GDPR races down the road: Getting up to speed

Filed under:

Strategy, Tech
Sweeping privacy protection legislation, the General Data Protection Regulation (GDPR), enacted by the EU, became enforceable May 25, 2018. Here are the basics.

Growth metrics. Accessibility requirements. Editorial calendars. Social media posts and tracking responses. As if that wasn’t enough, you’re now hearing about a new acronym that lies somewhere between not having any effect on your life and possibly costing you millions of dollars if you ignore it: GDPR.

If you haven’t been spending a ton of time preparing for the General Data Protection Regulation until now, it’s important that you take a minute and learn more about what it is and its impact.

While this post doesn’t cover every last detail, we hope you find it works as a helpful jumping off point. We also encourage you to reach out to us to talk about your specific needs and concerns.

What is GDPR?

Sweeping privacy protection legislation, the General Data Protection Regulation (GDPR), enacted by the EU, became enforceable May 25, 2018. And just because your business is headquartered in the USA doesn’t mean you aren’t affected. After all, your website can be seen everywhere there’s an internet connection; if you do interact or do business with people out of the country via your website, you may be liable for big damages if you don’t fully protect EU users’ privacy.1

ccpa will go into effect in 2020. Our Digital Strategist, Peter Barclay, discusses how to prepare in a follow-up post.

So, what do you have to do to comply?

We can’t get down to the nitty-gritty in this blog post, but here’s the biggest takeaway: you need to offer clear, easy steps that provide visitors with greater control over their own personal data. This includes the right to actively consent to every use of personal data, the right to limit that use, and the right to be forgotten. Simply put, you need to give people privacy and security options. Then, it’s up to them.

Who is covered?

The General Data Protection Regulation was created to strengthen the rights of EU data subjects (not just citizens2) when it comes to the collection and use of their personal data. As a result, with the GDPR, EU data subjects now have a much stronger say in keeping their privacy and data personal. The GDPR applies to:

  • Any business or organization that offers goods or services, paid or free, to data subjects in the EU
  • Any monitoring of the behavior of data subjects in the EU

These two applications of law are wide-reaching, and affect the use of internet tracking devices such as cookies used to collect analytics, conduct advertising, survey users and provide chat tools – all of which collect data now considered personal.

The regulations apply to data controllers (those who collect data from EU subjects) and data processors (those who process data on behalf of a data collector).3 The EU has a helpful FAQ available here.

How does it affect you?

According to the text of the regulations—and there are approximately 100 pages of the law to understand—simply having a website that’s accessible to EU data subjects doesn’t make you subject to the GDPR. However, the intention to provide services to EU data subjects or track their behavior (for example, for advertising) definitely does. Consequently, failure to comply could cost you (or your client) up to €20 million, or 4% of annual worldwide revenue.

You might be wondering how an EU data protection authority (DPA) could go after businesses outside the EU that don’t comply. The answer isn’t spelled out…yet. But experts say it’s plausible that the DPA could seek legal remedies and successfully shut down a non-EU service violating the law. Then, there’s the matter of those hefty fines. Ruh-roh. Why risk becoming a test case?

It is important to note that personal data includes information like IP addresses, cookie identifiers, and GPS locations that may be collected by tracking software like Google Analytics, your CRM tool or an email blast provider. Additionally, it is no longer good enough to simply inform users that tracking is occurring. Sites cannot rely on inactivity or pre-checked boxes to provided consent.

Users must provide explicit consent which needs to be recorded.

For many people, Google Analytics is a major source of GDPR concern. Most people believe that GA will be fully GDPR complaint by the deadline. We believe it’s less dangerous than the clamor would make you believe. You can read more direct from the source here, but our initial thoughts are below; we will continue monitoring this situation and provide an update about necessary remediation steps.

Anywhere else where you collect user data or use a tracking cookie are also areas of concern.

Do’s and dont’s

First, don’t panic! With a little guidance, meeting the GDPR’s data security requirements can lead not just to compliance but also to making you look like a champion. Being proactive makes you a guardian, a warrior for your customers’ interests and rights. Who doesn’t have a secret fantasy of being a superhero?4

Take These 4 Action Steps Now:

  1. Locate your Personal Data
    First of all, detect where personal data is stored, who can access it, how long you’ve kept it, how long you will keep it and why you collected it in the first place. 5
  2. Take Action and Manage Data
    All EU data subjects can now request access to their personal data6 and require it to be corrected7, moved8 or deleted.9 So, you’ll have to have audit and detailed reporting tools in place to prove your organization is GDPR compliant.
  3. Apply Policies and Secure Data
    Then, make sure your data protection and security processes leave nothing to chance. Make sure you know who has access to what, what they can do with it, and make sure you have a plan of action for each of your data subjects’ data rights under GDPR.
  4. Monitor Your Data
    Finally, monitor and audit data access and permission changes. Recognize data breaches on time and notify the authorities within 72 hours. It’s crucial to have established protocols that spot risky behaviors so you can avoid breaches – and big penalties.10

But what about Google Analytics?

Thankfully, the GA Terms of Service require that you, as an organization, do not store any personally identifiable information. The logic, according to Littledata, goes as follows:

Imagine a customer calls your company and using the right of access asks what web analytics you hold on them. If it is impossible for anyone at your company (or from your agencies) to identify that customer in GA, then the other right of rectification and right of erasure cannot apply.

From Littledata

At most, you’re on the hook for ensuring your site uses a custom event to log whether each user accepts the GA tracker cookie through an opt-in message, not an informational notice regarding your site’s use of cookies, nor an opt-out.

Cookieconsent by Insites has a great rundown of these different types of consent banners. Not sure which one is right for you? Keep reading.

A host of options.

We offer managed hosting and maintenance operations for every website we build. That means when it comes to complying with GDPR, our clients already have a valuable ally. We prefer to sit down and discuss what makes the most sense for our clients, taking into consideration all the areas of contention about this complex new law. But we’re available to anyone who wants to update their sites with opt-in processes that ensure compliance with GDPR.

Disclaimer: I’m not a lawyer – although I’d like to play one on TV. This post is how I read and interpret the General Data Protection Regulation (GDPR) and e-Privacy Regulation. I urge you to seek legal counsel from a privacy and data security specialist. GDPR is complex; interpretations vary. As always, your comments and suggestions are welcome.