1. Update Your Privacy Policy
The GDPR is all about transparency and consumer choice. When was the last time you read your privacy policy? When was the last time you read any privacy policy? If you collect data from users of your app or visitors to your website, there is a good chance that you need to have a privacy policy. What's more, you actually need to do the things that are stated in your privacy policy. Being out of compliance with your own privacy policy can open you up to administrative action and lawsuits from more than just the EU. Make sure your privacy policy is up to date with the latest requirements of the GDPR, California law, and other jurisdictions – if you collect data on residents of those jurisdictions, you need to follow their laws.
2. Implement or Update Internal Privacy Policies
The GDPR isn't just about providing user choices; you also need to be able to demonstrate compliance when a regulator asks for a demonstration. The logic makes sense when you think about what will happen when the EU moves to enforce: they will ask you to prove you are complying, and they don't have time to comb through your systems to find the proof themselves. Having internal policies that protect user information gives regulators a data point they can rely on to see that you have made an effort to comply – there is failure to comply, and then there is failure to comply for lack of effort. There is a chance the regulators will be willing to work with you if they see the failure as innocent and made despite a good-faith effort.
3. Provide Users with Choices About How Their Data is Used
As mentioned above, one of the goals of the GDPR is to provide consumer choice when interacting with companies. Being able to offer consumers options with regard to data collection, use, distribution, decommissioning, and review will be necessary for GDPR compliance, so the more privacy is baked into the development process, the better.
4. Update Your Vendor Contracts to Be Privacy Conscious
Under the GDPR, you are not just responsible for how you use and treat consumer data; you are also responsible for how that data is treated by those you give it to. If you, as a steward of consumer data, give that data to a payment processor, and that payment processor then uses it in a way that is out of compliance with your privacy policy or the GDPR, you can be held responsible for that. One defensive measure you can take is to include privacy and security provisions in each contract you enter into with vendors.
5. Build Your Systems to Demonstrate How You Protect Consumer Data
Gone are the days of simply seeking to protect your data; now you need to be able to prove that you have done it. If a European regulator comes knocking on your door asking whether you are protecting consumer data, telling them you have done so is not enough. Instead, you will need to show them how the processes work. When a user opts out of marketing materials, can you show that the choice has been recorded somewhere? Can you show that you work to ensure that those choices are honored? Those are the types of things you should orient your systems towards.
As you might have gathered, the GDPR (and other privacy laws) is no joke. When the GDPR was first announced, the EU provided companies with three years of runway to get their systems compliant before enforcing the law. At this point in time, the EU expects compliance. You really should talk to an attorney to make sure you are in compliance, but hopefully taking these steps will get you part of the way there!