Table of Contents:
- How does GDPR work?
- What is your role in GDPR?
- Who does GDPR impact?
- What steps should be taken to be GDPR compliant?
- What are the exceptions?
- So what will actually happen if I don’t maintain GDPR compliance?
- Will the GDPR ever come to the United States?
If you are subscribed to any technology blogs, currently utilize third party marketing tools or have even logged on to your Facebook recently, you will likely have heard about GDPR. GDPR, or the General Data Protection Regulation (EU 2016/679), is a regulation passed by the European Parliament and the Council of the European Union that enforces data protection and privacy for all individuals within the European Union. The regulation also addresses the export of personal data outside of the European Union.
Adopted on April 14, 2016, the General Data Protection Regulation has had a two year transition period and will officially become enforceable on May 25, 2018.
The GDPR effectively replaces the 1995 Data Protection Directive (Directive 95/46/EC), which was passed on October 24, 1995, to protect individuals with regard to the processing of personal data and the free movement of such data, and which was an important component of European Union privacy and human rights law.
In January of 2012, the European Commission began the process of unifying data protection across the European Union via the then proposed General Data Protection Regulation. The objective of this transition was to harmonize the 27 national data protection regulations into one, improve corporate data transfer rules outside of the European Union and improve user control over personal data. The largest change between the 1995 Data Protection Directive and the General Data Protection Regulation is the application of the regulation to “all non-E.U. companies without any establishment in the E.U., provided that the processing of data is directed at E.U. residents.”
How does GDPR work?
The General Data Protection Regulation essentially defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Who is considered an “identifiable person”?
An identified person is anyone whose data is processed by an organization. For example, you are an identified person to data controllers like your employer, mortgage company or school if your identity has been established via your driver’s license, work authorization, criminal background check, credit score pull, etc. Any information data controllers have on you, such as your birth date, address, phone number, salary and rent/mortgage all constitute protected personal data under GDPR.
Where it gets a little hairy is regarding who is considered an identifiable person.
Let’s say you go to a juice bar every morning for a carrot juice. If you purchase your juice with a credit card, your card information makes you directly identifiable to the juice bar. That means information on your purchasing history (store location, date, time, amount paid, juice preference) is personal data, which would entitle you to certain rights and protections under GDPR ruling.
But, say you pay with cash at the juice bar. That should make you unidentifiable, right? Nope. You could still be indirectly identifiable.
If you pay with cash at the juice bar, you could still be indirectly identified if you make the purchase with a coupon you’ve redeemed from your email. That email can be traced back and, theoretically, connected with other platforms like a blog, social media, etc.
The more indirect the identifiers (and the more places the personal information could be collected from), the more it may depend on surrounding circumstances whether the information qualifies as protected personal data. For example, some authorities expect that, as time goes on, in-store wifi tracking may be deemed identifiable under GDPR law. A wifi scanner could theoretically collect data on the device type, the media access control (MAC) address, whether the device has been in the store before, in which section of the store the person spends the most time and how many people come in after a major sales campaign. While, individually, none of that data explicitly identifies an individual, in combination it could qualify as personal data processing. Here’s why:
Recital 24 of the GDPR states:
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
What this means is that data collection or processing to understand buyer behaviors (something that we, as marketers, base our jobs on sometimes) likely qualifies as personal data processing, and therefore the data must be anonymized or processed only with confirmed consent.
Online Identifier Definition
Recital 30 of the GDPR states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol (IP) addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What this means is that MAC addresses, treated just like IP addresses, qualify as personal data and therefore must be anonymized or processed only with confirmed consent.
What is your role in GDPR?
If you maintain a web presence, you fall under one of two categories as viewed by GDPR: Data Controller or Data Processor. Both entities share similarities in that they can be a natural or legal person, public authority, agency or other body that is carrying out the processing of personal data belonging to an individual. To better understand which category your organization may fall under, ask yourself the following questions:
- Does my organization determine the purpose of data processing? (The Why)
- Does my organization determine the means of processing? (The How)
A simple answer is that if you answer “yes”, your organization is a Data Controller, and if you answer “no”, your organization is a Data Processor.
By definition, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
Where data controller versus data processor gets a little confusing is when a marketing agency (like us) or a third party vendor is introduced into the equation. Let’s say for example that Grizzlyhive Products* (*Not actually a real client) contracted us to develop their website and all of their data collection processes for said website. Grizzlyhive Products won’t give us any other means of collecting data other than the flow that we set, which gives us complete freedom to decide how to target individuals. In this instance, we, as an agency, would be the Data Controller, because we fall under “determining the means of processing.”
Controllers can be further categorized based on other factors. For example, when other controllers are involved in deciding the purpose and means of processing, they are known as joint controllers. Under GDPR, joint controllers should fulfill the following requirements:
- Each controller should be able to demonstrate each of their responsibilities, compliance and obligations to individuals and supervisory authorities in a clear, unambiguous and transparent manner.
- Arrangement among each controller should be in accordance with EU or member state laws.
- Each controller should be able to provide the arrangement among controllers to individuals and supervisory authorities.
By definition, a processor is “the entity (that can be natural or legal person, public authority, agency or other body), which processes personal data on behalf of the controller under the controller’s instructions.”
Let’s say the same organization, Grizzlyhive Products, contracted a payroll management company to handle their internal financials and payroll processing. The payroll management company does not give Grizzlyhive Products any direction as far as how the employees’ personal information is processed and relies solely on directives from Grizzlyhive regarding how to process the payments. The payroll management company also only receives personal data from Grizzlyhive; it doesn’t collect personal data on its own.
In this instance, the payroll management company would be a Data Processor under GDPR regulations.
The Governing Bodies
While the General Data Protection Regulation was established by the European Union and its member states, there are supervisory authorities, called Data Protection Authorities (DPAs), that assess compliance and levy penalty fines (more on the fines in a bit). The Data Protection Authorities are appointed to implement and enforce the European privacy laws in each member nation.
While this isn’t a new set-up under GDPR (it was established under the 1995 Data Protection Directive), the DPAs will all work together under the European Data Protection Board (EDPB) to provide cohesive supervision of the regulation.
Article 51 of the GDPR requires that “each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.”
The individual Data Protection Authorities are the ones with all of the power in regards to GDPR. They are authorized to hear claims brought by data subjects, investigate alleged violations of the GDPR and can institute legal proceedings against violators. They are required to keep records and publish reports of their activities and enforcement actions (wonder if anyone can “opt out” of that information being shared ¯\_(ツ)_/¯).
Because each member state has its own DPA, things can get a little complicated if your organization processes data across multiple EU countries. If your organization is reported for a serious violation of privacy law, your legal counsel should have extensive experience in dealing with EU privacy law, the GDPR and dealing with DPAs.
Who does GDPR impact?
A common misconception is that GDPR only affects businesses within the European Union. However, that was the standard under the 1995 Data Protection Directive. Under the new GDPR regulation, which will become enforceable on May 25, 2018, there is a new definition that organizations need to consider: Data Subjects.
Under GDPR’s definition, a data subject is “a natural person whose personal data is processed by a controller or a processor.” What this essentially means is that a data subject is anyone within the EU whose information is processed by another person, entity or organization.
Let’s go back to Grizzlyhive Products for a second. Say Grizzlyhive Products is offering a whitepaper via a form download. While most of their customers are within the United States, they may have a handful of European visitors. If someone within the EU visits Grizzlyhive’s website, fills out the form and downloads the whitepaper, they are considered a data subject because their personal data has been processed on Grizzlyhive’s website.
That is why GDPR is so impactful—even for small businesses—because it could theoretically only take one data subject from the EU to cause a huge fine and judgement on the organization.
What steps should be taken to be GDPR compliant?
GDPR seems like a lot, right? We’re not going to lie, it’s one of the more complex standards we’ve encountered in the industry and, considering it only impacts a small percentage of our clients’ customers, the easy answer would be to cross our fingers and hope for the best. However, we’re in the business of making sure our clients get the best possible product that works in the best possible way for them. That’s why we’ve spent hours on research, training, conversations with attorneys and more to understand exactly what this means for us as marketers and for our customers who could potentially be collecting data from EU data subjects.
Consult an attorney
First and foremost, consult an attorney. This article and the subsequent content that we will be rolling out regarding GDPR is hopefully incredibly helpful to you, but it does not constitute legal advice.
An attorney who is astute in EU laws and regulations, and GDPR specifically, can help you understand how your specific organization processes or collects data, and will help you craft revisions to your privacy policies, terms of service and so on.
Review privacy policies and terms of service
The discretion is still up to the data controller regarding where the policies should be displayed and what layers of notice are given at what times; however, GDPR states that a data subject must be informed of how you process their personal data and that this communication must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
If you are processing a child’s data, the GDPR goes above and beyond what was originally mandated by the DPA. It requires that data controllers processing children’s information must take into account the level of comprehension of the age groups involved and tailor their notices accordingly.
The GDPR also includes a longer and more detailed list of information that must be provided in a privacy notice. The information you should provide includes:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored?
- What rights does the data subject have?
- How can the data subject file a complaint or request what information is stored on them?
The notice itself can follow a template such as the one below, with the placeholders filled in for your organization:
The personal data we collect will be used for the following purposes:
- Purpose 1
- Purpose 2
- Purpose 3
Our legal basis for processing the personal data includes:
- Purpose 1
- Purpose 2
- Purpose 3
Any legitimate interests pursued by us, or third parties we use, are as follows:
- Interest 1
- Interest 2
- Interest 3
The special categories of personal data concerned are:
- Category 1
- Category 2
- Category 3
You may withdraw consent at any time by [give information on how the user may withdraw consent in line with the Withdrawal of Consent Procedure as set by GDPR]
[Organization Name] will/will not pass your personal data to third parties without first obtaining your consent. The following parties will receive your personal data for the following purpose(s) as part of the processing activities:
- Third Party List
Regarding “special categories of personal data”, certain data is classified under the GDPR as special categories. They include:
- Ethnic origin
- Political opinion
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Data concerning a person’s sex life
- Sexual orientation
Create a data flow chart
If you have a violation filed against you under GDPR, one of the first things your attorney will ask of you is a data flow chart. However, under GDPR compliance, it’s important that you map your data flow ahead of time to truly understand and assess your privacy risks. To begin mapping your data to create a data flow chart, there are a few key elements you must first understand:
Understand the information flow
An information flow is defined as a transfer of information from one location to another. Examples include information flowing out of (or into) the European Union, and information flowing from subcontractors or vendors through to customers.
Describe the information flow
You will need to walk through the information lifecycle to identify unforeseen or unintended uses of data. You will want to ensure that the people who will be using the data are consulted on the practical implications. You should also consider the potential future uses of the information collected, even if it’s not immediately necessary.
Identify its key elements
Key elements of the data flow chart will include:
- Data Items – What kind of data is being processed and what category does it fall into? This would include name, email, address, etc. and categories such as health data, criminal records, location data, etc.
- Formats – In what format will you store the data? This could include a hard copy, digital, database, your own device, mobile phone, etc.
- Transfer Method – How do you collect the data and how do you share it internally and externally? From a collection standpoint, this could include telephone, social media, email, contact forms or your website.
- Location – What locations are involved within the data flow? This would include office locations, the Cloud, third party vendors, etc.
- Accountability – Who is accountable for the personal data? This may change as the data moves throughout your organization, but each step and process should be documented.
- Access – Who has access to the data? This would include internal positions as well as external resources or third party vendors.
Utilize a tool like LucidChart to help you map out your data flow chart clearly and effectively. They have preformatted templates available that may be helpful in this process.
Create a data processing agreement
A data processing or data controlling (depending upon which category you fall under) agreement is another step you should take with your attorney. Under GDPR ruling, data controllers may only work with data processors that provide “sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subjects.”
The GDPR is incredibly strict about how controllers must vet each processor’s capabilities, including its financial stability. A data processing agreement should include stipulations that a processor will:
- Process the personal data only further to documented instructions from the controller, including the transfer of personal data to third parties or international organizations, unless provided otherwise by EU or Member State law to which the processor is subject.
- Ensure that persons authorized to process the personal data are bound by a contractual duty of confidentiality
- Take all appropriate technical and organizational measures to maintain compliance
- Obtain the controller’s written consent to engage sub-processors
- Impose on its sub-processors the data protection obligations set out in the agreement between the controller and the processor
- Assist the controller by taking appropriate technical and organizational measures to ensure fulfillment of the controller’s obligation to reply to requests by data subjects exercising their rights
- Assist the controller in ensuring compliance with its security obligations
- Delete or return all personal data to the controller upon completion of the processing services
- Make available to the controller all information necessary to demonstrate compliance with its obligations and allow and cooperate fully with audits
Again, talk with your attorney regarding this step. Depending upon the nature of your organization, this step may not be necessary, but a knowledgeable attorney will be able to help.
Obtain explicit consent
Consent is a huge part of the GDPR and is defined in Article 4. The GDPR has much higher standards of consent when compared to its 1995 predecessor. Consent under GDPR needs to be both informed and explicit. A seamless and clear way to obtain that informed and explicit consent is via the contact forms on your website—the channels where you could potentially collect personal data from EU data subjects.
An individual must have the opportunity to make an actual choice to provide consent. What this means is that pre-ticked checkboxes to sign up for information will no longer cut it and will not qualify as consent under GDPR because it removes the affirmative action of giving consent. A data subject must check the box themselves to provide proper consent, or click on a confirmation link via a double opt-in auto response.
Furthermore, data subjects must be given the choice to provide consent. What this means is that consent cannot be a condition for receiving a resource, product or service.
A simple way to mitigate this is by using checkboxes in a form that a data subject must check in order to provide consent. The secondary option would be to create a form that requires a confirmation opt-in, or a double opt-in.
We recommend including two check boxes under your forms which state:
- By checking this box you confirm that you would like to receive more information about our products/services, events, news and offers.
Update or add tracking consent notifications for cookies
Finally, you should update or add tracking consent notifications for cookies. Cookie data is only mentioned once in the GDPR (in Recital 30), but the ramifications are stark if an organization uses them to track users’ browsing history. To summarize what Recital 30 states: When cookies can identify an individual via their device, it is considered personal data.
Not all cookies are used in a way that could identify users, but the majority are and will be subject to GDPR compliance. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organizations will either need to stop collecting the offending cookies or find a legal basis to collect and process the data. Here are the next steps you should take:
- “By using this site, you accept cookies” messages are no longer sufficient. If there is no clear choice of consent, then there is no valid consent under GDPR. Add a tracking consent notification for cookies to the top of your website.
- If you do not already use that sort of notification, add one immediately. Consult your attorney regarding the language, but below is an example of the options it could offer:
  - Accept all tracking
  - Accept only first party tracking
  - Reject tracking unless strictly necessary for services I request
  - Reject all tracking
By giving the user the option to manage how their data is collected and tracked, you can remain GDPR compliant. Recital 21 dictates that consent is not required for “technical storage or access which is strictly necessary and proportionate for the use of a specific service explicitly requested by the user.” In this instance, this could allow an eCommerce store to collect the data it needs to process a purchase from a data subject, while all other data is not tracked.
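The two consent mechanics described above (no pre-ticked or default consent for forms, and a granular tracking choice for cookies that still allows strictly necessary storage) can be enforced in code. The following is an added example, not code from the original article or its authors: a small consent model in JavaScript that refuses any consent record not backed by an affirmative user action, maps the four notification options to the tracking categories they permit, never gates strictly necessary storage on consent, supports withdrawal, and keeps a history so consent can be demonstrated later. The category names, choice names, notice version and tracker catalogue are constructed for illustration.

```javascript
// Added example, not code from the original article. Models the consent rules
// the article describes: no tracking without an affirmative user action,
// granular choices for what is tracked, strictly necessary storage allowed
// without consent (Recital 21 as cited above), and a withdrawal path.
// Category names, choice names and the tracker catalogue are constructed.

const TRACKING_CATEGORIES = [
  "first_party_analytics",
  "third_party_advertising",
  "third_party_functional", // e.g. survey and chat widgets
];

// The four notification options, mapped to the tracking categories each one
// permits. Strictly necessary storage is not a tracking category and is never
// gated on consent, so the last two options permit the same (empty) set; the
// user's exact wording is still preserved in the record.
const CHOICES = {
  accept_all: TRACKING_CATEGORIES,
  accept_first_party: ["first_party_analytics"],
  reject_unless_necessary: [],
  reject_all: [],
};

// Build a consent record. `userInitiated` must be literally true: a pre-ticked
// box or a default value is not an affirmative action, so it is refused.
function recordConsent({ choice, userInitiated, timestamp, noticeVersion }) {
  if (userInitiated !== true) {
    throw new Error("consent requires an affirmative action by the user");
  }
  if (!Object.prototype.hasOwnProperty.call(CHOICES, choice)) {
    throw new Error(`unknown consent choice: ${choice}`);
  }
  return {
    choice,
    allowed: CHOICES[choice].slice(),
    noticeVersion, // which version of the privacy notice the user saw
    history: [{ choice, timestamp }], // kept so consent can be demonstrated
  };
}

// Withdrawal must be possible at any time; it yields a record that permits
// no tracking but keeps the audit history.
function withdrawConsent(record, timestamp) {
  return {
    choice: "withdrawn",
    allowed: [],
    noticeVersion: record.noticeVersion,
    history: record.history.concat([{ choice: "withdrawn", timestamp }]),
  };
}

// Decide whether one tracker may be loaded. With no record at all (first
// visit, banner not yet answered) only strictly necessary storage is allowed.
function mayLoad(record, category) {
  if (category === "necessary") return true;
  if (!record) return false;
  return record.allowed.includes(category);
}

// Filter a tracker catalogue down to what may actually be loaded.
function loadTrackers(record, catalogue) {
  return catalogue.filter((t) => mayLoad(record, t.category));
}

// Constructed catalogue of trackers a marketing site might embed.
const TRACKER_CATALOGUE = [
  { name: "session_cart", category: "necessary" },
  { name: "site_analytics", category: "first_party_analytics" },
  { name: "ad_network_pixel", category: "third_party_advertising" },
  { name: "chat_widget", category: "third_party_functional" },
];

// Stand-alone demonstration.
const demoConsent = recordConsent({
  choice: "accept_first_party",
  userInitiated: true,
  timestamp: "2018-05-25T09:00:00Z",
  noticeVersion: "2018-05",
});
console.log(loadTrackers(demoConsent, TRACKER_CATALOGUE).map((t) => t.name));
// ["session_cart", "site_analytics"]
console.log(loadTrackers(null, TRACKER_CATALOGUE).map((t) => t.name));
// ["session_cart"]
```

The design choice worth noting is the null record: before the visitor has answered the banner, the site behaves as if only strictly necessary storage were permitted, which is the inverse of a “by using this site, you accept cookies” default. The `userInitiated` check is where a front end would pass the result of an actual click or checkbox change, never a value read from a pre-filled form.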
What are the exceptions?
The General Data Protection Regulation is an incredibly thorough and strict regulation that gives very few exceptions. In fact, there are only two.
Legal Basis Consent
There are six legal bases for processing as defined by the GDPR. What this means is that personal data processing without data subject consent is in fact lawful when it is permitted under applicable law. Those applicable laws include:
Compliance with a legal obligation
Recitals 39, 40 and 41 and Article 6(1) state that, if a data controller has a legal obligation to perform processing, that processing is allowed under GDPR. For example, if you were to contract a bank to take out a mortgage for a new home, the bank has a legal obligation to carry out Know Your Customer (KYC) due diligence on you, and it must also share your information with the national credit register. That legal obligation can be relied upon as a legal basis for processing personal data.
Contract with the data subject
Recital 44 and Article 6(1)(b) permit processing of data in two scenarios. First, if it is necessary for entering into a new contract or working under an existing contract with a data subject, then data processing is permitted. Second, if the data subject initiates activities with the data controller, the processing is permitted even before entering into a contract.
A great example of this would be processing credit card details for payment—that would qualify as “entering into a new contract”. An example of initiating activities with the data controller would be if the data subject requests information from a service provider about a particular service via email or social network. There is likely some form of data processing that occurs for the data controller to pull together a quote or supply the necessary information for the inquiry.
Vital interests
Recital 46 and Article 6(1)(d) cover situations not covered by specific law and where there is no contract. The vital interests legal basis applies when a processing activity is absolutely necessary (i.e. a life or death situation) and is used as a last resort. This will mostly be used by the health industry, but those data controllers must be warned that they can’t rely on vital interests as a condition for processing if the data subject is able to consent.
For example, if someone is in a tragic car accident and first responders find that individual unresponsive at the scene, those first responders have a duty to collect that data subject’s information in order to carry out treatment. However, if they were to arrive and the data subject was conscious but with a broken leg, under GDPR law they would still first have to obtain explicit consent.
Public interest or acting under official public authority
Recital 45 and Article 6(1)(e) covers legal bases where the task of data processing is carried out in the public interest, or in the exercise of an official authority. This legal basis gets a little tricky, as there are grey areas where data subjects could object. However, the “official authority” carrying out the data processing in public interest must have a clear basis in domestic or European law. Furthermore, they must be incredibly specific about what the activity is, why they are carrying out that processing and how.
Legitimate interests
Recitals 47 and 48 and Article 6(1)(f) cover the most ambiguous form of legal basis under GDPR ruling. This is an area where many organizations, especially marketers, could claim legitimate interest as a basis for processing data. This legal basis can apply to both a data controller and the third party to whom the data will be disclosed.
The only caveat is that the rights and freedoms of the affected data subjects must not override the controller’s interests. In order to compare these potentially opposing sets of interests, data controllers must conduct a “balancing test”. To perform a balancing test, data controllers must look at:
- The nature of the interest
- The impact of processing
- The safeguards in place, which should include features like:
  - Data minimisation
  - Privacy by design
  - Adding extra transparency
  - Additional layers of encryption
  - Multi-factor authentication
  - Data retention limits
  - Restricted access
  - Opt-out options
  - Anonymisation or pseudonymisation
An example of legitimate interest legal basis could be if a marketing organization wanted to perform a market research project. Assuming all safeguards are in place to anonymize the data, provide limits and opt-out options, that could qualify as a legal basis of legitimate interest without explicit need for consent.
Data subjects’ consent
Finally, the last legal basis, and the most important, is consent. If a data controller’s need for data does not fit into any of the above categories, the last resort is explicit and clear consent for processing personal data.
Consent must be exclusive, reflective of a data subject’s discretionary action, a positive and freely given response to a well-structured, unambiguous description of the processing activity.
So, what will actually happen if I don’t maintain GDPR compliance?
A slap on the hand isn’t going to cut it under the General Data Protection Regulation. If you fail to comply with the GDPR and you have a violation against you for unlawful data processing of EU data subjects, your organization could face penalties up to 4% of your global turnover.
[Pause for reaction.]
While the regulation sets maximum penalties, the fines actually imposed are meant to be “effective, proportional to the offense and dissuasive.”
The factors that the authorities consider in imposing the fines include:
- The nature, gravity and duration of the violation
- The categories of personal data that are affected
- Previous violations
- Intent or negligence
- Actual harm done and efforts to mitigate the damage to data subjects
- Degree of responsibility of the controller or processor
- Certifications and adherence to codes of conduct
- Reporting of the violation
- Cooperation (or lack thereof) with authorities
The higher of the two tiers of violations carries a €20,000,000 cap, which applies to all organizations, and covers the more serious offenses such as those pertaining to the rules for obtaining consent, data subjects’ rights, rules governing data transfer, obligations of member states and violation of an order.
The lower tier of violations has a maximum fine limit that’s half that of the upper tier: €10,000,000, or 2% of annual turnover. Some violations that fall into this category include:
- Failure to notify the data subject whose personal data was impacted of a data breach
- Failure to notify the supervisory authority of a data breach
- Failure to properly designate a data protection officer (when required)
- Certain conditions surrounding obtaining a child’s consent
Will GDPR ever come to the United States?
While US based organizations must make allowances now for EU data subjects, it’s unclear as to whether or not GDPR-esque regulations will make their way into the United States over time. When asked whether Facebook would extend the privacy protections to users in the United States, Mark Zuckerberg commented:
“We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places. But—let me repeat this—we’ll make all controls and settings the same everywhere, not just in Europe.”
As we prepare for May 25, it’s important to consider the future of data processing moving forward. Take the steps now to ensure clear data flow and explicit consent so that, if something like the GDPR is adopted in the United States, your organization is ahead of the curve.
The information presented in this article is for educational purposes only, and is not intended to provide and should not be relied upon as legal advice. You should always consult your own legal advisors.