Disclaimer: This article is not direct legal advice, just a reminder to look to your legal resources to ensure preparation for the new GDPR laws being enacted on May 25, 2018.
The General Data Protection Regulation (GDPR) is coming on May 25, 2018, all companies should take necessary action to ensure that their organizations are compliant. For additional information see our newsletter article that discusses actions required by Google Analytics and their new data retention tool.
US companies are expected to comply with GDPR guidelines for EU end users. The following is a compilation of elements of GDPR that includes extensive excerpts from ico.org.uk, as well as some simplification of some of the content that can be found on ico.org.uk. Ultimately, this is not an exhaustive catalog of all considerations. Each company must understand the principles of the GDPR and identify its own lawful basis for collecting information from users (recognizing the rights of EU users under the GDPR). Significant documentation will need to be created and maintained by companies for them to be compliant.
Organizations based in the US that market to users from the EU need to be in compliance with GDPR before May 25, 2018.
The new regulations are based on ensuring that data is collected lawfully, that organizations are accountable for their data processing and that user rights are assured.
Data processing is the collection, analysis, modification or deletion of data. In order to process data with PII (Personally Identifiable Information) a lawful basis needs to be established. It is important to note that consent is just one method for the lawful basis of processing (All methods are listed below).
Consent needs to be requested, it cannot be pre-checked. Consent information is kept separate from other terms and conditions and consent must be recorded and monitored. (Learn More)
Using the contract method as a basis for lawfully processing data is valid when users have a contractual obligation that requires data processing. (Learn More)
You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation. This does not apply to contractual obligations. (Learn More)
You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life. The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply. (Learn More)
This lawful basis can be leveraged if and organization needs to process data to perform a specific task in the public interest that is set out in law. The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply. (Learn More)
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests and keep records of the documentation such as a Legitimates Interest Assessment (LIA). (Learn More)
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. This includes updating information in your privacy policy. To look for a polished example of a GDPR privacy policy please check out the twitter privacy policy, especially around section 4.1.
Individuals have the right to access their personal data and supplementary information.
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to object and lodge a complaint about personalized marketing materials to a supervisory authority such as the Information Commissioner’s Office (ICO) or the Office of the Data Protection Commissioner.
Accountability is one of the primary data protection principles of the GDPR. This includes having contracts in place with organizations that process data on your behalf. This responsibility needs to exist throughout the organization from the highest level of management down. It is vital to update and maintain all documentation such as the privacy policy and legitimate interest assessment. (Learn More)
The GDPR requires you to process personal data securely. This is not a new data protection obligation. It replaces and mirrors the previous requirement to have ‘appropriate technical and organizational measures’ under the Data Protection Act 1998 (the 1998 Act). (Learn More)
Security is an important topic that requires collaboration with internal IT and legal teams to ensure compliance and correct technical measures. There have been several enormous data breaches in the last couple years that result in large fines for organizations. It is important to consider further investment in measures such as:
Cyber insurance is an emerging industry designed to insure against cyber-related security breaches, however insurance is no substitute for GDPR compliance.
The GDPR introduces a duty on all organizations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover. The fine can be combined the ICO’s other corrective powers under Article 58. So it’s important to make sure you have a robust breach-reporting process in place to ensure you detect and can notify a breach, on time; and to provide the necessary details. (Learn More)
When relying on consent, make sure that the child understands what they are consenting to, and they are not being exploited due to imbalance in power in the relationship. When relying on ‘necessary for the performance of a contract’, consider the child’s competence to enter into a contract. When relying upon ‘legitimate interests’, take responsibility for identifying the risks and consequences of the processing, and put age appropriate safeguards in place. (Learn More)
More details can be found at ico.org.uk.
975 South Federal Highway, 2nd Floor
Boca Raton, FL 33432
800.787.0497
ph: 561.620.9682
fx: 561.620.9684
info@morevisibility.com
