Countdown to the GDPR – Keep Calm, and Be Prepared
If you are involved with the collection and management of personal data in your organization, you may already have 25 May marked on your office calendar. That’s when the EU’s new General Data Protection Regulation (GDPR) enters into force. You may also be thinking to yourself that this would be a good time to get your head around it.
While 25 May is indeed just around the corner, please Keep Calm. Be Prepared by making sure your organization is fully compliant from Day 1. It’s with that in mind that we have put together a few overall pointers for you, along with four specific advisory guidelines.
But first things first. Compliant with what, exactly?
The GDPR is all about regulating the collection, storage, transfer and use of personal data on individuals in the European Union (EU). It also gives data subjects more rights and greater control over their data, by regulating how organizations handle and store the personal data they collect.
Does the GDPR apply to your company?
What matters is not necessarily where the data processing takes place, but where the person whose data is being collected is located, namely inside the EU. So, if your organization is based outside the EU, but it collects or processes data – addresses, phone numbers, images, etc. – on individuals who are in any EU member state at the moment of data collection, the GDPR applies to you.
Don’t underestimate the implications of the GDPR; its enforcement provisions have been intensified compared to its predecessor. Violations can involve stiffer fines than before: up to 4% of a company’s global annual turnover.
How does the GDPR apply to customer feedback collection?
Now, you may be thinking: “If all we’re doing is gathering insights, the GDPR probably doesn’t apply.” In fact, however, gathering customer feedback sometimes includes technical user data (for example an IP address) as well as personal information a user might provide on his own initiative (for example a home address). Keep in mind: all data that can help identify an individual is considered personal. Thus, location-based data, IP addresses and personal contact details are all considered privacy-sensitive data and are covered by the GDPR.
To provide you with the right information and be transparent about how we are implementing the changes ahead, we refer you to our support article. Compliance scores high on our agenda and we want you to know what measures we take to keep you safe in the digital world.
Four practical pointers: what can you do?
Below are four clear guidelines that help you get data settings right and make clear to your customers that their privacy is of paramount importance.
1. Ask yourself, “What do I really need to know?”
Be smart about what data you collect; take the time to truly understand and define what you need. In a less tightly regulated environment, it might have been fine to collect data subjects’ IP addresses – but in this new environment, you must ensure that all the data you collect is data you actually need. Is that information truly business critical to meet your research and measurement objectives? If not, simply exclude it by unticking the right boxes. In fact, because Usabilla believes in privacy by design, the default settings help you to make the right choices. Indeed, the default is that IP addresses are not collected – though of course, you can change that if you do need them.
2. Visual feedback: the Usabilla way
By capturing the customer experience visually, through a screenshot, you may inadvertently pick up personal data. That’s why Usabilla offers a simple way to mask the personal details that might otherwise be caught in an image. In fact, the software can detect sensitive information and mask it as needed. You may also wish to take a look at this article to find out more about how to hide privacy-sensitive information.
3. Data retention: “How long do you really need it for?”
Is it really a few years, or could just 90 days be enough? If there is no real need to keep data forever, it is wiser to think ahead about how long you actually need to store users’ data. And it makes sense to set that limit from the start.
4. How to avoid personal data in responses
It can happen that a user – without even realizing it – leaves personal data within their comments or answers. This can, and should, be avoided. But how?
First, it’s important to be clear about which channels serve which purposes. For instance, a Facebook page or feedback survey might not be the right place to complain about a delivery – and mention a home address in the process. The best thing to do in a case like this would be to direct the customer to a support page or a customer-service department.
Second, it’s a good idea to gently remind your customers that the answers in feedback surveys should not include personal data: simply include a standard message in the answer text box.
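Pointers 1, 3 and 4 above describe three habits that can be built into a feedback pipeline: not storing the IP address unless it was explicitly opted in, scrubbing personal data that a respondent types into a free-text answer, and purging responses once the retention window has passed. The following Python snippet is an added illustration written for this post, not Usabilla’s code or its detection logic; the regular expressions, the `FeedbackRecord` structure, the 90-day window and the sample responses are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical detection patterns (not Usabilla's own). They are deliberately
# broad: in a feedback pipeline it is better to over-redact a date that looks
# like a phone number than to store a phone number you never needed.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\+?\d[\d\s-]{7,}\d")),
]

RETENTION_DAYS = 90  # pointer 3: decide the limit up front, not "forever"


@dataclass
class FeedbackRecord:
    received_at: str             # ISO-8601 timestamp with UTC offset
    comment: str                 # free text, after redaction
    client_ip: Optional[str]     # None unless collection was explicitly enabled
    redacted: list = field(default_factory=list)  # categories that were masked


def redact_personal_data(text: str):
    """Replace email addresses, IPv4 addresses and phone numbers with labels.
    Returns the cleaned text and the list of categories that were found."""
    found = []
    for label, pattern in PATTERNS:
        text, count = pattern.subn(f"[{label}]", text)
        if count:
            found.append(label)
    return text, found


def store_feedback(records, comment, received_at, client_ip=None, collect_ip=False):
    """Intake step: scrub the comment and drop the IP unless it was opted in
    (pointer 1: the default is not to collect it)."""
    clean, found = redact_personal_data(comment)
    record = FeedbackRecord(
        received_at=received_at,
        comment=clean,
        client_ip=client_ip if collect_ip else None,
        redacted=found,
    )
    records.append(record)
    return record


def purge_expired(records, now_iso, retention_days=RETENTION_DAYS):
    """Retention step: keep only records younger than the retention window."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r.received_at) >= cutoff]


def run_demo():
    # Constructed sample responses; not real customer data.
    records = []
    store_feedback(records,
                   "Great site! My order never came, I live at 12 Elm St, "
                   "call me on +31 20 555 1234",
                   "2018-01-10T09:00:00+00:00", client_ip="203.0.113.7")
    store_feedback(records,
                   "Checkout was slow, contact jane@example.com",
                   "2018-05-20T14:30:00+00:00", client_ip="203.0.113.8",
                   collect_ip=True)
    kept = purge_expired(records, "2018-05-25T00:00:00+00:00")
    return {
        "first_comment": records[0].comment,   # phone number masked
        "first_ip": records[0].client_ip,      # None: IP not opted in
        "second_ip": records[1].client_ip,     # kept: IP explicitly opted in
        "kept": len(kept),                     # only the May record survives
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note what the sample deliberately leaves behind: the street address “12 Elm St” is not caught by any pattern. Pattern-based scrubbing is a safety net for the obvious identifiers; it does not replace routing complaints to a support channel and reminding respondents not to include personal data, which is why both of those steps are listed above.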
We felt that these pointers were worth highlighting, though, of course, there is much more to be said on the GDPR. Once it goes into effect, you can be sure we’ll be coming back to you with further insights and updates, so watch this space.