Are You Prepared for the GDPR?

The General Data Protection Regulation (GDPR) went into effect in May of 2018. While that seems like forever ago, you may just be starting to learn about the GDPR if you're a new business owner or looking to expand your existing business to the EU market.

The GDPR imposes strict rules determining how companies operating in the EU must manage and protect personal data they collect from people in the EU.

The goal of the GDPR is to protect privacy and prevent data breaches at a time of increasing cyber-security concerns. It imposes not only stricter rules for privacy protection, but also harsher penalties for non-compliance.

If your company operates in the EU, you need to know how GDPR affects you, how to comply with its requirements (by having a Privacy Policy), and the penalties for failure to comply.

This includes US-based and other companies operating from outside the EU in business transactions with EU citizens. This provision, known as "territorial scope," replaces the more ambiguous 1995 version which imposed very little regulation of non-EU entities.

Now, GDPR extends to all companies collecting personal data from any EU resident used to process financial transactions or monitor user activities that occur in the EU.

The GDPR clearly states that the rules for collecting and handling personal data apply to all entities operating in the EU, regardless of whether the processing of the information takes place in the EU or not.

The GDPR defines activities subject to rules as:

1. Offering goods or services to EU citizens, (irrespective of whether payment is required)
2. The monitoring of behaviour that takes place within the EU

The regulation further establishes that all non-EU businesses collecting or managing the personal data of EU residents must appoint a representative in the EU to ensure compliance.

What Does the GDPR Cover?

Some of the key privacy and data protection requirements of the GDPR include the following:

• Increased consent requirements from data subjects for data processing
• Using anonymization techniques to keep data private and secure
• Providing appropriate data breach notifications in a timely manner
• Ensuring safety of data when transferred across international borders
• Appointing a Data Protection Officer (in some circumstances) to oversee GDPR compliance

To better understand the GDPR, let's break down and briefly summarize some of the key requirements:

Consent

Rules for establishing user consent require companies to provide easily accessible and easily understood language, with additional considerations provided to children in their Privacy Policy.

You also must allow users to retract consent as easily as they provided it.

Penalties

The GDPR imposes a tiered penalty system ranging from two percent to up to four percent of "annual global turnover" or €20 Million, whichever is greater.

Breach Notification

Under the GDPR, a notifcation of breaches is required whenever a data breach is likely to "result in a risk for the rights and freedoms of individuals."

The notification must be made to customers and controllers within 72 hours of having first become aware of the breach.

8 Rights of Data Subjects

You'll need to become familiar with the 8 rights the GDPR extends to anyone under its jurisdiction. Note that most of these rights come with some exceptions and nuances that you'll also want to get familiar with to make sure they apply to your business.

You'll need to disclose these rights in your Privacy Policy as well as take steps to facilitate them. For example, when it comes to the right of access, there are specifics you'll need to know about how to handle privacy access requests.

Data Protection Officers

In certain cases, the GDPR requires subject entities to appoint a Data Protection Officer (DPO) to oversee internal compliance. The DPO must meet a strict set of criteria:

1. Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
2. May be a staff member or an external service provider.
3. The controller's contact details must be provided to the authorities.
4. The controller must be provided with appropriate resources to carry out tasks and maintain expert knowledge with ongoing education.
5. Must report directly to the highest level of management.
6. Must not carry out any other duties that might create a conflict of interest.

Keys to Compliance with the GDPR

The GDPR requires that a Privacy Policy be provided that is understandable and easily accessible.

The GDPR also mandates that information you provide to people about how you process their personal data must be:

These requirements are intended to ensure that privacy information within a Privacy Policy is easily understood and that companies seek to achieve best practices when collecting and handling personal user information.

You should approach everything with an eye towards Privacy by Design.

Strategies for Compliance

The first step in complying with GDPR is to create a unique and comprehensive Privacy Policy for your company.

Compared to the old EU rules for privacy, the GDPR requires companies to include much more clear and specific information in privacy notices about the collection and handling of private user data.

There are many ways to incorporate GDPR guidelines into your Privacy Policy, such as by outlining preference management tools provided on your site, or by spelling out each individual requirement and your methods for compliance.

Whatever you do, do NOT simply copy-paste another company's Privacy Policy.

Every company is unique in structure and in how it conducts business, especially when it comes to collecting and managing private user information.

How you account for the many details must be spelled out in your unique Privacy Policy.

When creating your Privacy Policy, you must adequately and clearly address a minimum of the following:

• What information does your company collect from users or website visitors?
• Who is collecting it: is it your company or a third party?
• How is it collected: by active opt-in or by passive collection, such as with website cookies or crawlers?
• Why is it being collected? GDPR requires companies to explicitly identify why personal information is being collected.
• How will it be used: currently or possibly in the future?
• Who will it be shared with?
• What is the potential implication for the individual from whom you are collecting the information?
• Is your intended use likely to cause individuals to object or complain?
• How can individuals opt out of your data collection protocols?
• How can individuals get an electronic record of the information you have about them?
• How can individuals direct you to transfer the information to another entity?

Preference Management Tools

Preference management tools are considered to be the most user-friendly methods for explaining data collection policies.

A user-friendly privacy dashboard provides an excellent way to identify the types of data you are collecting and how a user may control opt-in or opt-out.

An effective dashboard also allows users to provide or revoke consent at any time, which is a key requirement of the GDPR.

Here is a good example of a user-friendly preference management dashboard:

The user can easily see the categories of data being collected, how that data is being used, and access those areas to control their preferences. With one click, the user is able to access each area, and easily make changes to preference settings.

Julie White, Corporate Vice President of Microsoft Azure & Security, announced the release of a dashboard tool kit to help its customers accelerate compliance:

"We continue to innovate in order to make GDPR compliance easier for you to achieve. For example, later this year we plan to release a new dashboard that provides a quantitative assessment to help identify where you are in your journey to GDPR compliance. This upcoming release builds on the foundation of Office 365 Secure Score, launched earlier this year, to provide you greater clarity on your path toward GDPR compliance," White said.

Another approach to incorporating user preferences into your website is to incorporate clauses within your Privacy Policy which spell out the data you collect and how you manage it.

Here's an example of a clause incorporated into an existing company Privacy Policy:

The headline, "How will we use the information about you" clearly identifies the topic at hand so the user can focus and understand the information presented. Clear and simple communication is another GDPR mandate.

Some security specialists believe a simple catch-all disclosure clause can provide adequate protection.

Here's one fill-in-the-blank example from eConsultancy.com:

This approach requires careful consideration. Remember, the GDPR mandates that if you require user consent, you must obtain a clear and undoubted opt-in.

This means you provide users with clear information allowing them to make an informed decision about whether to opt in, opt out, or change their minds.

Additionally, you must be crystal clear in identifying the exact information you collect, how you collect it, why you are collecting it and how you protect it.You must clearly define a host of specific details including:

• The personal information you collect
• What you do with that information or what you might do in the future with that information
• The data you actually need
• Whether you are collecting the information you need
• Whether you are creating new personal information with that data
• Whether there are multiple data controllers involved with your processes

Remember: You MUST allow consumers to opt-out at any time!

Communication Counts

One of the biggest challenges with Privacy Policies is to get users to actually read them.

Since the GDPR requires you to clearly and simply communicate your Privacy Policies (or "data collection policies"), it's important that you make every effort to ensure your audience will read and understand your policies.

The days of lengthy, legalese-style Privacy Policies are over. You now must use clear, easily understood language your audience can access and understand.

You also must clearly outline how you will communicate with your audience about their privacy protections.

The GDPR provides the following options for legally communicating with users about how you manage their data:

1. Orally - face-to-face or over the telephone
2. In Writing - in letters, print materials, advertisements, forms, applications, etc.
3. Signage - such as on posters
4. Electronically - such as on your website, emails, mobile apps, chat tools or SMS/text messages

Further, the methods you use to communicate with your audience must be spelled out.

It's recommended that you use the same method to communicate with your audience that they used when providing you with their private data. For example, if you collected a phone number for marketing text messages, communicate through text message as your main method.

However, it's increasingly popular to allow the user to request a "preferred method" of communication.

Here's a good example of a communication preferences form offering email and text options as well as specific types of communications to opt into or out of:

Good to Know

As you review your current Privacy Policy or create a new one, consider the full scope of the GDPR to ensure compliance.

Following is a helpful list of things you need to consider to fully understand your responsibilities in meeting GDPR requirements:

• If you process data about individuals in the context of selling goods or services to citizens in other EU countries, you are required to comply with GDPR.
• GDPR applies both to EU entities and non-EU entities offering goods and services to EU citizens, and/or managing personal data of EU citizens.
• Penalties including fines of two percent to up to four percent of annual global turnover may be imposed for failure to comply with GDPR. The rules and penalties apply to both controllers and processors.
• Any personally identifiable information that can be attributed to a person is subject to GDPR rules. This data might include a name, image or biometric identifiers such as fingerprint or iris scan, email address, bank account or other account numbers, social platform activities, health information, device IP address, etc.
• User consent must be clear and distinguishable. It must be communicated in an easy to understand format, using clear and plain language. It also must be as easy to revoke consent as it is to grant it.
• Parental consent is required to process personal data of children age 16 and younger.
• You may need to appoint a Data Protection Officer (DPO) if you are a public authority or an organization that engages in broad systematic monitoring or processing of sensitive personal information.
• Data breaches which could pose a risk to individuals must be notified to the DPA within 72 hours and to all affected individuals without undue delay.

Get Started with Your GDPR Privacy Policy

The larger or more complex your company, the more detail will be required in your data protection policies and procedures, including your Privacy Policy.

You must ensure you have adequate measures and controls in place, and that employees and outside entities have clear guidance on your policies and procedures.

The standard requirements of a strong Privacy Policy include topics such as the document purpose, scope, objectives, responsibilities and procedures. Less is not more when it comes to privacy protection requirements and efforts to limit your liability.

The following chart can act as a guide in structuring your GDPR policy statement:

GDPR Principles	Lawfulness of Processing	Obtaining Consent
Consent Withdrawal	Accountability & Governance	Privacy by Design
Encryptions	Pseudonymisation of Data	Data Minimization
User Rights	Data Request Procedures	GDPR Disclosures
Rectifications and Erasures	Handling Objections	Data Portability
Supervisory Authority	Lodging Complaints	Processing Activities
Security of Processing	Breaches & Notifications	Data Retention
Data Sharing	Data Transfers	Adequacy Decisions
Binding Corporate Rules	Safeguards & Measures	Codes of Conduct & Certification