What the GDPR means for your business

With the General Data Protection Regulation (GDPR) clock winding down, companies are scrambling to decipher what it means for their business and how to become compliant. Columnist Josh Manion explains.



By now, most companies that do any business in the EU are aware of the General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016, and goes into effect on May 25, 2018.

The GDPR replaces the Data Protection Directive 95/46/EC. Organizations found to be non-compliant will face heavy fines: €20 million or 4 percent of global revenue per infraction. For large companies, this could mean millions, or even billions, of dollars in fines.

The new regulation requires companies to implement entirely new processes and procedures around the collection and storage of personally identifiable information (PII), and it defines PII as any information that relates to an EU resident’s private, professional or public life (IP address, banking information, email addresses, social media posts and so on). Much of the regulation is devoted to making sure that this PII is stored with the person’s permission, used only for the specified purpose for which it was obtained, and retained only for a duration that makes sense given the initial reason for obtaining the data.

Unlike previous privacy regulations, everyone fully expects that the GDPR will be enforced on day one with no grace period. Beyond that, the GDPR also provides for Supervisory Authority (SA) agencies to hear and investigate complaints, which will also have the authority to sanction administrative offenses. You can read the full text here, but I have broken it down into the four main components:

1. Data collection

The regulation will apply to all data, whether it was collected online or offline. You must provide notification about the data you intend to collect and how it will be used, and you must gain consent BEFORE any data is collected. This is a big challenge for your digital properties. There are very few solutions available that can block data collection on the first page visit, without requiring you to recode your website.

Consent must also be clear and concise and be provided in an easily accessible form that EU residents can revoke at a later point in time. Worth noting is that the GDPR explicitly states that inaction cannot be considered consent. To maintain compliance, you’ll need to ensure customers have given consent before passing information about them to any service that places identifying cookies on their machines.

2. Data storage

Data storage solutions must be designed to protect data and maintain data privacy (privacy by design). Security measures must be put in place to protect data, including unambiguous rules pertaining to access and appropriate authentication to access sensitive data. Authorizations must be kept up to date to ensure proper access rights, and all data must be audited. To meet these requirements, you will need infrastructure that:

  • recognizes sensitive data by routinely inspecting content.
  • automates data access processes, including those to grant, review and revoke access.
  • evaluates and monitors access to data.

Organizations must have the ability to easily delete personal data, complying with the right to be forgotten, and build solutions to manage the data subject’s right to access their data and take their data with them (data portability).

3. Data transfer

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to other countries or international organizations. You may transfer personal data where the organization receiving the personal data has provided sufficient safeguards. Individuals’ rights must be enforceable, and legal remedies must be available following the transfer. Personal data may only be transferred outside of the EU in compliance with the stipulations specified in Chapter V of the GDPR.

4. Internal and external oversight

Companies with more than 250 employees will need to appoint a dedicated Data Protection Officer (DPO) whose roles and responsibilities must not create a conflict of interest with the protection of end users’ information.

In addition, companies must be able to prove compliance when audited by a Supervisory Authority, which includes the ability to prove that consent was received for collected information. As I mentioned earlier, you’ll need a solution that can provide an event-level audit log to prove compliance.
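Sections 1 and 4 both come down to the same mechanism on a website: third-party tags must be held back until the visitor explicitly opts in, must stop when consent is withdrawn, and every decision must be recorded in an event-level log that can be handed to an auditor. The following is an added example of that pattern, not code from this article or from any vendor’s product. It assumes a hypothetical tag descriptor shape ({id, purpose, load, unload}) and a consent banner that calls grant() and revoke(); the tags in the walk-through are constructed stand-ins that only record calls, so nothing touches the DOM or the network.

```javascript
// Added example (not from the article or any vendor): a consent gate that keeps
// third-party tags from firing until the visitor has opted in, unloads them on
// revocation, and keeps an append-only, event-level audit log of every decision.
// Assumptions (hypothetical): each tag is described as {id, purpose, load, unload},
// and the site's consent banner calls grant()/revoke(). No DOM or network is used,
// so the same code runs in a browser or under Node.

class ConsentGate {
  constructor(options = {}) {
    // Injectable clock so audit timestamps are deterministic in tests.
    this.now = options.now || (() => new Date().toISOString());
    this.tags = new Map();     // id -> tag descriptor
    this.consent = new Map();  // purpose -> true/false; absent = never asked
    this.loaded = new Set();   // tag ids currently running
    this.audit = [];           // append-only log of frozen event records
  }

  // Inaction is not consent: only an explicit grant returns true.
  hasConsent(purpose) {
    return this.consent.get(purpose) === true;
  }

  // Register a tag. On the first page view there is no consent yet, so the
  // tag is held back; it only fires if a grant for its purpose already exists.
  register(tag) {
    if (!tag.id || !tag.purpose || typeof tag.load !== 'function') {
      throw new TypeError('tag needs id, purpose and load()');
    }
    this.tags.set(tag.id, tag);
    this.record('register', { tag: tag.id, purpose: tag.purpose });
    return this.hasConsent(tag.purpose) ? this.fire(tag) : false;
  }

  // Explicit opt-in from the visitor; fires every held tag for that purpose.
  grant(purpose, source) {
    this.consent.set(purpose, true);
    this.record('grant', { purpose, source });
    for (const tag of this.tags.values()) {
      if (tag.purpose === purpose) this.fire(tag);
    }
  }

  // Withdrawal of consent; unloads running tags for that purpose.
  revoke(purpose, source) {
    this.consent.set(purpose, false);
    this.record('revoke', { purpose, source });
    for (const tag of this.tags.values()) {
      if (tag.purpose !== purpose || !this.loaded.has(tag.id)) continue;
      if (typeof tag.unload === 'function') tag.unload();
      this.loaded.delete(tag.id);
      this.record('unload', { tag: tag.id });
    }
  }

  fire(tag) {
    if (this.loaded.has(tag.id)) return true;  // idempotent
    tag.load();
    this.loaded.add(tag.id);
    this.record('load', { tag: tag.id, purpose: tag.purpose });
    return true;
  }

  // Each record is frozen so later code cannot rewrite history.
  record(event, detail) {
    this.audit.push(Object.freeze({ ts: this.now(), event, ...detail }));
  }

  // Serialised log, e.g. to ship to a write-once store for an auditor.
  exportAudit() {
    return JSON.stringify(this.audit);
  }
}

// Walk-through with constructed tags: load()/unload() only append to `calls`,
// standing in for the script injection a real tag would perform.
function demo() {
  let tick = 0;
  const gate = new ConsentGate({
    now: () => `2018-05-25T00:00:${String(tick++).padStart(2, '0')}Z`,
  });
  const calls = [];
  gate.register({
    id: 'analytics-pixel', purpose: 'analytics',
    load: () => calls.push('analytics-pixel:load'),
    unload: () => calls.push('analytics-pixel:unload'),
  });
  gate.register({
    id: 'ad-retargeting', purpose: 'advertising',
    load: () => calls.push('ad-retargeting:load'),
  });
  const firedOnFirstView = calls.length;        // 0: nothing ran before consent
  gate.grant('analytics', 'banner-accept');     // analytics-pixel loads now
  gate.revoke('analytics', 'privacy-settings'); // ...and is unloaded again
  return { gate, calls, firedOnFirstView, events: gate.audit.map((e) => e.event) };
}
```

Two design points matter for an audit. First, consent is keyed by purpose rather than by tag, so a visitor’s single decision is applied consistently to every tag serving that purpose, and a tag added later to the page is still held back unless a grant already exists. Second, the log records the source of each grant or revoke (which banner, which settings page) alongside the timestamp, which is the evidence a Supervisory Authority would ask for when you claim consent was obtained before data was collected.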

The clock is ticking

Companies will spend millions of dollars bringing their entire enterprise into GDPR compliance, and I suggest compartmentalizing compliance areas to make the task more manageable. Some of the most visible data collection points are our public websites, making these one of the easiest areas for a consumer (data subject) or Supervisory Authority to prove non-compliance.

Luckily, it can be simple to bring your website into compliance by using a solution that adds consent controls to hundreds of marketing tags through a single line of code, skipping the need to recode your tags and pages. Make sure that you select one that makes you compliant on the first page visit by blocking unauthorized data collection, allows you to configure rules about how and where PII data is sent, allows you to easily adjust data collection rules by region or type of data, and doesn’t require you to recode every page on your site or set up separate sites for visitors who opt in vs. opt out. (Disclosure: I’m the CEO of a company that provides a GDPR website compliance solution.)

If you haven’t already, I’d strongly suggest beginning to plan for the GDPR today and give your company adequate time to review and begin implementing all the process and organizational changes required before the clock runs out next May.


Opinions expressed in this article are those of the guest author and not necessarily MarTech.


About the author

Josh Manion
Contributor
Josh Manion is currently the CEO of Vault JS, a company focused on securing third-party technologies for the enterprise. Prior to Vault JS, Josh was the Founder and CEO of Ensighten, a tag management technology. Prior to Ensighten, he served for seven years as the CEO of Stratigent, a web analytics and marketing optimization consultancy. Josh has played chess professionally and is currently ranked among the top 60 players in the United States. He holds a degree in Management Science with a focus on Information Technology from the Massachusetts Institute of Technology (MIT).
