What Does GDPR Mean for the Enterprise?

Posted 1 month ago by Rian Kinney, Esq.

Getting your Legal, Marketing and Technology Teams on the Same Page

Today, it’s more important than ever for marketing, technology and legal teams to work together to focus on a cohesive result rather than crossing the departments’ independent “finish lines.” As an attorney focused on technology, I see that as organizations cast a wider global net in marketing, they need to get their legal teams more involved, because advertising globally raises jurisdictional and legal compliance issues.

With the May 25, 2018, enforcement date looming, there’s been much discussion about General Data Protection Regulation (GDPR), an international privacy law enacted by the European Union that restricts how personal data is collected and handled. To say nothing of the public relations nightmare in store for organizations that fail to comply, the new regulation will include a tiered-fine approach that allows for penalties of up to 4 percent of a company’s annual global turnover or €20 million (whichever is higher), greatly impacting the Enterprise sector.

GDPR: A European Law With Global Impact

No matter where your company is located, if it has an online presence, it will likely be affected by GDPR. Because the regulation’s aim is to ensure that users know, understand and consent to private data being collected about them, companies are now required to be clear and concise about their collection and use of personal and sensitive data. This includes information such as the user’s name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.

Unlike previous laws, under GDPR the obligation for compliance arises when personal data is collected from people located within the European Union and Great Britain, regardless of the user's citizenship or nationality and regardless of where the collector or processor is headquartered or where the data is actually stored. And, with the definition of personal data being expanded to include IP addresses, GDPR – which has been hailed as the most inclusive and comprehensive privacy law in the world – will apply to virtually all websites and businesses worldwide.

In the United States, privacy laws have applied at a state and federal level for years, but without a unified body of laws or enforcement infrastructure and budget, enforcement has been primarily reactionary (and seemingly arbitrary). In stark contrast, the EU and Great Britain have experience with creating and enforcing regulatory systems across borders, as evidenced by the prosecution of companies failing to comply with value added tax (VAT) requirements. While we don’t yet know how vigorously the EU intends to prosecute for non-compliance, they’ve certainly made it clear they intend to – the European Union and EU Member States have dedicated millions of Euros to establish National Protection Authorities to implement and enforce data protection laws.

The GDPR has made privacy by design a legal requirement. What does this mean? How do you do this?

For Businesses, Data Protection Is Now A Legal Requirement

In short, GDPR will require an overhaul of the way companies conduct business online, design their websites and manage their users’ data. While the concept of Privacy by Design has existed for years, GDPR now makes designing data protection into a system a legal requirement from the outset. The GDPR requires controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization) and to limit access to personal data to those who need it to carry out the processing. As a result, companies will now have to assess where and how they collect data; how securely data is stored and for how long, taking measures not to retain personal or sensitive data longer than is necessary; and which employees, plug-ins, vendors and third parties have access to specific user data.

Conduct A Privacy Impact Assessment

In the past, companies may have had a more fragmented approach to web development with different departments (executive, compliance, legal, IT, etc.) providing input or signing off on web development at different stages. These departments now need to collaborate and complete a Privacy Impact Assessment (PIA) to create a cohesive strategy, either prior to or while consulting with their web developers, to ensure efficient engineering and compliance with GDPR’s stringent requirements. Consulting with an Enterprise agency that has experience creating complex and secure infrastructures and managing sensitive user data is now a legal necessity.

You should conduct a Privacy Impact Assessment if you:

  • Use new technologies
  • Use systematic and extensive profiling, automated decision making, or special category data to make significant decisions about someone’s access to a service, opportunity or benefit
  • Carry out profiling on a large scale
  • Process biometric or genetic data
  • Combine, compare or match data from multiple sources
  • Process personal data in a way which involves tracking individuals’ online or offline location or behavior
  • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them
  • Process special category data or criminal offense data on a large scale
  • Systematically monitor a publicly accessible place on a large scale

By considering privacy and data protection during the Requirements phase of your project, you can sidestep increased costs down the road. Crowd Favorite, in particular, offers a ‘privacy by design’ service within its Digital Strategy consulting offerings. This service combines decades of software development and commercial website experience with the data protection expertise gained through working with either internal legal departments or firms such as my own. A thorough Privacy Impact Assessment will help your organization implement effective processes for handling your customers’ personal data by reviewing and documenting information flows, identifying and mitigating risks, and integrating solutions into business processes and project plans to protect and manage information that customers have shared. And, the Privacy Impact Assessment is also the first step in complying with the records requirement of data processing, under Article 30 of the GDPR.

Consider New Roles and Responsibilities for Data Collection

Previous privacy laws applied only to Data Controllers (the party that determines how and why personal data is collected for a website or app). The GDPR broadened its scope to include Data Processors (parties that collect, store and maintain user data) and set forth specific requirements for processors. So while the website owner may have been subject to previous protection laws, their cloud-based CRM, payment processor and IT servicer may have been exempt; now controllers and processors are jointly liable for compliance with GDPR.

According to Article 83, fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.” This requires greater consideration for where data is being sent, stored and processed. Data controllers are responsible for having contracts in place with processors ensuring compliance with GDPR.

With a majority of enterprises processing and storing data on their servers and meeting the GDPR’s definitions for both controllers and processors, they must comply with the front-facing User Rights and Consent requirements, as well as the Backend requirements outlined in the GDPR including, but not limited to, Security, conducting Data Protection Impact Assessments, Keeping Written Records, appointing a qualified Data Protection Officer, etc.

You are required to appoint a Data Protection Officer if:

  • You are a public authority or body
  • Your core activities require regular and systematic processing of data subjects on a large scale
    • While the GDPR hasn’t expressly defined “processing of data subjects” on a large scale, examples of large-scale processing include:
      • Processing data for behavioral advertising
      • Processing client data by financial institutions
      • Social media websites
      • Grocery/Food Delivery/Shared Ride apps using consumers’ real-time geolocation data for tracking
  • Your core activities consist of large-scale processing of special categories of personal data or data relating to criminal convictions/offenses
    • ‘Special categories of personal data’ is defined in Article 9 of the GDPR and includes data which would reveal information such as:
      • health data/healthcare providers storing patient information
      • ethnic origin
      • personal/political opinions
      • religious beliefs

Because failing to appoint a DPO can result in fines of up to 10.000.000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher, the Article 29 Working Party (which interprets the GDPR) recommends that most Enterprises voluntarily err on the side of appointing a DPO, whether obligated to by law or not.

The GDPR outlines who may and may not serve as a DPO for your organization. The DPO must have expert knowledge of national and European data protection laws and ethics, understand how to create, manage and update data protection programs, train staff, and serve as liaison between the organization and the supervisory authority. Because this is a newly created professional role with substantial legal responsibilities and consequences, many organizations are hiring technology and privacy lawyers, internally or externally, to serve as their appointed Data Protection Officer.

Develop Your Project with Different Types of Data and Consent in Mind

GDPR will impact how you work in terms of business processes and project planning. These changes are cross-disciplinary and should involve your development, UX, marketing, legal, and management teams.

- Heather Burns (Digital Law and Policy Specialist)

GDPR differentiates the type of data collected between personal data and sensitive data, and the different responsibilities and consent required for each.

Examples of Personal Data:

  • Name
  • Phone Number
  • Address
  • E-mail address
  • Photo
  • IP Address
  • Cookie Data/RFID Tags

For Personal Data, clear and unambiguous consent is required. Someone affirmatively entering their name or e-mail address into a field will meet this standard.

Examples of Sensitive Data:

  • Health and Genetic Data (height, weight, etc.)
  • Biometrics/Browser Fingerprint
  • Racial or Ethnic Data
  • Political Opinions or Philosophical Beliefs
  • Trade Union Membership
  • Sexual Orientation

Sensitive Data requires explicit, clear and unambiguous consent, and the user must know why their information is being collected; nothing short of “opt in” will suffice. The user must enter the data and acknowledge consent by manually checking a box – pre-checked boxes or silence do not meet the explicit consent required by GDPR. Records must be kept regarding when and how consent was given and whether and when it was withdrawn.
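One way a development team can turn the consent rules above into code is an append-only consent ledger that refuses the mechanisms GDPR does not accept (pre-checked boxes, silence), insists on an explicit opt-in action for sensitive data, and keeps the when/how record for both consent and withdrawal. The following is an added illustration, not code from the original post or from Crowd Favorite or The Kinney Firm; the mechanism labels, purpose names and user ids are constructed for the demo.

```python
"""Consent ledger illustrating the GDPR consent rules described in the article.

Added example with constructed data. Assumptions (not from the article):
consent is tracked per (subject, purpose) pair, and the mechanism labels
below are our own names for how a user's choice was captured.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Mechanisms the article says do NOT amount to consent under GDPR.
NOT_CONSENT = {"pre_checked_box", "silence", "inactivity"}
# The explicit opt-in that sensitive (special-category) data requires:
# the user ticked the box themselves.
EXPLICIT_OPT_IN = "checkbox_ticked_by_user"
# Affirmatively entering data into a field is enough for ordinary personal data.
AFFIRMATIVE_ENTRY = "data_entered_by_user"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # what the data is collected for, e.g. "newsletter"
    sensitive: bool   # True for special-category data (Article 9)
    action: str       # "given" or "withdrawn"
    mechanism: str    # how the choice was captured (the "how" of the record)
    at: datetime      # when it happened, UTC (the "when" of the record)


class ConsentLedger:
    """Append-only record of consent given and withdrawn; nothing is ever deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_given(self, subject_id: str, purpose: str, sensitive: bool,
                     mechanism: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Reject anything GDPR does not treat as consent at all.
        if mechanism in NOT_CONSENT:
            raise ValueError(f"{mechanism!r} does not constitute consent under GDPR")
        # Sensitive data: only a box the user ticked themselves is explicit enough.
        if sensitive and mechanism != EXPLICIT_OPT_IN:
            raise ValueError("special-category data requires an explicit opt-in action")
        if not sensitive and mechanism not in (EXPLICIT_OPT_IN, AFFIRMATIVE_ENTRY):
            raise ValueError(f"unrecognised consent mechanism: {mechanism!r}")
        event = ConsentEvent(subject_id, purpose, sensitive, "given",
                             mechanism, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def record_withdrawn(self, subject_id: str, purpose: str, mechanism: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        previous = self._latest(subject_id, purpose)
        if previous is None:
            raise ValueError("no consent on record to withdraw for this purpose")
        event = ConsentEvent(subject_id, purpose, previous.sensitive, "withdrawn",
                             mechanism, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Current state: the most recent event for the pair decides."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.action == "given"

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first (for audits and access requests)."""
        return [e for e in self._events if e.subject_id == subject_id]

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None


def _rejected(action: Callable[[], object]) -> bool:
    """True if the ledger refused the attempted record."""
    try:
        action()
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Constructed scenario: what the ledger accepts, refuses and remembers."""
    ledger = ConsentLedger()
    results = {}
    # Ordinary personal data: typing an e-mail address into a field is enough.
    ledger.record_given("user-42", "newsletter", sensitive=False, mechanism=AFFIRMATIVE_ENTRY)
    results["newsletter_consent"] = ledger.has_consent("user-42", "newsletter")
    # Sensitive data from a pre-checked box: refused outright.
    results["pre_checked_rejected"] = _rejected(lambda: ledger.record_given(
        "user-42", "health_profile", sensitive=True, mechanism="pre_checked_box"))
    # Sensitive data where the user merely typed it: not an explicit opt-in.
    results["typed_only_rejected"] = _rejected(lambda: ledger.record_given(
        "user-42", "health_profile", sensitive=True, mechanism=AFFIRMATIVE_ENTRY))
    # Sensitive data with a box the user ticked: accepted.
    ledger.record_given("user-42", "health_profile", sensitive=True, mechanism=EXPLICIT_OPT_IN)
    results["health_consent"] = ledger.has_consent("user-42", "health_profile")
    # Withdrawal flips the current state but the earlier record is kept.
    ledger.record_withdrawn("user-42", "health_profile", mechanism="account_settings_toggle")
    results["health_after_withdrawal"] = ledger.has_consent("user-42", "health_profile")
    results["event_count"] = len(ledger.history("user-42"))   # refused attempts leave no event
    results["unknown_purpose"] = ledger.has_consent("user-42", "analytics")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The rejected attempts never reach the ledger, so the history contains only choices the user actually made; that is what an auditor or a data subject asking "when did I agree to this, and how?" needs to see.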

These increased consent requirements serve to deter the collection of excessive or unnecessary data, and must be factored into web development. For example, when Crowd Favorite is leading a project scoping engagement, part of the process is to include the client’s legal team in clearing data types and ensuring consent.

Design Your Website to Allow for Expanded User Rights

GDPR grants users the right to access, edit, extract, delete and transfer any data collected by any part of the Enterprise. These increased user rights now require web developers to design data flow and storage differently. Each of the following points should be assessed and may require additional work or adjustments to your backend development:

  • Access: Companies now have to provide users access to change and amend their personal and sensitive data. Users also have to be provided a copy of their data, free of cost.
  • Erasure: Companies now have to give users the right to have previously collected data erased, wherever it is stored.
  • Portability: Companies now have to provide users with the ability to transfer their data, in an electronic format, to a third party; where feasible, a direct transfer of the data is required.

To preserve users’ privacy, organizations must also implement:

  • Data protection by design and by default
  • Security as a contractual requirement with their partners and service providers
  • Encryption or pseudonymization
  • Security measures that respond to their risk assessment
  • Safeguards, if they keep data for additional processing

Reduce Your Risk of Fines Through Regular Audits

Maintaining GDPR compliance is critical, and will require continuous monitoring, maintenance and technological improvement. Article 35 of the GDPR lays out the requirements for the mandatory Data Protection Impact Assessment and discovery process. Under the GDPR, a breach likely to result in a risk to the rights and freedoms of data subjects must be reported, and affected individuals notified, within 72 hours of becoming aware. Testing Breach Response Plans can reduce the risk of fines and costs associated with public relations fallout for failure to comply with the GDPR.

Maintaining records of all testing, impact assessments and audits performed is necessary for compliance and to reduce the risk of fines. The key is Breach Response Plans and Testing: create a process and schedule for these types of audits. The good news is that, with the right type of planning, this can be partially automated and worked into your existing site maintenance or managed services agreements. In doing so, you can maintain clear records of audit trails and compliance while minimizing future effort and additional costs.

Taking the Next Steps to Ensure GDPR Compliance

With businesses now being held legally accountable for the transparency and security of the user data they collect, it is vital to consult with both legal and digital experts to effectively prepare for GDPR. If you’d like to discuss the ways in which a digital agency can create a custom implementation strategy, feel free to contact either The Kinney Firm or Crowd Favorite directly, or tweet us at: @TheKinneyFirm @CrowdFavorite.

In the meantime, if you’d like to learn more about GDPR, we recommend checking out the below additional resources.

Who is Crowd Favorite?

Crowd Favorite builds high-end digital solutions for medium- and enterprise-level companies around the world, with particular expertise in digital design, web development, mobile development, and systems integration. Past clients include Walmart, Sony, Yahoo, Miramax, National Geographic, Nike, BMW, Microsoft, and many others.