Last updated on 20 May 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The EU General Data Protection Regulation (GDPR) is bringing about a lot of changes online. Cookie banners are going up, individuals are exercising their data rights, and subscribers are being asked to refresh their consent.
You've read about the GDPR. You know the implications for your business. You have a handle on how your company processes personal data, and why it's important to do this in a secure and transparent way.
Understanding the law is important. But complying with the GDPR isn't just an intellectual exercise. Let's take a look at the practical steps you can take to ensure that you're GDPR-prepared.
The GDPR has forced many companies in many countries to take a step back and examine the ways in which they process personal data.
The GDPR's broad geographic scope means that it applies to any company, European or not, that aims to offer goods and services in the EU. This means that companies in many countries are experiencing a truly rigorous data protection law for the first time.
Complying with the GDPR just makes good business sense. It will show privacy-savvy EU customers that you're treating their personal data with respect. And it will help you to avoid litigation, data breaches, and some potentially crippling GDPR fines.
Here are some basic terms that you should understand in order to get to grips with the GDPR:
Compliance with the GDPR consists of three stages:
If you're reading this article, we're assuming that you're at stage two - Preparation. If you've yet to complete stage one, take a look at our GDPR Readiness Checklist.
Now we'll look at the practical changes you should implement to bring your company in line with EU privacy law.
In the GDPR Readiness Checklist, we looked at how you should conduct a data audit, to map the personal data flows within your company. Once you have a handle on what personal data your business collects and processes, you can start documenting this.
Under Article 30 of the GDPR, you are required to keep records of your personal data processing activities. Companies with fewer than 250 employees are exempt from this requirement - unless they carry out high-risk data processing that:
To comply with Article 30, a data controller must create a document containing the following information:
A data processor has similar requirements, focused mainly on the data controllers on whose behalf it processes personal data. These are detailed at Article 30 (2).
All data processing under the GDPR must take place under one of six legal bases. First, you must identify which of these legal bases applies to each type of data processing you do. Then you need to take some practical steps to make sure you're compliant.
EU privacy law sets a very high standard for consent. Many companies find that they have been collecting their customers' consent in a way that is not valid under the GDPR.
"Implied" consent is not recognized under the GDPR - you must ask your users to consent via a "clear, affirmative act." If you're using tracking or advertising cookies, you need to ensure that they are not set on your users' computers until they have consented.
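The rule above (no non-essential cookie before an affirmative opt-in, no pre-ticked defaults) is easy to state and easy to get wrong in code. The following is an added example, not TermsFeed's code; the category names, the `cookie_consent` cookie format and the constructed cookie list are assumptions made for illustration. It treats "no record" and "malformed record" identically, as no consent, so a corrupted consent cookie can never grant consent by accident.

```javascript
// Added example (not TermsFeed's code): gate non-essential cookies on an explicit opt-in.
// Category names and the "cookie_consent" cookie format are assumptions for illustration.

// Essential cookies (session, CSRF token, load balancing) need no consent; everything else does.
const CATEGORIES = ['analytics', 'advertising'];

// No affirmative act yet: every non-essential category is off. This is the only valid default.
function noConsent() {
  return { analytics: false, advertising: false, recordedAt: null };
}

// Build a consent record from the user's choices. Only an explicit `true` counts as opting in;
// a missing, falsy or "truthy-looking" value ('yes', 1) is treated as not consented.
function recordConsent(choices, now = Date.now()) {
  const consent = noConsent();
  for (const category of CATEGORIES) {
    consent[category] = choices[category] === true;
  }
  consent.recordedAt = now;
  return consent;
}

// Parse the consent cookie the browser sends back. Anything missing or malformed
// falls back to noConsent(), so parsing errors fail closed.
function parseConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || '');
  if (!match) return noConsent();
  try {
    const parsed = JSON.parse(decodeURIComponent(match[1]));
    const recordedAt = parsed.recordedAt === undefined ? null : parsed.recordedAt;
    return recordConsent(parsed, recordedAt);
  } catch (_) {
    return noConsent();
  }
}

// May a cookie of this category be set under the current consent state?
// Unknown categories are denied, because consent[category] is undefined, not true.
function maySet(consent, category) {
  if (category === 'essential') return true;
  return consent[category] === true;
}

// Produce Set-Cookie header values for the cookies a page wants to set,
// dropping any whose category has not been opted in.
function permittedSetCookies(consent, wanted) {
  return wanted
    .filter((c) => maySet(consent, c.category))
    .map((c) => `${c.name}=${encodeURIComponent(c.value)}; Max-Age=${c.maxAge}; Path=/; Secure; SameSite=Lax`);
}

// Serialise the consent record into the consent cookie itself. Storing the user's choice
// is an essential purpose, so this cookie may be set without further consent.
function consentCookie(consent) {
  return `cookie_consent=${encodeURIComponent(JSON.stringify(consent))}; Max-Age=15552000; Path=/; Secure; SameSite=Lax`;
}

// Constructed list of cookies a site might want to set on a page load.
const WANTED = [
  { name: 'sessionid', value: 'abc123', category: 'essential', maxAge: 3600 },
  { name: '_analytics', value: 'visitor-42', category: 'analytics', maxAge: 31536000 },
  { name: '_ads', value: 'segment-7', category: 'advertising', maxAge: 31536000 },
];

// Walk-through: first visit with no consent, then the user ticks only "analytics".
function demo() {
  const before = permittedSetCookies(noConsent(), WANTED); // only sessionid
  const consent = recordConsent({ analytics: true }, 1700000000000); // advertising stays false
  const header = consentCookie(consent);
  const stored = parseConsentCookie(header.split(';')[0]); // what the next request carries
  const after = permittedSetCookies(stored, WANTED); // sessionid + _analytics, never _ads
  return { before, after };
}

console.log(demo());
```

The point of `recordConsent` comparing against `=== true` is that the server, not the banner's JavaScript, is the last line of defence: whatever the front end sends, a category is on only if the user switched it on.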
These two examples from Digital Route clearly show the difference between implied and affirmative consent. Here's a cookie banner from Digital Route that does not gain "clear, affirmative" consent:
There are two main problems with this cookie banner:
But take a look at this GDPR-compliant example, also from Digital Route:
There are three great things about Digital Route's second cookie banner:
There's another common bad habit around gaining consent - the pre-ticked box. Pre-ticked boxes have to go. If you're asking users to opt out rather than in, you aren't earning their "clear, affirmative" consent.
This is simple enough to implement. Don't try to "trick" your users into consenting - give them a free choice.
Here's an example from Auger:
There are five great things about Auger's marketing consent request:
Chances are that you will not be seeking consent for every act of personal data processing that you do. In some cases, it will be in your legitimate interests to process personal data in a particular way.
If you're hoping to rely on the legal basis of legitimate interests, you must conduct a Legitimate Interests Assessment. The UK's Data Protection Authority, the Information Commissioner's Office (ICO), suggests a three-part test that you can use to assess whether legitimate interests is an appropriate legal basis for a particular method of data processing.
Here's how the ICO explains the three stages of its three-part test:
The Legitimate Interests Assessment is essentially a way to determine whether your company will be infringing anyone's privacy rights by processing personal data in a particular way. You must demonstrate that you have conducted this assessment in your Data Protection Policy.
Here's how Blackbaud explains its Legitimate Interests Assessment in its Privacy Policy:
The GDPR requires that you build data protection methods into your systems "by design and by default." This means taking specific technical measures to render your systems safe.
Pseudonymization is a method of disguising the "personal" aspects of personal data. The data can still be linked back to its owner - but only by using additional information, which is kept separately.
This method of data protection is specifically recommended in the GDPR at Article 32 and Recital 78. It's also discussed at Article 4 and Recitals 28 and 29.
There are many methods of pseudonymizing data including:
You may find that your company already applies such techniques to storing passwords or payment information. Where viable, you should roll out such practices to all the personal data you process.
The aim is to render personal data unintelligible in the event of a data breach, but intelligible in day-to-day operations. However, pseudonymization doesn't allow you to circumvent security obligations. Pseudonymized personal data should be treated as personal data because the process is reversible.
Anonymization ensures that the owner of the personal data cannot be identified at all. Once personal data has been fully anonymized, it is no longer personal data.
Ultimately, truly anonymized data no longer falls under the scope of the GDPR. It is a very secure way to treat personal data. However, it will also be impossible to work with this type of data in many circumstances.
The ICO provides some guidance on anonymization. Here's an example of how data might be anonymized.
The example below contains multiple pieces of personal data. In certain contexts it will not be necessary to retain this personal data.
In this example, all personal data has been "scrubbed."
If this data were compromised, it would be inconsequential for the interviewee. This is not personal data, and there would not be a legal obligation to store it securely.
You need to take practical steps to ensure you're ready to facilitate your users' data subject rights. Failing to fulfill requests under these rights can lead to the involvement of your Data Protection Authority, fines or private legal action. Having a system whereby you can respond to requests within the one-month deadline is in your interests.
You can provide a form on your website that will allow your users to make data subject rights requests.
For example, Her Majesty's Passport Office provides a .doc form for this purpose.
The University of Cambridge provides a form for requests under the right of access, and gives the following advice for those wishing to submit requests under other rights:
Under the right to data portability you must provide users with a copy of their personal data in an easily accessible format. The ICO gives CSV, XML and JSON as examples of acceptable file types.
Here's how Stripe facilitates the right to data portability:
Other requests might be facilitated in other ways. It almost goes without saying that you should have an unsubscribe link in your marketing emails. This is one way to partly facilitate the right to object.
If you're based in the EU and you want to transfer personal data overseas, you'll need to make sure the transfer meets certain conditions. You'll have considered this as part of your GDPR Readiness Checklist.
The European Commission has approved the following countries for international data transfers:
If your recipient is not within one of the European Commission's approved countries, or your company itself is not based in one of these countries, there are certain things you'll need to do in order to be allowed to transfer personal data out of the EU.
When transferring data from the EU to a non-approved third country, you'll need to have a contract in place. The European Commission has produced "model contracts" designed to facilitate such data transfers between data controllers, or between data controllers and data processors.
Here's a small sample of a model contract that can be used between two data controllers:
A contract and clause such as this will ensure that the parties are aware that all personal data must be transferred securely.
The United States is not one of the European Commission's approved countries. But there's still a way for US companies to ensure that they can easily transfer personal data out of the EU.
If you're based in the US, you will wish to consider joining the Privacy Shield. Privacy Shield certification requires you to demonstrate that your company's data protection practices are up to par. It's a long process, but it will save you a lot of trouble long term.
Having written up a GDPR-compliant Data Protection Policy (also known as a Privacy Policy) during the "Readiness" phase, you'll need to take steps to ensure that it's easily accessible to your users.
You'll need to upload the Policy to your website and ensure that a link to your Data Protection Policy is never far away whenever a user interacts with your company.
Ensure your Data Protection Policy is ever-present throughout your website by adding it to a header or footer that persists as users navigate your site. Here's an example from eBay, which splits its privacy information across several policies:
If users can make purchases on your website, you should display your Data Protection Policy at checkout.
Here's how Amazon does this:
If you ask users to create an account, present your Data Protection Policy before they do so.
Here's how LinkedIn does this:
You should also add a Privacy Policy link to your cookie banner, as the New Yorker does:
Make sure your Data Protection Policy is accessible via other policies you might have, such as your Terms and Conditions.
Here's how Procter & Gamble references its Privacy Statement in its website Terms of Use:
You must remember to make your Data Protection Policy available on your mobile app if you have one. You can provide this in your app's settings or legal menu.
Here's an example from the BBC Weather app:
Link to your Data Protection Policy in the footer or signature of every automated email you send. This is particularly important in the case of marketing emails.
Here's an example from Capital One:
Once you've made these changes to your company's systems and website, you'll be prepared for the GDPR.
Have you...
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.