More than 3.5 billion people had their personal data stolen in the top two of the 14 biggest breaches of this century, while the smallest incident on that list involved the data of a mere 134 million people. Adobe, Canva, eBay, LinkedIn, Marriott International, MyFitnessPal, MySpace: they are all on the list. The recent Marriott International incident showed that data compliance is still a hot topic.
We collect, keep and use our customers' data regardless of the product or business strategy. And for customers, it is precious to be sure that their data is secured and used only for their own benefit.
There is a ton of information on what to do to make your business GDPR compliant, and we want to emphasize the essentials to consider in your digital solution.
Who is in charge?
If you are the company that delivers services and interacts with the customers, your key responsibility is to take care of data protection from A to Z. In legal terms, you are the Data Controller. Large and medium enterprises may have a Data Protection Officer, the person who takes care of all GDPR criteria. Smaller ones can either outsource this role or combine it with other non-conflicting roles in the organization.
What is vital to remember for an organization of any kind is that working on GDPR compliance is never-ending and requires routine activities, such as keeping records of processing activities, impact assessments, measurement and controls.
GDPR basics for online solutions
Digital channels and platforms are becoming the major way of interacting with customers, especially now that physical communication is limited. Digital channels are most helpful when they keep track of customer preferences and offer personalized experiences.
The customer should agree that their data will be stored and used. Such agreement should be based on an action, like clicking a checkbox or button, that acknowledges the decision.
One of the basic rules of the GDPR is having a specific purpose for the data you track. Providing a personalized service is a common purpose, but only as long as all the data you ask for and store is directly required for that service.
In addition, all the personal data you keep should be tracked in a registry that describes the type of information, its purpose, the way and place the data is stored and processed, how long it will be stored, and who can access it.
The GDPR declares that personal data remains the property of the person, and the company should offer a way to 'forget' all of a customer's personal data on their demand.
GDPR for Data Processing
In the digital world, not many companies use only their own technical facilities to serve their customers. Everyone uses virtualization, cloud services, SaaS, online tools and other third-party solutions. All of them can be involved in your customer relationships and service offering.
All these systems and tools that have access to personal data are Data Processors and have their own obligations to keep and process the data securely. Usually most of the technical measures of data processing are implemented in these solutions. They cover a variety of criteria, starting from controlling user access to the data, data encryption and prevention of data leakage. They should also offer a way for your customer to see, amend and remove their personal data.
Any mistake in personal data processing made by your CRM or other service supplier may result in fines and reputational losses for your business. That is why the choice of a service provider should involve an evaluation of the quality of its data processing.
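As an added illustration (not code from the original article, nor from any platform or vendor it mentions), the following Python sketch models the essentials from the two sections above in one place: consent tied to an affirmative click, a registry of processing activities that records type, purpose, storage, retention period and permitted roles, role-based access checks, the customer's view of their own data, a retention purge, and erasure on demand. All class names, data categories, roles and the sample customer are hypothetical and constructed for this example; a real system would back this with a database and audit logging.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Only explicit actions count as consent; a pre-ticked box or silence does not.
AFFIRMATIVE_ACTIONS = {"checkbox_ticked", "button_clicked"}


@dataclass(frozen=True)
class ProcessingRecord:
    """One row of the processing registry: what is kept, why, where, how long, by whom."""
    category: str             # type of information, e.g. "email"
    purpose: str              # the specific purpose the data serves
    storage: str              # way and place the data is stored and processed
    retention_days: int       # how long it may be kept
    allowed_roles: frozenset  # roles permitted to read it


class CustomerDataStore:
    def __init__(self, registry):
        self.registry = {r.category: r for r in registry}
        self.consents = {}  # customer_id -> {purpose: when consent was given}
        self.data = {}      # customer_id -> {category: (value, when stored)}

    def record_consent(self, customer_id, purpose, action, now):
        if action not in AFFIRMATIVE_ACTIONS:
            raise ValueError(f"consent requires an affirmative action, got {action!r}")
        self.consents.setdefault(customer_id, {})[purpose] = now

    def store(self, customer_id, category, value, now):
        # Purpose limitation: refuse data that is not in the registry or whose
        # purpose the customer has not consented to. Re-storing amends the value.
        record = self.registry.get(category)
        if record is None:
            raise PermissionError(f"{category!r} is not a registered processing activity")
        if record.purpose not in self.consents.get(customer_id, {}):
            raise PermissionError(f"no consent from {customer_id!r} for {record.purpose!r}")
        self.data.setdefault(customer_id, {})[category] = (value, now)

    def read(self, customer_id, category, role):
        # Access control: only the roles named in the registry may read a category.
        record = self.registry[category]
        if role not in record.allowed_roles:
            raise PermissionError(f"role {role!r} may not access {category!r}")
        return self.data.get(customer_id, {}).get(category, (None, None))[0]

    def export(self, customer_id):
        # The customer's view of everything held about them.
        return {cat: value for cat, (value, _) in self.data.get(customer_id, {}).items()}

    def purge_expired(self, now):
        # Retention: drop values older than the registered retention period.
        removed = 0
        for items in self.data.values():
            for category in list(items):
                stored_at = items[category][1]
                limit = timedelta(days=self.registry[category].retention_days)
                if now - stored_at > limit:
                    del items[category]
                    removed += 1
        return removed

    def forget(self, customer_id):
        # Erasure on demand: remove data and consents, then confirm nothing remains.
        self.data.pop(customer_id, None)
        self.consents.pop(customer_id, None)
        return customer_id not in self.data and customer_id not in self.consents


def build_demo_store():
    """Constructed sample registry; categories, purposes and roles are hypothetical."""
    registry = [
        ProcessingRecord("email", "personalised offers", "crm-db, encrypted at rest",
                         365, frozenset({"marketing", "support"})),
        ProcessingRecord("shipping_address", "order delivery", "orders-db",
                         90, frozenset({"logistics", "support"})),
    ]
    return CustomerDataStore(registry)


if __name__ == "__main__":
    store = build_demo_store()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.record_consent("cust-42", "personalised offers", "checkbox_ticked", t0)
    store.store("cust-42", "email", "alice@example.com", t0)
    print(store.read("cust-42", "email", "marketing"))
    print(store.export("cust-42"))
    print(store.purge_expired(t0 + timedelta(days=400)))
    print(store.forget("cust-42"))
```

The point of the sketch is that every check the article asks for (consent before storage, purpose matching, role-restricted access, retention, erasure) is enforced by the store itself rather than left to the calling application, which is the behaviour you would expect a processor to expose and should verify when evaluating one.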
GDPR for the custom-developed software
If you order software tailored for you, you take on solid responsibility for the proper handling of data processing. For software created from scratch, it is vital to list every technical measure of data processing in the scope of your requirements; otherwise you can hardly expect the final service you offer to customers to be GDPR compliant.
On the other hand, a good vendor company can emphasize the importance of GDPR compliance and offer recommendations on how these needs can be fulfilled in your project.
An even better way is to use an application or digital service platform such as XM^ONLINE. Such platforms offer components for your custom solution and include all the major technical measures of GDPR-compliant data processing. You will save not only the time and resources needed to launch your custom application but also eliminate the basic risks associated with GDPR compliance.
And please remember: the GDPR, as a regulation, is not just about protecting personal data by enforcement against companies; it is a tool to make companies trustworthy holders of personal information. Obviously, we will share more secrets when we are sure they will be kept well!