Today, the protection of data and how it is used in the digital world remains a topic of discussion. And while you may think the conversation grew out of the Cambridge Analytica-Facebook controversy of the past month, it actually started nearly two years ago, with the passage of the General Data Protection Regulation in April 2016.
Please note: This document is issued for informational purposes only. We are not attorneys, and this is not intended to constitute legal advice. The information contained herein does not constitute legal opinion and should not be regarded as a substitute for legal advice. Given the importance of the subject matter, if you have any legal questions about the information or topic presented here, we definitely recommend you seek the advice of an attorney.
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) was created by the European Parliament and Council and is designed to limit the amount of data brands can collect from users based in the EU. This new law will go into effect on May 25, 2018 in the European Union.
Its intent is to promote the protection of consumer personal data and privacy rights. Once in effect, it will require sites to update their processes and functionality in order to:
- Inform users what personal data the brand is asking them to share
- Prompt users to provide active consent for the brand to collect that data, or opt out of having it collected
- Provide users with access to their data and allow users to easily erase it
The regulation aims to minimize data collection, retention, and processing, and requires that these actions only occur in relation to a transparent business need. Companies must take measures to protect data and implement data breach protocols.
Failure to follow the new regulations can result in fines up to a hefty €20 million or 4% of global sales (whichever is larger) for major infractions and up to €10 million or 4% of global sales for other violations.
WHAT DATA IS COVERED IN THE GDPR?
The regulation covers many different types of data, which can be grouped into the following categories:
- E-mail address
- Phone number
- Financial information
- Cookie identifiers
- Device ID
- IP/Client ID
- Login IDs
- Health and genetic data
- Biometrics data
- Race or ethnicity
- Political opinions
- Sexual orientation
- Customer loyalty data
- Social media posts
Even information that isn’t personally identifying on its own, such as race, can be considered personal data if it can be combined with other collected data points to effectively identify an individual. Data Controllers and Data Processors must minimize the collection of, and protect, the personal data of Data Subjects, especially children under 16.
GDPR ONLY IMPACTS THE EUROPEAN UNION, RIGHT?
No. It is a global regulation, and compliance is mandatory for all companies that have potential customers in the EU. This means that even if your operations are based in the U.S., if you use data to market and sell products or services to customers (or website visitors) who may reside in the EU, this legislation applies to you. And non-compliance means exposure to those large fines.
GDPR COMPLIANCE CHECKLIST
To ensure compliance with the new GDPR regulations, there are three overarching areas in which to act.
Evaluate and Educate
To put GDPR into practice within an organization, it’s important that all stakeholders understand the implications of what is required.
- Ensure stakeholders are familiar with new provisions
- Integrate Marketing and IT departments on a compliance action plan
- Inventory data and review existing systems to identify potential issues
- Complete data flow mapping and privacy assessment
- Review policies for data collection, retention, and usage
- Document measures taken toward compliance
Once the education process has been completed and all stakeholders understand how they are involved, the next steps center on how users will engage with your company’s use of their data and the consent they have given you.
- Craft statement of consent and implement procedures for storing status of consent
- Create means by which users can request data or revoke consent
Data Protection Measures
The following steps will give your company confidence that user information and data is secure and won’t be abused by third parties.
- Hire or appoint a Data Protection Officer – this can be an existing employee, a primary appointment, or a virtual/consultant
- Ensure third parties are compliant
- Implement vendor management/contract revisions
- Implement tools and data protocols that ensure privacy
- Review and ensure protection of data within mobile apps
- Put Data Breach Protocols into place
Red Door Interactive is obligated to be compliant in our own practices, as well as in our strategy and execution for clients. We recommend that you follow the best practices checklist we have developed to ensure your brand is compliant with the GDPR regulations.
If you need some guidance to ensure your brand is set up for success when GDPR goes into effect, we offer the following services to help:
- Compliance Assessment
  - Complete audit of existing data and collection applications to identify GDPR gaps
- Data Breach Policy and Procedures
  - Develop policies and procedures that allow your company to meet the 72-hour breach notification window
- Consent Applications
  - Craft boilerplate language for consent and transparency that your attorney can review and revise or approve
  - Build web applications and data systems that capture and store consent, or recommend third-party tools to deploy
  - Implement data portability, encryption and forgettability
As this situation evolves, we will update you about the potential implications for brands. Have more questions about how GDPR might affect you? Contact us today.