GDPR Compliance Roadmap
The General Data Protection Regulation (GDPR) gives EU natural citizens rights to control what personal data is collected and how it is stored and/or used. The GDPR covers any “natural person” located in the EU. This means non-EU citizens while they are located in the EU are protected under the GDPR.
This recent EU law has caused quite a bit of concern for U.S. based businesses on whether or not they must comply, and how to comply. I discussed whether or not U.S. based small businesses are exempt from the GDPR in a prior blog post. For those businesses that are not exempt and have an EU presence or collect data from EU visitors more than just occasionally, they must understand how to comply with the GDPR or risk facing having to pay serious fines.
So, how can businesses, marketers and data collectors in general comply with the GDPR?
1. Understand and identify what “personal data” is being collected.
The GDPR includes a comprehensive definition of what constitutes personal data and sets forth numerous rights of individuals to know how their personal data is being used. Under the old EU Directive on Data Protection (and the existing UK Data Protection Act), personal data was broadly defined as “any information relating to a living, identified or identifiable natural person. The term ‘personal data’ still applies to indirect data that requires the use of information elsewhere to identify an individual, such as a user ID number is personal data when it can be matched to the name of a user on a database.
Here is the definition of personal data under the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
First and last names are personal data. Email addresses that contain a full name and/or that clearly identifies that person is personal data. Generic or anonymous email addresses are not personal data. Location data and online identifiers that can identify an individual by linking with or bundling it with other identifying information are personal data under the GDPR. Location data is not specifically defined but is associated with data that has any kind of geographic position attached to it. Online identifiers refer to digital information such as IP addresses, cookie strings or mobile device IDs.
Basically, the GDPR keeps the same broad definition of personal data under the previous EU Directive, but clarifies that data includes online identifiers and location data. This means that IP addresses, mobile device IDs and unique identifiers are all GDPR personal data.
Sensitive Data
Under Article 9, as a sub-category of personal data, sensitive data refers to a more specific type of personal data that should be treated with extra protection and care. The current definition of this includes information such as:
-
Racial or ethnic origin
-
Political opinions
-
Religious or philosophical beliefs
-
Trade-union membership
-
Health information
-
Sex life information (sexual orientation)
-
Genetic data (refers to gene sequences, which are used for medical and research purposed)
-
Biometric data (includes fingerprints, retinal and facial recognition data)
The data subject must give express permission to use sensitive data for a specific purpose that is disclosed to he or she before collecting such data.
What about an IP address?
My opinion is that an IP address by itself is not personal data under the GDPR. Consider that an IP address shows the region, city and town a user/visitor is located when he or she is on the Internet. An IP address doesn’t identify who is using a certain IP address-it basically only provides location information.
The GDPR and Pseudonymization
Quoting from Recital 26: “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”. In other words, pseudonymous data is regulated by the GDPR. There is no more potential identification of the data subject with anonymous information.
There are two key aspects to remember here:
1. Pseudonymization is recommended where feasible in the GDPR. Along with encryption of personal data, pseudonymization is explicitly mentioned as one of the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. In other words; it is recommended, where appropriate and feasible as Article 32(1,a) of the GDPR states. (Research has found that 54% of multinationals in the US plan to use such methods of de-identification to reduce GDPR risk exposure.)
2. Pseudonymization falls under the GDPR because of the potential of “unauthorised reversal of pseudonymisation.” The key role of the data subject’s perspective. Pseudonymization is the result of uncoupling certain aspects of data from a data subject (often as part of security precautions and analytics) whereby the data fields which are the most identifying and/or sensitive in a data record are replaced by pseudonyms. Yet, it can be reversed as well.
The GDPR defines pseudonymisation as follows in Article 4(5) as: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Recital 26 of the GDPR says: “the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes”.
As an example, selling patterns of mobile use data is in fact statistics and is entirely rendered anonymous where the data subject can’t be identified.
2. Obtain informed consent before automatically collecting data.
Website visitors can only have personal data collected or used under the GDPR if he or she has given their consent by a recordable affirmative action. The exception is where a legitimate legal basis (‘legitimate interest’) for the data collection exists, such as in connection with a transaction or entering into a contract. However, when website visitors are tracked automatically using cookies or other tools and when this information can uniquely identify a data subject, it must be disclosed and consent must be obtained prior to such collection.
Data subjects must take some affirmative action to signify their informed consent. The use of pre-checked boxes are not acceptable under the GDPR. Demonstrating when and how consent was granted, as well as who acquired it, is paramount for GDPR compliance. This means website operators must create records of this information.
Probably the best way to obtain consent from website visitors is to use a full pop-up disclosure and a checkbox prior to collecting any data. The disclosure of how any personal data will be used must be consented to on a use-by-use basis and cannot be buried in other terms and conditions. In other words, website operators shouldn’t rely on including this information in separate terms and conditions or even in their privacy policy. Disclosure should be made separately, fully and done prior to any automatic data collection. Consent must be provided by a data subject for their personal data to be used for the specific purpose disclosed. This consent can only be applied to that purpose. If a business or organization needs to process data for a different reason, they are required to request explicit consent to do so.
The GDPR stipulates that It is also important to note that Article 29 Working Party guidance states that more than one base should not be used for a single processing activity. Once the basis has been identified it must be communicated to the data subject, as per GDPR Article 13.
Withdrawing Consent
Data subjects must be able to withdraw consent at any time. Once a data subject opts out, their data should no longer continue to be held or processed, unless the business has another legitimate reason for doing so.
Website GDPR Consent Mechanism
The display of consent and disclosure information to visitors may need to be redesigned. Data collectors will need to obtain consent for every single use-case that is in play for your collected data. Data subjects will need to be able to select those use-cases that they agree with and decline those they do not like. Those preferences must be stored in appropriate databases. The best way to obtain consent is to use a full pop-up disclosure and a checkbox. Data subjects can also complete an online form, or send an email, to provide consent.
Is Prior Consent always necessary?
There are five instances under Article 6 of the GDPR which authorize the collection (and use) of personal data of an individual without prior consent:
-
Personal data is collected upon the request of the data subject before a contract is signed, or the data is necessary for the performance of the contract.
-
Personal data is processed in order for the data controller to comply with legal obligations.
-
Personal data is used in order to protect the vital interests of an individual.
-
Personal data is processed/used in accordance with the official authority of a data controller or in relation to actions taken in the public interest.
-
Personal data is used for the legitimate interests of the data controller or a third party except when the rights and freedoms of an individual override these interests.
3. Implement a mechanism/system for data management, security & compliance reporting.
Every business and website operator must understand the personal data it has collected and uses, where such data is stored, how it was obtained, whether the data needs to be retained and who is responsible for managing the data. These are the basic questions each business and organization must ask in order to truly become GDPR compliant. For GDPR best practices, data should only be keep for the purpose for which it was originally collected. If the purpose no longer exists, the data should be deleted (unless there is another legally valid reason for continuing to process it).
While the GDPR does not stipulate that encryption must be used, it is recommended that data is encrypted.
Article 30 requires businesses with 250 or more employees processing personal data to keep records of their processing activities. Businesses that have less than 250 employees do not have to create these records unless there could be a risk to the ‘rights and freedoms of data subjects (including trade secrets or intellectual property rights), the processing is not occasional, or the business processes any ‘special categories’ of data (sensitive data) as referred to in Article 9(1), or personal data relating to criminal convictions and offenses referred to in Article 10. Businesses with more than 250 employees must keep more detailed records, including the name and details of the business, the data protection officer, why personal data is being processed, a description of the types of individual and categories of their personal data, as well as categories of recipients of this data, details of any foreign transfers of that data outside the EU including documentation proving that data will be safeguarded abroad, retention schedules, and a description of technical and security measures being used.
Most small U.S. businesses will be exempt from these extra record keeping duties if they only process personal data of EU residents occasionally.
Finally, all data collectors/processors must be able to provide sufficient documentation to the Data Protection Authority (DPA) upon request.
4. Conduct a Data Risk Assessment.
Each business and website operator should assess the risk of the personal data being stored and the way it manages such data. Businesses should use Data Protection Impact Assessments (DPIAs), to help them gauge the level of risk, and the potential liability, associated with all the personal data collected and stored. Data collectors must understand high-risk data collection and use. Article 35 of the GDPR stipulates that a DPIA should be carried out if the processing of data is high risk. When the type of data which is being processed, or the processing itself, presents a high risk to the rights and freedoms of the data subjects involved, DPIAs should be used to help establish the level of risk and the impact involved. When high levels of risk are identified, it’s necessary for the business or organization to mitigate the risk. If there does not seem to be any possible mitigation, the business or organization must seek advice from the DPA before the data is processed.
Under the GDPR, the following items must be included in a DPIA:
-
full and systematic description of data processing activities and why this is done.
-
full assessment of whether the data processing is necessary and proportionate given the purpose of the data subject interaction.
-
full assessment of the data processing risks involved.
-
mitigation efforts with respect to the identified risks.
The bottom line is that data collectors will be expected to implement procedures to address any risks of unauthorized access to personal data and put comprehensive controls in place.
5. Report Data Breaches Within 72 Hours.
Under the GDPR, data breaches must be reported within 72 hours except where there is no risk to the rights or freedoms of any data subjects (Breach Notification Rule). The prior EU Directive only allowed complaints to be lodged against data controllers. If a data breach would pose a high privacy risk for any visitors or customers, then those individuals must be notified about the breach. Data processors are now obligated to inform their customers/clients (who are mainly the controllers) of any data breaches upon realizing it without any undue delay. Most businesses operating websites are data controllers (although a data controller can also be a data processor) and will be required to make data breach notifications within 24 hours, but not later than 72 hours, to the relevant authorities.
6. Appoint a Data Protection Officer (DPO).
If your business’s central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a DPO. The role of the DPO is to act as an advisor and monitor GDPR compliance. There is no definitive information (yet) about what is considered to be large-scale processing or systematic monitoring. The DPO will be responsible for managing internal data protection activities, advising on GDPR data protection impact assessments, training staff and conducting internal audits. The DPO also serves as the first point of contact for Data Protection Authorities and individuals wishing to exercise their GDPR rights.
Data collectors must also appoint a DPO if records of criminal convictions, or ethnicity, religious or philosophical beliefs, political opinions, trade union membership details, health, sex life, or sexual orientation data are collected on a large scale.
7. Draft a Clear and Complete Privacy Policy.
Businesses must comply with the “accountancy principle”, which means they will provide clear and transparent privacy policies. GDPR guidance emphasizes the need to use clear language. Broad, vague statements such as “’We may use your personal data to develop new services,” “We may use your personal data for research purposes” and/or “We may use your personal data to offer personalized services” do nothing to inform site visitors how their data will actually be used or with whom it may be shared. The GDPR rules require far more disclosure specificity.