Understanding Software in a Post-GDPR Landscape
Aaron Rudman-Hawkins runs a digital marketing agency in Oxfordshire, UK. He has spent many months learning what the new GDPR legislations will mean for businesses, especially SAAS companies and in this article we have spoken to several companies for their opinions on how GDPR will affect the business landscape.
Having properly protected software has never been more important. Of course, the reason for this specific concern is due to GDPR; that will be enforceable from the 25th May and explicitly highlights “privacy by design.” However, the problem is that no one really understands GDPR and that it is quite possibly one of the most overused and little understood acronyms of the moment. Instead, it is the cause of great confusion, particularly because it mainly revolves not around the software that stores the data, but around how that data is used, not necessarily the most interesting of topics.
Taking Wetherspoon as an extreme reaction to GDPR: having deleted their entire mailing list—a rather disruptive and daring act; and one which if nothing else will do wonders for their PR and brand awareness—it is by no means necessary to follow suit. Frankly, GDPR is really just legalised common sense—making sure that no individual feels virtually harassed by an overenthusiastic marketing manager.
In terms of software GDPR means that all organisations must have data security built into their software and products from the very outset to prevent any hacks, something the team here at CS-Cart are actively doing right now to bring their eCommerce store builder inline with new GDPR regulations. Software must be encrypted and secured through a number of intricate measures to ensure confidence in the security of data. In a world that is constantly at risk from cybersecurity, this is the only way of being assured that data is completely secured and safe.
Speaking to the team at Nimbus Hosting, who have been advising their clients on what to do with their software in light of GDPR, they suggested that first and foremost companies verify that all their software is encrypted with the very highest level of security. Not only that, but business should also make sure that all their data is stored in the UK and that on cancellation of services, data will be destroyed within a maximum period of 180 days; in line with legal requirements and obligations.
Finally, if the worst should happen and you do have a data breach, they must have a seamless process in place to ensure the Information Commission is notified straight away.
When it comes to mailing lists, the most important thing is ensuring the active consent of a database. Rather than a pre-ticked box or opt out option, there must be a clear option for consumers to opt-in, something like “tick here if you would to subscribe to our newsletter.” This is particularly important when adding individuals to a mailing list – they will have had to explicitly agreed to join, so if a CRM and email account are linked it may be worth considering against this as the default protocol, and instead make a separate mailing list containing only those who have explicitly given consent. One way of doing this is by having gated content on a site, which encourages a user to input their email address in exchange for a valuable piece of content, although this is just one example and there are plenty of other marketing suggestions to deal with GDPR that are, perhaps, somewhat outside the parameter of this article.
According to the legislation, a number of companies will also need to appoint a data protection officer (DPO). Now, whilst this role may make the individual about as popular as a hall monitor in school, it is nonetheless extremely important that a business has a DPO if they are a public authority, or if requires the large scale processing of special categories of data relating to criminal convictions. There is also third category that specifically applies to digital marketing agencies: those businesses who regularly monitor human behaviour; which would include those companies employed to do online behaviour tracking.
If a business does fall into that category (and it is worthwhile speaking to a lawyer if there is any uncertainty) a DPO must be appointed to will make sure operations are spick, span and in line with the current law. The DPO will serve to advise on any obligations and monitor all activities. They will also be the first point of contact between a business and the supervisory authorities so it is advisable to steer clear of those creative, bearded folks and instead use those who are organised and efficient.
More seriously, GDPR could well have a significant impact upon the ability of businesses to capture data and the way in which you run marketing campaigns for your clients. So it is tremendously important that plans are amended accordingly and that legal advice is sought where appropriate, as the fines are serious with levies split into two strands—up to €10 million, or 2% of annual global turnover (which is higher) and for larger corporates up to €20 or 4% of annual global turnover (again whichever is higher.) This is make or break money so it is important that businesses really do look into their software and make sure it is compliant.
UPD: CS-Cart and Multi-Vendor 4.7.4 with GDPR support were released. Read the article to find out about how to make your online store compliant with the new regulation.
Hope now you have an idea of what GDPR is an why you should comply with this regulation. Stay tuned to our Facebook and Twitter to get news right after they are published on the blog.