The official guide to the General Data Protection Regulation (GDPR) – sometimes referred to as the “cookie law” – is over 200 pages long. While it’s sure to be scintillating reading, we thought you’d appreciate a more condensed version to help you with GDPR compliance.
What is the GDPR 2018?
The General Data Protection Regulation (GDPR) was put in place on May 25, 2018 in the EU, and “was designed to modernize laws that protect the personal information of individuals … It also boosts the rights of individuals and gives them more control over their information.”1 The GDPR gives Europe the world’s strongest data protection rules. But here’s the important thing to remember: it also affects the export of personal data outside the EU and EEA areas.
And that could be a problem, since a recent survey by Sage found that 91% of U.S. businesses lack awareness surrounding the details of GDPR compliance!
Before this regulation was enacted, data protection rules in the EU dated back to the 1990s and, according to officials, had not kept pace with technological advances. Basically, the GDPR changes how businesses and other public organizations can handle the information of their customers, while giving individuals more control over their personal information.
What Information is Impacted?
The GDPR covers a very broad category of personal data, which means any information that can be used to identify a person, including name, address, IP address, phone number, etc. It also covers “sensitive data,” which encompasses health/genetic information, religious and political views, sexual orientation and more.
In total, there are 99 articles setting out the rights of individuals and the obligations of companies/organizations to protect those rights and achieve GDPR compliance. However, if we boil it down to the most basic rights, the GDPR allows people easier access to the information that companies have about them and requires that companies obtain a person’s consent before collecting information about them. Companies and organizations that fail to comply will face fines which may be “up to 2% or 4% of total global annual revenue or up to $24 million, whichever is greater.”
One of the reasons behind the GDPR is the large number of data breaches in recent years, including millions of Yahoo, LinkedIn and MySpace account details. Under GDPR compliance, the “destruction, loss, alteration, unauthorized disclosure of, or access to people’s data must be reported to a country’s data protection regulator.”
How will it Affect U.S. Companies?
In addition to EU members, it’s important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR compliance will have an impact on data protection requirements globally. In fact, U.S. companies that do not comply could be blocked from transferring data to other countries.
Two notable examples of non-compliance occurred with the Chicago Tribune and the LA Times. Because their websites did not comply with the GDPR, they were temporarily blocked from European users.
While there is currently no federal data privacy legislation in the U.S., there have been an increasing number of discussions on the topic. After the high-profile congressional hearings of Facebook founder Mark Zuckerberg, many states instituted their own laws, the most notable being the California Consumer Privacy Act. Many experts believe that it’s only a matter of time before more stringent data protection measures are enacted here in the states.
In addition to GDPR, an ePrivacy Regulation is currently in the works and should be official by the end of 2019. This regulation will have much the same scope as the GDPR but will specifically outline requirements to protect the privacy of electronic communications.
How Can You Achieve GDPR Compliance? (aka The Cookie Law)
You’ve probably already seen pop-ups and banners showing up on other websites. Here is an example of a GDPR compliant cookie consent notice:
…and here is one that is not compliant:
Use this handy checklist to make sure your cookie consents meet GDPR compliance:
- Make them transparent, providing clear and specific information about data types and purpose.
- Have them appear before any processing other than what is strictly necessary takes place, also known as “prior consent.”
- Position them as an affirmative, positive action (i.e., unambiguous).
- Document them. They should be recorded and securely stored as evidence that consent has been given.
- Allow users to withdraw consent whenever they want.
- Review and renew them regularly (the ePrivacy directive suggests once a year).
The easiest way to achieve GDPR compliance is to find reliable cookie consent software that is based on a study of the new regulations. (Check out Cookiebot for more information.)
Another important thing to keep in mind is that you are responsible for protecting your website users and giving them clear information and choice about how their data is being used, both by you and by the third-party services in use on your website. What does this mean?
If you use Google Analytics, Mailchimp, social media buttons, Salesforce and other third parties on your website, you are collecting personal information through these third parties, and therefore, need to receive consent.
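As an added example, not code from the original post or from Cookiebot, here is a small consent-gating module that applies the checklist above (prior consent, affirmative choice, recorded evidence, withdrawal, yearly renewal) to third-party tags like the ones just mentioned; the storage and loader hooks, the category names and the ConsentManager API are all assumptions.

```javascript
// Added example (not from the original post): gate third-party tags such as
// Google Analytics or Mailchimp behind prior, recorded, withdrawable consent.
// Storage and loader are injected; in a browser they would wrap localStorage
// and document.createElement('script'). All names here are illustrative.
const STRICTLY_NECESSARY = 'necessary';
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // renew at least yearly
class MemoryStorage { // stand-in for localStorage so the example runs offline
  constructor() { this.m = new Map(); }
  get(k) { return this.m.has(k) ? this.m.get(k) : null; }
  set(k, v) { this.m.set(k, v); }
  remove(k) { this.m.delete(k); }
}
class ConsentManager {
  constructor({ policyVersion, storage, loader, now = () => Date.now() }) {
    Object.assign(this, { policyVersion, storage, loader, now, pending: [] });
  }
  // Valid consent record, or null if absent, withdrawn, expired, or given for an older notice.
  current() {
    const raw = this.storage.get('consent');
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.policyVersion !== this.policyVersion) return null; // notice text changed: ask again
    if (this.now() - rec.timestamp > CONSENT_MAX_AGE_MS) return null; // stale: renew
    return rec;
  }
  // Record an affirmative choice; only categories the user actively ticked are granted.
  grant(categories) {
    const rec = { policyVersion: this.policyVersion, timestamp: this.now(),
                  categories: [...new Set(categories)] };
    this.storage.set('consent', JSON.stringify(rec)); // evidence that consent was given
    this.flush();
    return rec;
  }
  withdraw() { this.storage.remove('consent'); } // withdrawing is as easy as consenting
  allowed(category) { // strictly necessary tags are exempt from prior consent
    const rec = this.current();
    return category === STRICTLY_NECESSARY || (rec !== null && rec.categories.includes(category));
  }
  // Register a tag: load it now if allowed, otherwise hold it until consent arrives.
  register(tag) {
    if (this.allowed(tag.category)) { this.loader(tag); return true; }
    this.pending.push(tag);
    return false;
  }
  flush() { // load whatever the current consent record now permits
    const rest = [];
    for (const tag of this.pending) if (this.allowed(tag.category)) this.loader(tag); else rest.push(tag);
    this.pending = rest;
  }
}
```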
But Wait, There’s More
If your company operates in or serves customers in the EU, there are several more steps you must take to achieve GDPR compliance:
- Make data policies transparent to the average person (i.e., don’t hide privacy info in the tiny legal type that no one reads).
- Allow customers to see and delete the data that concerns them.
- Do not use customer data without consent (there are some exceptions to this rule, so if in doubt, ask a lawyer about specific data). Companies should clearly explain that consent is being given and there must be a “positive opt-in.”
- Provide notice of data breaches within 72 hours.
- Follow “privacy by design” principles (see https://privacytrust.com/gdpr/privacy-by-design-gdpr.html).
- Communicate with customers using multiple channels that your company is taking steps to improve data practices in accordance with the GDPR, and assure them that you are committed to improving data privacy.
- Update privacy policies and put together a simple, easy-to-find FAQ about what the GDPR means for customer data.
- Establish a company-wide system for protecting personal data and train staff members.
Some companies may also want to hire a Chief Data Officer (CDO) to ensure that all parts of the regulation are being followed and to monitor changes as it evolves. The CDO should know what type of consumer information the company obtains, how it’s obtained and how it’s stored, as well as the security measures being employed. If in doubt, you can hire an independent auditor to assess all data processes and provide recommendations.
Considering the hefty fines associated with non-compliance, as well as the risk of being banned from doing business in the EU, companies should become familiar with the regulation and do everything possible to achieve GDPR compliance.
Now, if you made it through this explanation, you should treat yourself to a real cookie!
1“What is GDPR? The summary guide to GDPR compliance in the UK,” by Matt Burgess, Wired, January 2019.
“A Practical Guide to the European Union’s GDPR for American Businesses,” by Nancy Harris, Recode, May 16, 2019.
“The GDPR is in Effect: Should U.S. Companies Be Afraid?” by Jeff John Roberts, Forbes, May 2018.
“What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019,” by Juliana De Groot, Digital Guardian, January 3, 2019.