A Brief History of US Data Privacy

In the last few months, the United States has been made hyper-conscientious of data privacy and breaches. Facebook’s CEO Mark Zuckerberg took center stage earlier this month for a Senate hearing triggered by false news developed by a Russian group which was published on Facebook and ultimately led to the influence of voter decisions during the 2016 presidential election. Soon after, a BBC correspondent uncovered that Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, had been subsequently scraping of Facebook users’ personal data to influence the election.

Cambridge Analytica gained access to personal data on more than 50 million Facebook users including their friend networks and “likes” to map their personalities, target audiences with digital ads, and influence their behavior.

In 2017, Equifax was hacked; the data breach affected 143 million individuals and the count continues to climb. In 2016, Anthem—the second largest health insurer in the US—had a data breach which impacted 79 million consumers. In both cases individuals’ names, social security numbers and birth dates were exposed, according to International Data Group’s CSO, a security and risk management research and analysis company.

Europe’s Approach to Data Privacy & How It Impacts You

The Purpose of the General Data Protection Regulation

The primary objective of the General Data Protection Regulation (GDPR) is to safeguard European citizens against data breaches like we’ve seen in the US.

The regulation has existed since 1995, but in less than a month it begins affecting American companies that do business with European organizations. European data protection rules are extraterritorial. They apply to all personal data mined, processed, and kept about persons within the European Union (EU) regardless of citizenship or nationality. That means, any company that processes data from someone residing in the EU without adhering strictly to the GDPR can receive fines of up to 4 percent of a company’s gross or €20 million—whichever is greater, according to EUGDPR.org. The regulation takes effect May 25.

In regards to websites, it comes down to collecting lead and customer information of EU residents as well as data in transit such as cookies, telemetry, metadata, and consent for marketing. Furthermore, if that information is only stored in third-party software it does not exonerate you.

5 Ways to Protect Yourself & Your Clients

One of the biggest shifts is the rights for users to obtain the data you might have stored about them. Here are some simple rules you can implement right now.

1. Update Your Privacy Policy

First and foremost, amend your privacy policy. The regulation requires that you do not use legalese; thus, you must use plain, easily understood English. You will need to fully explain what data you are collecting (i.e. IP addresses, operating system, contact info, etc.) and how you use that information. Please consult a lawyer before enlisting our help.

2. Add a Cookie Disclosure

The majority of websites will need a “Cookie Disclosure,” showing users what cookies you are using and for what purpose. If you utilize Google Analytics, Hotjar, Pardot, Hubspot, SharpSpring, SalesForce be prepared. Essentially, you need to explain how third-party software interacts with their data, and at a bare minimum, list all your third-party data providers—and be sure to record (database entries) when you do share customer info with third parties.

3. Remove Predating Personal Data

A major hurdle that GDPR requires is the removal of previous personal data and/or be able to easily export the info on a whim! 30 days or less to be exact. Note: in your privacy policy you should provide reasons on why you keep it and for how long.

4. Prove Consent

You must prove consent on all data entry points through data collection systems such as contact forms, estimate requests, and statistics. Thus, a simple solution is providing a form for consent where users can select, “Yes, you can store my info,” or “No, you can’t store my info.”

5. Share Timely Hack Alerts

If you are unfortunately hacked you must tell all your customers within 72 hours.

A Quick Reference To-Do List

For the sake of brevity, here’s a recap of action items that should be addressed before May 25:

• Update your privacy policy in plain English
• Provide a way for consent
• Prove individual consent
• Establish and re-establish consent
• Provide a way for consent to be withdrawn as easily as it was given
• Check to see that all third-party services are compliant
• List the contact information of associated third-party data providers
• List all the data you collect inclusive of third-party services
• List how you process and use their info
• List how their info and third-party data interact
• Allow individuals to request that their data be permanently erased
• In your e-newsletters, create “unsubscribe” footers visible and accessible

Next Steps & Recommendations from Your Web Design Company

At Lform, we are still in the process of educating ourselves on best practices when protecting your company and customers. We will be sure to have a clear outline within the upcoming weeks.

An immediate first step you can take is an internal data audit. Not only with this help with complying with the GDPR, but it will also help you better understand your customers. Please be sure to reach out to your legal team to immediately update your privacy policy and potentially your terms of service. After having done so, be sure to reach out to us for necessary website enhancements.

Good luck and we hope you found this post helpful as the GDPR activation date approaches.