Over the past few weeks you’ve probably received a couple (or a couple dozen) Privacy Policy Update Emails from various tech services you use. The emails sent by everyone from Spotify to Bob’s Discount Furniture all refer to something called GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation, a European Union law that goes into effect on May 25th. GDPR aims to strengthen online rights of individuals byallowing users to force companies to reveal or delete their personal data(among other things). That’s why your favorite companies have been contacting you and begging you to opt into their updated terms.

Does GDPR Affect My Company?

You should be concerned by GDPR if any ofyour users live in or are citizens of the European Union. If you’re a tech company, you’re most likely affected, even if you’re based outside of the EU and you don’t market to Europe.

Developing for GDPR?

If you fall into the above category (like most tech companies), don’t panic. Complying with GDPR isn’t going to take months. If you haven’t already done this, you can cover yourself by following these steps:

1. Be transparent with your Privacy Policy. An email or pop-up on your site should be sufficient.
2. Get explicit consent from users for your updated Terms of Service, Privacy Policy, and Cookie Usage.
3. Previously, you could opt users into marketing and advertising by default; a user could choose to opt-out if he/she wanted. Now, it’s the opposite; opt-out is the default, but you can give users the option of opting in.
4. Allow user to request what data is stored about them on your site.
5. Users must be able to remove their data. You can automate this or do it manually by removing or anonymizing the data.
6. You need to have a plan in case of a data breach. You’ll have to notify users about the impact and implications and inform them of which data of theirs was hacked.
7. If you use 3rd party services on your site, like payment processing or mailing lists, you need to make sure that they are GDPR compliant as well; otherwise the liability is yours.

Make sure you’re compliant; otherwise, you can be hit with a hefty fine. Even worse, you’ll have to talk to lawyers, and nobody wants that.

Disclaimer: RPS is not a legal adviser. We’ve just had to do this (among other things) to keep our clients compliant. Despite what we said above, you should consult with your legal team to fully understand the impact of GDPR on your business.

‍