GDPR, or the General Data Protection Regulation, is a sweeping EU data privacy law that will in practice bind many organizations in the United States as well. Ouch!
GDPR goes live May 25th 2018 and will affect most organizations*, regardless of where they are located.
Although the law is an EU regulation, service providers in the US are obligated to follow GDPR rules if they offer goods or services to people in the EU. To avoid fines, American companies offering services to EU customers online have two options:
- either restrict access and/or usage of their website for EU users, or
- comply with the regulation
That is why GDPR concerns countries outside Europe, although the regulation is local.
The goal of the law is simple: give control of personal data back to users. It sounds simple, but in reality GDPR is a complex law, centered on the idea of an "accountability obligation". Companies are now required to document and provide evidence of compliance (Article 5(2))**. They need to have a comprehensive understanding of all the data they collect, and how they use it.
The GDPR distinguishes two categories: personal data and "special categories" of personal data (sensitive data such as health, racial or ethnic origin, or sexual orientation; Article 9). Every controller and processor of personal data should be able to state why the data is collected, for how long it is kept, how it is processed and with whom it is shared. All of this is to ensure appropriate processing and clear security measures.
In more detail: who does the GDPR apply to?
- GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of your processing activities (Article 30). You have direct legal liability in case of a breach.
- Controllers are not relieved of their obligations when a processor is involved. GDPR places further obligations on controllers to ensure their contracts with processors are GDPR compliant (Article 28).
- The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
US companies that collect, process, or store personal data of individuals in the EU need to reach GDPR compliance by the end of this month, or risk incurring serious fines. According to the regulation, "organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR"***.
To help you determine your compliance, we’ve put together a quick checklist. For more detailed due diligence or advice, give us a call. We would be happy to examine your specific situation.
Key Changes with GDPR
Update Your Privacy Notice
GDPR requires you to display clear information on your site about what personal data you collect (e.g. IP address, email, physical address, phone, health data, financial or school records, demographics such as racial, ethnic or sexual identity, location, age), the purpose of collecting it and how long you keep it.
Have a look at GDPR’s frequently asked questions for help.
Make sure to use a "positive opt-in" rather than an automatic one. Consent forms should be easy to understand and separate from other terms and conditions on your site. GDPR rules out pre-ticked opt-in checkboxes (Recital 32) and sets a high bar for consent (Article 4(11)).
Encryption and Data Breach Procedures
You should encrypt all sensitive information so that it is unreadable should it fall into the wrong hands.
If there has been a data breach, you must notify your supervisory authority within 72 hours of becoming aware of it (Article 33), and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Individuals need not be notified if the leaked data was rendered "unintelligible" to unauthorised parties, for example through encryption (Article 34(3)(a)); a breach of encrypted data still has to be documented and, in most cases, reported to the authority.
Do you have third-party access under control? Knowing where personal data lives on your website (and which plugins, scripts and vendors can reach it) is a great way to find risks before issues arise, and it lowers your compliance risk.
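The point of the "unintelligible data" exemption above is that a leaked database row reveals nothing without the key. The following is an added example (not code from the original page) of field-level encryption at rest with AES-256-GCM from the Go standard library: the non-sensitive columns stay in clear, the sensitive fields are stored only as an authenticated ciphertext, and the row ID is bound as associated data so a ciphertext cannot be silently moved to another customer's row. The record structure, field names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Sensitive holds the personal-data fields that must be unintelligible if the
// database leaks. Field names are illustrative (added example, not the page's code).
type Sensitive struct {
	Email   string `json:"email"`
	Phone   string `json:"phone"`
	Address string `json:"address"`
}

// StoredRecord is what actually lands in the database: non-sensitive columns in
// clear, the Sensitive struct only as base64(nonce || ciphertext || GCM tag).
type StoredRecord struct {
	ID        string `json:"id"`
	Country   string `json:"country"`
	Encrypted string `json:"encrypted"`
}

// NewKey returns a random 256-bit key. In production this comes from a KMS or
// HSM and is never stored next to the records it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals s into a StoredRecord with a fresh random nonce per record. The
// record ID is authenticated as associated data, so a ciphertext copied from
// one row to another fails to decrypt.
func Encrypt(key []byte, id, country string, s Sensitive) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	plain, err := json.Marshal(s)
	if err != nil {
		return StoredRecord{}, err
	}
	sealed := gcm.Seal(nonce, nonce, plain, []byte(id)) // nonce is prepended to the output
	return StoredRecord{ID: id, Country: country, Encrypted: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// Decrypt reverses Encrypt. It fails on a wrong key, a modified ciphertext, or a
// ciphertext that was sealed for a different record ID; no partial data is returned.
func Decrypt(key []byte, r StoredRecord) (Sensitive, error) {
	var s Sensitive
	gcm, err := newGCM(key)
	if err != nil {
		return s, err
	}
	raw, err := base64.StdEncoding.DecodeString(r.Encrypted)
	if err != nil {
		return s, err
	}
	if len(raw) < gcm.NonceSize() {
		return s, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(r.ID))
	if err != nil {
		return s, err // authentication failed
	}
	err = json.Unmarshal(plain, &s)
	return s, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample customer for the demo.
	rec, err := Encrypt(key, "cust-1001", "DE", Sensitive{
		Email: "alice@example.com", Phone: "+49 30 1234567", Address: "Example Str. 1, Berlin",
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec) // email, phone and address are not visible
	s, err := Decrypt(key, rec)
	fmt.Println("decrypted with the right key:", s, err)
	rec.ID = "cust-2002" // move the ciphertext to another row
	_, err = Decrypt(key, rec)
	fmt.Println("after re-binding to another ID:", err)
}
```

Note that the stored row still carries the customer ID and country in clear; what counts as "unintelligible" is the sensitive payload, and only as long as the key is managed separately from the database backup that leaks.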
Security and SSL Certificates
GDPR does not name a number of days, but its storage-limitation principle (Article 5(1)(e)) means personal data collected during payment may be kept no longer than necessary, so define and document a retention period; 90 days is a reasonable starting point for most sites. Your TLS certificate (TLS is the successor of SSL, Secure Sockets Layer) protects payment information in transit between the browser and your server; it does nothing for data stored on the server, which needs encryption at rest and access controls.
Privacy Rights Infrastructure
You need to provide users with the ability to view, edit, correct or erase their personal information. As controller you have one month to respond to a request concerning an individual's rights, extendable by two further months for complex requests (Article 12(3)). Users also have the right to object to profiling, which is akin to tracking. GDPR states that people must be able to send inquiries to someone in your team responsible for managing personal data or to a designated data protection officer (DPO). That person's contact details should be clearly listed on your website.
Having a data protection officer, however, is not mandatory. Under the GDPR, you must appoint a DPO if:
- You are a public authority (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren't required to. If you decide to voluntarily appoint a DPO, be aware that the same requirements and tasks apply as if the appointment had been mandatory (Articles 37 to 39).
GDPR requires you to be able to hand a person's data over, or transfer it to another service, quickly and easily in a structured, commonly used, machine-readable format (e.g. JSON or CSV) (Article 20). Do you have this capability?
Portability is one of eight individual rights under the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
After the privacy issues with Facebook and other networking sites, data protection standards are tightening. Is your website compliant? Our team would be happy to review your information and give you some advice. Just email firstname.lastname@example.org
*Will affect most organizations: organizations established in the EU, plus organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).
** Article 5(2): the controller shall be responsible for, and be able to demonstrate, compliance with the principles in Article 5(1) ("accountability").
***Fines for breaching GDPR (Article 83):
1. up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater, for infringements of the provisions listed in Article 83(4) (for example the controller and processor obligations in Articles 25 to 39);
2. up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, for infringements of the provisions listed in Article 83(5) and (6) (for example the basic principles for processing including consent, data subjects' rights, international transfers, and non-compliance with an order of the supervisory authority).