The new digital economy and growing privacy concerns have created a need for the EU to update and harmonise its data protection legislation. As a result, the European Parliament approved the long-anticipated General Data Protection Regulation (GDPR) in April 2016. The GDPR, coming into force on 25 May 2018, will have significant impacts on all organisations that process EU residents’ personally identifiable information (PII). It will make businesses more accountable for data privacy compliance and give consumers more control over their personal data.
Who Does the GDPR Apply To?
The GDPR will apply to all organisations that collect personal data of EU citizens, regardless of the organisation’s location. Personal data relates to an individual who can be directly or indirectly identified from the data, for instance names, photos, email addresses, social media posts, IP addresses, and so on. This will have an impact on most e-commerce businesses, online publishers and advertisers. The new law will also apply to the processing of personal data by a processor if they offer goods or services to, or monitor the behaviour of, EU data subjects. This could include many popular online tools and services such as Google Analytics, audience and data management platforms, and online marketing businesses and their tracking software.
How Are Websites Affected by the GDPR?
Every organisation is likely to be affected in different ways. Some sites may choose not to collect any personal information at all. In this case it is advisable to conduct a snapshot assessment of the current data collection and remove any unnecessary trackers and third-party ads. Ghostery is a great tool for finding and highlighting these trackers. It may be necessary to get rid of Google Analytics as well. Piwik is a great analytics tool for tracking your visitors in an anonymised way; it stores your data in your own database and never sends any data to third parties. Many websites contain social sharing buttons that typically collect data about visits, including IP addresses, and send it to third-party tracking and social media companies. We recommend switching to Shariff share buttons, which respect the privacy of your visitors. If you decide to keep collecting personal data, please consider the following points:
“The new rule requires an explicit affirmative consent for processing private data which must be as easy to withdraw as it is to give it.”
One of the most visible changes for consumers will be the new rule for obtaining valid consent to data processing. The consent document should be laid out in simple terms, and explicit affirmative consent is required for the processing of private data. Please note that if your target audience is children aged 16 and under, you will need to obtain verifiable consent from a parent or guardian to process the child’s data. One of the most common methods is charging a small amount to a parent’s or guardian’s credit card: the credit card information proves the parent’s identity, and the charge serves as a record of the transaction. If your website collects data only in a logged-in environment, it is probably easiest to ask users for their consent when they register or when they log in. This should not have a huge negative impact on the user experience. For most other websites, such as news portals that collect data on open pages, the best approach is probably to use automated cookie consent landing pages or pop-ups, in the same way as ‘Adblock Detected’ notifications are served at the moment. It must also be as easy to withdraw consent as it is to give it.
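One way to implement the consent rule described above in a website's front-end is to gate every optional tracker behind an explicit opt-in record and to make withdrawal a single action that also stops the trackers already running. The following is an added example, not code from the original article or from any of the tools it names; the storage interface and the `loaders` map of tracker stubs are assumptions so that the logic runs stand-alone in Node as well as behind a real banner with `window.localStorage`.

```javascript
// Added example: consent gate for optional trackers (analytics, share buttons, ads).
// Trackers load only after an affirmative opt-in and are torn down on withdrawal.
const CONSENT_VERSION = 2; // bump when the consent text changes; older records no longer count

function createConsentGate(storage, loaders, now = () => Date.now()) {
  const KEY = 'consent';
  const loaded = new Set(); // purposes whose tracker is currently active

  function read() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    try {
      const c = JSON.parse(raw);
      return c.version === CONSENT_VERSION && Array.isArray(c.purposes) ? c : null;
    } catch (e) { return null; } // corrupt record is treated as no consent
  }

  function attach(purposes) {
    for (const p of purposes) if (loaders[p] && !loaded.has(p)) { loaders[p].load(); loaded.add(p); }
  }

  function hasConsent(purpose) {
    const c = read();
    return c !== null && c.purposes.includes(purpose);
  }

  // Explicit opt-in only: silence or a dismissed banner never reaches this function.
  function give(purposes) {
    if (!Array.isArray(purposes) || purposes.length === 0) throw new Error('no purpose consented to');
    storage.setItem(KEY, JSON.stringify({ version: CONSENT_VERSION, purposes, at: now() }));
    attach(purposes);
    return read();
  }

  // Withdrawal is one call: erase the record and tell every active tracker to stop.
  function withdraw() {
    storage.removeItem(KEY);
    for (const p of loaded) if (loaders[p].unload) loaders[p].unload();
    loaded.clear();
  }

  // Run on each page load: re-attach only the purposes already consented to.
  function restore() { const c = read(); if (c) attach(c.purposes); return c; }

  return { hasConsent, give, withdraw, restore, isLoaded: (p) => loaded.has(p) };
}

// Constructed in-memory storage with the same get/set/removeItem shape as localStorage.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}
```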
Establish a compliance framework for monitoring and reviewing your data procedures, aiming to minimise data collection and processing and building in safeguards. Make sure you have clear policies in place, including documentation and regular audit processes, to prove to a regulator that the organisation meets the required standards.
Privacy impact assessments
Privacy impact assessments will be mandatory for projects that potentially expose individuals to enhanced privacy risks due to the nature or scope of the processing operation. This could include large-scale profiling or processing of special categories of data, processing involving criminal convictions or offences, collecting data from children under the age of 16, or large-scale monitoring of public areas.
Data protection officer
A Data Protection Officer (DPO) must be appointed by all public bodies and by businesses whose core activities involve systematic monitoring of data subjects on a large scale or large-scale handling of special categories of data.
Breaches must be reported to the data protection supervisory authority within 72 hours of the data controller becoming aware of them. Where the risk is high, affected data subjects must also be notified without any delay.
If a company is established in several EU countries, it may take advantage of the “one-stop shop” mechanism, which allows one lead Data Protection Officer to operate as a single supervisory body across all EU locations.
Sharing data with third parties
Your company should always have a legitimate basis for any data transfers, for example in the context of intra-group transfers or a joint venture, or using outsourced service providers. The rules require the controller to take full responsibility for transferring personal data to foreign jurisdictions using effective due diligence and contractual measures.
What are the penalties for non-compliance?
Organisations violating the GDPR can expect fines of between 2% and 4% of their annual global revenue or €20 million, whichever is greater. Fines of this scale could lead to business insolvency and, in some cases, closure. There will be a tiered approach to fines: for example, a company can be fined 2% for not having its records in order, for not notifying the supervisory authority and data subjects about a breach, or for not conducting an impact assessment.