Are You GDPR Compliant? What You Need to Know
Why is it important?
Organizations that do no comply with the regulations, even unintentionally, are subject to heavy fines – up to €20 million, or 4% of their worldwide annual revenue of the prior financial year, whichever is higher.
If you think that your company is exempt because it isn’t based in the EU, think again. All organizations which collect data on any EU residents are also expected to comply with the regulations. If you have customers or engage with potential customers in the EU or the UK and want to continue to engage them, you need to understand and abide by the regulations or risk being fined.
What’s considered “personal data”?
Personal data is defined as “any information that relates to an identified or identifiable living individual.” Data rendered anonymous so that individuals cannot be identified is not considered personal data; however, anonymity must be irreversible (i.e. if that data can be re-identified to individuals when combined with other data, it would then be considered personal data).
Examples of personal data include, but are not limited to:
- Home address
- Email address
- Identification card numbers
- Location data (for example, the location data function on a mobile phone)
- IP addresses
- Cookie IDs
- The advertising identifier on your phone
- Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Also worth noting is that the regulations protect personal data regardless of the technology used to process the data (automated or manual) and the technology used to store that data (these regulations apply even if you store the information on paper!).
What do you need to do?
If you’re collecting any private information from EU-based users, then you’re considered a “data controller” and have obligations under the GDPR. Additionally, any 3rd parties you use to obtain the data are considered “data processors” and have obligations too. These obligations are based on the following nine principles:
- Lawful Basis for Processing – Users must provide informed consent for their data to be collected and processed, including being made aware of what kind of information is being gathered about them and what their rights are. There are certain exceptions to getting consent (such as B2B marketing for “legitimate interests”), but it’s best to get explicit consent. The most common way to obtain consent is by providing a notification that the user needs to accept to continue onto the site. The notification should also inform the user of their rights under GDPR.
- Pseudonymization – Personal data must be stored in secure way so that the data cannot be attributed to a specific person. Encryption is the most common way of protecting personal data, but there are specific guidelines on how it must be done. It’s best to ensure that any data you store directly is properly secured and make sure that any 3rd party companies you’re using to collect or process personal data are complying (most SAAS and cloud services have a GDPR policy).
- Right of Access – Upon request, data controllers are required to provide users with their data (a copy of their processed personal data), the purpose for processing, categories of data being processed, 3rd party recipients of their personal data, 3rd party sources of their personal data (if not gathered directly from the user), and how long the data will be stored.
- Right of Rectification – Data controllers must correct and update inaccurate personal data when notified.
- Right of Erasure – Data controllers must erase personal data when requested by a user and when there is no compelling reason for it to be present.
- Right to Restrict Processing – Data controllers must not process data when requested by a user. In this case the user is not requesting erasure of the data, but only that it is not processed for certain purposes.
- Right of Data Portability – Data controllers must make personal data available to users in a format where it can be re-used by other services (e.g. exporting your data from Facebook and using it in another service).
- Data Processing Offer – Some organizations (ones where the collection of personal data is significant) are required to appoint a Data Protection Officer who is responsible for ensuring compliance with the regulations.
- Data breaches – Data controllers are required to notify the supervisory authority of any data breaches without delay (within 72 hours). In addition, data processors must notify data controllers of any breaches without delay.
If you’re doing any business in the EU or targeting any potential customers located there, it’s time to get compliant. The first step is to appoint a Data Protection Officer and task them with understanding the regulation and putting together a plan for compliance. If you need help with this or have any specific questions, let us know as we’re happy to help!
Direct Marketing Association (UK) GDPR Checklist
GDPR self-assessment for data controllers
Sources: IAB Canada, GDPREU.org, European Commission, EUR-Lex, Information Commissioners Office, DMA (UK)