Whether you’re running a business that needs to be GDPR compliant or you’re just getting an annoyingly large number of emails about it, you’re sure to have questions.
I thought I’d share our experience with GDPR so it may help other companies feel a bit more comfortable. Or if we’re completely missing the point, one of you will let us know.
Let me start by saying, I am in no way an expert in GDPR compliance. I’m not an attorney and I don’t play one on television. What I am is a finance person at a dating app of less than 20 employees.
I work as CFO for a dating app that caters to open-minded couples and singles, wanting to explore curiosities in a safe environment.
This means our users share very personal information through our platform. They entrust us to act ethically and responsibly to maintain their safety and privacy, which makes GDPR an even bigger deal for us.
In a small company, you don’t have a data or compliance team to pass work off to. You also have competing priorities like making sure you don’t run out of money. So GDPR compliance becomes a group effort.
We’ve been working hard to make sure we’re compliant with the new standards. Here’s what we’ve learned through this process.
GDPR is a good thing
GDPR (General Data Protection Regulation) is a great thing for consumers. Its purpose is to protect individuals’ information from being collected inappropriately or unlawfully, or used without their consent.
With GDPR, companies need explicit and lawful reasons to collect or store your personal information. They also have to give you full control over, and access to, the personal information they hold about you.
GDPR affects most companies
What GDPR requires of a business depends on its stage, service type and the types of data it collects.
The rules state: The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
So essentially, if you touch the personal data of customers and operate in the EU or serve people there, it applies.
Ask for personal information when it improves your service
The rule is:
“You have a lawful basis for processing data where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
If you’re not an attorney, that sentence was probably painful to read. The clause above is also just one of many on this topic.
Here’s my completely non-legal oversimplification:
You’re allowed to ask for information if it’s used to provide your service.
Isn’t the way I said it so much nicer? Soak it in.
Our users provide information on their gender, sexual orientation, desires, interests and physical descriptions. We also facilitate the ability to share personal messages and photos.
For us, it’s perfectly reasonable to collect these different types of data. It’s essential to our business that people can share personal information to find that special someone… or someones.
It’s probably not OK to ask for this type of information if you’re, say, completing a loan application. Just as it wouldn’t be OK for us to ask for your credit score. (Although a dating app that matches you based on credit score is a solid idea. Dibs!)
Ask for personal information when it protects you legally
A unique issue for dating apps is the large number of unrequested photos containing male genitalia. (I just went a long way around to avoid saying ‘dick pics’.)
If you’re wondering how often these types of photos are sent, think of a number, then double it. Then double it again. Now make a surprised face because it’s way higher.
For platforms like ours, companies use tools to identify nude photos. These tools often rely on biometric data for detection.
So essentially, biometric data is collected to determine whether a picture looks like a hot dog. If the photo doesn’t pass muster we delete it and block the user. (Get it? Hot dog. Mustard. You get it.)
Again, the purpose of collecting this data is to improve our service. However, we also have a legal obligation to monitor for this type of activity. We have processes in place to identify minors on the app, illegal activity such as prostitution, and illicit material such as nudity.
Make everything consensual
A lot of companies rely on newsletters and email campaigns for customer re-engagement. GDPR has specific rules on using personal information for marketing purposes; in part, it requires express consent.
In short, you need explicit consent whenever you’re using data in a way that isn’t required by law or to deliver your service. Case in point: newsletters, e-mail campaigns and other marketing activities.
Even if you’re asking for consent you must have a lawful reason for wanting to use the data. There are specific rules on how you ask for consent. You also have to get consent if you’re making any major changes to your terms and conditions. You can find more details on this here.
Either way, this is a good opportunity to let users know you’re taking the right precautions with the information they’ve entrusted to you.
Data deletion and data requests will happen
We’ve already had several requests for data access and for data deletion. The biggest thing here is having a process in place that ensures you handle them properly.
You’ll need to record all of your third-party services and map out everywhere personal information is stored. This is a big undertaking for small companies that maintain a lot of user information.
Here’s our data checklist, which helps us with deletion requests and GDPR compliance in general:
· Document every piece of customer information you have
· Record where it’s stored and who has access to it
· Record why you need it
· Get consent if you don’t need it for legal reasons or to deliver your service
· Set a clear timeline for when data should be deleted (e.g. 12 months after an account goes inactive, 30 days after an account is terminated, less than 30 days after data deletion is requested)
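As an added illustration (not code from the original post), here is how the last three checklist items could be turned into a small Python check: a data inventory that flags items needing consent, and a retention rule that reports which accounts are overdue for deletion under the timeline above. The dataclasses, policy constants and sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Retention windows from the checklist above (assumed policy values for this example).
INACTIVE_DAYS, TERMINATED_DAYS, REQUEST_DAYS = 365, 30, 30

@dataclass
class Account:
    user_id: str
    last_active: date
    terminated_on: Optional[date] = None
    deletion_requested_on: Optional[date] = None
@dataclass
class DataItem:
    name: str          # what you hold
    stored_in: str     # where it lives, including third-party services
    purpose: str       # why you need it: "service", "legal", or anything else (e.g. "marketing")
    consented: bool = False
def deletion_deadline(acct):
    """Earliest date by which this account's data must be gone, with the reason."""
    candidates = [(acct.last_active + timedelta(days=INACTIVE_DAYS), "inactive 12 months")]
    if acct.terminated_on:
        candidates.append((acct.terminated_on + timedelta(days=TERMINATED_DAYS), "30 days after termination"))
    if acct.deletion_requested_on:
        candidates.append((acct.deletion_requested_on + timedelta(days=REQUEST_DAYS), "deletion requested"))
    return min(candidates)  # tuples compare on the date first
def overdue(accounts, today):
    """(user_id, reason) for each account whose deadline has passed, earliest deadline first."""
    hits = [(*deletion_deadline(a), a.user_id) for a in accounts]
    return [(uid, why) for dl, why, uid in sorted(hits) if dl <= today]
def consent_gaps(items):
    """Items not needed for the service or a legal duty that lack recorded consent."""
    return [i.name for i in items if i.purpose not in ("service", "legal") and not i.consented]

SAMPLE_ACCOUNTS = [  # constructed sample records
    Account("u1", date(2017, 1, 10)),
    Account("u2", date(2018, 3, 30), terminated_on=date(2018, 4, 1)),
    Account("u3", date(2018, 5, 20), deletion_requested_on=date(2018, 5, 10)),
    Account("u4", date(2018, 5, 20), deletion_requested_on=date(2018, 4, 20)),
]
SAMPLE_ITEMS = [  # constructed sample inventory
    DataItem("profile photos", "object storage", "service"),
    DataItem("photo biometrics", "nudity-detection vendor", "legal"),
    DataItem("e-mail for newsletter", "mailing-list provider", "marketing"),
    DataItem("device id", "analytics vendor", "analytics", consented=True),
]
def run_checks(accounts=SAMPLE_ACCOUNTS, items=SAMPLE_ITEMS, today=date(2018, 5, 25)):
    """Fixed 'today' so the sample result is reproducible."""
    return overdue(accounts, today), consent_gaps(items)
```

With the sample data, u3 is not yet due (its request deadline is 9 June 2018), while the newsletter address is the one item that needs consent and has none recorded.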
You’ll probably get warnings before being punished for non-compliance
The enforcement agency behind GDPR is the ICO (Information Commissioner’s Office).
Historically, the ICO has enforced violations with fines, and usually only after receiving complaints from consumers. The public record shows that many violations were by repeat offenders misusing contact information at massive scale. Most of these cases are for unsolicited marketing.
For example, a recent fine of £100,000 was given out to IAG for:
“Unsolicited calls for direct marketing purposes to subscribers who had registered with the Telephone Preference Service”
So, a great example of a record of consumer data being used inappropriately.
That said, and I hate to be the bearer of bad news:
GDPR doesn’t mean you’ll stop receiving cold e-mails or phone calls.
However, it should hinder businesses from marketing based on details consumers provided for other reasons.
What’s important for businesses to understand here is this:
If you’ve followed GDPR guidelines in good faith, the ICO isn’t likely to kick your door down come 26th May. You’d still have to be reported by a consumer, and you would likely receive warnings before a penalty was handed out.
GDPR is an ongoing part of your business now
GDPR is not a one-and-done compliance checklist. It’s a part of us all now. The ICO has even made this clear in one of their myth-busting blog posts.
One of the largest undertakings will be building out processes and documentation for data. This will be an ongoing process. We’re also likely to discover points of emphasis after the rules are in place.
If you have questions or concerns around whether or not you’re in compliance, there are a lot of online checklists and quizzes.
The problem with these quizzes is that they usually end with “Oh no! You’re not compliant! Give us some money and we’ll fix it!”
Ironically, these quizzes for preventing unsolicited marketing materials are themselves unsolicited marketing materials.
Even after meeting with attorneys, we’ve found the best information has come directly from the source: the ICO website.
Again, GDPR is a good thing. It may seem overwhelming for small companies, but if you can demonstrate you’re not being negligent and you’ve followed some of these steps, you should be in good shape. Time will tell how businesses will change and what additional measures will be needed.
I’ll also say once more, I’m not a compliance expert. This has merely been my experience with GDPR. If you think I’m missing anything or have other feedback let us know!
Or if you want to DM me to grab a coffee and chat about GDPR.
Let’s find something more interesting to talk about.