The General Data Protection Regulation (GDPR) will be enforceable May 25th 2018! The implications for businesses that operate in Europe and collect user data are significant and are certainly not something to be taken lightly.
For the uninitiated, the GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. For industries like online publishing, the way user data is collected and managed is about to change. In a big way!
Brendan Woods, one of our Team Leads, has been leading our research on this and how it will be impacting our clients. As part of this, he ran an internal training session. Seeing how widely relevant these laws are to the industries we serve, we’ve recorded it to share with you.
The rest of this post breaks down the incoming changes and what they mean, but the short of it is…
Who does GDPR apply to?
GDPR applies to any company processing the personal data of subjects within the European Union. Let’s make this very clear from the outset. It’s not just for companies in Europe, but for any company that collects or processes data on European Union (EU) subjects. The net is very wide!
A combination of factors defines whether or not a company is targeting European subjects. These include things like:
- Offering European languages on a website
- Offering European currencies for purchases
- Localized content
- Giving international services to people in the EU
It’s interesting to note that as the law was passed pre-Brexit, it will most likely stand and remain relevant to the UK.
What happens if the rules are broken?
These new laws have some serious teeth. The previous iteration of the law had fines of up to £500k in the UK. The GDPR allows for up to €20 Million or 4% of global revenue, whichever is greater. Keep in mind that for Google, that’s about $3.5 Billion.
Each EU state is required to set up a data protection authority to oversee the enforcement of compliance within their state. They will have powers to do things like access premises, give binding orders, administer fines, hand out suspensions, etc. Not only are the penalties large and clearly defined, each member state will have an organization specifically set up to issue them if compliance is not met.
Modern governments are well adjusted to working across international borders, so there will certainly be precedent for having these laws enforced on companies outside of the EU.
The more you understand about GDPR, the more you recognize the room it will create for a whole new class of litigation. These laws significantly increase the rights of data subjects to take civil action if they believe their rights to data privacy have been breached. You can expect to hear of class-action settlements that even exceed the above penalties.
With GDPR, almost every company type will be affected. Within the documentation, the terms controller and processor are used. Controllers are companies that dictate what data is collected and how, whereas processors are companies that process that data according to the directives of the controller. Previous iterations of similar laws affected mostly controllers, whereas GDPR broadens the requirements to include processor type companies.
5 Big Changes for Businesses
1. The New Guy
Companies will now be required to appoint Data Protection Officers (DPO). These will be executive level positions responsible for enforcing compliance across the company. It’s expected that approximately 75,000 DPO jobs will be created off the back of this new legislation.
2. The Types of Data
The types of data that are included within the protective rights of subjects are increased from what was included in previous laws. These data types include:
- IP Addresses & Mobile IDs
- Geolocation Data
- Sensitive Personal Data
  - Racial/Ethnic origin
  - Political association
  - Trade union membership
  - Sexual orientation
  - Biometric/Health data
When collecting these data types, companies must now explicitly define the reason why they are collecting the data. For many years, lured by the potential returns of big-data mining, companies have had a “collect it and we’ll figure out what to do with it later” attitude. This is no longer allowed.
3. Consent
Consent for data collection must now be explicit. Vague reasons such as “for marketing purposes” or “for research” or even “to improve user experience” are no longer acceptable. The company must specifically define and communicate to the user what their data will be used for.
It also must be active consent. Consent through silence or even pre-ticked boxes is off the table.
On top of being explicit in requesting consent, companies must also make it just as clear and easy for consent to be revoked.
The final piece of the consent puzzle is that pre-GDPR collected data is subject to these changes. So if consent has been collected in the past through a method that doesn’t adhere to these new standards, a company is required to re-request consent. We can expect to see many email sequences going out from companies in the coming 12 months with these kinds of requests.
4. Data Breaches
It seems that every other week there is a story about a major data breach from some large company. Within the GDPR, companies are now required to respond in a particular way if this occurs. Specifically, they must:
- Report the incident to their relevant data protection authority within 72 hours
- Report the incident to the affected users “without undue delay”
This means that companies will need to update their relevant policies and procedures. And with the hefty fines and potential litigation, they will be very motivated.
5. New Personal Rights
With these new laws, individuals will have new legal rights. Summarised, they will have:
- The right to erasure (deletion of all personal data)
- The right to restrict the processing of their personal data
- The right to data portability. E.g. “Give me my data Mr Insurance Company so I can take it with me when I move to another insurance company”
- The right to knowledge of profiling
The way data is stored and the interfaces for engaging with it have needed, and will continue to need, a lot of attention from many companies. We are working with some of our clients on implementing solutions to facilitate these kinds of data related requests from users.
GDPR and Publishers
We work with a number of large international publishers, so we’ve been thinking a lot about how these laws will specifically impact them. Walking through some standard workflows and user experience flows, we begin to see how the GDPR will touch on a lot of their points of user engagement, such as:
- Requesting newsletter subscribers
- Profiling subscribers
- Accepting submissions for contests
- User account creation
- Data collection for remarketing/retargeting
- Premium editorial content subscriptions
…and the list goes on. Making updates to the user flows and internal interfaces is where we are seeing the most pressing needs.
At face value, these changes appear incredibly intimidating. Big fines and big operational changes are something most business operators don’t particularly want to be thinking about. However, we see a very positive opportunity within GDPR. It gives businesses everywhere a clear framework for how to go about the collection and use of personal data with integrity. As technology companies, our users trust us and GDPR lays a clear path for how we can repay that trust. For companies like ours as well, it gives us an opportunity to provide value to our clients and walk with them to help achieve compliance.
In summary (of this summary), GDPR is coming in May and it’s going to impact the way businesses operate online perhaps more than most people realize. Taking the time to understand the implications and preparing a path towards compliance is very important. We have been and will continue to work with many of our clients to update their websites and platforms to adhere to these new standards.
Do you have anything to add to this? There’s a lot to cover, so please let us know if you think we’ve missed anything important in this overview. Additionally, if you believe your company needs technology support in achieving compliance with GDPR, please get in touch.