GDPR: What your company should know and do, starting now

RESEARCH

By Pedro

January 06, 2017


Coming May 2018, the European Union will enforce a set of regulations designed to protect European citizens’ personal data. It’ll affect all companies that deal with EU citizens’ personal data, meaning that, yes, even your non EU-based company will still need to comply.

Some countries, such as Germany, already have strict data protection regulations in place, though the GDPR brings a major boost for compliance: fines up to €20M or 4% of global turnover for more serious offenses. Significant changes are coming and some of them are not trivial to implement, particularly in more complex organizations.

We’ve rounded up some of the key things you need to know and be prepared for. First things first…

#1 — What is Personal Data?

This is how the OECD defines it:

any information relating to an identified or identifiable individual (data subject)

This includes (though it is not limited to):

  • Name, address and unique identifying numbers (e.g., your social-security number);
  • Demographics — such as age, gender, income or sexual preference;
  • Behavioral data — web searches, purchase history and more;
  • Social data — who your friends are, your emails, etc.;
  • Sensor data — biometrics, health tracking devices;
  • User generated content — videos, photos, blogs or comments.

The GDPR is only concerned with personal data, which means that anonymized data is out of its scope. There’s an important caveat though: if data, even if anonymized, can somehow be tied back to an individual (for example, by combining multiple data sources and inferring an identity from that analysis), then this information can be deemed personal.

#2 — The Data Subject, the Controller and the Processor

a who’s who for the new world of GDPR-compliance

There are three simple fundamental definitions at play.

  • The Data Subject: This is your customer. Or your employee. Or your user. Or any EU citizen who has entrusted you with their personal data. This is who the law is designed to protect.
  • The Data Controller: This is (likely) your company. It’s who customers entrust their data to, and the party responsible for deciding what happens to the data, what it’s used for and how it’s handled.
  • The Data Processor: This is any entity that actually handles personal data on behalf of, and as instructed by, the data controller. It’s a bit of a nuanced distinction but a very important one.

For instance, say you’re selling T-shirts on Shopify.

Your company, AmazingCoolTshirts.com, is making a killing and Shopify is coming in pretty handy. You’re also growing a loyal customer base and retargeting it using MailChimp as a preferred customer channel. Cool!

Shopify and MailChimp are storing and processing your customers’ personal data for the ends you expect them to, but you, the decider, are the one who controls what these services do.

A data love triangle

So in this case, your customers are obviously your data subjects; you are a data controller and Shopify and MailChimp are processors. We’ll delve a bit more into the implications of this later.

This is one example of the possible relationships between subjects, controllers and processors. Many more are possible — controllers can also handle the data themselves and processors are often also controllers when, for instance, they manage their own employees’ personal data.

#3 — Data protection & accountability

with data comes great responsibility

As a controller you’re responsible for the data you hold. This means that you need to take steps to protect it and be able to demonstrate them to Data Protection Authorities (DPAs).

In practice, you need to secure the data your organization holds. This can sometimes translate into military-grade encryption, but it can also entail training your employees on data handling best practices.

Additionally, you need to make sure that the processors you use to handle the personal information your company controls effectively protect your data (even if those processors are also accountable under the GDPR).

The European Data Protection Board and national DPAs are expected to develop certification mechanisms for controllers and processors, so you might want to be on the lookout for certified organizations that ensure compliance.

#4 — Consent

ask for permission, not forgiveness

We know, we know, that’s not how you say that.

Consent is one of the fundamental aspects of the GDPR. Companies will now need to obtain consent from their customers for every usage of their personal data.

And no, 250-page Terms & Conditions aren’t cool anymore. Neither are pre-ticked checkboxes — consent is only valid if actively given. Controllers are also required to state in plain language the purpose for which the data is used.

Moreover, subjects have the right to object to each purpose and can’t really be denied service based on refusal unless that usage is critical for the provision of a service (e.g., you do need to use your customer’s address to ship T-shirts, but agreeing to receive newsletters isn’t really that important).

Data subjects must also be able to withdraw consent at any time, preferably using the same interface they used to give it in the first place.

What can you do? If you have a website, make sure your users agree to everything you do with their data and don’t forget to store that information. This might imply changing sign-up forms or checkout processes. There are already some tools that can help you do this, such as ConsentCheq.

#5 — Improved subject rights

GDPR’s bringing the power back to the people

The GDPR also grants a comprehensive & enhanced set of fundamental rights to data subjects. These include:

  • Right to be forgotten (or right to erasure) — subjects can request that their data be erased when it’s no longer necessary for its original purpose.
  • Access & rectification — subjects must also be able to access their personal data and modify it.
  • Portability — controllers need to provide all personal data they have on a subject when requested, in a portable format. Interestingly, Google for example already offers this feature using its Takeout page.

Make sure your organization has the processes in place to enable these. Getting all the data you hold on a user into a neatly packed .zip file might not be a trivial task.
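To make the consent requirements of #4 and the subject rights of #5 concrete, here is an added example (not code from the original article, and not any product’s API) of a minimal per-purpose consent ledger for the hypothetical AmazingCoolTshirts.com shop. The purpose catalogue, the `essential` flag, the sample customer and every function name are constructed for illustration. It shows the properties the text asks for: consent is recorded per stated purpose together with the plain-language statement the subject saw and the interface used; an unticked box is a “no”, never a default “yes”; refusing an optional purpose (newsletter) never blocks service, while a missing essential one (shipping) does; withdrawal is recorded through the same interface; and the whole record can be exported in a portable form or erased on request.

```python
"""Per-purpose consent ledger with portability export and erasure (constructed example)."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Constructed purpose catalogue for the hypothetical shop. Essential purposes are needed to
# deliver the service itself; refusing an optional one must never block service.
PURPOSES = {
    "order_fulfilment": {"essential": True,
                         "text": "We use your name and address to ship your order."},
    "newsletter": {"essential": False,
                   "text": "We email you about new designs and promotions."},
    "retargeting": {"essential": False,
                    "text": "We share your email address with our email-marketing processor."},
}


@dataclass
class ConsentRecord:
    purpose: str
    given: bool          # True = consent given, False = refused or withdrawn
    at: str              # ISO-8601 UTC timestamp: evidence of *when* the decision was made
    text_shown: str      # the plain-language statement the subject actually saw
    via: str             # the interface used, so withdrawal can be offered through the same one


@dataclass
class Subject:
    subject_id: str
    profile: dict
    consents: list = field(default_factory=list)   # append-only history, never overwritten

    def latest(self, purpose):
        """Most recent decision for a purpose, or None if the subject never decided."""
        for rec in reversed(self.consents):
            if rec.purpose == purpose:
                return rec
        return None


def record_consent(subject, purpose, given, via, now=None):
    """Append a consent decision. Unknown purposes are rejected so nothing is collected 'just in case'."""
    if purpose not in PURPOSES:
        raise KeyError(f"unknown purpose {purpose!r}")
    at = (now or datetime.now(timezone.utc)).isoformat()
    rec = ConsentRecord(purpose, given, at, PURPOSES[purpose]["text"], via)
    subject.consents.append(rec)
    return rec


def withdraw(subject, purpose, via, now=None):
    """Withdrawal is just a later record saying 'no'; the earlier 'yes' stays in the history."""
    return record_consent(subject, purpose, False, via, now)


def may_process(subject, purpose):
    """Consent counts only if actively given: no record (an unticked box) means no, never a default yes."""
    rec = subject.latest(purpose)
    return bool(rec and rec.given)


def can_serve(subject):
    """Service may be refused only when an essential purpose lacks consent."""
    return all(may_process(subject, p) for p, meta in PURPOSES.items() if meta["essential"])


def export_portable(subject):
    """Portability: everything held on the subject as plain data (json.dumps turns it into a file)."""
    return {
        "subject_id": subject.subject_id,
        "profile": dict(subject.profile),
        "consents": [asdict(c) for c in subject.consents],
    }


def erase(subject, now=None):
    """Erasure: drop profile and consent history; return only a minimal receipt that it happened."""
    at = (now or datetime.now(timezone.utc)).isoformat()
    subject.profile = {}
    subject.consents = []
    return {"subject_id": subject.subject_id, "erased_at": at}


if __name__ == "__main__":
    # Constructed sample customer; walk through sign-up, opt-in, withdrawal and export.
    ana = Subject("c-001", {"name": "Ana", "email": "ana@example.test"})
    record_consent(ana, "order_fulfilment", True, "checkout_form")
    record_consent(ana, "newsletter", True, "checkout_form")
    withdraw(ana, "newsletter", "checkout_form")
    print(json.dumps(export_portable(ana), indent=2))
    print("can serve:", can_serve(ana), "| may email:", may_process(ana, "newsletter"))
```

The history is append-only on purpose: when a DPA asks you to demonstrate that consent was given, a single boolean column cannot show when it was given, what text was shown, or that it was later withdrawn, whereas the record list can. In a real system this ledger would live in a database with the same structure, and the portability export would be what ends up in the .zip file the text mentions.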

#6 — Fines are a b**!

As mentioned, this is likely the biggest driver towards GDPR compliance. Fines are grouped in two categories:

  • Penalties up to €10M or 2% of global turnover or
  • Penalties up to €20M or 4% of global turnover.

That’s huge!

Article 83 states that fines should be “effective, proportionate and dissuasive”. It also says that fines are discretionary rather than mandatory and are applied on an individual basis.

If you’re curious, you can read more on what offenses fall into each category here.

Summing it all up (or TL;DR)

The GDPR is coming, and with less than a year and a half to go, most organizations will need to go through some changes — and that’s not a whole lot of time.

Ignoring the issue is not really an option, given the business killer fines companies may face.

Here are some final thoughts:

  • Check how your company is storing personal data and ensure that the methods being used are iron-clad.
  • Adapt your customer touchpoints to support subjects’ rights, such as data portability.
  • Make sure everyone who handles personal data within your organization understands what these changes mean.
  • Choose the entities you share your users’ personal data with very carefully, as a slip-up might dictate the end of your business.
  • If you already rely on third parties to handle personal data, verify that they are already GDPR compliant or, at the very least, that they will be by May 2018.

The transition process should be fairly smooth for your online T-shirt business but can quickly get tricky in larger and more complex organizations that handle a lot of personal data in many different ways. Most of these will likely require a significant investment to ensure compliance. In a survey conducted with large companies (over 250 employees), over half had earmarked more than $100k towards compliance and 11% over $1M.

When in doubt, do seek professional advice. The stakes are too high to risk penalties.

For more resources, check the awesome Bird&Bird Guide to the GDPR or the whole darn thing here or here.