The "Wild West" days of consumer data use are coming to an end.
You've probably heard of the four-letter acronym "GDPR." GDPR, short for General Data Protection Regulation, is a new set of EU-based policies about how companies can collect and use consumer data. GDPR passed in 2016, but that included a waiting period for companies to adjust.
Now, the deadline for implementing GDPR compliance has passed, but it's never too late to start making changes to ensure compliance.
Since May 25, 2018, companies are accountable for GDPR, with fines up to 4% of global annual revenue for major violators. Since GDPR applies to any company that deals with EU citizens' data, not just companies in the EU, there's a good chance that GDPR applies to you. Since about 13.5% of the world's population has EU citizenship, you'll want to take GDPR seriously.
*Note that this blog post is in the interest of providing helpful information and should not be considered legal advice. If you're unsure of your company's legal standing, consult a legal professional trained in GDPR compliance.
What's in GDPR?
GDPR is a far-reaching set of rules, meaning that there's a lot to consider when looking at your organization's data policies. Here's a summary of what's included in GDPR:
There is a set of universal principles about personal data that GDPR outlines. Here they are in brief. (See the full principles.)
"Lawfulness, fairness and transparency" - Data use must be lawful, fair, and transparent.
"Purpose Limitation" - Data use must be for specific and legitimate purposes.
"Data Minimisation" - As little data as possible should be collected - only what's required for your specific purposes.
"Accuracy" - In-use data must be accurate and up to date at all times.
"Storage Limitation" - Data must be stored for an appropriate amount of time; data should not be stored indefinitely.
"Integrity and Transparency" - Data must be stored and processed securely.
What Defines Personal Data?
GDPR sets a broad definition of what constitutes "personal data." Any information that is "owned" by an individual, or that could, in combination with other data points, identify a user, is now off-limits for most purposes without proper consent.
There are plenty of other areas where GDPR doesn't apply, including data that you are collecting for legal reasons, i.e. transactional data and anything that you're otherwise contractually or legally required to collect.
What do they mean by "Data Processing?"
In keeping with the theme of broadly-applicable definitions in GDPR, processing is defined in Article 4 as:
"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
This covers just about any contact that you'll have with someone's personal data. Generally speaking, if you think GDPR might apply to what you're about to do, you're probably right.
GDPR outlines several roles around which the rules are built: data subjects, data controllers, and data processors.
Data Subjects are internet users and consumers, or the people whose data is being collected. In the case of GDPR, this means any EU citizen can be considered a data subject. This applies to EU citizens outside of EU countries as well. In the case of dual citizenship or total renunciation, the rules change depending on the individual.
Data Controllers are individuals or organizations that have the authority to make decisions about personal data that's been collected. For example, if you represent a company that has decided to start collecting email addresses for a marketing campaign, your company is a data controller.
Data Processors are individuals or organizations who have been given permission to process data by a data controller. If your company does any of the actual collection or processing of user data, your company is considered a processor.
Often, the same organization can be both a controller and a processor. It's important to know where you stand because there are different responsibilities and liabilities associated with each role.
Data Subjects' Rights
GDPR outlines some new rights that consumers have regarding data that companies have collected from them. This is a key measure to the enforcement of GDPR compliance, as the legislature gives consumers, or data subjects, most of the "teeth" in the enforcement of GDPR. There are too many to list all of them here, but here are a few of the important ones:
Right to Access - Data subjects should be able to easily access all of their data, as well as full information about how and why it is being processed.
Right to Rectification - Data subjects can correct and append any data that a company has about them.
Right to Erasure - The data subject has the right to request the erasure of personal data related to them.
(View the full list of user rights)
Legal Use of Data
This is probably the section with the biggest impact for marketers, software developers and website designers. Under GDPR, you'll need consent in order to collect or use just about any personal information, unless you've got some other "legitimate interest." This means actual, informed consent, not a pre-checked box on top of a mountain of fine print.
Consent is defined as "freely given, specific, informed and unambiguous" consent given by "affirmative action." This means you'll need to explain clearly what you plan on doing with the data that's collected, how it will be stored, who will have access, and so forth.
If you want to use personal data for purposes that weren't covered in the original agreement, you'll need to ask for consent again, as long as you have consent to do so! All of this seems like a huge inconvenience to users, and for many, it probably will be.
But instead of seeing this as a hindrance, look at it as an opportunity.
Let your UX and UI designers have a field day coming up with the most attractive and user-pleasing ways to comply with GDPR compliance. Now that consent is the norm, this could be a chance for your company to stand out.
This is a definite grey area under GDPR. Legitimate interest is meant to cover things like scientific and academic research, government research, or data that is collected "in the public good."
Marketers may be lured by the line in Recital 47 that states "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
This means that if someone is your customer, you can contact them with information directly related to the product or service with which you originally entered into an agreement. This does not, however, apply to non-consensual data.
Again, if you're unsure, you'll probably want to have a legal team take a look at whatever you plan to do.
Deletion and Breach Notification
Under GDPR, you may be asked to delete user data under an "erasure" request. If this happens, you'll also need to inform any "downstream" partners, or anyone you've shared that data with. The opposite applies as well, if any third-party has shared data with you, they may ask that you delete said records, and you'll be obligated to comply.
There are also new requirements about breaches of user data. If personal data is exposed for any reason, you'll need to inform the EU's supervisory authority within 72 hours of the breach discovery. You'll also need to inform the data subject whose data was exposed "without undue delay."
How to Prepare
Now that the enforcement date for GDPR is fast-approaching, there are actions you should be taking, if you haven't already, to make sure that you don't end up in violation of GDPR.
We spoke with Kickbox's Compliance Analyst Lance Stone to clarify what U.S. companies need to do to make sure that they're in the clear.
Here's an overview of some of the steps you can take to ensure GDPR compliance.
GDPR applies retroactively to any data that you've already collected.
Sort through your existing data to find out how it was obtained, and how it's being used. If you find that you've got a lot of European user data, and you can't prove that you obtained informed consent, it may be time for a purge. If you didn't get consent in the first place to collect that data, you technically can't hold on to it anymore.
Some companies have made the mistake of trying to get consent after the fact. This is a very bad idea, according to Lance, because you can't ask for permission to send someone emails... via email.
If you're unsure, Lance's advice is to play it safe and delete anything you're unsure about, as well as inform downstream partners.
Much of GDPR compliance relies on your ability to prove that you've been compliant. This means keeping detailed records of every interaction your company has with a user's data. If you're keeping logs already, see if they could be more accurate. Also, take time to put in writing your company's "specific and legitimate use" for processing data.
This is a great time to review your existing security measures. Is your website using HTTPS, with a valid SSL certificate? Get with your security team to make sure that data is being stored and transferred securely, and that you've done everything in your power to prevent a breach.
Rethink Collection Policies
Go over every source of data that your company has - website analytics, email subscriptions, user onboarding, even physical signups, and make sure that they're GDPR-compliant. Also make sure that the rest of your team is on board. Meet with your marketing team to see what data they're collecting and how. Either the whole company is GDPR compliant, or none of it is.
GDPR is bigger than one blog post. Hopefully, we've given you a lot to think about here, or at least convinced you that GDPR compliance is something to have on your radar for 2018. We can't stress enough that if you think you're in violation of GDPR policies and aren't sure how to move forward, your best course of action is to consult a legal expert as soon as possible.
These new regulations represent a big step forward in the protection of consumer data. In the wake of 2017's numerous breach scandals, and Facebook's recent personal data reckoning, we think it's high time for tech companies to start rethinking their policies around consent and personal data use.
If you need help implementing the changes required by GDPR or are looking for further advice about how to make your websites and applications GDPR-compliant, feel free to reach out to Cuttlesoft.