Introduction to the GDPR and other privacy laws (part 5)
How to handle users' privacy in practice
Privacy laws are a joke. I elaborated on that on my previous four posts. But they do exist, and we need to take them into account. What should we do?
The obvious answer is “ask your lawyer”. But what if you are small and have no legal department? The GDPR is huge, and complying is costly.
Many people choose to ignore it or implement it badly. They may choose to ignore it because they know it’s a joke and they think they may be able to get away with it. They may choose to implement it badly in order to pretend they comply and lessen the probability of complaints.
Whether these are good strategies I can’t tell. I think it is always a good idea to ask a lawyer. E.g. “I know I have to comply with the GDPR but it would be costly and I think it’s a joke anyway. If I just ignore it, am I going to be in serious trouble?” Even five minutes of talking with a good lawyer can be extremely useful.
Regardless how you’ll steer yourself away from legal risks, I think you should respect your users’ privacy in practice:
Don’t use their personal data for purposes other than the reason they signed up.
Don’t email them without their consent, and when you do email them (with their consent) make it easy for them to unsubscribe.
Make sure you don’t keep backups of users’ personal data for more than a couple of years.
When you have a security breach and your users’ personal data are compromised, tell your users (you need to have an internal policy for that in place).
Use common sense.
Publish a short and to-the-point privacy policy and ensure your IT department is following it.
When users ask questions, try to understand their concerns and reply promptly.