The EU General Data Protection Regulation (GDPR) is bringing about a lot of changes online. Cookie banners are going up, individuals are exercising their data rights, and subscribers are being asked to refresh their consent.
You've read about the GDPR. You know the implications for your business. You have a handle on how your company processes personal data, and why it's important to do this in a secure and transparent way.
Understanding the law is important. But complying with the GDPR isn't just an intellectual exercise. Let's take a look at the practical steps you can take to ensure that you're GDPR-prepared.
- 1. Why the GDPR is Important
- 1.1. Understanding the GDPR
- 1.2. Preparing for Compliance
- 2. Record Keeping
- 3. Legal Bases
- 3.1. Getting Consent Under GDPR
- 3.2. Conducting a Legitimate Interests Assessment
- 4. Security
- 4.1. Pseudonymization
- 4.2. Anonymization
- 5. Data Subject Rights
- 6. International Data Transfers
- 6.1. Standard Contractual Clauses
- 6.2. Privacy Shield
- 7. Data Protection Policy
- 7.1. On Your Website
- 7.2. In Other Policies
- 7.3. On Your Mobile App
- 7.4. In Emails
- 8. Summary of Your GDPR Preparation Planning Checklist
Why the GDPR is Important
The GDPR has forced many companies in many countries to take a step back and examine the ways in which they process personal data.
The GDPR's broad geographic scope means that it applies to any company, European or not, that offers goods or services to, or monitors the behaviour of, individuals in the EU (Article 3). This means that companies in many countries are experiencing a truly rigorous data protection law for the first time.
Complying with the GDPR just makes good business sense. It will show privacy-savvy EU customers that you're treating their personal data with respect. And it will help you to avoid litigation, data breaches, and some potentially crippling GDPR fines.
Understanding the GDPR
Here are some basic terms that you should understand in order to get to grips with the GDPR:
- Personal data - information that can be used, directly or indirectly, to identify a person (e.g. email address, IP address).
- Processing - any operation performed on that data (e.g. storing it, sending it).
- Data controller - a person or organization that determines the purposes and means of processing personal data.
- Data processor - a person or organization who processes personal data on behalf of a data controller.
Preparing for Compliance
Compliance with the GDPR consists of three stages:
- Readiness - understand the GDPR and map out your route to compliance.
- Preparation - take practical steps to make the necessary changes to your business.
- Ongoing compliance - carry out the day-to-day work of fulfilling the GDPR's requirements.
If you're reading this article, we're assuming that you're at stage two - Preparation. If you've yet to complete stage one, take a look at our GDPR Readiness Checklist.
Now we'll look at the practical changes you should implement to bring your company in line with EU privacy law.
Record Keeping
In the GDPR Readiness Checklist, we looked at how you should conduct a data audit, to map the personal data flows within your company. Once you have a handle on what personal data your business collects and processes, you can start documenting this.
Under Article 30 of the GDPR, you are required to keep records of your personal data processing activities. Companies with fewer than 250 employees are exempt from this requirement - unless the processing they carry out:
- Is likely to result in a risk to the rights and freedoms of data subjects,
- Is "not occasional," or
- Includes special category data or criminal conviction data
To comply with Article 30(1), a data controller must create a document containing the following information:
- Your company's name and contact details
- Your company's representative and/or Data Protection Officer, if you have either
- Details of any joint controllers
- Why you process personal data (the purposes of each processing activity)
- Whose personal data you process (your customers, employees, etc.)
- What types of personal data you process
- What types of organization you share personal data with
- Details of how you carry out any international transfers, and the safeguards relied on
- How long you expect to keep each category of data (the envisaged time limits for erasure), where possible
- A general description of your company's data security measures, where possible
A data processor has similar requirements, focused mainly on the data controllers on whose behalf it processes personal data. These are detailed at Article 30 (2).
Legal Bases
All data processing under the GDPR must take place under one of six legal bases. First, you must identify which of these legal bases applies to each type of data processing you do. Then you need to take some practical steps to make sure you're compliant.
Getting Consent Under GDPR
EU privacy law sets a very high standard for consent. Many companies find that they have been collecting their customers' consent in a way that is not valid under the GDPR.
"Implied" consent is not recognized under the GDPR - you must ask your users to consent via a "clear, affirmative act." If you're using tracking or advertising cookies, or any other cookie that isn't strictly necessary, you need to ensure that they are not set on your users' computer until they have consented. Strictly necessary cookies, such as one that simply records the user's consent choice, can be set without asking.
These two examples from Digital Route clearly show the difference between implied and affirmative consent. Here's a cookie banner from Digital Route that does not gain "clear, affirmative" consent:
There are two main problems with this cookie banner:
- "We assume that you consent" is not a phrase that really makes sense under the GDPR
- There's no easy option to decline - the user has to opt out by changing their browser settings
But take a look at this GDPR-compliant example, also from Digital Route:
There are three great things about Digital Route's second cookie banner:
- The user is allowed to accept or decline tracking cookies
- Both options are equally accessible
- The effect of choosing either option is clearly explained
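As an added illustration (not Digital Route's code, nor anything from the original page), here is the client-side logic behind a banner like the second one: tracking cookies are written only after an explicit choice, a recorded decline is honoured just like an accept, and the cookie that stores the choice is the only one set without consent. The cookie name, categories and lifetime are assumptions; the list of wanted tracking cookies is constructed sample data.

```javascript
// Added example, not Digital Route's code: consent-gated cookie logic.
// No browser globals are used, so the same functions run in Node; in a page
// you pass document.cookie in and write the returned Set-Cookie string back.
const CONSENT_COOKIE = "cookie_consent";          // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;       // assumed: re-ask after a year
const CATEGORIES = ["analytics", "marketing"];    // assumed non-essential categories

// Parse a Cookie header / document.cookie string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(idx + 1).trim()); } catch (e) { /* skip bad encoding */ }
  }
  return out;
}

// Read the recorded choice. Returns null when no valid record exists:
// absence of a record, or a malformed one, is never treated as consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (!rec || typeof rec !== "object" || !rec.choices || typeof rec.choices !== "object") return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// The banner is shown only while no choice has been recorded. A recorded
// "decline" is a real answer, so the user is not nagged on every page.
function shouldShowBanner(cookieString) {
  return readConsent(cookieString) === null;
}

// Build the consent record for an explicit choice. Every category defaults
// to false: only what the user switched on counts (no pre-ticked boxes).
function recordConsent(choices, now = Date.now()) {
  const normalized = {};
  for (const c of CATEGORIES) normalized[c] = choices[c] === true;
  const record = { version: 1, at: new Date(now).toISOString(), choices: normalized };
  const pair = `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}`;
  // Remembering the choice is strictly necessary, so this cookie itself
  // needs no consent. Secure and SameSite=Lax are sensible defaults.
  const setCookie = `${pair}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
  return { record, pair, setCookie };
}

// Filter the tracking cookies a page wants to set down to those the user
// has affirmatively allowed. candidates: [{ name, category, value }].
function allowedCookies(cookieString, candidates) {
  const consent = readConsent(cookieString);
  if (consent === null) return [];
  return candidates.filter((c) => consent.choices[c.category] === true);
}

// Constructed demo: the cookies an analytics/ads integration would like to set.
const WANTED = [
  { name: "_ga", category: "analytics", value: "GA1.1.constructed" },
  { name: "ad_id", category: "marketing", value: "constructed" },
];

function demo() {
  const firstVisit = "session=abc123";                          // no choice yet
  const declined = recordConsent({}).pair;                      // user clicked "Decline"
  const analyticsOnly = recordConsent({ analytics: true }).pair; // granular accept
  return {
    beforeChoice: allowedCookies(firstVisit, WANTED).map((c) => c.name),       // []
    afterDecline: allowedCookies(declined, WANTED).map((c) => c.name),         // []
    afterAnalyticsOnly: allowedCookies(analyticsOnly, WANTED).map((c) => c.name), // ["_ga"]
    bannerAfterDecline: shouldShowBanner(declined),                            // false
  };
}
```

The point of `recordConsent({})` is that a decline produces a real record with every category set to false, so the banner stops appearing and no tracking cookie is ever written; the page only ever consults `allowedCookies` before setting anything non-essential.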
There's another common bad habit around gaining consent - the pre-ticked box. Pre-ticked boxes have to go. If you're asking users to opt out rather than in, you aren't earning their "clear, affirmative" consent.
This is simple enough to implement. Don't try to "trick" your users into consenting - give them a free choice.
Here's an example from Auger:
There are five great things about Auger's marketing consent request:
- There are no pre-ticked boxes
- The user is given options about what they are consenting to (known as "granularity")
- The newsletter is honestly described as a "marketing" newsletter
- The user will be asked to confirm consent after receiving the first email (a "double opt-in")
- Auger's Privacy Policy is presented to users before they subscribe.
Conducting a Legitimate Interests Assessment
Chances are that you will not be seeking consent for every act of personal data processing that you do. In some cases, it will be in your legitimate interests to process personal data in a particular way.
If you're hoping to rely on the legal basis of legitimate interests, you must conduct a Legitimate Interests Assessment. The UK's Data Protection Authority, the Information Commissioner's Office (ICO), suggests a three-part test that you can use to assess whether legitimate interests is an appropriate legal basis for a particular method of data processing.
Here's how the ICO explains the three stages of its three-part test:
- The purpose test (identify the legitimate interest),
- The necessity test (consider if the processing is necessary), and
- The balancing test (consider the individual's interests)
The Legitimate Interests Assessment is essentially a way to determine whether your company will be infringing anyone's privacy rights by processing personal data in a particular way. Keep a record of each assessment, so that you can demonstrate it to your Data Protection Authority on request, and state in your Data Protection Policy which legitimate interests you rely on, as Article 13 requires.
Here's how Blackbaud explains its Legitimate Interests Assessment in its Privacy Policy:
Security
The GDPR requires that you build data protection into your systems "by design and by default" (Article 25), and that you apply security measures appropriate to the risk (Article 32). This means taking specific technical measures to protect personal data, rather than relying on policy alone.
Pseudonymization
Pseudonymization is a method of disguising the "personal" aspects of personal data. The data can still be linked back to its owner - but only by using additional information, which is kept separately.
This method of data protection is specifically recommended in the GDPR at Articles 25 and 32 and Recital 78. It's defined at Article 4(5) and discussed at Recitals 28 and 29.
There are many methods of pseudonymizing data including:
- Encryption
- Hashing
- Tokenization
You may find that your company already applies such techniques to storing passwords or payment information. Where viable, you should roll out such practices to all the personal data you process.
The aim is to render personal data unintelligible in the event of a data breach, but usable in day-to-day operations. Two caveats apply. First, the "additional information" (the encryption key, the HMAC secret or the token lookup table) must be stored separately from the data and protected with stricter access controls, or the pseudonymization buys you nothing. Second, an unkeyed hash of a low-entropy identifier such as an email address or phone number is weak pseudonymization: an attacker can hash a list of likely values and match the digests. Pseudonymization also doesn't allow you to circumvent security obligations. Pseudonymized personal data should be treated as personal data because the process is reversible (Recital 26).
Anonymization
Anonymization ensures that the owner of the personal data cannot be identified at all. Once personal data has been fully anonymized, it is no longer personal data.
Ultimately, truly anonymized data no longer falls under the scope of the GDPR. It is a very secure way to treat personal data. However, it will also be impossible to work with this type of data in many circumstances.
The ICO provides some guidance on anonymization. Here's an example of how data might be anonymized.
The example below contains multiple pieces of personal data. In certain contexts it will not be necessary to retain this personal data.
In this example, all personal data has been "scrubbed."
If this data were compromised, it would be inconsequential for the interviewee. It is no longer personal data, so the GDPR's security obligations no longer attach to it. The test (Recital 26) is whether anyone is reasonably likely to re-identify the individual by any means, including combining the data with other data sets; removing names alone is often not enough when ages, locations, job titles or dates remain.
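As an added example that goes a step beyond the page's scrubbed transcript (this is neither the ICO's code nor the original page's), here is how to anonymize a constructed table of survey responses and then verify the result with a k-anonymity check: direct identifiers are dropped, age and postcode are generalized, and any row whose combination of age band and area is unique is suppressed rather than released. The postcode handling assumes UK-style outward/inward codes; the responses are constructed sample data.

```javascript
// Added example, not from the ICO guidance or the original page: anonymize a
// constructed set of survey responses and check the result for k-anonymity
// (every combination of quasi-identifiers shared by at least k rows).
const RESPONSES = [ // constructed sample data
  { name: "A. Smith", email: "a.smith@example.com", age: 34, postcode: "SW1A 1AA", answer: "yes" },
  { name: "B. Jones", email: "b.jones@example.com", age: 37, postcode: "SW1A 2BB", answer: "no" },
  { name: "C. Brown", email: "c.brown@example.com", age: 52, postcode: "EC1A 1BB", answer: "yes" },
  { name: "D. Patel", email: "d.patel@example.com", age: 58, postcode: "EC1A 9ZZ", answer: "yes" },
  { name: "E. Khan",  email: "e.khan@example.com",  age: 71, postcode: "W1A 0AX",  answer: "no" },
];

const QUASI = ["ageBand", "area"];   // columns an attacker could match against other data

// Generalize age to a ten-year band, e.g. 34 -> "30-39".
function generalizeAge(age) {
  const lo = Math.floor(age / 10) * 10;
  return `${lo}-${lo + 9}`;
}
// Keep only the outward code (assumes UK-style "OUTWARD INWARD" postcodes).
function generalizePostcode(postcode) {
  return postcode.trim().split(/\s+/)[0].toUpperCase();
}

// Step 1: drop direct identifiers (name, email), generalize quasi-identifiers.
function anonymize(rows) {
  return rows.map(({ age, postcode, answer }) => ({
    ageBand: generalizeAge(age),
    area: generalizePostcode(postcode),
    answer,
  }));
}

function groupKey(row, quasi) { return quasi.map((q) => row[q]).join("|"); }

function groupCounts(rows, quasi) {
  const counts = new Map();
  for (const r of rows) {
    const key = groupKey(r, quasi);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Step 2: measure k = size of the smallest quasi-identifier group.
function kAnonymity(rows, quasi) {
  const counts = groupCounts(rows, quasi);
  return counts.size === 0 ? 0 : Math.min(...counts.values());
}

// Step 3: suppress rows in groups smaller than k rather than publish them;
// a lone "70-79 / W1A" row would still single out one respondent.
function enforceK(rows, quasi, k) {
  const counts = groupCounts(rows, quasi);
  return rows.filter((r) => counts.get(groupKey(r, quasi)) >= k);
}

function demo(k = 2) {
  const scrubbed = anonymize(RESPONSES);
  const released = enforceK(scrubbed, QUASI, k);
  return {
    scrubbedK: kAnonymity(scrubbed, QUASI),   // 1: the 70-79/W1A row stands alone
    released,                                 // 4 rows
    releasedK: kAnonymity(released, QUASI),   // 2
  };
}
```

Generalization trades precision for safety; the right level of k and the right quasi-identifier list depend on what other data sets a recipient could plausibly join against, which is the "means reasonably likely to be used" question in Recital 26.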
Data Subject Rights
You need to take practical steps to ensure you're ready to facilitate your users' data subject rights. Failing to fulfill requests under these rights can lead to the involvement of your Data Protection Authority, fines or private legal action. Having a system whereby you can respond to requests within the one-month deadline is in your interests. (Article 12 lets you extend this by two further months for complex or numerous requests, provided you tell the individual within the first month.)
You can provide a form on your website that will allow your users to make data subject rights requests.
For example, Her Majesty's Passport Office provides a .doc form for this purpose.
The University of Cambridge provides a form for requests under the right of access, and gives the following advice for those wishing to submit requests under other rights:
Under the right to data portability (Article 20) you must provide users with a copy of their personal data in a structured, commonly used and machine-readable format. The ICO gives CSV, XML and JSON as examples of acceptable file types.
Here's how Stripe facilitates the right to data portability:
Other requests might be facilitated in other ways. It almost goes without saying that you should have an unsubscribe link in your marketing emails. This is one way to partly facilitate the right to object.
International Data Transfers
If you're based in the EU and you want to transfer personal data overseas, you'll need to make sure the transfer meets certain conditions. You'll have considered this as part of your GDPR Readiness Checklist.
The European Commission has approved the following countries for international data transfers:
- Andorra
- Argentina
- Canada (commercial organisations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Jersey
- New Zealand
- Switzerland
- Uruguay
- The United States of America (limited to the Privacy Shield Framework)
If your recipient is in a country without an adequacy decision, you'll need to put appropriate safeguards in place (Article 46), such as the Standard Contractual Clauses described next, before you're allowed to transfer personal data out of the EU. The same applies to transfers to your own offices or group companies in such a country.
Standard Contractual Clauses
When transferring data from the EU to a non-approved third country, you'll need to have a contract in place. The European Commission has produced "model contracts" (Standard Contractual Clauses) designed to facilitate such data transfers between data controllers, or between data controllers and data processors. (The Commission replaced these with a single modular set of Standard Contractual Clauses in June 2021; contracts still relying on the old sets had to be migrated by the end of 2022.)
Here's a small sample of a model contract that can be used between two data controllers:
A clause such as this makes the security obligation part of the contract: each party commits to protecting the transferred personal data to the standard the GDPR requires, and the data subject can rely on that commitment.
Privacy Shield
The United States is not one of the European Commission's approved countries. But there's still a way for US companies to ensure that they can easily transfer personal data out of the EU.
If you're based in the US, you will wish to consider joining the Privacy Shield. Privacy Shield certification requires you to demonstrate that your company's data protection practices are up to par. It's a long process, but it will save you a lot of trouble long term. Note that this describes the position at the time of writing: in July 2020 the Court of Justice of the EU invalidated the Privacy Shield (the Schrems II judgment), and in July 2023 the Commission adopted an adequacy decision for its successor, the EU-US Data Privacy Framework, which uses the same self-certification model.
Data Protection Policy
Having written up a GDPR-compliant Data Protection Policy (also known as a Privacy Policy) during the "Readiness" phase, you'll need to take steps to ensure that it's easily accessible to your users.
You'll need to upload the Policy to your website and ensure that a link to your Data Protection Policy is never far away whenever a user interacts with your company.
On Your Website
Ensure your Data Protection Policy is ever-present throughout your website by adding it to a header or footer that persists as users navigate your site. Here's an example from eBay, which splits its privacy information across several policies:
If users can make purchases on your website, you should display your Data Protection Policy at checkout.
Here's how Amazon does this:
If you ask users to create an account, present your Data Protection Policy before they do so.
Here's how LinkedIn does this:
You should also add a Privacy Policy link to your cookie banner, as the New Yorker does:
In Other Policies
Make sure your Data Protection Policy is accessible via other policies you might have, such as your Terms and Conditions.
Here's how Procter & Gamble references its Privacy Statement in its website Terms of Use:
On Your Mobile App
You must remember to make your Data Protection Policy available on your mobile app if you have one. You can provide this in your app's settings or legal menu.
Here's an example from the BBC Weather app:
In Emails
Link to your Data Protection Policy in the footer or signature of every automated email you send. This is particularly important in the case of marketing emails.
Here's an example from Capital One:
Summary of Your GDPR Preparation Planning Checklist
Once you've made these changes to your company's systems and website, you'll have completed the Preparation stage. Compliance is then ongoing work: keep these records and mechanisms current as your processing changes.
Have you...
- Made records of your data processing activities (if your company is required by the GDPR to do so)?
- Put up GDPR-compliant consent mechanisms across your website?
- Conducted a Legitimate Interests Assessment?
- Implemented suitable data protection methods across your company, such as pseudonymization and anonymization?
- Provided methods by which your users can exercise their data subject rights?
- Ensured that you have suitable contracts in place, to allow for any international transfers?
- Uploaded your Data Protection Policy to your website?
- Placed prominent links to your Data Protection Policy across your website, policies, mobile app and email signature?