What you need to know about the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation in EU law that governs the protection of user data and privacy for all individuals living within the European Union. It comes into effect May 25, 2018. Although it comes into effect this month, it is not new, nor is it a response to the recent Facebook data breach. The GDPR was adopted in 2016 as a replacement for the outdated 1995 Data Protection Directive, and May 2018 marks the end of the two-year transitional period set for the regulation. Unlike the directive it replaced, it is not a ‘directive’: a directive requires a result to be achieved and leaves it to the individual EU member states to decide how to achieve it. The GDPR is a regulation, meaning it is directly binding and applicable.
What the GDPR encapsulates:
According to the European Commission, personal data is defined as: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (Europa.eu)
Data may not be processed unless there is at least one lawful basis to do so, such as:
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
The full regulation is vastly more detailed and complex. The above is merely one section and an overview. DCW Media recommends that all advertisers pursuing online marketing review the full regulation document here with legal counsel in order to ensure their website and online policies are in compliance by the deadline.
Who does this affect?
The regulation will affect two entities:
- Data Controller
  - An organization that collects data from EU residents.
- Data Processor
  - An organization that processes data on behalf of a data controller, such as a cloud service provider.
Additionally, the regulation applies to all organizations that collect or process the personal data of individuals located inside the EU, regardless of where that organization is based.
What does this mean for you?
How can your entity become GDPR Compliant?
All entities have 365 days starting May 25, 2018 to comply with the regulations listed in the GDPR. Non-compliance entails potential sanctions of up to €20,000,000 or 4% of your annual worldwide revenue (based on figures from the preceding financial year), whichever is greater.
If you are using a third-party data processor (Google Apps, Mailchimp, SendGrid, Salesforce, etc.), it is still worth checking what they are doing to comply with the GDPR, but because these are large US-based companies, they should already be well on their way to compliance.
There are three simple questions you should ask and answer to give you an idea and get you started on becoming GDPR-compliant.
- What are you using the data for?
  - You must tell your users how, why, and for what purpose you are collecting their data.
  - Be clear and concise in describing your entity’s processes.
- How is the data stored?
  - Entities must disclose how data is being stored.
  - Entities must also disclose how long data is being stored for.
- Do you still need the data?
  - If you find that you are collecting data that isn’t being used, it may be best practice to delete it.
  - Data is a liability, and if your entity has no use for it, storing it is an unnecessary risk.
The full guidelines and regulations of GDPR are far more complex and detailed than the ones stated here. More information can and should be gathered from the European Commission’s website here.
GDPR Compliance Examples:
Most organizations have a website and use Google Analytics to track online users who visit their site. Below are important and quick tips for ensuring your website is compliant with GDPR, particularly if you have Google Analytics set up.
- Audit your data for Personally Identifiable Information (PII)
  - If you are using Google Analytics, be aware that collecting PII is already against its Terms of Service, but it is still worth double-checking your own setup.
- Turn on IP Anonymization
  - According to the GDPR, an IP address is considered PII.
  - This is easily addressed by turning on the IP Anonymization feature in Google Analytics.
- Audit your collection of Pseudonymous Identifiers (hashed emails, User IDs)
  - User IDs should be in alphanumeric database identifier form, not usernames or email addresses.
  - Data such as email addresses should be encrypted or hashed.
  - Transaction IDs, like User IDs, should be in alphanumeric database identifier form.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- Build an Opt In/Out Capability
  - It is best practice to always allow the user to choose.
  - Consider building an opt in/out option for your users, or even obtain consent from users before they start using your services.
This article is provided as a suggestive resource, and should not be taken as legal advice. DCW Media encourages clients to speak to legal counsel to learn how the GDPR may affect your organization and the appropriate updates required for compliance.