Are You Prepared for the GDPR?
The General Data Protection Regulation (GDPR) went into effect in May of 2018. While that seems like forever ago, you may just be starting to learn about the GDPR if you're a new business owner or looking to expand your existing business to the EU market.
The GDPR imposes strict rules determining how companies operating in the EU must manage and protect personal data they collect from people in the EU.
The goal of the GDPR is to protect privacy and prevent data breaches at a time of increasing cyber-security concerns. It imposes not only stricter rules for privacy protection, but also harsher penalties for non-compliance.
This includes US-based and other companies operating from outside the EU in business transactions with EU citizens. This provision, known as "territorial scope," replaces the more ambiguous 1995 version which imposed very little regulation of non-EU entities.
Now, GDPR extends to all companies collecting personal data from any EU resident used to process financial transactions or monitor user activities that occur in the EU.
- 1. What Does the GDPR Cover?
- 1.1. Consent
- 1.2. Penalties
- 1.3. Breach Notification
- 1.4. 8 Rights of Data Subjects
- 1.5. Data Protection Officers
- 2. Keys to Compliance with the GDPR
- 2.1. Strategies for Compliance
- 3.1. Preference Management Tools
- 3.2. Communication Counts
- 3.3. Good to Know
- 5. Create Compliant Cookie Consent
The GDPR clearly states that the rules for collecting and handling personal data apply to all entities operating in the EU, regardless of whether the processing of the information takes place in the EU or not.
The GDPR defines activities subject to rules as:
- Offering goods or services to EU citizens, (irrespective of whether payment is required)
- The monitoring of behaviour that takes place within the EU
The regulation further establishes that all non-EU businesses collecting or managing the personal data of EU residents must appoint a representative in the EU to ensure compliance.
What Does the GDPR Cover?
Some of the key privacy and data protection requirements of the GDPR include the following:
- Increased consent requirements from data subjects for data processing
- Using anonymization techniques to keep data private and secure
- Providing appropriate data breach notifications in a timely manner
- Ensuring safety of data when transferred across international borders
- Appointing a Data Protection Officer (in some circumstances) to oversee GDPR compliance
To better understand the GDPR, let's break down and briefly summarize some of the key requirements:
You also must allow users to retract consent as easily as they provided it.
The GDPR imposes a tiered penalty system ranging from two percent to up to four percent of "annual global turnover" or €20 Million, whichever is greater.
Under the GDPR, a notifcation of breaches is required whenever a data breach is likely to "result in a risk for the rights and freedoms of individuals."
The notification must be made to customers and controllers within 72 hours of having first become aware of the breach.
8 Rights of Data Subjects
You'll need to become familiar with the 8 rights the GDPR extends to anyone under its jurisdiction. Note that most of these rights come with some exceptions and nuances that you'll also want to get familiar with to make sure they apply to your business.
Data Protection Officers
In certain cases, the GDPR requires subject entities to appoint a Data Protection Officer (DPO) to oversee internal compliance. The DPO must meet a strict set of criteria:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- The controller's contact details must be provided to the authorities.
- The controller must be provided with appropriate resources to carry out tasks and maintain expert knowledge with ongoing education.
- Must report directly to the highest level of management.
- Must not carry out any other duties that might create a conflict of interest.
Keys to Compliance with the GDPR
The GDPR also mandates that information you provide to people about how you process their personal data must be:
Strategies for Compliance
Compared to the old EU rules for privacy, the GDPR requires companies to include much more clear and specific information in privacy notices about the collection and handling of private user data.
Every company is unique in structure and in how it conducts business, especially when it comes to collecting and managing private user information.
- What information does your company collect from users or website visitors?
- Who is collecting it: is it your company or a third party?
- How is it collected: by active opt-in or by passive collection, such as with website cookies or crawlers?
- Why is it being collected? GDPR requires companies to explicitly identify why personal information is being collected.
- How will it be used: currently or possibly in the future?
- Who will it be shared with?
- What is the potential implication for the individual from whom you are collecting the information?
- Is your intended use likely to cause individuals to object or complain?
- How can individuals opt out of your data collection protocols?
- How can individuals get an electronic record of the information you have about them?
- How can individuals direct you to transfer the information to another entity?
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
Preference Management Tools
Preference management tools are considered to be the most user-friendly methods for explaining data collection policies.
A user-friendly privacy dashboard provides an excellent way to identify the types of data you are collecting and how a user may control opt-in or opt-out.
An effective dashboard also allows users to provide or revoke consent at any time, which is a key requirement of the GDPR.
Here is a good example of a user-friendly preference management dashboard:
The user can easily see the categories of data being collected, how that data is being used, and access those areas to control their preferences. With one click, the user is able to access each area, and easily make changes to preference settings.
Julie White, Corporate Vice President of Microsoft Azure & Security, announced the release of a dashboard tool kit to help its customers accelerate compliance:
"We continue to innovate in order to make GDPR compliance easier for you to achieve. For example, later this year we plan to release a new dashboard that provides a quantitative assessment to help identify where you are in your journey to GDPR compliance. This upcoming release builds on the foundation of Office 365 Secure Score, launched earlier this year, to provide you greater clarity on your path toward GDPR compliance," White said.
The headline, "How will we use the information about you" clearly identifies the topic at hand so the user can focus and understand the information presented. Clear and simple communication is another GDPR mandate.
Some security specialists believe a simple catch-all disclosure clause can provide adequate protection.
Here's one fill-in-the-blank example from eConsultancy.com:
This approach requires careful consideration. Remember, the GDPR mandates that if you require user consent, you must obtain a clear and undoubted opt-in.
This means you provide users with clear information allowing them to make an informed decision about whether to opt in, opt out, or change their minds.
Additionally, you must be crystal clear in identifying the exact information you collect, how you collect it, why you are collecting it and how you protect it.You must clearly define a host of specific details including:
- The personal information you collect
- What you do with that information or what you might do in the future with that information
- The data you actually need
- Whether you are collecting the information you need
- Whether you are creating new personal information with that data
- Whether there are multiple data controllers involved with your processes
Remember: You MUST allow consumers to opt-out at any time!
One of the biggest challenges with Privacy Policies is to get users to actually read them.
Since the GDPR requires you to clearly and simply communicate your Privacy Policies (or "data collection policies"), it's important that you make every effort to ensure your audience will read and understand your policies.
The days of lengthy, legalese-style Privacy Policies are over. You now must use clear, easily understood language your audience can access and understand.
You also must clearly outline how you will communicate with your audience about their privacy protections.
The GDPR provides the following options for legally communicating with users about how you manage their data:
- Orally - face-to-face or over the telephone
- In Writing - in letters, print materials, advertisements, forms, applications, etc.
- Signage - such as on posters
- Electronically - such as on your website, emails, mobile apps, chat tools or SMS/text messages
Further, the methods you use to communicate with your audience must be spelled out.
It's recommended that you use the same method to communicate with your audience that they used when providing you with their private data. For example, if you collected a phone number for marketing text messages, communicate through text message as your main method.
However, it's increasingly popular to allow the user to request a "preferred method" of communication.
Here's a good example of a communication preferences form offering email and text options as well as specific types of communications to opt into or out of:
Good to Know
Following is a helpful list of things you need to consider to fully understand your responsibilities in meeting GDPR requirements:
- If you process data about individuals in the context of selling goods or services to citizens in other EU countries, you are required to comply with GDPR.
- GDPR applies both to EU entities and non-EU entities offering goods and services to EU citizens, and/or managing personal data of EU citizens.
- Penalties including fines of two percent to up to four percent of annual global turnover may be imposed for failure to comply with GDPR. The rules and penalties apply to both controllers and processors.
- Any personally identifiable information that can be attributed to a person is subject to GDPR rules. This data might include a name, image or biometric identifiers such as fingerprint or iris scan, email address, bank account or other account numbers, social platform activities, health information, device IP address, etc.
- User consent must be clear and distinguishable. It must be communicated in an easy to understand format, using clear and plain language. It also must be as easy to revoke consent as it is to grant it.
- Parental consent is required to process personal data of children age 16 and younger.
- You may need to appoint a Data Protection Officer (DPO) if you are a public authority or an organization that engages in broad systematic monitoring or processing of sensitive personal information.
- Data breaches which could pose a risk to individuals must be notified to the DPA within 72 hours and to all affected individuals without undue delay.
You must ensure you have adequate measures and controls in place, and that employees and outside entities have clear guidance on your policies and procedures.
The following chart can act as a guide in structuring your GDPR policy statement:
|GDPR Principles||Lawfulness of Processing||Obtaining Consent|
|Consent Withdrawal||Accountability & Governance||Privacy by Design|
|Encryptions||Pseudonymisation of Data||Data Minimization|
|User Rights||Data Request Procedures||GDPR Disclosures|
|Rectifications and Erasures||Handling Objections||Data Portability|
|Supervisory Authority||Lodging Complaints||Processing Activities|
|Security of Processing||Breaches & Notifications||Data Retention|
|Data Sharing||Data Transfers||Adequacy Decisions|
|Binding Corporate Rules||Safeguards & Measures||Codes of Conduct & Certification|