Almost every day we are asked about GDPR. The questions range from whether they are required to comply, to how exactly they comply. We don’t often get into the legalities of GDPR compliance, but we do help our clients prepare their websites, web, and mobile apps. To address one of the more frequent questions we receive, we have prepared a simple, high-level list of steps you can take right now to achieve GDPR compliance. You will most likely need the help of your technical or development team to handle some of these.
- “Forget me”. Have a function that deletes all personal data collected for a specific user.
- Notify third parties for erasure. Inform all third parties with whom you have shared data to remove the data on a specific user.
- Restrict processing. Implement a feature that marks a profile as restricted, and prevents back-office staff or the public from viewing the profile.
- Export data. Provide an export button that allows users to download all data related to them.
- Allow users to edit their profile. Enable users to access and edit data you have collected on them, including data that you have collected from other sources.
- Consent checkboxes. Create a separate checkbox for each processing operation with clear yes/no buttons.
- Re-request consent. Re-obtain consent to perform an action if the consent users have given was not clear.
- “See all my data”. Give users a way to view their data in the regular UI of the application rather than as a downloadable file.
- Age checks. Ask users for their age request parental permission for children.
- Keeping data for no longer than necessary. Delete data after you have used it.
- Employ best technical practices. Technical best practices are not mandatory, but will greatly assist any GDPR compliance efforts. Ask your IT or development team if they have procedures in place.
The key takeaway from the GDPR is to only use data for the purposes the user has agreed to. Don’t log personal data unless required, and minimize the number of data points you collect on registration and profile forms. Unless you expect to handle tens of requests per month, it may not make sense to automate many of these functions. Instead, you can formalize manual procedures and have your technical service team on standby to execute when a request comes through.
Prospus has been helping organizations of all size make their websites and apps GDPR compliant since 2017. For more information on our services, please see our GDPR Compliance service. Or, you can reach out to us at solutions@prospus.com.