EU companies, as well as companies entering the EU market, have had to comply with GDPR requirements since the regulation came into force 2 years ago.
It can be hard for non-lawyers to understand what a company needs to do to make its digital product compliant.
To help you better understand GDPR requirements for digital products, our specialists have prepared the top 10 practical recommendations.
1. Data minimization principle
Before you start building any product, define what personal data you need to collect and the scope of it. GDPR requires you to collect and process only the data required to provide your service. Data collection needs to be linked to fulfilling a specific purpose. In other words, avoid collecting information that is not necessary for your service.
This means no more pre-ticked boxes. Remember, you need a legal basis to collect and process users’ personal data. For software and app providers, in the majority of cases that basis will be consent. Make sure that you have informed users and received explicit consent, where the user takes a specific action (e.g. ticks a box) in order to agree, rather than agreeing by default.
3. Opt-in for marketing
If you collect users’ consent for different purposes, you must obtain separate consent for services such as marketing and newsletters. Also, if the user signed up for the newsletter, an unsubscribe button must be implemented.
5. Cybersecurity is important
You need to implement proper security measures for data transmission and storage. To protect data from loss, it is a good idea to make periodic backups. If you collect personal data, and in particular special categories of personal data such as health data, biomedical data, racial or ethnic origin, political opinions, religious or philosophical beliefs, or other information that counts as sensitive data, you need to make sure that your measures are sufficient. This includes, but is not limited to, encryption, secure authorization methods, a strong password policy and two-factor authentication, and, where applicable, data pseudonymization and other relevant methods.
6. Implement data subject rights
GDPR provides users with different rights related to their personal data. One of those rights is the right to data portability (art. 17 of GDPR), which allows users to receive their data upon request in a structured, commonly used and machine-readable format. Examples of such formats are CSV, XML and JSON. If you use a proprietary format, it may be a good idea to change it.
7. Right to erasure
According to art. 17 of GDPR, data subjects (users) have the right to erasure, also known as the “Right to be Forgotten”. It is your responsibility to give your users the possibility to exercise this right and to withdraw consent they have given. It is also important to note that the procedure for withdrawing consent should not be more complicated than the procedure for giving it. For example, if you ask a user to tick a box to give consent, you cannot require the user to come to your office in person to withdraw it. Also, if your user signed up for the newsletter, an unsubscribe button must be implemented.
9. Do not use security questions that disclose personal data
Some time ago such security questions were widespread. However, times change and you need to implement new security measures. For instance, using a question like “What is your mother’s maiden surname?” to restore a password is not only bad practice but a privacy violation.
10. Manage the full cycle of data
After your relationship with the client ends (e.g. at the end of a subscription), you are obliged to delete their personal data unless there is another legal basis to process it. If a user deletes their account in your app or website, you are also required to delete all their data from backups. Make sure you also delete the data of unsubscribed users and stop sending them the newsletter after they unsubscribe.
Thank you for reading our recommendations for GDPR implementation. We hope that they help you build a compliant and secure digital product.