The European General Data Protection Regulation (GDPR), a form of data privacy regulation that was agreed upon by the European Parliament and Council in April 2016, will come into effect and replace the existing Data Protection Directive 95/46/EC this year on May 25.
The aim of the European data protection regulation is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” The regulation, which outlines rules for how the personal data of data subjects are handled by businesses and moves freely in and out of Europe, seeks to standardize previously inconsistent processes that varied from country to country. The regulation was instigated by the alarming rate of increases in data breaches and cyber crimes.
Understandably, you may be wondering or concerned about what these regulatory changes will mean for your U.S. business or organization. Below, I will highlight some of the key changes and have put together a GDPR compliance checklist to help ensure your business is ready by the May deadline.
GDPR Change Highlights
While many of the key principles of the existing legislation will remain the same, there also will be some noteworthy changes to the regulatory policies that have been outlined on the regulation’s official website. I’ve outlined a few of those changes below.
Expanding Regulatory Reach
By and far, the most significant change to the data privacy regulation comes in the form of the GDPR’s increased jurisdiction. Unlike its predecessor, the new legislation applies to “all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
What is Considered Personal Data
The GDPR aims to protect a wider variety of personal data, including personally identifiable information (PII) such as:
- Identity data (name, personal ID number, and address)
- Biometric data (retinal scans, fingerprints, etc.)
- Racial or ethnic data
- Health and genetic data
- Sexual orientation
- Political preferences and opinions
- Web data (IP address, location, RFID tags, and data from cookies)
In what is good news for your data subjects (such as consumers), the new General Data Protection Regulation strengthens the conditions for giving consent. Consent must be “clear and distinguishable” from other information and be written in “clear and plain language.”
GDPR Fines and Penalties
According to the official website, any organization that isn’t in compliance with this new legislation will face heavy GDPR penalties. The EU GDPR outlines a tiered approach to enforcing infringements, meaning that “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
How Will GDPR Requirements Affect Me?
For companies based in the U.S. that work with EU member states, the GDPR requirements will require changes to how they process, store, and protect customers’ personal data. Because these rules apply to both processors and controllers whose services operate in the EU member state areas, this means that cloud software-as-a-service (SaaS) companies in the U.S. that conduct business in those areas will not be exempt from GDPR enforcement.
GDPR Compliance Checklist
We’ve put together a 7-step GDPR compliance checklist to help you begin assessing whether your organization’s policies and procedures are in alignment with the new regulation.
1. Become GDPR Compliance Aware
As a leader within your organization, it’s important to ensure that all decision makers and key personnel are aware of the GDPR requirements and the impact of non-compliance.
- Identify key stakeholders within your organization to support GDPR compliance
- Determine whether one or more data protection officers (DPO) should be appointed
- Outline a reporting system within that GDPR compliance governance structure that would include the DPO (if applicable)
- Implement a GDPR compliance training program to ensure data protection is covered and employees are informed about policies and procedures
2. Perform a Personal Data Audit
In order to understand what personal data you hold, it’s important to document the types of data your company possesses, where it came from, whom it’s shared with, and how it’s shared.
- Review how all forms of personal data (employee, consumer, and other) are collected and handled, and for what purpose, by Human Resources and other personnel
- Review how your company monitors employees (CCTV, electronic communications, and internet usage)
- Assess how data is shared with other companies or controllers (safeguards and liability)
3. Review and Update Internal Policies and Procedures
The documented policies and procedures of your organization are the rules that help to ensure your employees follow ethical, compliant and standardized practices.
- Review your company policies to ensure they are compliant with the GDPR
- Make changes as necessary to ensure the collection, processing, use, and storage of data are in alignment with the new GDPR requirements
- Ensure access to personal data is restricted to only necessary personnel
- Assess response policies for data breaches and information security
- Document any lawful basis for your business’s practices of processing personal data
4. Update How You Collect Personal Data
Review your company’s marketing entry points (including websites, web forms, and in person) to ensure that they are compliant with the new GDPR requirements regarding how you're collecting EU citizens’ private information.
- Provide clear consent wording: Organizations are obligated to use clear, non-legalese language that allows the person to provide unambiguous consent. If your company collects personal information through a web form, Constellation recommends posting clearly how the information will be utilized.
- Include a cookie consent notice: As a best practice, include consent verbiage similar to the cookie consent notice on all web forms.
- Create an age-verification process: GDPR requires parental consent to collect or process the personal data of children under the age of 16. Create a dependent verification process such as a form and automated email notification to collect the parent's email and process a separate consent.
- Obtain Consent in Person: Obtain consent to collect personal data in person. If collecting personal data in person, such as at an event, for a testimonial video or at an in-store sign-up, ask for consent and include a check box or other field for the person to check or initial when the individual has agreed to be emailed.
- Validate the Country: Marketers should seek to ascertain whether a person's data is regulated by GDPR by adding a "Country of Residence" field to web forms. If at an in-person event, also ask for the individual's "Country of Residence." Note that on web forms this is a separate field from organizations that collect the "Country" of the company office or headquarters address. Organizations may need to create this as a new field in marketing automation or CRM solutions.
Reminder for Organizations Using IP Addresses for Country Validation: The Court of Justice of the European Union has ruled that IP addresses are considered "personal data" in certain circumstances. For GDPR consideration, if the IP address can identify an individual through logins, cookies, etc. (which many marketing automation systems can), then the IP address is covered under GDPR personal data. It's recommended that in this scenario, organizations remove the IP address validation from their marketing automation workflow.
5. Review Your Consent Policies and Practices
What this means for you is that businesses no longer can use the terms and conditions forms that are seemingly endless pages of “legalese.”
- Review consent policies to ensure consent is easy to give and withdraw
- Ensure that consent forms are easy to read
Review your company’s marketing and CRM system to ensure that it's compliant with the new GDPR requirements regarding EU citizens’ privacy.
- Send a reverification email (double opt-in): Consider sending all active EU contacts a new request to reverify their email address and renew their consent to receive email, mobile in-app, phone or direct mail communication.
- Confirm you have a preference center: Organizations should have a communications preference center that empowers customers to manage their communication preferences. A communications preference center is a central web destination where customers can opt in or opt out of subscriptions such as newsletters or notification emails about discounts or new products. GDPR mandates unambiguous consent to be obtained using clear and specific language. Thus, to ensure compliance with GDPR, the communications preference center should include clearly written descriptions of the subscriptions and the frequency at which the email will be sent. For B2B organizations, consent can be divided by product line and clearly indicate how often the individual will be contacted.
Review your company’s procedures to ensure that they are compliant with the new GDPR requirements regarding EU citizens’ privacy. If you don't already have one, create a Data Breach Plan!
- Right to access: Data subjects will now be able to obtain confirmation from the data controller about whether their personal data is being processed, by whom, and for what purpose. They also will be able to receive a free copy of said data in an electronic format.
- Right to be forgotten (data erasure): Data subjects now will have the right to erase their personal data and half any further dissemination of said information when they withdraw consent or the data is no longer being used for its original purpose.
- Right to be informed: Within 72 hours of becoming aware of any data breaches, all member states will now be required to notify all data subjects of any breaches that may “result in a risk for the rights and freedoms of individuals.”
How FPA Can Help to Prepare Your Business
While these new GDPR requirements are a significant step in the right direction for protecting consumers’ rights and personal data, it also means significant changes to how your business may approach the collection, use, storage, and sharing of information. This complex and far-reaching legislation will affect your business beyond simply data governance and information security concerns, and its impact will soon be felt at all levels of your organization.
Don’t simply view handling these regulatory changes as a threat; instead, view this task as an opportunity to enhance your organization and update its IT security, privacy, and data practices. And, the good news is that FPA is here to help you every step of the way. Regardless of whether your business is now just preparing for the regulation changes or is already part way through the process, our GDPR assessment can help you to assess the aforementioned areas of concern (and others) within your organization. We will work with your main GDPR stakeholders to ensure your business is compliant.
How will you prepare your business for the new GDPR Compliance? Reach out today or comment below to speak with me about how we can work together to prepare your business for the GDPR rollout in just a few months.