A Brief History of US Data Privacy
In the last few months, the United States has been made hyper-conscious of data privacy and breaches. Facebook’s CEO Mark Zuckerberg took center stage earlier this month for a Senate hearing, triggered by false news that a Russian group developed and published on Facebook and that ultimately influenced voter decisions during the 2016 presidential election. Soon after, a BBC correspondent uncovered that Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, had been scraping Facebook users’ personal data to influence the election.
Cambridge Analytica gained access to personal data on more than 50 million Facebook users including their friend networks and “likes” to map their personalities, target audiences with digital ads, and influence their behavior.
In 2017, Equifax was hacked; the data breach affected 143 million individuals and the count continues to climb. In 2016, Anthem—the second largest health insurer in the US—had a data breach which impacted 79 million consumers. In both cases individuals’ names, social security numbers and birth dates were exposed, according to International Data Group’s CSO, a security and risk management research and analysis company.
Europe’s Approach to Data Privacy & How It Impacts You
The Purpose of the General Data Protection Regulation
The primary objective of the General Data Protection Regulation (GDPR) is to safeguard European citizens against data breaches like we’ve seen in the US.
The regulation has existed since 1995, but in less than a month it begins affecting American companies that do business with European organizations. European data protection rules are extraterritorial. They apply to all personal data mined, processed, and kept about persons within the European Union (EU), regardless of citizenship or nationality. That means any company that processes data from someone residing in the EU without adhering strictly to the GDPR can receive fines of up to 4 percent of the company’s gross revenue or €20 million, whichever is greater, according to EUGDPR.org. The regulation takes effect May 25.
With regard to websites, it comes down to collecting lead and customer information of EU residents as well as data in transit such as cookies, telemetry, metadata, and consent for marketing. Storing that information only in third-party software does not exempt you.
5 Ways to Protect Yourself & Your Clients
One of the biggest shifts is the right of users to obtain the data you might have stored about them. Here are some simple rules you can implement right now.
2. Add a Cookie Disclosure
The majority of websites will need a “Cookie Disclosure,” showing users which cookies you are using and for what purpose. If you use Google Analytics, Hotjar, Pardot, HubSpot, SharpSpring, or Salesforce, be prepared. Essentially, you need to explain how third-party software interacts with users’ data and, at a bare minimum, list all your third-party data providers. Be sure to record (as database entries) every time you share customer info with third parties.
3. Remove Predating Personal Data
4. Prove Consent
You must be able to prove consent at every data entry point, including data collection systems such as contact forms, estimate requests, and statistics. A simple solution is a consent form where users can select “Yes, you can store my info” or “No, you can’t store my info.”
5. Share Timely Hack Alerts
If you are unfortunately hacked, you must tell all your customers within 72 hours.
A Quick Reference To-Do List
For the sake of brevity, here’s a recap of action items that should be addressed before May 25:
- Provide a way for consent
- Prove individual consent
- Establish and re-establish consent
- Provide a way for consent to be withdrawn as easily as it was given
- Check to see that all third-party services are compliant
- List the contact information of associated third-party data providers
- List all the data you collect inclusive of third-party services
- List how you process and use their info
- List how their info and third-party data interact
- Allow individuals to request that their data be permanently erased
- In your e-newsletters, make “unsubscribe” footers visible and accessible
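The consent-related items above (prove consent, let it be withdrawn as easily as it was given, record when customer info is shared with third parties, honor erasure requests) all come down to keeping a dated, append-only record per individual. The following is an added illustration of such a consent ledger, written for this post; it is not Lform’s code or part of any product named here. The class and field names, the in-memory store, and the sample subject and purposes are assumptions for the example; a real site would back this with a database table.

```python
"""Consent ledger: an added, illustrative implementation (not Lform's code).

Per data subject it records which consent was given or withdrawn and when,
logs every disclosure to a third-party processor, and can answer an access
or erasure request. All names and the in-memory store are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentEvent:
    purpose: str        # e.g. "marketing_email", "analytics_cookies"
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime        # when it was captured (UTC)
    source: str         # where it was captured: "contact_form", "unsubscribe_footer", ...


@dataclass
class ShareEvent:
    processor: str      # third-party data provider, e.g. "HubSpot"
    fields: List[str]   # which personal data items were shared
    purpose: str        # the consent purpose the share relied on
    at: datetime


@dataclass
class SubjectRecord:
    email: str
    consents: List[ConsentEvent] = field(default_factory=list)
    shares: List[ShareEvent] = field(default_factory=list)


class ConsentLedger:
    """Append-only record of consent and disclosures, keyed by subject email."""

    def __init__(self) -> None:
        self._subjects: Dict[str, SubjectRecord] = {}

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def _record(self, email: str) -> SubjectRecord:
        return self._subjects.setdefault(email, SubjectRecord(email=email))

    def grant(self, email: str, purpose: str, source: str) -> None:
        """Record that the subject opted in for a purpose ("Yes, you can store my info")."""
        self._record(email).consents.append(ConsentEvent(purpose, True, self._now(), source))

    def withdraw(self, email: str, purpose: str, source: str) -> None:
        """Withdrawal is the same one-call operation as granting, never harder."""
        self._record(email).consents.append(ConsentEvent(purpose, False, self._now(), source))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The most recent event for a purpose decides; no event means no consent."""
        record = self._subjects.get(email)
        if record is None:
            return False
        events = [e for e in record.consents if e.purpose == purpose]
        return bool(events) and events[-1].granted

    def share(self, email: str, processor: str, fields: List[str], purpose: str) -> bool:
        """Log a disclosure to a third party; refuse it if consent for the purpose is not active."""
        if not self.has_consent(email, purpose):
            return False
        self._record(email).shares.append(ShareEvent(processor, list(fields), purpose, self._now()))
        return True

    def access_request(self, email: str) -> Optional[dict]:
        """Everything held about the subject, in plain types suitable for export."""
        record = self._subjects.get(email)
        if record is None:
            return None
        return {
            "email": record.email,
            "consents": [
                {"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(), "source": e.source}
                for e in record.consents
            ],
            "shares": [
                {"processor": s.processor, "fields": s.fields, "purpose": s.purpose, "at": s.at.isoformat()}
                for s in record.shares
            ],
        }

    def erase(self, email: str) -> bool:
        """Permanent erasure on request; returns whether anything was held."""
        return self._subjects.pop(email, None) is not None


if __name__ == "__main__":
    # Constructed walk-through with a made-up subject.
    ledger = ConsentLedger()
    ledger.grant("alice@example.com", "marketing_email", "contact_form")
    print(ledger.share("alice@example.com", "HubSpot", ["email", "name"], "marketing_email"))   # True
    print(ledger.share("alice@example.com", "Hotjar", ["email"], "analytics_cookies"))           # False
    ledger.withdraw("alice@example.com", "marketing_email", "unsubscribe_footer")
    print(ledger.access_request("alice@example.com"))
    print(ledger.erase("alice@example.com"))
```

The point of the design is that consent is never a single editable flag: every grant and withdrawal is a dated event with its source, so you can show what the person agreed to and when, and the share log ties each disclosure to the consent it relied on. `erase` removes the whole record, which is what a permanent-erasure request asks for; if your retention rules require keeping a minimal proof that erasure happened, store that separately from the personal data.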
Next Steps & Recommendations from Your Web Design Company
At Lform, we are still in the process of educating ourselves on best practices when protecting your company and customers. We will be sure to have a clear outline within the upcoming weeks.
Good luck and we hope you found this post helpful as the GDPR activation date approaches.