For any business with a web presence — that’s pretty much every business these days — the last few weeks have all been about four little letters: GDPR or the General Data Protection Regulation. As an EU law, it affects every business that has a digital presence in Europe.
Do you do any business in Europe? GDPR. Do you have a website that collects personal data from a consumer in the EU? GDPR. Do partners or other third parties share such consumer data with you? GDPR. As global law firm White & Case remarks: “It is difficult to overstate the importance of the GDPR … it is very wide-ranging, and will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU.”
As GDPR enters into force and application on May 25, there’s not much time left to ensure that all the proper steps are discussed, confirmed and implemented. In this post, we will give a high-level overview of GDPR and provide a few steps to help your business prepare for it.
How do you process, transmit, store, and destroy user data? The first step to having effective data protection procedures is to know exactly how you’re currently using data. While some processes are obvious, there are others that you might overlook if not for a thorough audit.
A good starting point is to look at your online forms as they often collect personal user info, such as a name and email. However, there are other collection points such as comments on a blog post or live chat function that also require consideration.
What do you do with that data? With today’s web, using third parties to collect, manage and analyze data is standard practice. If that’s the case with your company, how can trust those third parties, where are they located, and what are their data-handling procedures?
Just as important as collecting the data, how do you get rid of it? What are your procedures for data deletion and how can you ensure that all the information is properly disposed of?
Once you know your current data uses and your requirements under GDPR, you’re in a position to revise your data policy. Perhaps you don’t need to collect as much information as you currently are. Perhaps you might eliminate some data channels, change partners or revise your training, messaging and processes.
One key consideration is to evaluate whether your company is a data controller or data processor. In effect, are you a customer-facing organization that collects, manages and controls consent of consumer data or do you process data on behalf of other organizations? Or perhaps your business is both a data controller and data processor depending on the scenario.
Building on the requirements of previous data protection acts, data controllers have numerous GDPR obligations. They need to implement effective organizational and technical measures to protect against any data breaches. That means having contracts with data processors that specifically state how the processors will handle data and that the processors will comply with GDPR. While they may not own, store or process the data, they are responsible for how it’s used, stored and deleted. As the party with the direct relationship with the individual, they need to adopt accountability measures that deliver the necessary security and trust around processing.
Another GDPR obligation for data controllers is ensuring their data processors are in compliance. Article 28(1) states that:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Data processors also have distinct obligations under GDPR. Data processors must “only process personal data on instructions from the controller.” If the controller wants certain data deleted, the processor must delete the data. The processor can’t use personal data for any other purposes other than what is agreed in the contract with the data controller. The processor needs to implement reasonable data protection standards, including security practices, internal audits, restricting data transfers to third countries without legal safeguards, and be responsible for their third parties.
For data processors, such as Trulioo’s GlobalGateway service, these obligations are crucial for handling data in a secure, compliant manner. They must also protect contractual requirements to ensure that the proper agreements, technology, training, systems and procedures are in place to safely handle customers’ data. More so, it’s about building trust and privacy across the internet; consumers need to trust that the data they share with companies is respected and safeguarded, proper consent is acquired and maintained and that all parties of the data chain are accountable.
How do you communicate your data policies? One concept that weaves itself deeply throughout GDPR is transparency; the words “transparent” or “transparency” are mentioned 25 times throughout the legislation. It’s not only about having good policies and procedures, it’s about communicating those to the public in a way that is understandable.
With the implementation of GDPR, the days of having immensely long and complex privacy policies are hopefully coming to an end, as communicating policies should be through a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”
· Who is collecting the data?
· What data is being collected?
· What is the legal basis for processing the data?
· Will the data be shared with any third parties?
· How will the information be used?
· How long will the data be stored for?
· What rights does the data subject have?
· How can the data subject raise a complaint?
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her.”
For example, when people fill in an online form they should know exactly what they are signing up for. Combining multiple offers under a single consent agreement doesn’t support transparency. Instead, displaying multiple consent options enables users to better understand each opt-in à la carte.
The same strategy applies to other channels that collect user data, such as chat. While the wording might be different, the same consent requirements apply.
While ensuring GDPR compliance can be a major task, requiring considerable amounts of time and effort, it’s helpful to keep in mind the overall goal of the legislation. The goal of GDPR is to protect personal data, while allowing for permitted processing of that data; protecting the individual’s rights over their data is a crucial step towards ensuring privacy, democracy and accessibility for all.
In that light, GDPR is not a burden, but rather an opportunity to create more transparent and accountable data relationships. Those companies that accept and propel that philosophy are the companies that will gain trust and prosper in the age of growing interconnectedness.