Recently a new European Union law came into effect called the General Data Protection Regulation (GDPR) which covers how you collect, use, and process personal data.
While the law only covers businesses and citizens in European Union member states, it will affect websites globally because typically businesses don’t know the physical location of web visitors in real-time. While it’s possible, it’s unlikely that your website is designed to segregate European and non-European visitors.
What changes under GDPR?
Generally speaking, most businesses follow industry-standard practices when notifying individuals of their privacy policies and similar matters. These new guidelines strengthen some of those practices to offer more protection to individuals.
- Standardized privacy policies
- Requiring explicit consent in more places
- Assigning specific individuals as responsible for data collection and storage
- Granting individuals the “right of access” and the “right to be forgotten”
- Significant fines or penalties for noncompliance
In this week’s issue of Keeping Pace we are examining the most important aspects that business leaders need to know regarding GDPR.
What is “Personal Data”?
Under GDPR personal data is defined rather broadly as anything that can identify an individual. Some identifiers are obvious; less obvious ones are also covered. Generally even simple websites are collecting some of this information, therefore virtually none are exempt from GDPR.
Included in “Personal Data”
- First and/or last name
- Email address
- Computer IP address (almost all website analytics software collects this information)
- Location (either real-time or place of residence)
- Social media accounts, posts, or comments
- Cookie strings
- Device IDs (primarily mobile devices)
- Banking or credit card details
- Shopping history or personal interests data
The above list is not exhaustive. Any data that could potentially identify individuals is covered.
Privacy Policies are actually becoming simpler.
One of the most interesting aspects is that the GDPR requires that privacy policies be published in simple terms understandable to the layperson. Over the years privacy policies have come to resemble legal documents more than a guide for users. The European Union wants to change that by making them understandable and accessible to everyone. Additionally, it provides guidance on exactly what should be included.
- What personal data do you collect?
- How do you collect it?
- What is the purpose of collecting data and how will you use it?
- How do you secure the data?
- What third parties have access to the data, why, and what will they do with it?
- What is the contact information for your data controller, GDPR representative, and/or your data protection controller?
- How can users see their data being stored? How can they correct errors? How do they request erasure of their data?
We will cover a few of these points in more depth.
What is “explicit consent”?
The first major piece of legislation was the CAN-SPAM Act, designed with email marketing in mind. This California-based legislation became the de facto standard for email marketing. Basically it said that you couldn’t email anyone without consent.
There are two types of consent:
- Explicit consent – Proof that an individual has given you permission to market to them directly. This could be the act of filling out a form, or checking a box upon registration.
- Implicit consent – Previously you were permitted to market to any clients or customers, and your definition of a customer was open for interpretation. For example, you could offer a free e-book, and by categorizing recipients as customers who “purchased” a free product, you could then market to these individuals forever. Under GDPR, this is no longer the case.
However, once a customer makes a purchase in your store and you have fulfilled that purpose (the transaction), you can no longer continue to market to them without explicit permission.
For example, you can provide an unchecked checkbox inviting people to receive your email newsletter. If you would also like to text them special offers, you have to provide a separate checkbox offering this marketing method.
What is a Data Controller?
Another important compliance issue is identifying a responsible party for controlling data. For most companies this is a matter of assigning an individual that has a good understanding of how data is being collected, processed, and stored. There are different levels of data controller depending on the sensitivity of your data.
Data Controller – Every company regardless of size and the quantity and type of data that’s collected has to have a data controller.
GDPR Representative – Companies that store personally identifying data need to have a GDPR Representative. This representative is the principal point of contact for Europeans who wish to access, amend, or remove their data. The GDPR Representative is also responsible for answering requests by law enforcement officials in the event a complaint is filed against the company.
Data Protection Officer – Some companies store data that is considered valuable beyond the scope of personal privacy. If your company, for example, has to protect data under HIPAA regulations or PCI compliance, you should assign a Data Protection Officer.
Each level of representation supersedes the previous. For example if you are required to assign a Data Protection Officer, that individual can serve all three tiers of responsibility.
There are several important issues when it comes to this responsibility.
For all three levels contact information must be provided. This can be a physical mailing address, a telephone number, or an email address. Additionally, the responsible individual must respond quickly to any inquiries.
All three must have a detailed understanding of how all information is collected, processed and stored. They must also have the capability of accessing, amending or deleting this information upon the request of the person that the personal data represents.
What is required if a Personal Data Breach is discovered?
The last responsibility of the Data Controller is to notify affected individuals in the event of a data security breach. The guidelines are much stricter than in the past, where frankly, companies abused the lack of distinct regulation.
Notifications must be issued within 72 hours! In the past, some companies failed to report data security breaches to customers for six months. In one particular instance a major data breach was not disclosed for three years. GDPR, in one of its most controversial decisions, will only allow 72 hours except in extremely rare circumstances. Even in those circumstances the GDPR governing body is required to be informed within 72 hours.
What kinds of data breaches must be disclosed?
There are three levels of data breach.
- Data theft – When data is downloaded or otherwise taken beyond the control of the company that collected it. This can be by authorized or unauthorized access. This can also include situations where, under a contract, a third-party company accesses the data legitimately but then uses the data in a way not covered by the contract.
- Data misused with malicious intent – If you identify ways that company-owned data was used in a way that would be detrimental to the individuals, you are required to report it, even if the data was accessed legitimately and not removed from your control. An example of this would be when a properly authorized employee misuses customer credit cards, or sends marketing to individuals who did not consent.
In the event of a data breach, the Data Controllers are responsible for disclosing the type of breach, the scope of the breach, and the known ramifications.
The breach must be reported to the GDPR governing body first.
The breach must be reported to any individuals directly affected by the breach (although, this only covers individuals residing or doing business in Europe).
The breach may require reporting publicly in some situations. These situations would include when the company is unsure of the scope of the breach, or situations where the breach has potentially serious consequences on a broad scale. It’s unknown, but likely, that publicly traded companies will be held to a higher standard when it comes to public reporting.
What are the consequences of failure to comply?
Briefly, the consequences are dire.
For companies that fail to protect, or fail to comply with GDPR disclosures and regulations, the fine is a formula that could equal $10 million or up to 2% of annual revenue, whichever is GREATER. The European Union isn’t messing around. With a minimum $10 million fine, many small companies could be out of business.
Additionally, fines double to $20 million or up to 4% of annual revenue if it’s discovered that actions to circumvent or cover up GDPR data breaches were taken by the company or the Data Controller.
Additionally, the Data Controller could be liable for criminal charges beyond the scope of GDPR.
Finally, there doesn’t appear to be any difference in the regulations for big businesses compared to small businesses. Basically, if you have a blog that collects personal data and features advertisements, you could be liable for $10 million minimum if your data is lost or stolen.
The only good news is that the GDPR is clearly seeking to punish the largest companies. It’s believed that for small businesses the GDPR governing body will only intervene in the event of a complaint against the business by an individual. European residents are required to reach out to the company to have their request rectified first, and the company is given reasonable time to fulfill the request or adapt its policies and procedures if necessary. It’s unlikely that the small-time blogger is going to have an EU government agent knocking on their door unannounced.
You also are unlikely, even in the event of a major security breach, to face fines if you properly report the breaches and make good faith efforts to mitigate risk.
How is Mediastead going to assist?
As a company whose stock in trade relies on digital assets, Mediastead is dedicated to helping our clients as well as potential clients manage GDPR effectively.
We will do this in a few ways:
- For companies that don’t have website hosting, we will offer our GDPR Privacy Evaluation at a fair fee-for-service rate. Contact us for a quote.
- For companies that aren’t comfortable with the responsibilities required for Data Controller, we will be available to act as an agent for GDPR fulfillment.
- For companies that primarily serve US audiences, we will bill a flat annual fee. This fee will include an annual GDPR Privacy Evaluation. We will document your data policies and procedures, as well as respond to any GDPR inquiries on your behalf.
- Additionally, we will carry professional liability insurance to mitigate potential legal expenses.
For companies that serve international audiences, or European Union or Canadian companies specifically, we will create a specialized package depending on the size and scope of your business. Please contact us for a quote.
Mediastead would be honored to act as your GDPR advisor or GDPR Data Controller. Don’t hesitate to reach out if you have any further questions, or would like answers specific to your business or industry.