GDPR. Everyone’s talking about it, so we thought we’d chip in. Spoilers: it’s not worth staying up all night worrying over; you’re probably further ahead than you realize. Here’s how we’re looking at things…
GDPR isn’t a monster lurking under the bed. It’s an opportunity to show your website visitors that you take privacy and security seriously and that you value their trust.
Our Future Forum in October last year revealed that, unsurprisingly, we’re all in the same boat:
- Where do we start?
- What processes are required?
- What do we document?
- Is there any special technology we need to implement?
- How should we communicate these changes with our customers?
First off, GDPR has different implications for each industry. It’s important to establish that upfront.
If you’re a small or large business operating in the EU and collect personal or sensitive data as part of a form or process on your website then read on.
I’m here to tell you how SessionCam is thinking about GDPR and answering these questions. But I’m not from the ICO (their guidelines and a compliance questionnaire, which you should take if you haven’t already, are available on the ICO website).
Will GDPR affect you?
GDPR only applies to those visitor sessions where personal or sensitive information is entered. If you use SessionCam, we both have responsibilities to make sure that we comply.
As the data controller, you (your brand) are in control of the data SessionCam records and we keep you informed of how we use it.
As the data processor, SessionCam…
- has to maintain records of personal data and processing activities
- has a legal liability if we are responsible for a breach.
The first rule of GDPR — communication and documentation
Just as you tell your prospects and returning customers about a new feature release or an important change driven by stakeholders, GDPR is something you’ll want to talk about too.
Communicate with your visitors and customers about what this change means for them. They need to hear it from you directly and not from sensationalist media. Not talking to your website visitors and customers is a risk you shouldn’t take. Write a blog, release a document — tell them what you’re doing.
Consent. It’s easy to get your head around…
There’s no need to monkey around as far as consent is concerned, and you’re probably doing something similar already. I’ve seen some extreme approaches to obtaining consent, like extra pop-up solutions that claim to be compliant with GDPR. But it doesn’t need to be that complicated.
Genuine consent should put individuals in charge, build customer trust and engagement and enhance your reputation.
You, the data controller (the brand), are responsible for obtaining consent from your customers. Under GDPR, you have to tell them the purposes of processing, the storage period and their rights as a data subject.
For example, a consent notice might read: “We use SessionCam to identify areas of improvement on our website and make it a better experience for you. Session replay is the online equivalent of recording calls in a call center for training and quality purposes.”
Similarly, you need to make it easy for your customers to withdraw consent. Tell them how they can do so when they consent in the first place — just don’t bundle the two together.
Keep evidence of your customer consent, specifically who, when, how and what you told them they’re consenting to.
Just like any other policy, it’s important to keep it up to date. Regularly review your consent policy in conjunction with the ICO’s guidelines, which are published on the ICO website.
Here’s a summary of what SessionCam is doing
Ethics and a focus on privacy and security are at the heart of SessionCam.
SessionCam has been recommended for ISO 27001 certification by the British Standards Institution (BSI). Holding an ISO 27001 certificate is considered adequate for protecting Personally Identifiable Information (PII) under GDPR.
- We are doing an information audit of the data we hold on employees as well as clients.
- We are documenting everything, such as how we store data and how we use data.
- We are making sure we understand, and have processes in place to comply with, the eight rights for individuals.
SessionCam does not collect payment card (PCI) data. It is designed to recognize fields containing PCI data and not record them. As SessionCam is built to show you customer behavior, it is not necessary to record this sensitive information, so we don’t.
Get the facts right and the rest will follow
As I said at the start of this post, always refer to the ICO for the facts on GDPR and not sensationalist media. That’s where we get our facts from. Document your processes. As long as you’re able to prove you’re taking the right steps to be compliant with GDPR then you’re in a great position.
GDPR applies across all member states of the EU, including the UK. It will apply to SessionCam as a data processor and our clients as data controllers. We’ll be applying these laws not just to clients in the EU but clients worldwide.