What the GDPR means for your business
With the General Data Protection Regulation (GDPR) clock winding down, companies are scrambling to decipher what it means for their business and how to become compliant. Columnist Josh Manion explains.
By now, most companies that do any business in the EU are aware of the General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016, and takes effect on May 25, 2018.
The GDPR replaces the Data Protection Directive 95/46/EC. Organizations found in non-compliance will face heavy fines: €20 million or 4 percent of global revenue per infraction. This could mean millions, or even billions of dollars in fines for large companies.
The new regulation requires companies to implement entirely new processes and procedures around the collection and storage of personally identifiable information (PII) and goes on to define PII as any information that relates to an EU resident’s private, professional or public life (IP address, banking information, email addresses, social media posts and so on). Much of the new regulation goes into making sure that this PII is stored with a person’s permission, used for the specified purpose for which it was obtained and for a duration that makes sense, given the initial reason for obtaining the data.
Unlike previous privacy regulations, the GDPR is widely expected to be enforced from day one with no grace period. Beyond that, the GDPR also provides for Supervisory Authority (SA) agencies to hear and investigate complaints, which will also have the authority to sanction administrative offenses. You can read the full text here, but I have broken it down into its four main components:
1. Data collection
The regulation will apply to all data, whether it was collected online or offline. You must provide notification about the data you intend to collect and how it will be used, and you must gain consent BEFORE any data is collected. This is a big challenge for your digital properties. There are very few solutions available that can block data collection on the first page visit, without requiring you to recode your website.
Consent must also be clear and concise and be provided in an easily accessible form that EU residents can revoke at a later point in time. Worth noting is that the GDPR explicitly states that inaction cannot be considered consent. To maintain compliance, you’ll need to ensure customers have given consent before passing information about them to a service that places any identifying cookies on their machines.
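The three points above (no collection before an explicit opt-in, silence is not consent, consent is revocable) can be expressed as a small gate in front of the page's marketing tags. The following is an added illustration, not code from the article or from any vendor's product; the purpose names, tag names and loader callbacks are hypothetical placeholders, and clearing cookies set by an already-loaded tag is left to the host page.

```javascript
// Added example: consent gate that holds marketing tags back until the visitor
// explicitly opts in, allows later revocation, and keeps an event-level audit log.
class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.decisions = new Map(); // purpose -> true/false; missing = undecided
    this.pending = new Map();   // purpose -> tags waiting for an opt-in
    this.loaded = new Map();    // tag name -> purpose, for tags that have fired
    this.auditLog = [];         // one entry per consent event, for an auditor
  }

  // Register a tag under a purpose. An undecided purpose is NOT consent, so the
  // loader runs only when an explicit opt-in for that purpose already exists.
  registerTag(name, purpose, loader) {
    if (this.decisions.get(purpose) === true) {
      this.fire(name, purpose, loader);
      return true;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push({ name, loader });
    return false;
  }

  // Explicit decision from the visitor; granted=false is an explicit refusal.
  // Returns the names of queued tags released by an opt-in.
  setConsent(purpose, granted) {
    this.decisions.set(purpose, granted);
    this.auditLog.push({ at: this.clock(), purpose, granted });
    if (!granted) return [];
    const queued = this.pending.get(purpose) || [];
    this.pending.set(purpose, []);
    queued.forEach(t => this.fire(t.name, purpose, t.loader));
    return queued.map(t => t.name);
  }

  // Revocation blocks future loads and returns the tags that already ran so the
  // page can tear them down and delete their cookies (outside this gate).
  revoke(purpose) {
    this.setConsent(purpose, false);
    const ran = [...this.loaded].filter(([, p]) => p === purpose).map(([n]) => n);
    ran.forEach(n => this.loaded.delete(n));
    return ran;
  }

  fire(name, purpose, loader) {
    this.loaded.set(name, purpose);
    loader();
  }
}
```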
2. Data storage
Data storage solutions must be designed to protect data and maintain data privacy (privacy by design). Security measures must be put in place to protect data, including unambiguous rules pertaining to access and appropriate authentication to access sensitive data. Authorizations must be kept up to date to ensure proper access rights, and all data must be audited. To meet these requirements, you will need infrastructure that:
- recognizes sensitive data by routinely inspecting content.
- automates data access processes, including those to grant, review and revoke access.
- evaluates and monitors access to data.
Organizations must have the ability to easily delete personal data, complying with the right to be forgotten, and build solutions to manage the data subject’s right to access their data and take their data with them (data portability).
3. Data transfer
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to other countries or international organizations. You may transfer personal data where the organization receiving the personal data has provided sufficient safeguards. Individuals’ rights must be enforceable, and legal remedies must be available following the transfer. Personal data may only be transferred outside of the EU in compliance with the stipulations specified in Chapter V of the GDPR.
4. Internal and external oversight
Companies with more than 250 employees will need to appoint a dedicated Data Protection Officer (DPO) whose roles and responsibilities must not cause a conflict of interest related to the protection of end users’ information.
In addition, companies must be able to prove compliance when audited by a Supervisory Authority, which includes the ability to prove that consent was received for collected information. As I mentioned earlier, you’ll need a solution that can provide an event-level audit log to prove compliance.
The clock is ticking
Companies will spend millions of dollars bringing their entire enterprise into GDPR compliance, and I suggest compartmentalizing compliance areas to make the task more manageable. Some of the most visible data collection points are our public websites, making these one of the easiest areas in which a consumer (data subject) or Supervisory Authority can demonstrate non-compliance.
Luckily, it can be simple to bring your website into compliance by using a solution that adds consent controls to hundreds of marketing tags through a single line of code, skipping the need to recode your tags and pages. Make sure that you select one that makes you compliant on the first page visit by blocking unauthorized data collection, lets you configure rules about how and where PII is sent, lets you easily adjust data collection rules by region or type of data, and doesn’t require you to recode every page on your site or set up separate sites for those who opt in vs. opt out. (Disclosure: I’m the CEO of a company that provides a GDPR website compliance solution.)
If you haven’t already, I’d strongly suggest beginning to plan for the GDPR today and give your company adequate time to review and begin implementing all the process and organizational changes required before the clock runs out next May.