211 34 Malmö
Sweden+46 735 124 firstname.lastname@example.org
How can your business implement GDPR in the daily work?
In the analog world we are used to locking our front door, and we remember applying SPF 30 sunscreen to protect us from the sun. However, in the digital world we are not as good at protecting ourselves.
That is why, the EU are focusing on data security in the upcoming General Data Protection Regulation (GDPR) which will be enforced 25 May 2018.
At Kruso, we have helped a lot of our private and public costumers prepare for the new General Data Protection Regulation, and now we offer you an insight into how you can make data about visitors on your website more safe. In this blogpost we will talk about third parties with a focus on GDPR from a technical perspective and not a legal perspective. Therefore, we recommend that you contact your lawyer regarding legal advice about GDPR.
In general, personal data can be divided into three categories: indirect personal data, direct personal data, and sensitive personal data.
Indirect data are data with a correlation to other data before it can be connected to a person. For instance, your IP address.
Direct data are data connected to your identity and thereby personally identifiable. For instance, your name.
Sensitive personal data are data of a certain personal level. For instance, your CPR, medical information etc.
At Kruso we are data processors meaning that we handle information on behalf of both private and public companies and institutions. As a company or institution, it is important not to delegate data processing without questioning the unit handling the data about visitors on your website. This includes sharing personal data with third parties like Google and Facebook, which, in general, is legal. However, you still need a Data Processing Agreement between your company and the chosen data processor – and of course you need to comply with the consent rules.
When we talk about sharing personal data with a third party, we refer to the sharing of personal data when your costumers for instance sign up for a newsletter through the sign-up function in Mailchimp, ‘like’ a post on Facebook or send a job application to the LinkedIn recruiting database. Sending out these data, they are exposed to sharing data with third parties who collect the data and use it to gain insight in the costumers’ user behaviour. These third parties include:
Web analytic tools like Google Analytics.
Embedded web content like videos from Youtube and Vimeo.
Iframes – from where you get your external content for your site.
Embedded maps like Google Maps.
Web fonts – is often gotten the same way as iframes. That is from an external supplier.
Therefore, it is crucial that you as a company explore the possibilities of good, ethical alternatives to data protection.
Our ideas for alternatives to the third parties above:
Alternative to Google Analytics: Instead of Google’s web analysis tool there are other analytic systems with a Data Processing Agreement like Siteimprove Analytics or local analytic systems like Piwik.
Alternative to embedded video content: Regarding embedded video content use video sharing platforms like 23Video that too has a Data Processing Agreement, or make a local streaming solution with your supplier.
Alternative to Iframes: You can rearrange iframes to API solutions (Application Programming Interface), which is a software interface making it possible to integrate software with other software.
Alternative to Google Maps: You can also find alternatives to Google Maps. For instance, you can choose Sweco or Open Street Maps with their own servers.
Alternative to Web font: Finally, as an alternative to web fonts, you can use local web safe fonts.
What should you do now?
Change your third party’s tracking solution with other solutions – e.g. the ones presented above.
Start with a risk analysis so you can present a plan at a possible GDPR-audit and make sure you complete the process in an optimal order
Go through the Data Processing Agreements your company has with your data processors.
Map all the personal data in your web application (Audit) by asking yourself:
Who is responsible for the concerned data?
Is this sensitive date?
Where and when is data collected?
What is the data used for? Are they necessary?
How long are they relevant? Do they need to be updated?
Go through and update the consent formulas.
Start the work with a risk analysis to estimate the potential consequences of GDPR and its influence on your company.
Start by minimizing the third parties’ role in tracking and select alternatives that can match the challenge.
Give your web editors tools that can help them handling data.
Any formula-tool should come with tools to tag and date the collected information
Make sure the web editors have easy access to the organization’s guidelines for personal data, especially when they are uploading a document with unknown content.
Develop simple data audit and data scrubbing tools.
If your site has a login function you could offer your users data tools:
Give the users the opportunity to ask for the data or user profile to be deleted right away.
If users close their accounts, make sure to delete the data regarding them right away.
Get logging, your analytic system and other data collections under control and remove data that do not provide direct value for the users.
What can Kruso help with?
Arranging Workshops and Data Audit: We will happily arrange a workshop for your company to help you solve your challenge, and help you in your data revision process through data audit.
Reporting: We can identify third party scripts in your solutions through reporting.
Mapping all the personal data: We can examine and generate a systematic and thorough description of all the personal data in you web application.
Implementing an improved consent system: We can help you implement a consent system making sure the users’ rights are met.
Build support tools: We can build support tools for the web editors in your CMS.