GDPR compliance is everywhere right now, and affiliates are trying their best to make sure they’re on the right side of the law. The key is not to panic or leave it to the very last minute to make positive changes, so we’re condensing this massive legal document into the five key things you really have to know to ensure your affiliate business is compliant by the deadline in May.
What is your role?
Within GDPR, you are either a processor or a controller, and which one you are affects your responsibilities under the law. A controller has more responsibilities, as they are the ones actively storing the data, whereas the processor uses the data.
Within the affiliate-operator relationship, this can go either way depending on the task at hand. Affiliates will most likely be the controller in this regard: if you share user details with an operator, then you are the one responsible for that data.
Is your site compliant?
Working your way through the sign-up process and privacy policy on your site is essential. This means you have to actually sign up and look at the details you are providing to your users. You will want to make sure they have enough information to make an active decision to allow you to use their data.
Watch out for any areas in which you are vague, such as specifying who you will share the data with. While it may have been enough in the past to tell users their data will be handled by a third party, you now need to tell them exactly who that third party is.
Are you accountable?
Accountability will no doubt become important within this legislation, so you have to have a process. If you do fall foul of the legislation, you want to be able to show that you have at least tried to follow that process. Take legal advice if you want to ensure that you are completely covered.
It’s a good idea to appoint one person within the company to be responsible for this. If you make it more of a communal responsibility, you may find that not much work gets done, as there is no one person who is accountable.
What will you do when a request is sent?
Under GDPR, users have a right to be forgotten and can ask you to get rid of their data. So how will you do this? If you have already passed their data on to a third party, then this is your responsibility too. While this is how it works in theory, it’s not likely to happen in practice, as affiliates and operators will be overwhelmed with requests.
However, this doesn’t mean you shouldn’t at least try to do so, as it ties in with that sense of accountability and shows that you have recourse.
How do you protect your data?
Within these guidelines, there is a lot about data breaches and the process to follow if one occurs. You now have a responsibility to report these breaches within a set period of time, to give your users the chance to take steps to protect their data.
If this happens and it could have been avoided, you may potentially receive a fine. A data breach doesn’t always happen as a result of a cyber-attack; it could be as simple as an employee taking data that doesn’t belong to them.
This may mean that you come under investigation and have to change the way you store data in future. This benefits your users and your affiliate portal too, so you want to be seen to be taking this seriously.
GDPR will be enacted in May, but you have until next year to make sure you are fully compliant. This process can take a lot of time, so don’t make the mistake of thinking you have more than enough time to get your affairs in order. Get started now before it’s too late.