GDPR

Case study: compliance evaluation

Resources

  1. Slack #gdpr
  2. gdpr.knowit.tools
  3. Advisory group (Rådgivergruppe) // Henning Dahl
  4. Architecture group (Arkitektgruppe) // Krister Karto
  5. GDPR Hotline

Where do you even begin?

  • Data
  • Encryption
  • Libraries/vendors

User must consent to usage of data

Customer Journey

Visiting the site

Current consent: none

  1. Do you use cookies?
  2. Do you track the user in a non-anonymous manner?

What data do we collect on site visitors?

For Knowit and its customers, this means that routines must be put in place for obtaining consent to the specific marketing activity that is to be carried out.


(..) The data subjects must be informed that the customer hands the data over to its partner Knowit, and that you use Google's and/or Facebook's tools for targeted marketing


Sunniva Nising Sandvold

Senior lawyer at Kluge

Implementing the General Data Protection Regulation at Knowit

The registered user must know and consent to

- Which data is collected,

- Why the data is collected (purpose/intent)

- How the data will be used, and

- Who has access to the data

Registering for a service

Current consent: none

Goal: Consent to use user data for marketing and metrics

Newsletter signup 

Which: Name, Email, Phone
Why:   To contact user
How:   To contact user
Who:   Customer center

The only consent given in this context is to contact the user through newsletters.

Random texts, unrelated mails, calls, or sharing the user's information with other parties are all illegal.

- Which data is collected,

- Why the data is collected (purpose/intent)

- How the data will be used, and

- Who has access to the data

Contact us form

Which: Name, Email, Phone
Why:   To contact user
How:   To contact user
Who:   Customer center

The only consent given in this context is to contact the user about their enquiry.

Random texts, mails, or calls to the user are illegal.

Customer Club

Which: Name, Email, .., behaviour, ..
Why:   Marketing / offers
How:   To contact user with offers
Who:   The firm & ASSOCIATES

Consent given to send marketing offers,
but you must still

  • inform the user of who the data is shared with (if anyone), such as Google, Facebook, HubSpot, Knowit, ...
  • inform the user which additional data is collected

The issues are..

  1. Marketing is blocked from doing a large amount of work until consent is acquired
  2. Developers aren't good at designing
  3. Designers haven't included "do you consent to XYZ" in their design

Minimum viable consent

In our view it would also be acceptable to obtain consent via a fairly simple consent box that pops up on the website, as long as it contains a link to a privacy statement that gives clear and adequate information about what the consent entails


Sunniva Nising Sandvold

Senior lawyer at Kluge

Implementing the General Data Protection Regulation at Knowit

Handling users and their data

Current consent: variable


Case: Several firms formed an alliance and wanted to pool their user data to improve marketing

You need to store what each user has consented to, and be able to document it if someone claims their rights are being infringed

Case: A firm has several data sources and wants to use them together

You need to store what each user has consented to, and be able to document it if someone claims their rights are being infringed

Things to remember when storing data

Data handling

  • How do you store user data?
  • What data do you store?
  • Is the data stored securely?
  • Is consent stored & logged?

Forms

Did you know that Umbraco..

  • Saves form data unencrypted
  • Offers no way to turn off the automatic saving of submitted data

Umbraco

A fix will supposedly arrive in Q1 2018
=> we must either upgrade all solutions,
or patch Umbraco ourselves on older systems.

Questions?

patrick.monslaup@knowit.no

https://slides.com/patricklidmonslaup/gdpr

GDPR

By Patrick Lid Monslaup

A quick case study of how you can evaluate the GDPR compliance of a site