Your Sales Team is Impacted by GDPR. Here’s How


It’s still difficult to process all the ways in which the General Data Protection Regulation (GDPR) is affecting the work of businesses. From database creation to maintaining an online presence, companies have had to introduce an array of procedural changes for the purpose of ensuring GDPR compliance.

The work of sales teams isn’t spared from such changes. If you’re managing sales teams or you’re a member of this department, you’ll need to acquaint yourself with the important new provisions that will affect your work.

Is There a Data Protection Agreement in Place?

One of the important documents that will be needed by the sales team is a data protection agreement (DPA).

The DPA is a legal document that outlines the procedural and administrative ways in which the organization is going to protect the personal information it processes. Such a document should be readily available for customers that ask for it.

Even if a client doesn’t ask for a DPA, it will still have to be introduced in the sales cycle at a certain point in time. Selecting the right moment is of paramount importance because the ill-timed introduction of DPAs can contribute to significant slowdowns.

Most US companies may not need to have a DPA in place but in the event of such a document being required, it will have to be prepared and available in advance. Otherwise, chaos will ensue.

Evaluation of Data Being Gathered

GDPR has forced many companies to reevaluate their data collection policies. A general rule of thumb is to gather only the information needed to continue providing customers with a high quality, tailored service.

Individuals managing sales teams will need to carry out a personal data collection audit. According to GDPR provisions, there is a limited list of acceptable reasons for the collection of personal information from clients. The fact that such information could potentially be utilized for company growth in the future isn’t a sufficient reason for the collection of personal information.

A new process should be developed by the sales team that will enable the collection of the least possible amount of data for successful interactions with clients. While the audit itself could require time and resources to complete, a new process that’s based on minimum data collection could make the life of sales professionals easier in the future.

Changes in Sales Prospecting

Apart from having to be informed about their personal information being collected, individuals are also entitled to being made aware of what purposes the information is going to be used for. The amount of time during which personal information is going to be stored will also have to be shared with leads and clients. More information about these provisions is available in Article 13 and Article 14 of the EU GDPR.

If consent has not been obtained at the time when information was collected, the sales team will have to revisit the process.

As per GDPR regulations, sales professionals and other company representatives have to inform individuals that their data has been obtained (and why) within 30 days of the process being completed. If such a message is sent and an individual responds by saying they do not want their information to be stored and used for sales purposes, the entry will have to be removed from the database.

For most companies, GDPR will mean a change in the way the sales team does its job. To ensure compliance, these professionals will have to stop sending automatically generated prospecting emails, they will need to get consent for data processing and storage, and they will need to get consent for the purpose of sending sales materials to clients. Once these issues are cleared, chances are that the work process will become much more streamlined and effective.


4 Tips for Legal Online Consumer Data Collection


People’s attitudes towards the collection of online data have been changing over the past few years. A 2017 survey suggests that 75 percent of individuals will sometimes or always read a privacy policy on a website.

According to 53 percent of people, it’s extremely important to know whether an app or a service is using their personal data. At the same time, several massive online data collection scandals have rocked the world in recent years.

Providing a quality online service or content will often be dependent on consumer data collection. To do so legally, however, you’ll have to learn how to collect data and what documents to feature on your website or online platform.

Determine What Types of Personal Data Collection You’ll Be Doing

To craft the right online data collection procedures, you will first need to determine what types of sensitive information you’re going to be having access to.

Most often, online service providers work with the following:

  • IP address
  • Internet domain
  • Type of browser or OS
  • Location of the website visitor
  • Demographic profiles
  • Number of pages visited, length of stay on website

If you have online opt-in forms, chances are that you will be collecting additional sensitive information. When you know what you’re dealing with, you will get to determine which regulatory framework(s) you’ll have to adhere to.

Understand Personal Information Law and Compliance

Online data collection could be subjected to multiple regulatory frameworks due to the international nature of website visits. The EU GDPR is one of these frameworks. The US has more limited regulatory efforts as far as data privacy goes but a few statutes may apply to the work of different online companies.

If you’re based in the US, the EU, or many other Western countries, you will have to comply with at least one type of data collection law. A privacy policy, terms and conditions, and thorough explanations as to why you have to collect sensitive data are the absolute minimum.

Carry Out a Privacy Audit

A website that’s already functional will have to be audited to determine whether it meets all regulatory requirements. It’s best to have an experienced legal professional carrying out such an audit.

Some of the items that will be examined include your privacy policy, whether opt-in forms allow for explicit consent, and whether people are given the chance to opt out effortlessly. Based on the audit information, you’ll get to determine how data collection is to be modified in the future to ensure compliance.

Minimize Personal Data Collection and Retention as Much as Possible

Online consumer data collection should occur for the provision of better products and services. It’s possible that you’re currently accessing sensitive information that isn’t adding anything to the experience of people visiting your website or using your app.

There are things you can do to minimize the collection of sensitive information online. Based on the audit you’ve carried out, it’s possible to identify certain positive changes in this field.

Very often, online businesses gather a lot of extra information that could potentially be used in the future. If you’re doing this right now, you’re only making your life and work more challenging. Data breaches and hacking attacks do occur. The more information you have, the bigger the problem is going to be in the case of an information leak.

A final thing to do is to ensure the security of data collection efforts. To minimize the risk of hacking attacks, invest in quality servers, encryption, and access control. While there are numerous additional things you could be doing, this is the absolute minimum when it comes to meeting laws and giving your customers access to a quality service.


The Effect GDPR Has on Cookie Policies


If you have visited any website after the enactment of the GDPR, you have probably seen a message about the fact that the website uses cookies. This message is a part of GDPR compliance and if you have a website, you should also consider the enactment of a new website cookie policy.

To understand the specifics, it’s first important to examine what cookies are and how they could affect the collection of personal data.

What Is a Website Cookie?

A website cookie is a text file put on your computer whenever you visit a website. The aim of the cookie is to store data so that the next time you visit the respective website, some of the information will be loaded immediately. Cookies ensure fast loading time and a degree of service personalization.

In some instances, cookies can be used in a way that makes the website visitor identifiable. When this happens, GDPR compliance is going to be on the table.

Cookies could be used for analytics, the delivery of marketing messages, as well as functional website services. For the collection of information to be lawful, websites will have to ask for the consent of visitors. Otherwise, the use of such cookies will have to be discontinued.

GDPR Compliance and the Website Cookie Policy

When you go through the lengthy GDPR text, you will see cookies being mentioned only once. This happens in Recital 30 of the GDPR.

According to the text, online identifiers like cookies could be associated with natural persons. Thus, whenever cookies are utilized in a way that can potentially get someone identified, they are subject to GDPR regulations.

To become compliant, websites should either stop collecting information via cookies or they should rely on explicit consent to continue operating in the same way. This means asking for consent to be given as soon as a person enters the website and also outlining the use of cookies in the terms and conditions.

One of the simplest things is to have a notice that allows the person to either accept or reject the cookie policy. It’s not OK to feature solely a button for agreement. Under GDPR, this is a violation of an individual’s right to prevent businesses from using their personal data.

It’s also important for the people who have already given their consent to be provided with an option to withdraw it.

To sum it up, here’s how compliance can be ensured as far as cookie policies go:

  • Inform website visitors immediately that cookies may be used to collect their personal information
  • Give them a chance to either accept or decline the collection of such personal data
  • Have terms and conditions that outline what cookies are and how they’re going to be used by the website
  • Give website visitors a chance to withdraw their cookie usage consent, even if they’ve agreed to it beforehand
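The four points above, as an added example that is not part of the original post: a small consent gate in JavaScript that blocks non-essential cookies until the visitor makes an explicit choice, treats decline as a first-class answer, and clears those cookies again when consent is withdrawn. The category names, cookie names and the in-memory cookie jar are assumptions; in a browser the same checks would sit in front of document.cookie and the analytics and marketing script loaders.

```javascript
"use strict";

// Cookie categories (assumed names). Strictly necessary cookies (session,
// CSRF token, the consent record itself) are exempt and always allowed;
// everything else needs an explicit, recorded decision first.
const CATEGORIES = {
  necessary: { needsConsent: false },
  analytics: { needsConsent: true },
  marketing: { needsConsent: true },
};

class ConsentGate {
  constructor() {
    this.decision = null;     // null = no decision yet, so the banner stays open
    this.granted = new Set(); // categories the visitor accepted
    this.jar = new Map();     // name -> { value, category }; stands in for document.cookie
    this.log = [];            // audit trail of decisions (proof of consent)
  }

  // The banner is shown on entry and stays until an explicit choice is made.
  bannerVisible() {
    return this.decision === null;
  }

  // Decision taken from the banner. Accept and decline are both first-class:
  // an empty list is a decline, and a banner with only an "Accept" button is
  // not explicit consent. Unknown or non-gated categories are ignored.
  decide(acceptedCategories) {
    const valid = acceptedCategories.filter(
      (c) => CATEGORIES[c] && CATEGORIES[c].needsConsent
    );
    this.granted = new Set(valid);
    this.decision = valid.length ? "accepted" : "declined";
    this.log.push({ at: Date.now(), decision: this.decision, categories: valid });
    return this.decision;
  }

  // Withdrawal must be as easy as consenting: drop every grant and delete
  // each cookie that was only permitted because of it. Returns what was removed.
  withdraw() {
    const removed = [];
    for (const [name, cookie] of this.jar) {
      if (CATEGORIES[cookie.category].needsConsent) {
        this.jar.delete(name);
        removed.push(name);
      }
    }
    this.granted.clear();
    this.decision = "declined";
    this.log.push({ at: Date.now(), decision: "withdrawn", categories: [] });
    return removed.sort();
  }

  allowed(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    return !def.needsConsent || this.granted.has(category);
  }

  // Set a cookie only if its category is allowed right now. Returns false and
  // sets nothing otherwise, so before any decision non-essential cookies are
  // blocked by default rather than set and "cleaned up" later.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  cookies() {
    return [...this.jar.keys()].sort();
  }
}

// Constructed visit: scripts try to set cookies at page load (before any
// decision), the visitor then accepts analytics only, and later withdraws.
function demoVisit() {
  const gate = new ConsentGate();
  const before = {
    session: gate.setCookie("sid", "constructed-session-id", "necessary"),
    analytics: gate.setCookie("_ga", "constructed-ga-value", "analytics"),
  };
  gate.decide(["analytics"]);
  const afterAccept = gate.setCookie("_ga", "constructed-ga-value", "analytics");
  const marketing = gate.setCookie("_fbp", "constructed-fbp-value", "marketing");
  const removed = gate.withdraw();
  return {
    before,
    afterAccept,
    marketing,
    removed,
    remaining: gate.cookies(),
    decisions: gate.log.map((e) => e.decision),
  };
}
```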

Things may seem a bit confusing, but consent management is one of the most important parts of the GDPR, and cookie usage is just a tiny fraction of it. To run an online business or a content-based website, you should rely on a template or plugins that simplify the process of getting explicit consent and allowing people to opt out. Take it one step at a time. Enhance your terms and conditions and work on the creation of a consent form that could be modified for different purposes – it will come in handy as far as ensuring GDPR compliance goes.


WordPress GDPR Compliance Guide


WordPress provides a simple and affordable opportunity for putting together a corporate website. With the new EU GDPR regulations in place, however, many WordPress website owners wonder whether they’re meeting the compliance criteria.

The primary aim of the GDPR is to protect the privacy and personal information of people interacting with businesses. Whether you’re just creating a WordPress website or you’re thinking about modifying your existing online presence, there are several key steps to undertake to ensure GDPR compliance.

Learn about the Ways in Which Your Website is Collecting Data

GDPR regulates the manner in which websites collect data from their visitors. To ensure compliance, try to pinpoint all of the ways in which your audience could be sharing personal information with you. Some of the possibilities include:

  • User registrations
  • Writing comments
  • Signing up for an email newsletter
  • Sending an inquiry via a contact form
  • Log-in requirements for individual tools or plugins
  • The collection of analytical data about the website audience

Once you have this information, you can move on to ensuring the GDPR compliance of WordPress website hosting.

Choose the Right Plugins

Luckily, WordPress and WordPress plugin developers have taken it to heart to help website owners ensure compliance with the new privacy regulations.

An array of plugins and other tools can be used for this purpose. This means you’ll be free from having to hire a web developer to modify the data collection aspects of the website. WordPress has created a page featuring all of the currently available GDPR-related plugins. It will be up to you to decide which ones you’ll have to install and run.

Update Your WordPress Version

Updating the WordPress version regularly is important from a security perspective, so it also plays a role in your GDPR compliance efforts.

WordPress 4.9.6 has a number of GDPR features already built into the platform. If you’re creating a WordPress website right now, you will have the latest version installed and there will be nothing to worry about.

The update takes place from your WordPress dashboard and only a few minutes are needed to get it done with.

Update Your Privacy Policy

Now that you have handled the software side of things, it’s time to work on the documents that highlight the data policies and security measures your website visitors are entitled to.

A good privacy policy should provide information about:

  • Who you are and why you need to collect personal data (the only permissible option is for the provision of content and services on the website)
  • What’s the legal basis for personal data collection
  • How information is going to be shared with third parties (in this case, WordPress plugin developers), why, and what your commitment to protecting the privacy of website visitors is
  • The timeframe for the storage of collected data
  • The rights of individuals to opt out from data collection efforts and the right to be forgotten
  • A specific clause for filing a personal data-related complaint

Needless to say, there could be certain specific clauses pertaining to the type of website you’re running and the content featured on it. You cannot rely on a generic privacy agreement, which is why consulting an experienced attorney in the field and having the privacy policy drafted professionally is going to make the most sense as far as GDPR compliance efforts go.


How to Grow Your Email Marketing List and Still be GDPR-Compliant


The implications of the EU GDPR are much more pervasive and widespread than businesses initially thought them to be. Database creation, information collection, archive maintenance, and multiple other activities are affected. Email marketing is one of these activities.

Maintaining an email list that is GDPR-compliant can be a challenge. If you don’t know how to handle the process, the following email marketing tips will shed some light on the essentials.

Email Opt-in Tactics Matter

At the end of 2017, Forrester predicted that 80 percent of companies will fail with their GDPR compliance efforts. While the number may seem shocking, it probably isn’t that far off from the truth.

Ensuring compliance in the field of your email marketing strategy can be particularly tricky, especially when it comes to opt-in strategies.

Pre-checked opt-in boxes (for example, when a person is attempting to order a product or create a log-in account) have become a big no-no in terms of GDPR compliance. You can no longer do that to collect email information and send newsletters in the future.

You have to collect explicit opt-in permissions from the people who visit your website. Consent should be freely given; otherwise, you cannot send newsletters or other forms of promotional emails. Let your audience decide whether they’d like to opt in and start receiving emails from you. Relying on pre-ticked boxes is deceptive and ineffective anyway!

Provide a Clear Explanation of What People Are Signing Up For

Apart from getting affirmative consent, you will also have to make sure people are informed about what they’re signing up for in order to ensure EU GDPR compliance.

You can accomplish the goal by featuring a few sentences next to each checkbox. The explanation should tell potential subscribers how their personal information is going to be utilized, what type of newsletter they’d be getting, and how often they will be contacted.

Get Consent from Existing Email Subscribers (If Necessary!)

In a survey carried out by Compose, 70 percent of small business owners said that email marketing was their biggest concern as far as GDPR compliance goes. Things are most challenging when it comes to the existing database and the management of data collected before the enforcement of GDPR.

You have to account for the date on which a person subscribed to your newsletter. If you don’t know what the date is, you will have to obtain explicit opt-in consent from the person who’s already on record in your existing newsletter database.

A simple campaign carried out via email will be sufficient to notify your existing subscribers of the changes and the need for consent renewal.

The Opt-Out Process

Under GDPR, you also have to make it effortless for subscribers to opt out of your mailing list.

The good news is that if you’re following the CAN-SPAM guidelines, you have already provided your subscribers with such an option. Nothing will have to change and you will still be GDPR-compliant.

If not, you will have to put an effective opt-out mechanism in place. Include a button at the bottom of each email that will take subscribers to the opt-out page. There, you can request some information about the reason for opting out. You will be GDPR-compliant and you will get essential information that could improve the effectiveness of your marketing efforts in the future.

The Seven Most Important Legal Protections For Your Online Business


As an entrepreneur, you have a particularly big role to play in the success of your online business. You are the salesperson, the developer, and the customer representative – all at the same time. While outsourcing some of these roles or hiring others to fill these positions is a good idea, scarce resources may not enable you to work with a consultant or freelancer.

No matter what roles you end up serving, it’s important to remember that being an online business owner does not give you immunity from the law. Your business is very much regulated by the same laws governing big businesses – sometimes even more – so you have to know how to handle legal issues. While not all of your legal needs may require hiring a lawyer, all of them do require your knowledge of the law. A little bit of preparation will go a long way. This article is a good place to start.

ONE: Your Pre-Business Contracts

The most common mistake startup founders make during early growth is not establishing a strong legal structure at conception. While it’s tempting to dig into the vision for your company and start making your idea a reality, it’s important that founders pause and cover their legal bases. The core legal documents that founders need to put into place will help avoid costly legal battles in the future. Three are listed below.

Articles of Incorporation. A common mistake startup founders make is failing to put the proper business structure in place. Setting up only a sole proprietorship can result in huge income tax bills and legal liabilities for which founders are personally responsible. By not filing with the Internal Revenue Service to form a distinct legal entity for their business, founders risk losing their personal savings and, in some extreme cases, their homes.

Nondisclosure Agreements. Having a non-disclosure agreement (NDA) readily available is imperative before any business conversations take place between you and an outside party. From the moment a prospective employee or investor initiates contact with you, you need to have an NDA waiting for them to sign. NDAs protect your online business by safeguarding your founders’ and employees’ ideas and your intellectual property. An NDA should specify the following:

  • What constitutes confidential information
  • How confidential information should be handled
  • Who owns that information (the company)
  • The time period that the information will be disclosed
  • The time period confidentiality will be maintained

Independent Contractor Agreements. For many small or online businesses, outsourcing to independent contractors is a great way to get some added help, fill specific needs, or bring in specific expertise. It’s a flexible arrangement, and you don’t have to pay workers’ compensation, payroll taxes or employee benefits for contractors and freelancers. However, be aware that the IRS is now on the lookout for employers who misclassify their workers as independent contractors to avoid paying payroll taxes.

For this reason, it’s smart to make a contract. Consider an independent contractor agreement that explicitly defines the relationship between you and the worker. Make it clear that you intend the worker to be an independent contractor who is responsible for his or her own taxes. In addition, the agreement should not exert much control over how work will get done. Be careful not to set specific hours for when they need to work or where.

TWO: Your Business Structure

While less exciting than building a website and marketing your product, careful evaluation of which business structure is right for you is crucial because it will have implications for how the IRS taxes your profits. It’ll also determine whether your personal property is protected when others demand money from your business. Other considerations, including the management of the new business and your long-term plans for it, come into play as well.

Business structures are largely creations of state law, and there are minor variations on the details from state to state. But here are five common models:

  • Sole Proprietorship.  An unincorporated business that is owned by one person who reports business profits on his or her individual tax return. A sole proprietorship is the simplest business structure and is straightforward to start.
  • Partnership. An unincorporated business owned by multiple owners, which can be either people or other businesses. Profits are divided among its owners and reported on their tax returns. Common partnership types include General Partnerships, Limited Partnerships, Limited Liability Partnerships (LLPs) and Limited Liability Limited Partnerships (LLLPs).
  • A Limited Liability Company. An LLC is a hybrid business structure that limits the personal liability of its owners — called members — like a corporation but allows the profits to be taxed on either a member level or the corporate level.
  • An S Corporation. An S corporation has one class of stock and no more than 100 shareholders, none of whom can be another for-profit business, or a person without a green card who doesn’t meet IRS residency requirements. Profits are taxed on shareholders’ tax returns, and shareholders have limited liability.
  • A C Corporation. A corporation whose profit is taxed once on the business level, and a second time on an individual basis when earnings are distributed to shareholders who have limited liability for the business’s debts. C Corporations can have multiple classes of stock and an unlimited number of shareholders.

THREE: Intellectual Property

Intellectual property (IP) is the bread and butter of most online businesses. Be prepared to invest in the time and talents of an IP attorney early on because there’s sometimes a very thin line between creativity and theft. Intellectual property owners need to put in efforts to ensure their rights are protected. As an online business, securing a trademark for your IP is the only way to guarantee no one will steal your idea from you.

Trademark and Copyright Protection:

There tend to be some common misconceptions about what these words actually mean, with must-know legalities and laws around each one. The United States Patent and Trademark Office defines them as follows:

  • Trademark: A word, phrase, symbol, and/or design that identifies and distinguishes the source of the goods of one party from those of others.
  • Patent: A limited duration property right relating to an invention, granted by the United States Patent and Trademark Office in exchange for public disclosure of the invention.
  • Copyright: Protects works of authorship, such as writings, music, and works of art that have been tangibly expressed.

FOUR: Terms of Use Agreement

Essential to your website is the Terms of Use Agreement, which is intended to be a contract between the Web site owner and the users of the site, and any purchasers of goods or services from the site. A well-drafted agreement includes: limitations on how the site can be used, copyright protection warnings, disclaimers, liability limitations, disclosure on the site’s privacy policy in dealing with customer information, jurisdiction where any disputes must be brought (ideally, the hometown of the site owner), and much more.

FIVE: Privacy Policies

This is one of the most important areas of launching your online business, and you should plan on devoting time to getting this right. Remember that regulations around privacy policies don’t just end at your website: any tool that collects information from your site — such as website analytics, online forms, or chat widgets — will require a policy too. Google Analytics, the most popular web analytics tool out there, even has a privacy policy requirement in its terms of use. Equally important, if you’re planning on running any online ad campaigns, both Google and Facebook require privacy policies in place if you’re collecting any user information. This is especially important for Facebook Lead Ads, which requires a privacy policy URL link within each ad you create.

A privacy policy usually lets your customers know what type of data you’re collecting, and what you’re doing with that data. It also generally provides information about how you’re collecting data, whether it’s through a form or cookies on your website.

Privacy policies may also include information on who has access to the customer’s data. This can mean giving customers the right to request data if they want, and a process to do so. And it usually involves providing contact info if they have a question about the privacy policy. You may also want to provide an opt-out notice for users that don’t agree with the policy.

Speaking of privacy policies, have you heard about the GDPR (aka the new General Data Protection Regulation put into place by the EU)? If you’re unsure of what you need to know for this new privacy law and how to get yourself compliant, click here to watch my free masterclass on the GDPR, or click here to download a totally free GDPR-compliant plug-and-play privacy policy.

SIX: Client Contracts

Drafting up contracts for your clients doesn’t need to be complicated, nor does there need to be a lot of legalese. The goal is to clearly define all expectations of a project from both you and your client. On a very basic level, a contract should clearly spell out who’s doing what and for how much. Clumsy legal language often confuses people and should be kept out of agreements if possible. Generally, if you don’t understand it yourself, then you should leave it out of your contract.

Service agreements for your clients. A client service agreement focuses on your relationship with your clients or customers. If you are a consultant, coach, or other service professional, then it’s imperative that your clients know what to expect when working with you and what their responsibilities are in the transaction.

A well-drafted client service agreement memorializes the basic terms of your relationship with your client. It also provides the next steps in the event something unexpected happens. It can prevent disagreements and confusion with your customers, which in turn can prevent any need for litigation.

Your client service agreement should include the client’s name and contact information, a place for them to sign, the amount the client will pay you, and what exactly you will provide in exchange for that payment.

Other important items you should include:

  • What happens when a client fails to show up for their appointment?
  • How many calls/emails/meetings with you can the client expect?
  • How and when will the client pay you?
  • What happens if payment is late?
  • How can you, or the client, terminate the coaching relationship?

Coaching agreements/freelancer agreements. When you’re mentoring others online or offline on how to improve their businesses or personal lives, you will want to put into place a written coaching agreement that clearly states what you have agreed to do, when you will perform such coaching services, and your coaching fee(s).

Equally important, your coaching contract should specifically exclude key areas that your services do not cover.

When having an experienced business lawyer prepare the coaching agreement you will use with clients, here are some key factors to consider:

  • What is the term of your coaching agreement?
  • What deliverables are you promising and, equally significant, what are you excluding from the scope of your professional coaching services?
  • What media will be used to deliver your coaching services?
  • How and when will you get compensated for your professional coaching advice?

SEVEN: Liability Protection

Clear communication in your online materials will solve many customer complaint problems, and it may also protect you from claims of false advertising and from investigation by the U.S. Federal Trade Commission. Disclosing basic information is required by law, but it must be done accurately. Therefore, you should monitor the information you are placing on your website to make sure it accurately depicts your business practices, prices, products, or whatever else you are describing to potential customers to entice them to buy your products or services.

Clear communication also includes “adequate” communication. Leaving out key details about what you are describing on your website can be considered misleading. The FTC provides guidelines on its website regarding advertising and marketing on the Internet and gives good examples of what types of statements might be misleading to customers.

Cyberattacks. Protecting against cyber-attacks isn’t that difficult. Hackers are intelligent and ambitious, but statistics show that entrepreneurs and business owners generally do not employ the best defense mechanisms against cybercrime either. Most victims are “targets of opportunity.” In other words, they had extremely poor security, if any. Here are a few things you should do to protect your business against cyber-attacks:

  • Purchase anti-malware and anti-virus software. Malware is used in most data breaches. It can be planted onto a computer through spammy websites, suspicious emails, or unsecured Wi-Fi connections. If the infiltration is successful, malware can capture login information and keystrokes. Other threats include email phishing, pop-ups requesting personal information, or social media account access. The good news is that it’s surprisingly easy to protect your business against malware and viruses. Simply install appropriate protection software. You should also update it regularly because worms and other viruses thrive on out-of-date software.
  • Encrypt important data. Sensitive data such as bank account details or client information should be encrypted because this is exactly the kind of information that hackers are looking for. Full-disk encryption tools, which are standard features of most operating systems, should be utilized at all times. Data encryption can also be used for cloud-based services or email platforms.
  • Educate employees. Most cyber-attacks occur through compromised Wi-Fi networks. If you use wireless networks, you should make sure that they have strong passwords. You should also disable the SSID broadcasting function on your router in order to hide your network. Avoid using WEP networks. At the moment, WPA2 is the standard because it offers better protection.

Disclaimer. You should avoid making announcements or slanderous statements, or engaging in any business that might be considered suspicious. Partnering up with companies that end up being sued might also harm you in the fallout. In addition to this, you should also limit any possible conflicts of interest. To that end, you should definitely think of obtaining liability insurance to protect yourself against unfortunate events. Errors and omissions coverage should also be considered, especially if you’re working with people. Another option besides purchasing insurance is to build protection through your contracts.

Here are a couple of things that a website legal disclaimer can do:

  • Inform people that you may change your content at any time with or without notice.
  • Disclaim responsibility for the content provided on any websites that you link to from your website.
  • Advise people, in no uncertain terms, that if they take any action based on the information provided on your website, they do so “at their own risk.”

Data Protection. There is probably no quicker way to lose customers than to allow their personal information to be left unsecured. Laws and customers are placing more and more emphasis on personal security, and protection of their financial information is required. Accurate and adequate disclosure of security practices to consumers is a vital aspect of good online business practices. State and federal laws require protection of financial information and social security numbers. Also, several state laws require notification to consumers if there is a security breach that puts their personal information at risk of identity theft or other fraud. Constant monitoring of your security practices is essential.


Conclusion: Relationship with a good attorney!


Finally, and perhaps most importantly, securing a good attorney at the beginning of your business will save you time and trouble in the future. If you’re unsure which corporate structure is right for you, talk to an attorney. If you’re not clear on the terms of a new contract you’re about to enter into, have a lawyer read and interpret the document for you. While you might be very eager to append your signature to the agreement, taking a little caution will keep you from entering a long and painful business relationship. An investment in good counsel now will pay big dividends in the future.

How is Personal Data Defined Under the New GDPR Provisions?

The General Data Protection Regulation (GDPR) is already here and hopefully, you’ve managed to implement all of the required changes. To ensure consistent compliance, however, you need to have a thorough understanding of the term personal data and its specific definition under GDPR.

The general definition of personal data is easy to understand – it is data pertaining to a specific person (financial, medical, personal, etc.) that should be protected. Does GDPR change the definition of the term, however?

The Definition of Personal Data

More information about the definition of personal data is available in GDPR Article 4.

The document states that personal data is any information that relates to an identified or identifiable individual. An identifiable individual is someone who can be identified by their name, an ID number, an online identifier (an IP address, for example) or any other source of information that can be used for either direct or indirect identification.

As you can see, the GDPR definition is quite vague and it could relate to just about anything. The scope of information expands in an attempt to give people more control over the privacy of their data.

New Categories of Sensitive Data

Personal data has an important sub-category under GDPR and this sub-category is sensitive data. Sensitive data is more specific and it should be handled more carefully by website administrators and web service providers.

A few common types of sensitive data under GDPR include:

  • Information about a person’s race or their ethnicity
  • Political opinion
  • Health details
  • Sexual orientation
  • Religious affiliation

In order to process sensitive data, online service and content providers have to get explicit consent under the GDPR.

There are two more types of data that fall under the same category and necessitate similar handling – biometric and genetic data. Genetic data is specifically used for medical research purposes. Biometric data includes fingerprints, retinal scans, etc.

Processing Terms and Conditions for Personal Data Handling

Now that you have a better idea of what personal data is, it’s time to understand how such information should be processed and handled under GDPR.

The conditions for personal data processing under GDPR are somewhat similar to those under the Data Protection Act of 1998. Processing is going to be lawful whenever:

  • Consent is obtained from the individual that the data pertains to
  • The processing of such data is necessary for the performance of a contract, for legal compliance, for the performance of a task, or to meet a legal obligation
  • Explicit consent is obtained for sensitive personal data

To meet these requirements, website owners have to review existing data collection policies, as well as the terms and conditions presented on the website itself. If a consent mechanism is already in place, it should be reviewed to make sure it meets the much more stringent GDPR requirements (especially for sensitive data).

Whenever personal and biometric data is being processed, both GDPR and local national regulations will have to be taken into consideration. Individual EU member countries could impose additional restrictions that will come on top of the standard GDPR provisions.

Ensuring GDPR compliance has been a lengthy process for many businesses and for some, the process has not been finalized yet. If you’re one of these businesses and you’re still struggling, you should seek legal assistance right now. Having an experienced professional reviewing your personal data collection and processing policies will make it easier to identify gaps, shortcomings and potential GDPR violations.

GDPR: 10 Steps That Will Help Guide You Through The New E.U. Data Protection Framework

The new European data protection law, the General Data Protection Regulation (GDPR), comes into force on the 25th of May, 2018. The new framework puts considerable pressure on online and offline businesses of all sizes because it strengthens the rules under which the personal data of European residents can be collected, stored, and disclosed. Despite its territorial scope, the GDPR will also apply to organizations that do not have a physical presence in the European Union.

To guide you through the new E.U. data protection framework, we’ve provided you with a 10-step guideline that will allow you to better understand the formal requirements of the GDPR and the new personal data security standards.

1. Scope of the GDPR

Although the GDPR is a European legislation, it may apply to businesses located in other jurisdictions as well. More specifically, the GDPR applies to natural and legal persons that collect personal data and:

  • Are established in the E.U.;
  • Are not established in the E.U. but cooperate with data processors that are established in the E.U.; or
  • Are not established in the E.U. but collect personal data of E.U. residents or target them (e.g., offer them goods and services or monitor their behavior).

The GDPR will not be applicable if you are a natural person who accesses personal data in the course of a purely personal or household activity (e.g., browsing social media websites).

2. Tracking personal data

The GDPR defines personal data as any information that allows you to identify a natural person. For instance, personal data may include personal names, physical addresses, email addresses, social security numbers, location data, genetic information, biometric data, health care data, and IP addresses.

The GDPR requires applying the principle of data minimization, meaning that you can collect and process only the amount of personal data that is required to provide the requested service.

In order to keep track of all of the personal data that you collect, store, access, share, and process online and offline, it is important to document such transactions for your own records. Also, in certain cases (e.g., if you employ more than 250 persons, collect personal data regularly, or target special categories of personal data) you may be obliged to maintain data processing records.

It is important to note that the GDPR imposes stricter requirements (e.g., obtaining explicit consent) for special categories of personal data, such as a person’s racial or ethnic origin, political, religious, and philosophical opinions, trade union membership, genetic data, biometric data, healthcare data, and data concerning a natural person’s sex life or sexual orientation.

3. Collaboration with third parties

Under the GDPR, all third parties that have access to personal data collected by you, such as cloud storage providers, hosting providers, and newsletter providers, are considered to be data processors. The law stipulates that the relationship between you and data processors should be governed by data processing agreements, which should reflect (1) the types of personal data you provide access to, (2) the purposes of processing, (3) the duration of processing, (4) the applicable security measures, and (5) the mutual assistance in fulfilling your obligations under the GDPR.

If the third parties are located outside the EEA, you can disclose or transfer personal data only if certain conditions are met, including, but not limited to:

  • If the third party is established in the country that is “white-listed” by the E.U.;
  • If you conclude a contract with the third party on the basis of pre-approved contractual clauses or binding corporate rules;
  • If the data subject provides you with explicit consent to the disclosure or transfer of personal data; or
  • If the transfer is explicitly necessary for conclusion or performance of a contract.

4. Consent

Consent for the collection and processing of personal data is one of the legal grounds for lawful data processing under the GDPR. To be valid, the consent should be prior, explicit, informed, and freely given (pre-ticked boxes are not allowed). Processing without consent is permitted if the personal data is necessary for performing a contract with the data subject (e.g., booking an appointment, providing the requested service, or delivering a product), for pursuing legitimate business interests, and in some other exceptional circumstances.

5. Data protection and storage

Under the GDPR, personal data can be retained only as long as its storage is necessary for the purpose for which the personal data was collected. Afterwards, the personal data should be deleted. Only in certain cases, when the storage of personal data is required by the applicable law (e.g., for accountancy purposes), are businesses allowed to retain personal data in order to comply with their legal obligations.

To protect personal data, appropriate organizational and technical security measures have to be taken (e.g., limited access to personal data by employees, anonymization, secured networks, and encryption) and you have to ensure that the data processors with whom you cooperate have also put equivalent security measures in place.

6. Data subjects’ rights

The GDPR provides data subjects with a number of rights with regard to their personal data. Indicate in your privacy policy those rights, and give instructions on how data subjects can exercise them. Such rights include:

  • The right to access personal data (e.g., getting a list of personal data you store about the data subject);
  • The right to correct personal data (e.g., change of contact details);
  • The right to erase personal data and object to profiling (i.e., “right to be forgotten”);
  • The right to restrict the processing of personal data;
  • The right to ask a data controller to provide another data controller with a list of personal data related to the data subject; and
  • The right to launch a complaint about the handling of personal data.

7. Identification and transparency

Give your privacy policy the highest level of transparency. List clearly the types of personal data you collect, the purposes of collection, the grounds for processing, the third parties that have access to personal data, and all your policies and procedures governing the collection, storage, and processing of personal data.

Also, indicate your contact details clearly in your privacy policy, including the email and postal addresses that data subjects can use to contact you with regard to personal data, and mention the timeframe in which you will respond to data subjects’ inquiries.

8. Children

The GDPR prohibits the collection and processing of children’s personal data without obtaining parental or guardian consent in advance. In order to comply with this requirement, consider putting systems in place to verify individuals’ ages and to obtain the required consent. Also, provide parents or guardians with the opportunity to request the erasure of children’s personal data that has been obtained without their consent.

9. Data breaches

The GDPR puts in place strict guidelines for reporting security breaches that affect personal data. In a nutshell, you have to inform the supervisory authority within 72 hours from the moment you become aware of a breach, and then provide details about the affected personal data. Should a data breach occur in data processors’ systems, the data processors have to immediately notify you. Make sure that you have the right procedures in place to detect, report, and investigate a data breach.

10. Data Protection Officer (DPO)

You can voluntarily appoint a DPO as a person who will assist you in complying with the GDPR, as well as tracking and documenting the transactions involving personal data within your organization. The GDPR explicitly requires appointing a DPO if:

  • Your business relies mainly on processing of personal data on a large scale;
  • You process special categories of personal data on a large scale;
  • The processing of personal data may cause a threat to the rights and freedoms of data subjects; or
  • You are a public body or authority.

Is Encryption a Mandatory Part of GDPR Compliance?

Website encryption guarantees a high level of security for visitors, which is why the number of websites featuring security certificates is on the rise. According to a Mozilla report, the volume of encrypted traffic already surpasses unencrypted traffic. Other reports predict that approximately 75 percent of web traffic will be encrypted by 2019.

While the benefits of data encryption are easy to understand, is there a legal requirement for websites to feature a security certificate? Does the new General Data Protection Regulation (GDPR) mandate such a change? The use of a security certificate is definitely beneficial, but there’s currently no encryption law that necessitates the change.

Is SSL Certification Needed to Be GDPR-Compliant?

An SSL certificate adds a layer of protection to a website, increasing privacy and giving visitors peace of mind. The padlock symbol in the address bar shows whether the connection to a website is encrypted.

Under GDPR, data encryption is recommended, but not mandatory. In fact, the term encryption is not featured in the lengthy document much.

GDPR suggests the introduction of safety measures like encryption and various others (the words used are “may be introduced” and “optional”). Encryption is only one suggestion, and while it is presented as a good choice, there are no statements that make it mandatory.

The Lack of Encryption and Data Breaches

While there are currently no encryption laws that mandate the purchase of a certificate, website owners are expected to do everything in their power to prevent eventual data leaks, website hacking, and breaches.

If a data breach occurs and the data of EU citizens is affected, the website owner will have to answer questions about the security safeguards in place. Questions about the encryption of personal and sensitive information may also arise.

Would the lack of encryption be perceived as a negative thing? Most likely! Are there any requirements under the new GDPR policies for the purchase and integration of an SSL certificate? Such provisions do not exist at this time.

The General Data Protection Regulation is concerned with ensuring the safety of personal data. Thus, you should work hard towards guaranteeing e-privacy in every possible way. While data breaches are often inevitable, there are things you can do to minimize the risk.

A few of the best options (other than website encryption) include the following:

  • Make sure that the system and all software will get upgrades on a regular basis
  • Refrain from using default passwords and usernames
  • Keep track of devices to make sure none are lost or stolen
  • Limit the number of people who have admin rights and access to sensitive information (human error is still one of the most profound contributing factors to data breaches)
  • Reduce data transfers
  • Make sure that all employees who do website work undergo data security training

Getting Your Website Encrypted Is a Good Idea

While GDPR does not make website encryption mandatory, this is a good option you should consider for your online platform.

There are different kinds of security certificates, and their features will determine the cost. Many hosting companies will also provide a free SSL certificate as part of the service package their clients receive. This is a possibility to consider, but talk to a developer or a data security specialist first. Encryption certificates are not created equal, and some may not be worth getting.

The things that you do to guarantee the security of your website’s visitors will have an impact on your reputation. Do a bit of research and consider all possibilities carefully before turning down one option or the other.