On the off chance that you haven't heard about this impending harbinger of global privacy compliance, here are a few of the basic facts:
The GDPR is a set of regulations that addresses the protection and management of consumer personal information. This includes both identifying data like names and addresses as well as anonymous data like computer IP addresses.
In the broadest sense, the GDPR requires that companies commit to vigorous protection protocols for user data and promote a transparent and accessible atmosphere for the consumer.
The GDPR applies to any business that collects personal information from an EU resident, even if it's only an IP address.
The answer is a resounding yes. As proven by the Privacy Shield that passed in 2016, the United States government is fully prepared to cooperate in the enforcement of privacy laws enacted by the EU.
Any business that collects even anonymous information from EU residents will be subject to GDPR compliance and, in the event of noncompliance, hefty fines.
Those fines may be as high as €20 million or 4% of yearly revenue for the most severe cases.
Unless you can be absolutely sure that no EU resident will ever wander onto your website or mobile application, it would be prudent to comply.
How to Comply
With a sweeping set of regulations distributed over multiple articles and documents, the GDPR requirements can be a bit confusing, to say the least. We'll take you through it, step by step.
Clearly state who you are and the legal name of your business. If it is owned or controlled by another company, this will need to be stated as well.
Inform users of the physical location of your business.
Those are a few things to remember as you get started. Below you will find a detailed list of the minimum requirements that apply to the average business:
1. Internal Privacy Analysis
In order to ensure compliance, it may be necessary to perform an internal analysis on the personal information you currently hold. If ever a customer reports a problem with your privacy measures, you may be asked the following questions by the Information Commissioner's Office (ICO):
What kind of data do you collect from customers, in minute detail?
Do you have good reason to collect this data? Why do you need it?
How was the data obtained, exactly? Did users consent to the collection of their information?
How long will you retain it?
How secure is the data in your possession?
Do you ever share the personal information of users with third parties? Do you have good reason to do so?
2. User Rights and Access
Under the GDPR, user rights are outlined explicitly. Your customers have the right to:
Access, view, and edit their own information in a timely manner.
Be erased from your records upon request, unless you have a legal reason to hold their information.
Object to direct marketing messages and ads.
According to the above provisions, your website or mobile application must provide a clear, easily accessible method for customers to view and make changes to their personal information.
They also must be provided with a way to request their information in writing, free of charge.
IAPP provides multiple avenues for users to access and make changes to their information:
Description of a user's rights regarding their own personal information
Instructions and links that give users access to their information and an easy method with which to change it
How long your company will retain the data of an individual after it has been deleted, and why you need to retain it
Clear instructions on how to opt out of marketing messages and/or targeted advertising from your business.
3. Legal Basis for Processing Data
In order to collect or process the personal data of any individual, you must have a "legal basis" to do so. If you cannot prove a legal basis for obtaining or processing data, it will be deemed unlawful by the ICO.
The first and most common legal basis for collecting personal data is user consent. If you have the express consent of your users to collect and record their data and have the means to document and prove that consent, then all is well.
Here is a comprehensive consent form provided as an example by the ICO:
Sky Telecommunications employs a much simpler yet still sufficient method. Note the checkboxes at the bottom that require user consent:
As demonstrated by this list from the ICO website, you can see that the other legal bases for processing personal data are:
4. User Consent
In other words, you must request active user consent before collecting even so much as an IP address.
Consent must be actively given, usually by means of a checkbox or clicked agreement. Websites are approaching this in a variety of ways. The most common is a floating dialogue box that lets visitors know why data is being collected via cookies, includes a link to the Privacy and/or Cookies Policy, and features a button or checkbox that confirms agreement.
Evidon is an excellent example with this pop-up cookie notice on the homepage that requires active consent via an "Accept" button or a link to easily change cookie settings:
5. Transparency and Accountability
In the case of a data breach, several actions must take place:
The data breach must be detected and reported to the appropriate authorities within 72 hours.
If the security of user data is put at risk, then the affected or potentially affected users must be informed within 72 hours as well.
One important note regarding data breaches: If the breach occurred due to security negligence on the part of the business, then that business may be the subject of penalties and fines.
6. Staff and Data Management
Whether your business has 2 employees or 550, you will be expected to educate them on the new privacy protocols under the GDPR.
Any individual that has access to the personal information of users must be made aware of the following:
What the current applicable laws for the handling of personal information are
How to process, record, and maintain security for personal data
One of the statutes of the GDPR states that: "You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies."
Data Protection Officers
Although this does not apply to every business, it is a good idea to check if you need a Data Protection Officer (DPO). This is a position hired within your organization or on a consulting basis to monitor the handling of personal data and ensure compliance with the GDPR.
This requirement will apply to public authorities, data processing firms, health organizations, and the like. To find out more about who this applies to, go to the ICO website.
Here's how Thunderhead includes information about its DPO in its Data Protection and Security Policy:
While your DPO clause doesn't have to be so extensive and can simply include contact information, this clause does a great job of going above and beyond the requirements to help users understand the DPO role and how it affects them.
7. Final Checks
The last two statutes required by the GDPR may or may not apply to your business. See below and click through to research further if you think one of these may apply to you:
Privacy by Design - Privacy by Design should be an approach your business takes from the outset, but especially when spearheading new projects or initiatives. If a project or initiative may put consumer data at risk, a Data Protection Impact Assessment (DPIA) may be required before beginning the new project. Read more about that here.
The wealth of information and preparatory measures listed above may seem daunting. Here are a few examples of GDPR-compliant businesses and their Privacy Policies to use as guidance:
The Data Protection Network (DPN) is a shining example of compliance, as would be expected by the nature of their business. Here are a few things to take note of:
Note that they mention the phrase "with your permission" several times. This is to reiterate the legal basis of user consent for collecting user information:
DPN meets marketing opt-out requirements by explaining clearly how to opt out of unwanted communications, as well as how to access a copy of user personal information.
Although not as squeaky-clean as the DPN, Waitrose has made visible and methodical efforts to comply with GDPR regulations.
As soon as you access the site, Waitrose sends a cookie notification at the header of the page. The only thing missing here is an active consent button, but it does include a link to learn more about cookies:
Here, Waitrose lays out instances in which they may need to share user data with third parties, along with their reasons for doing so. They then go on to a brief description of their cookie usage, along with a link to their Cookies Policy and instructions on how to change cookie preferences:
Aldo Shoes is another impeccable example of GDPR compliance. Navigation to their website reveals a prominent cookies notice with active consent at the header:
They go on to describe the types of information they collect and what it is used for:
Aldo describes how they share personal data with third parties and why:
They provide clear opt-out instructions for marketing communications:
And finally, they give the user complete direction on how to access or make changes to their personal information:
If you'd like to investigate the GDPR further and how it applies to you, visit EUGDPR.org for a complete guide.