The European Union's new GDPR (General Data Protection Regulation) becomes effective on May 25th, 2018. Here's what we understand about the privacy law: what the implications are, who will be impacted by them, and how businesses can remain compliant.
What is the General Data Protection Regulation?
The European Union’s General Data Protection Regulation (GDPR) is a new privacy law related to the collection and processing of personal data, specifically that of EU citizens. Any organization that collects personal data from European citizens throughout the course of their business cycle is subject to full compliance. The GDPR's extraterritorial scope, among nations outside the EU, is likely to include many organizations that are based within the United States. It is advised that all companies strongly consider becoming GDPR compliant soon, as the regulation is coming into effect on May 25, 2018.
Within the scope of the GDPR, "personal data" is defined as any piece of data that, used alone or with other data, could identify a person. This includes information such as name, identification number, location data, and email address, among other online identifiers.
The rights of individuals concerning personal data are also outlined in the GDPR. Citizens of the European Union will now have the right to ask for details about the way you use their personal data and companies should be able to perform certain actions on demand for EU data subjects (persons). This could include various requests such as having their data provided to them, corrected, prohibited from certain users, or removed completely.
The GDPR especially emphasizes the importance of collecting customer consent. According to the European Commission, consent “must be explicit for data collected and the purposes data is used for.” Meaning that companies must provide transparent communication regarding data processing and customers must then consent to these terms before their data is collected. Users must then be able to give, decline, or withdraw consent (depending on the regional law). The regulation specifically notes that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” methodology. This means no pre-checked boxes may be used during data collection as those constitute as “opt-out” mechanisms. It is also crucial that companies devise a way to keep clear records specifically related to the consent attained.
Which U.S. Companies are Impacted by the GDPR?
It is our understanding that the new law applies to any company that collects, processes and/or retains data about persons within the European Union, regardless of citizenship or nationality. This means that if you do any business in Europe, or collect any data from EU citizens, then the new GDPR law has the potential to impact your business—even if you are based in the United States. If you store personal information on your website (form submissions, newsletter lists etc.) then it is highly suggested that you evaluate your website for GDPR compliance. Additionally, we also understand that any business conducted with EU citizens who are located elsewhere, including the United States, will be impacted by this law.
There are four suggested rules of thumb for determining whether your organization falls under the territorial scope of the GDPR:
-
The new regulations will apply to you if your company has an establishment in the EU. Under this definition, even branches, subsidiaries and joint ventures will count as an “establishment” as far as the GDPR is concerned.
-
If your company exhibits an intent to collect and process information on EU data subjects for marketing companies, the GDPR will apply to you. Also. if your website accepts EU currencies, collects EU email addresses or can be translated in EU languages then it certainly falls under the GDPR’s territorial scope.
-
If your company, regardless of location, monitors EU data subjects through an advertising technology platform (e.g. technology that can track or profile EU residents on the internet) then you will need to be prepared for the GDPR and related Cookie Law.
-
Lastly, your company is certainly subject to GDPR compliance if you have any employees located in the EU. The new regulations have specific rules related to employee monitoring. You will need your employee’s consent to have personal data processed and transferred across borders.
Privacy and Cookie Laws
It should come as no surprise that companies must ensure that their websites have a comprehensive and up-to-date privacy and cookie policy in place. This is particularly important if the site uses any third-party apps. Considering that many apps and services have updated their policy to comply with the new regulations, they now require that other websites and apps do the same. Regarding data collection, popular services and tools provided by Google (think Google Analytics, Adsense, etc.) have now become GDPR compliant, and as a result require any analytics users to update their privacy and cookie policy in order to continue use of services. Your new privacy policy must explicitly state which services are used on your website to collect data (e.g. contact forms and newsletter subscriptions), as well as which third-party applications are used to collect services (e.g. Google Analytics, social widgets, payment processing services, etc.).
In addition to drafting a new policy, companies must also comply with the Cookie Law (see also: ePrivacy Directive)which states that users need to be informed about cookie use and given the option to consent or decline. Not all cookies are used to identify users, but the majority are and will be subject to the GDPR. Implied consent is no longer sufficient (i.e. “by using this site you, accept cookies”). It is also important to note the distinction between the Cookie Law requirements and the Terms & Conditions page on your website. Just because a user has accepted the Terms & Conditions listed on your site, it does not mean that they have consented to data collection. If the users have not been given a “free choice” to consent to cookies, then the data collection is not valid; websites must make it possible for the user to both accept or reject cookies. Furthermore, it must be as easy to withdraw consent as it is to give it, meaning that if you ask for consent through opt-in boxes in a settings menu, then users must be able to return to that menu to adjust their preferences at any time.
Preparing for the GDPR
While our official policy is to recommend that clients seek out qualified, legal counsel; there are many resources online for generating new GDPR compliant privacy and cookie policies. If you do choose to draft your privacy policy, be sure to state the ways in which your website collects or stores data and explicitly identify which internal or third-party applications are processing it. You will want to expressly distinguish these applications (Google Analytics, MailChimp, contact forms, etc.), and list what kinds of data are collected (personal data, cookies etc.) as well as the purposes for collecting this data.
It is suggested that websites, particularly the ones belonging to U.S. companies, utilize a “soft opt-in” option in the cookie collection sequence. According to the EU Cookie Law this means “giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.” Most companies are making use of banners and drop down menu selections to allow site visitors to freely consent to cookie tracking before their data is collected.
Penalties for Non-Compliance
The European Commission has disclosed that the maximum fine that can be imposed on organizations for breaching the GDPR is 4% of annual global turnover or €20 Million. This fine applies to the most serious infringements, e.g. not having a sufficient customer consent to process data, or violating the core of Privacy by Design concepts. Article 28 states that a company can be fined 2% for not having their records in order, not notifying supervising authority and data subject about a breach, or not conducting impact assessment. Apart from these examples, companies can expect to face a specific and tiered approach to fines, one that is based off of the severity of their violation.”
Even though the law will be officially enacted on May 25th, 2018, Forrester Research, a reputable business and market intelligence company, has predicted that “80 percent of the firms required to comply with the GDPR will not meet the May 25 deadline.” So any companies worried about not meeting full GDPR compliance by the projected due date, can at least take solace in the fact that they are not likely to be the only ones at risk. Furthermore, of that 80 percent, Forrester has estimated that “50 percent have considered the cost and risks of non-compliance and decided it is in their best interest not to comply.”
How DesignHammer is Working Towards GDPR Compliance
DesignHammer has partnered with iubenda, a provider of attorney-level compliance solutions for businesses who must adhere to the new GDPR law. Iubenda provides a comprehensive generator for custom-building privacy and cookie policies to include only the specific applications and web services that are used on your site (iubenda offers 600 services to choose from).
The company also offers solutions for EU Cookie Policy compliance, such as a customizable cookie banner generator that “seamlessly collects consent and implements prior blocking with asynchronous re-activation”. Cookie solutions are a requirement for any sites that can be visited by European users, especially ones that install non-technical cookies, e.g. via script like Google Analytics or via a Facebook share button. Because our website’s privacy and cookie policies are hosted by iubenda, this means that they will automatically update to satisfy the requirements of any current and/or future legal developments without our intervention.
[Disclaimer] This blog post should not be understood as legal advice for your company, but rather a framework for preparing your website for GDPR compliance. If your business conducts business in the EU, or if you suspect that your website is visited by any number of EU data subjects, then we highly suggest consulting an attorney that is familiar with the new laws.
Looking for GDPR assistance? Let us help!
More Resources on the GDPR:
Add new comment