In 2016, the European Union adopted legislation that will reshape the privacy landscape of Europe and, by extension, the rest of the world. It comprises the most all-encompassing and severe set of privacy rules to date, affecting businesses of every type in potentially every corner of the globe.
The General Data Protection Regulation (GDPR) is coming, and many U.S.-based SMEs have yet to investigate whether it will affect how they do business. It should: the regulation protects the personal data of people in the EU, and it applies to any organisation that processes that data, wherever the organisation itself is located.
Preparing yourself for what’s to come is vital. Here’s a quick breakdown of what the GDPR is, and four actionable ways for you to brace for its impact.
What Is The GDPR?
Like the U.S., the EU has experienced sizeable economic losses from data theft and from the exposure and exploitation of private consumer data. In response, the EU adopted the GDPR to ensure that the personal data of people in the EU is properly collected, secured, and kept private, regardless of the commercial interests of whoever receives it. Note that the GDPR's term is "personal data", which is broader than the U.S. notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person, including identifiers such as IP addresses and cookie IDs. This article uses "PII" loosely for that wider category.
The GDPR gives individuals control over their personal data and requires any entity that processes it to do so only on a lawful basis and for stated purposes.
Consent is the lawful basis most businesses will rely on, and under the GDPR it must be freely given, specific, informed, and unambiguous, signalled by a statement or a clear affirmative action. It is not the only lawful basis (performance of a contract and a legitimate interest are others), but where you rely on consent, you must obtain it before collecting the data and separately for each purpose you use it for.
In contrast, American consumers routinely waive control of their PII simply by continuing to use a website or application under a browsewrap agreement. Once the consumer waives that right, effective control of the data and its usage passes to the business that collected it.
The mandates of the GDPR also vary from North American data practices in other significant ways:
- The legislation grants individuals the "right to be forgotten" (the right to erasure). Subject to a limited set of exceptions, they can direct any entity that holds their personal data to permanently delete every instance of it from its storage and processing systems.
- Corporations are required to not only comply with the rule, but also prove their compliance procedures if requested.
- Businesses are also responsible to account for the data practices of the third-party services they employ.
- Penalties of up to 4% of annual worldwide turnover, or 20 million euros, whichever is higher, can be levied against companies that fail to comply.
All entities that do business with EU citizens or residents are expected to comply by May 25, 2018.
Below, we’ve outlined 4 things you must do to ensure that your enterprise is up to code and compliant with the GDPR come May. You may also want to see the Information Commissioner’s Office (ICO) of the UK’s recommendations for creating a plan for GDPR compliance.
4 Ways to Ensure You’re Prepared
- Identify and Document Relevant Personal Information
- Update Your Privacy Policy and Practices
- Implement a Clickwrap Agreement Modal to Obtain Consent
- Consider Hiring a Data Protection Officer (DPO)
1. Identify and Document Relevant Personal Information
This legislation will hold businesses and enterprises accountable for the information they’ve collected, which includes the PII they’ve stored in their databases and servers, as well as the information they’ve shared with or sold to other entities.
Identifying and documenting the user information you hold or have held on your servers should be the first step you take toward GDPR compliance. Only once you know which information you hold, how it was obtained, and with whom you share it can you begin to account for it from a legal perspective.
Additionally, if any information in your stores is held without a lawful basis, for example because it was collected without valid consent where consent is the basis you rely on, that information should either be deleted or revisited with the individuals concerned to obtain adequate consent.
2. Update Your Privacy Policy and Practices
The GDPR requires you to be able to show, in writing, how personal data is protected. At a minimum, review and update:
- Your privacy policies and notices, including the procedures you have in place to honour the rights of EU data subjects. The GDPR differs significantly from North American data privacy rules, so it is likely that your existing privacy-related systems do not meet its standard. Your updated policies must account for the new regulation, and the resulting procedures manual should detail:
  - how your company protects personal data at every step,
  - the process it uses to delete that data from company records when required, and
  - how it shares that data in conformance with GDPR standards.
- Your privacy policy itself. It must document in detail how personal data is collected, which data is collected, how and why it is used, how long it is kept, and with whom it is sold, transferred, or shared. It must also describe the data practices of the third-party services you employ, since you remain responsible for them.
- Your data breach management strategy. The GDPR requires that a personal data breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of your becoming aware of it, and that affected individuals be notified without undue delay when the breach is likely to result in a high risk to them. Your documentation must describe how you detect, investigate, and report breaches on that timeline.
- Your legal obligations. Doing business on both sides of the Atlantic means at least two sets of laws now govern your data-privacy practices. Your documents must identify the laws you follow, and compliance requires that you explain to your users how you adhere to them.
Every change you make must be documented in a GDPR-compliant format, so you can both act on the new procedures and explain to your customers, your industry colleagues, and GDPR overseers how you manage the PII data and privacy concerns of EU residents and citizens.
3. Implement a Clickwrap Agreement Modal to Obtain Consent
Where consent is the lawful basis for processing, the GDPR requires that consumers affirmatively "opt in" at each point where their data is collected for a purpose that needs consent. Pre-checked boxes, silence, and "opt out" as the default are not acceptable under the new legislation, and each distinct purpose needs its own opt-in rather than a single bundled agreement. This is informed consent, and it sits at the heart of the GDPR.
Because the regulation has not yet taken effect, how European courts and regulators will interpret consent in practice has yet to be tested. The text itself already sets the bar high, though: consent must be freely given, specific, informed, and unambiguous, and the request for consent must be clearly distinguishable from other matters such as the general terms of service. As the GDPR aims to crack down on the exploitation and exposure of personal data, we can assume that only the clearest and most explicit forms of consent will be accepted.
For this reason, it is imperative that your organization understands the value of a clickwrap agreement modal. Implementing one on your site prevents users from submitting their data without first granting their consent. One caveat: consent is not "freely given" if access to a service is made conditional on consenting to processing the service does not actually need, so gate the data collection, not the content itself, and keep optional purposes optional. Better safe than sorry here.
A clickwrap agreement sets up the "opt-in" process by presenting a button that requires an affirmative click for that purpose. A familiar example is Facebook's signup page, which requires users to fill in the form and click the button to create their account.
It is clearly noted on Facebook's homepage that by creating an account, users agree to its privacy policy and terms of use. Without doing so, users cannot share any of their personal information, nor access the personal information of others that has not been made public. Bear in mind that agreeing to the terms as a whole is not, by itself, specific consent to every processing purpose; a GDPR-compliant form still needs a separate, unchecked opt-in for each purpose that relies on consent, such as marketing email.
Every channel your organization uses to collect personal data should offer a GDPR-compliant "opt-in" by default in order to obtain proper consent, and all presumptive "opt-out" defaults should be removed. Keep a record of each consent given: when, to which version of your notice, and for which purposes, so you can demonstrate it later.
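One way to enforce the opt-in rules above on the server side, as an added example that is not part of the original post: it rejects a submission from a form that rendered any optional box pre-checked, insists on a real click rather than a missing or truthy field, and writes a consent record that can later be produced to show what was agreed. The purpose names, the policy-version string, the user IDs, and the shape of the submitted form are all hypothetical, chosen for illustration.

```javascript
// Added example, not from the original post: server-side validation of a
// clickwrap consent submission that produces an auditable consent record.
// Purpose names, the policy version string, user IDs and the submission
// shape are hypothetical, chosen for illustration.

const POLICY_VERSION = "privacy-notice-2018-05"; // assumed: id of the notice shown to the user

// Purposes the form asks about. Only optional purposes need a separate opt-in,
// and each optional purpose must be rendered unchecked.
const PURPOSES = {
  account:   { optional: false, text: "Create and manage your account" },
  marketing: { optional: true,  text: "Send you marketing email" },
  analytics: { optional: true,  text: "Share usage data with analytics providers" },
};

// Validate one submission. `submission` is what the form posts back:
//   { userId, accepted, policyVersion, renderedDefaults: {purpose: bool}, choices: {purpose: bool} }
// Returns { ok: true, record } or { ok: false, errors }.
function validateConsent(submission, now = new Date()) {
  const errors = [];
  const { userId, accepted, policyVersion, renderedDefaults = {}, choices = {} } = submission || {};

  // 1. The "I agree" button must actually have been clicked: a boolean true,
  //    not a truthy string and not a missing field treated as agreement.
  if (accepted !== true) errors.push("no affirmative acceptance");

  // 2. The user must have seen the notice version we are recording against.
  if (policyVersion !== POLICY_VERSION) errors.push(`stale or unknown policy version: ${policyVersion}`);

  if (typeof userId !== "string" || userId.length === 0) errors.push("missing userId");

  const granted = [];
  for (const [name, def] of Object.entries(PURPOSES)) {
    if (!def.optional) continue; // needed to deliver the service; consent is not the basis here
    // 3. Reject submissions from a form that rendered this box pre-checked.
    if (renderedDefaults[name] !== false) errors.push(`purpose "${name}" was not rendered opted-out by default`);
    // 4. Each optional purpose needs an explicit boolean choice.
    const choice = choices[name];
    if (typeof choice !== "boolean") errors.push(`purpose "${name}" has no explicit choice`);
    else if (choice) granted.push(name);
  }
  // 5. Unknown purposes indicate a tampered or mismatched form.
  for (const name of Object.keys(choices)) {
    if (!(name in PURPOSES)) errors.push(`unknown purpose "${name}"`);
  }

  if (errors.length) return { ok: false, errors };

  // The record keeps the exact wording shown for each granted purpose, so it
  // can be produced later as evidence of what the user agreed to.
  const record = {
    userId,
    policyVersion,
    timestamp: now.toISOString(),
    granted,
    shown: Object.fromEntries(granted.map((p) => [p, PURPOSES[p].text])),
  };
  return { ok: true, record };
}

// Downstream check: before processing for an optional purpose, consult the record.
function hasConsent(record, purpose) {
  return Boolean(record) && record.granted.includes(purpose);
}

// Constructed sample submissions (not real data).
const goodSubmission = {
  userId: "u-1001",
  accepted: true,
  policyVersion: POLICY_VERSION,
  renderedDefaults: { marketing: false, analytics: false },
  choices: { marketing: true, analytics: false },
};

const preCheckedSubmission = {
  ...goodSubmission,
  renderedDefaults: { marketing: true, analytics: false }, // box shipped pre-checked
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(validateConsent(goodSubmission, new Date("2018-05-25T09:00:00Z")), null, 2));
  console.log(validateConsent(preCheckedSubmission).errors);
  console.log(validateConsent({ ...goodSubmission, accepted: "on" }).errors);
}
```

The point of passing `renderedDefaults` back from the form is that the server can refuse to record consent from a page that was misconfigured to pre-check a box, rather than trusting that every template was built correctly. Storing the notice version and the wording shown is what lets you answer a later request to prove that consent was obtained.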
4. Consider Hiring a Data Protection Officer (DPO)
The GDPR requires certain organizations to appoint a DPO: public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and those that process special categories of data on a large scale. Your enterprise may not fall under that mandate, but a dedicated DPO is helpful for internal audits and for managing corporate data strategy under any circumstances, especially if you do business in the EU now or plan to.
The DPO may be an existing employee or an external contractor, but must be able to act independently, report to the highest level of management, and not be penalised for doing the job. You must also provide the DPO with the resources needed to carry out the role, which for a larger organization may mean a supporting team.
Although the requirement may seem cumbersome for organizations that fall under it, it is stipulated nonetheless, and penalties for not acting in accordance with the legislation are steep. In addition, the work and audits of your DPO will help ensure that you maintain compliance and avoid those penalties.
Although the GDPR is based in Europe, any company that does business on the internet could inadvertently be doing business with European citizens or residents. Even if you aren’t targeting such customers for now, becoming GDPR-compliant represents a sound investment in your company’s future, as it facilitates your unhindered access to those current and untapped markets.
Getting your business ready for the GDPR is one big move toward future success. So is getting a tailored payment processing solution and optimizing your credit card rates. That’s where we come in. And if you’re still looking for ideas on how to improve your business flow, be sure to check out our blog (and feel free to comment below)!