Leadership Perspectives

TUNE’s TL;DR On How To Approach GDPR

Becky Doles

Preparing for GDPR

TUNE’s TL;DR on how to approach GDPR:

Transparent. Limited. Dependable. Respectful.

We’re in the homestretch toward GDPR’s enforcement date, and online data privacy is all the rage these days (thanks, Facebook!). For those late to the game, or simply trying to wrap your head around this complicated regulation, here’s the TL;DR on how to approach GDPR.

Transparent with your communication.

Keep clear documentation about how you collect, use, and store personal data. Transparency leads to informed decision-making, so clearly communicating your data management practices builds trust and lets others understand what it means to do business with you. Maintain up-to-date external-facing documentation and privacy policies, and invite an open dialogue with your partners and end users.

Limited with your data.

Collect only the data you need, and keep it only for as long as you need it, to fulfill the stated purpose for which you collected it in the first place. Without a lawful basis to process personal data, such as consent or a legitimate interest, promptly erase that data from your systems. Also, take reasonable steps to anonymize or pseudonymize identifying data points, and keep in mind that pseudonymized data is still personal data under GDPR as long as someone holds the key to re-identify it.

Dependable with your security controls.

Invest in your internal controls. Start with a deep review of existing practices and a comprehensive data map of where personal data enters, lives, and leaves your systems. Working across people, process, policy, and technology, develop a cohesive strategy that addresses actual risks, rather than relying on clunky tools to check a box. Implement privacy by design and by default, and validate your adoption with independent audits such as SOC 2. This is a cross-functional effort, so be sure to have a strong and diverse team dedicated to security and privacy protection. Teamwork makes the data protection dream work!

Respectful of end users and partners.

Use common sense and a privacy-centric lens when thinking about end user rights and how to respect their intent. With clearly communicated guidance and procedures on how to exercise end user rights, such as optoutmobile.com, you can go beyond bare compliance and actually move the industry forward. When operating as a data processor, make sure you’re acting only on the documented instructions of the data controller. When in doubt, ask for permission rather than forgiveness – it’s the R-E-S-P-E-C-T-ful approach.

Of course, this grossly simplified overview ignores quite a bit of nuance, and should be taken with a grain (or barrel) of salt. And May 25, 2018, will not be the end of GDPR’s story. Through case law, regulatory guidance, additional legislative changes, and industry evolution, these next few months – and even years – will reveal best practices and illuminate those murky “is this good enough?” ambiguities. In the meantime, remember your GDPR TL;DRs, and get to work on building a more secure, privacy-centric internet.


Author
Becky Doles

Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she led a variety of marketing and communications projects at San Francisco startups. Becky received her bachelor's degree in English from Wake Forest University. After living nearly a decade in San Francisco and Seattle, she has returned to her home of Charleston, SC, where you can find her enjoying the sun and salt water with her family.
