leak, etc. Provide a subcontracting contract which stipulates in particular the data processed, the purpose of the processing and the legal requirements in terms of data protection.

By respecting a few basic rules and anticipating the subject, you should be ready for the fateful date in May. Waiting for, our digital analytics consultant support you on the subject and continue to deploy digital strategies.
helloquence-61189
 

Take Away to be GDPR compliant

  • Collect only the necessary data at the end
  • Obtain explicit and affirmative consent to the collection of data: No more the theory of “Who does not say a word consents” and the banners of acceptance of cookies with a yes by default
  • Allow erasure and portability of personal data to any customer requesting it: Provide automatic functionality from the design of your interfaces!
  • Notify the CNIL and your customers as soon as possible in the event of hacking of your data

UX-Republic
[actionbox color=”default” title=”” description=”UX-REPUBLIC is an agency specializing in data strategy and user-centric design. We are also an approved training center. Find all our training courses on our website training.ux-republic.com” btn_label=”Our training courses” btn_link=”http://training.ux-republic.com” btn_color=”primary” btn_size=”big” btn_icon=”star ” btn_external=”1″]