General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation, enacted by the European Union, is the most comprehensive privacy law in the world. The 2 year transition period ends and the GDPR becomes enforceable on May 25th 2018. The regulation applies to the collection of data from people located in the EU, regardless of nationality or citizenship.
How does it affect you?
GDPR updated existing Data Protection laws from the 1990s to regulate the vast amount of data now collected through current technology. The changes to data protection and privacy laws will change the way companies operate, collect data, design their websites, market to and communicate with their customers.
The definition of "data" has been expanded. It covers not only personal data such as name, e-mail address and phone number, and sensitive data such as health, religious, political and philosophical beliefs, but also location data and pseudonymized data such as IP addresses, cookies, telemetry, MAC addresses, mobile device IDs and RFID tags. This means your website is likely to collect data from people located within the EU, which requires your compliance with the GDPR. Non-compliance can be fined up to 20 million Euros or 4 percent of annual global turnover, whichever is higher.
User/Data Subject Rights
- Be Informed: Article 13 and Article 14 lay out what information Users are entitled to, depending on whether the data was collected from the User or an alternative source.
- Access: The User has the right to know who is collecting data, what data is being collected, the purpose for processing the data, who the data will be shared with, whether there will be an international transfer of data, and the length of time the data will be stored or, if that is not discernible, the criteria used to determine the duration (such as: data will be stored until you delete your account). The Controller must notify the User of their right to amend, restrict or erase data processing, as well as their right to file a complaint with a supervisory authority. The User has the right to request and receive one free copy of all their data being processed. An administrative fee may be charged for additional copies requested by the User. If the request is made electronically, and unless the User requests otherwise, the Controller may provide the records of processing electronically.
- Rectification (Accuracy): The right to restrict processing where data is inaccurate and to amend and update incomplete or inaccurate information.
- Erasure (Right to be forgotten): The subject has the right to withdraw consent and ask for personal data to be “erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her…” (paragraph 65 of the preamble)
- Right to Restriction of Processing: The User has the right to restrict the processing of their data where it is inaccurate or unlawful, where they have objected to the processing and are awaiting a decision regarding the Controller's basis for processing, or where the Controller is retaining the data only for legal compliance or for the establishment, exercise or defense of legal claims.
- Notification Obligation: The Controller must pass on any amendment, erasure or restriction of user data to everyone it provided the User's data to, such as third-party processors, payment processors and CRMs, and must tell the User who those recipients are if requested.
- Data Portability: The User has the right to request and receive their personal data from a Controller in a format that allows it to be easily transferred to another data controller.
- Right to Object: The User has the right to object to profiling or automated decision-making, and to the processing of their data for direct marketing or for scientific or historical research purposes.
- Automated Decision-Making: The default is that controllers are not allowed to make automated decisions or profile users unless their processing falls under one of the exceptions outlined in Article 22 of the GDPR.
Under GDPR, “processing of the personal data of a child” is only permissible when the child is at least 16 years old. If the child is under 16 years of age, companies must obtain consent from the child’s parent or legal guardian to collect and process the child's data. Collection of data from children under the age of 13 is strictly prohibited.
The U.S. federal Children’s Online Privacy Protection Act (COPPA) allows companies to collect data from children 13 years of age or older without the consent of a guardian. Companies need to audit the data they are collecting and may need to expand their current parental consent obligations and data protection safeguards to include children up to age 16.
An additional concern for companies advertising and marketing to children relates to the drafting of their corporate privacy notice. “Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.” (Recital 58 EU GDPR)
What should you do now?
Conduct a Data Protection Impact Assessment
Audit and map current data collection, storage, plug-ins, cookies and telemetry to see what data you're collecting, how it is collected, and where it is stored.
Audit current consent collection - make sure you are obtaining the right type of consent for the data you collect and the purpose you collect it for. Make sure every consent you collect is time-stamped and logged. If there is a complaint or dispute, you need to be able to prove how and when you collected consent.
Audit who has access to data, internally and externally. Who within your company has access to data, and how do they access it (personal login, shared company login, company computer, cloud, mobile app)? Which third-party vendors and plugins have access to data? Are they GDPR compliant?
Security and breach testing - if someone were trying to gain unauthorized access to data, where are you vulnerable? Is your company employing industry and technology standards to protect data and mitigate risk?
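The consent audit step above asks for consent records that are time-stamped, logged and usable as proof of how and when consent was obtained, and the Access and Data Portability rights above require that a subject can receive a copy of their own records. The Python below is an added example, not code from the original page or from any project it describes. It keeps an append-only log of consent events in which each record commits to the previous one with a SHA-256 hash, so that a rewritten or removed record is detectable; that hash chaining, the record fields, and the subject ids, purposes and notice versions are assumptions made for illustration, not anything the GDPR text prescribes.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first record (assumption)


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, as captured at the time (fields are an assumption)."""
    subject_id: str      # pseudonymous id of the data subject; ids below are constructed
    purpose: str         # what the consent covers, e.g. "marketing-email"
    action: str          # "granted" or "withdrawn"
    notice_version: str  # version of the privacy notice the subject was shown
    timestamp: str       # ISO 8601, UTC
    prev_hash: str       # entry_hash of the previous record (GENESIS_HASH for the first)
    entry_hash: str      # SHA-256 over the fields above, in canonical JSON


def _digest(fields: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    return hashlib.sha256(
        json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._entries: list = []

    def record(self, subject_id: str, purpose: str, action: str,
               notice_version: str, now: Optional[datetime] = None) -> ConsentEvent:
        """Append a time-stamped event; each entry commits to the one before it."""
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        body = {
            "subject_id": subject_id, "purpose": purpose, "action": action,
            "notice_version": notice_version, "timestamp": stamp, "prev_hash": prev,
        }
        event = ConsentEvent(**body, entry_hash=_digest(body))
        self._entries.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The latest event for (subject, purpose) decides; no record means no consent."""
        state = False
        for e in self._entries:
            if e.subject_id == subject_id and e.purpose == purpose:
                state = e.action == "granted"
        return state

    def verify(self) -> bool:
        """Recompute every hash and link; False if any record was altered or removed."""
        prev = GENESIS_HASH
        for e in self._entries:
            body = asdict(e)
            stored = body.pop("entry_hash")
            if e.prev_hash != prev or _digest(body) != stored:
                return False
            prev = stored
        return True

    def export_for_subject(self, subject_id: str) -> str:
        """Machine-readable copy of one subject's own consent history (their copy)."""
        own = [asdict(e) for e in self._entries if e.subject_id == subject_id]
        return json.dumps(own, indent=2, sort_keys=True)

    def tamper_for_demo(self, index: int, **changes) -> None:
        """Overwrite a stored record without re-hashing, to simulate manipulation."""
        self._entries[index] = replace(self._entries[index], **changes)


def demo() -> dict:
    """Fixed timestamps so the result is reproducible; ids and purposes are constructed."""
    t1 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2018, 6, 1, 14, 30, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("subj-0001", "marketing-email", "granted", "notice-v3", now=t1)
    ledger.record("subj-0001", "analytics-cookies", "granted", "notice-v3", now=t1)
    ledger.record("subj-0001", "marketing-email", "withdrawn", "notice-v3", now=t2)
    ledger.record("subj-0002", "marketing-email", "granted", "notice-v3", now=t2)

    result = {
        "email_consent_after_withdrawal": ledger.has_consent("subj-0001", "marketing-email"),
        "cookie_consent": ledger.has_consent("subj-0001", "analytics-cookies"),
        "unknown_subject": ledger.has_consent("subj-9999", "marketing-email"),
        "chain_valid": ledger.verify(),
        "subject_export_entries": len(json.loads(ledger.export_for_subject("subj-0001"))),
    }
    # A later rewrite of the withdrawal as a grant breaks the chain, so it no longer verifies.
    ledger.tamper_for_demo(2, action="granted")
    result["chain_valid_after_tamper"] = ledger.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Withdrawal is recorded as a new event rather than by deleting the grant, so the history of how and when consent was collected stays intact; `has_consent` only reports the latest state. In a real deployment the log would be persisted and the chain re-verified on read, and the export would be the basis for answering an access or portability request.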
Hire a web developer experienced in Privacy By Design
Web developers versed in Privacy By Design will approach your project with a compliance and data protection mindset. They will advise you on consent collecting and logging tools, encryption, anonymization, import/export of user data, how to secure and limit organizational access to data, breach prevention and testing, and compliance maintenance and monitoring.
Your privacy policy should state:
- Who you are
- What personal data you collect
- What categories (including sensitive)
- The consent or legal basis you collect it by
- Who data is shared with, including third parties
- How long you retain it or the basis for retention if a time period cannot be specified
- What consent and user rights people have regarding their data
- How they can contact you
- International data transfers