It’s been almost a quarter of a year since GDPR came into effect on 25 May. Amid the panic and the last minute rush to offer compliance, there’s been an increased focus on online platforms. Below, let’s consider the approach taken by the big companies, and what OFEC has done for smaller organisations.
The Big Companies
Apple has been seen largely as a privacy-respecting company compared to its peers- and this is largely due to the fact that Apple is not a free service or tool that largely relies on advertisements to make money. In addition to updating it’s privacy notice, Apple also introduced a new user page, which allows you to download all of your data held by Apple, broken down by the various services. Complying with more than one of the ‘rights’ that we discussed earlier, it also complies with the right to ‘data portability’ by providing us with the reusable files in CSV and JSON formats within zipped folder downloads.
A new feature that’s also being rolled out around the world is the deactivation of accounts temporarily. You can also temporarily deactivate your account, so that during those periods, Apple not only stop your services temporarily, but Apple’s machine learning and AI systems won’t use your data- thus achieving true account suspension (as best as one can achieve it anyway).
It’s no surprise that Facebook has come under scrutiny almost as the GDPR clock started ticking. Add to that its ongoing enquiries as part of Cambridge Analytica/Election campaign data use, and the fact that Facebook tracks followers and non-followers, it is almost as if GDPR was written with Facebook in mind. Over the course of May Facebook offered updated privacy settings with choices including the use of personal data for ‘targeted advertisement’. To avoid confusion, users of Facebook still receive the same amount of advertisements, but it’s about whether it’s targeted to you based on your last browsing session on online sites, or not.
Interestingly enough, Facebook has turned on facial recognition for people in Europe around the same time, as explained in their blog. It’s also moved the registration (processing) of its 1.5 billion users outside of the US, EU and Canada to the US (it used to be in Dublin). What it means, then, is that about ¾ of their non-EU customers are moved out of the ‘territorial scope’ of GDPR. Yikes! Even though they offer their ‘privacy tools’ to all of its customers, the level of privacy and autonomy given to those customers outside the GDPR scope is different around the world.
Amazon was seemingly ahead of the curve, having announced at the end of March that their Web Services (AWS) was ready for GDPR. Offering a variety of services including (but not limited to) cloud data storage, AWS allows one to, essentially, implement our own security measures to ensure compliance with GDPR. As most of its ‘customers’ are companies who outsource their data storage, database management and hosting to AWS, it is no surprise that they were ahead of the curve with their compliance. They’re also compliant with many international standards, so GDPR compliance may have been an easier transition for them (than a company with no accreditations).
..And the Small Companies
We saw more and more smaller organisations outsourcing their GDPR compliance to specialist companies. To comply with Article 28 of GDPR, OFEC rose to the challenge, developing solutions for a number of requirements for online platforms.
As the new guidelines dictate that visitors are not only given more information about what sort of data is stored and collected but also, they should have the ability to provide “active consent” for any type of data collection (as described above). As our IP addresses are personal data (as they identify who we are online), and therefore we need to have consent (or another processing reason agreed to by the users) for the non-essential processing of our data.
In order to achieve compliance with this, OFEC implemented a GDPR compliant cookie bar which clearly shows visitors the different types of data collected and their purposes (essential, google analytics, others). Visitors can then simply turn off non-essential cookies. We’ve done this not only on OFEC site, but also for our clients Dumpton , McGurk etc
Right to be forgotten
Again, mostly applicable for those of us in the service industry: as per the new guidelines customers and visitors of a website have a right to be asked for all their information to be removed. This includes but is not limited to their activities on the website as a visitor, member information (like name, email, address etc.), and purchasing history. For members and customers of OFEC designed websites, this was achieved by providing them with a simple to use “remove my details button” which notifies the site administrator that the member has asked for their details to be removed. The admin can then action it with a click of a button, removing all sensitive data from the system. EGSCT and Dumpton have successfully implemented this in their system.
Obtaining active consent is not limited to just the online data collection we have. In order to communicate with visitors and customers for marketing purposes, sites need to have active opt-in mechanism in place, because how else can we actively get details of potential customers in a lawful way? For our clients, especially EGSCT, we have added the ability for members (under their settings page) to hand pick the different marketing activities to which they can opt in, essentially choosing what they’d liked to be emailed about under the banner of ‘marketing’. These span all the traditional marketing types, such as events, news and updates, related events, sponsor messages, and so on. In addition, we have updated the system so that our back-end users, and administrators can easily generate a report to ensure any marketing emails are sent only to members who have “opted in” for that particular activity.
What can OFEC do?
From our Membership Management system to our Visitor Management Systems they are fully GDPR compliant, why not get in contact to see how we can help.