Managing GDPR for digital experiences
By Morten Eriksen
From privacy policies to content management, here’s everything you need to know about GDPR and digital experiences.
In this blog post, we’re explaining it all.
What is GDPR?
In a digital world, more data is available than ever before. In order to help protect customers from having theirs used improperly, the EU put new sanctions and regulations in place from 25 May 2018. Known as GDPR, or “General Data Protection Regulation”, this new regulation is aimed at reducing the severity and frequency of security breaches, and curbing the mishandling of personal data online.
The GDPR is made up of many articles, but its main objective is to give people power over their data, including:
- The right to be forgotten
- The right of access
- The right to object
- The right to restrict processing
- The right to rectification
- The right to data portability
- The right to consent in an understandable manner
- The right to purpose limitation and data minimisation
How should you manage GDPR for your digital experiences?
There are a few steps you can take to ensure your digital experience is GDPR-compliant.
1. Appoint a data controller
Ensure your data is processed correctly with the help of a dedicated data controller, i.e. an individual or legal person who controls, and is responsible for, the keeping and use of personal information in your systems. The data controller will also be the contact person if someone wants to delete, or gain insight into, the data a company holds about them.
Pro tip: Use a solution like iubenda to simplify the process of making sure your apps and sites are compliant.
3. Ensure your digital experience is secure
Using HTTPS is a good start, but to make sure your digital experience is really secure, test it against the OWASP framework or similar. And don’t forget about your CMS: not only should you ensure the CMS hosting is GDPR compliant, you also need a system in place to actively manage privacy.
You’ll need to think about your data processor terms too. As part of GDPR, you have to ensure your data processor terms are in place and readily available, with additional reporting on data processing activities.
4. Stay on top of content and data management
Your organisation needs to be in complete control of where it stores data. That’s because under the GDPR, customers have the right to view, update, export, download and delete any of the data they’ve shared with you. To make this possible, you’ll need the infrastructure required to give customers access to their data, as well as a system that keeps data controllers in the loop.
5. Manage consent
6. Cookie tracking
When a cookie can identify an individual person via their device, it is considered personal data. The majority of cookies are used in that way and will be subject to the GDPR.
To be compliant, one can use soft opt-in consent. According to the Cookie Law, this means giving visitors the opportunity to act before cookies start tracking their actions. If there is fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.
Want to go even further?
Focus on all of the above, and your digital experience should be GDPR compliant. But there’s always room to go further. For extra security, consider:
- Ensuring compliance with Privacy Shield
- Deploying IP anonymisation
- Implementing a limited cookie expiration time
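One way to act on the IP anonymisation item above, as an added example rather than code from the original post: the client address is truncated to a network prefix before an access-log line is stored, so the retained record can no longer single out one device. The sample log lines, the prefix lengths and the function names are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed sample access-log lines (not real traffic); the addresses
# come from documentation ranges. The third line has a malformed client field.
SAMPLE_LOG = """\
203.0.113.77 - - [25/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:02 +0000] "GET /privacy HTTP/1.1" 200 2048
not-an-ip - - [25/May/2018:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 0
"""

# Assumed policy: keep 24 of 32 IPv4 bits (drop the last octet) and
# 48 of 128 IPv6 bits (drop the subnet and interface identifier).
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymise_ip(text: str) -> str:
    """Return the address with its host bits zeroed, keeping only a
    network prefix. Raises ValueError if the text is not an IP address."""
    addr = ipaddress.ip_address(text)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# First whitespace-delimited field of a common-log-format line.
_LEADING_TOKEN = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def anonymise_log_line(line: str) -> str:
    """Replace the client address (first field) in one log line.
    A first field that does not parse is replaced by '-' rather than
    kept, so a malformed entry cannot leak an identifier past the
    anonymiser (data minimisation by default)."""
    m = _LEADING_TOKEN.match(line)
    if not m:
        return line
    token, rest = m.groups()
    try:
        token = anonymise_ip(token)
    except ValueError:
        token = "-"
    return token + rest


def anonymise_log(text: str) -> list[str]:
    """Anonymise every line of a log file's text."""
    return [anonymise_log_line(line) for line in text.splitlines()]
```

Run this step before the log reaches long-term storage; anonymising after the fact still leaves the identifying copy in the original file.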
GDPR boils down to one thing: control. These regulations give customers control over the type of data they share, where it’s stored, and for how long. And importantly, it gives them the right to be forgotten. As long as your digital experience infrastructure allows for all of this, you’re well on your way to being GDPR compliant.