This Friday on May 25th, a new EU privacy law, the General Data Protection Regulation (GDPR) comes into effect. You might already know about it because your inbox has been flooded with Privacy Policy updates from big companies trying to comply with the law.
GDPR is quite a revolutionary change in data protection reaching broadly outside of the EU territory and issuing substantial penalties for non-compliance. We will have to get used to this type of rigorous data protection regulations as many countries including US will follow suit.
As an online business owner not based in EU, do you have to do anything by the deadline? Here are a few things you should know and take action before May 25th.
1. What is GDPR about?
The EU GDPR is the EU’s new legal framework for privacy and personal data protection. It gives back the control over personal data to people. The law requires that businesses implement detailed controls over how they collect and process personal data. The processing of data should be lawful, fair and transparent, and limited to specific, legitimate purposes. For processing to be lawful under the GDPR, it has to be done under one of six lawful bases. One of the bases that most businesses will rely on is consent of the individual.
In other words, personal data should be collected for legitimate business reasons with consent of individuals and processed in a secure manner to comply with the GDPR.
An important difference of the GDPR from previous regulations is that the GDPR requires you to be “accountable” and be able to demonstrate compliance by documenting how you process data.
2.Who does the GDPR apply to?
Any organization which offers goods or services to individuals in the EU and/or monitor the behavior of individuals in the EU are subject to the GDPR requirements. Even if your business does not have any customer in EU, if your website has EU visitors and collects IP addresses, you have to comply with GDPR.
A business that handles personal information that belongs to people in the EU, like employees or business contacts in EU is also subject to GDPR.
3. Penalty is high for non-compliance
When a business is found not complying with the GDPR, not only will it suffer reputational harm but also will be fined a stiff penalty amounting to the greater of 20 million euros or 4% of global revenue.
4. What is personal data under GDPR?
GDPR concerns processing of personal data, but many people are still unsure what exactly “personal data” refers to.
According to GDPR’s definition, personal data means “any information relating to an identified or identifiable natural person (‘data subject’). The GDPR further clarifies: “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In other words, even if one or few pieces of information do not consist of personal data, if the information alongside other data can identify specific person, it can be considered personal data. For example, an email alone might not be personal data. However, a company email that contains first name and last name initial can sufficiently narrow down an individual working in the company and therefore, can be considered personal data.
An online identifier, e.g. an IP address, cookie identifiers and GPS locations are all personal data under the GDPR.
The personal data that you collect should be secured by pseudonymisation or encryption.
5. Should I update Privacy Policy to comply with the GDPR?
If you monitor behaviors of EU visitors or have at least one customer or employee from EU, you have to meet the requirements of GDPR to process personal data. Privacy Policy informs visitors about how data is collected and processed and their rights to privacy. The GDPR created some new rights for individuals and your Privacy Policy needs to affirm these rights. Make sure the following information is included in your privacy policy.
- Who is collecting and processing the data?
- What data is being collected?
- What is the legal basis for processing the data?
- How is the data shared with third parties?
- How is the data be used?
- How long will the data be stored for?
- How can the data subject request access, correction or deletion of the personal data?
6. Do I need a cookie notice under the GDPR?
The cookie law has been in existence before the GDPR in EU countries, requiring websites to get consent from visitors to store information gathered through cookies. Many websites with EU visitors have implemented a cookie notice to notify the use of cookies and get consent of visitors.
Even if the GDPR does not explicitly require a cookie notice, the law considers cookies that identify an individual via their device as personal data and require consent to collect and process such data.
Under GDPR, legal consent is much harder to get and the cookie notice needs to acquire the higher level of consent to comply. For example, “by using this site, you accept cookies” will not create a valid consent. Consent must be give through an affirmative action, such as clicking an opt-in box (not pre-checked) or choosing settings. Websites also need to provide an opt-out option after a consent is given in case a visitor changes mind.
It is important to have a cookie notice with a proper language on a first visit to a website. Once a visitor is informed by a proper notice, continuing to browse can be viewed as valid consent via affirmative action.
7. Your vendors need to comply with GDPR as well
The GDPR applies both to ‘data controllers’ and ‘data processors.’ The controller says how and why data is processed and the processor is a service provider that processes personal data on behalf of the controller. The GDPR directly regulates data processors. They need to comply with many obligations just like data controllers, such as maintaining adequate documentation and appropriate security standards. Businesses and their data processors can now be held jointly liable for data breaches. A data controller is not relieved of obligations when a processor is responsible for a breach.
If your vendors process personal data of your visitors and customers, make sure they are aware of responsibility to secure personal data and ensure GDPR compliance in a vendor agreement.
8. Consent is an important concept in the GDPR
As mentioned above, consent is one of the six legal grounds for lawful processing of personal data. Other legal grounds include legitimate interest, contractual necessity, public interest, legal obligation and vital interest (Article 6 of the GDPR).
Consent is most applicable in email marketing or website cookies where personal data is collected without contractual business relationship. Businesses using consent as a lawful basis should understand what constitutes valid consent under the GDPR and be able to share a record of consent with regulators if requested.
Under the GDPR, consent should be freely given (not conditional to service), explicit (not by pre-checked boxes or inactivity), and informed. Additionally, individuals must be able to withdraw consent at any time. Here are some suggestions to get valid consent and record properly.
- According to the GDPR, a business should present the request for consent “in intelligible and easily accessible form, using clear and plain language.” When you use a lead capture such as contact form on a website, include a clear explanation of what information a person can expect to receive and a checkbox that the contact must check in to agree to your privacy policy and processing of personal data.
- Send a confirmation opt-in email after a person subscribes to your newsletter where he must click the link to confirm the subscription.
- If any of your current subscribers in the EU has not provided a valid consent, consider sending them a consent form where they can affirmatively make a choice to stay in your mailing list.
- Manage leads and customers with a system where you can easily log consent of subscribers.
- Add a link to your privacy policy in your newsletters.
9. Personal data must be erased if requested
One of the important individuals’ rights protected by the GDPR is the right to erasure (Article 17 of the GDPR) or the right to be forgotten.
A business should be prepared to honor the request to delete or remove personal data if an individual requests it.
For example, Google Analytics now has a function to remove a user’s data from analytics data. You can use this tool when a visitor opts out of tracking.
10. There are more obligations for larger organizations
For organizations that are public authorities or carry out processing of personal data in a large scale, the GDPR requires to appoint a Data Protection Officer (DPO). The DPO, who must have expert knowledge of data protection law and practices, will be responsible for overseeing the organization’s compliance with the GDPR.
A data protection impact assessment (DPIA) is also required if an organization processes personal data that is likely to result in a high risk to the rights of individuals. An impact assessment evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk.
The GDPR requires small and large businesses to be more responsible about how they treat personal data. It might be challenging to understand and comply with all the requirements, but the efforts will help avoid costly consequences and make your business stand out as a trustworthy business.
Speak with an International Business Attorney
If you need to get your business ready for the GDPR, or if you are not sure if you need to comply with the GDPR and would like to find out, we encourage you to contact us for a confidential consultation. To schedule an appointment with an attorney at Jiah Kim & Associates, please call (646) 389-5065 or get on our calendar today.
This blog post is written for educational and general information purposes only, and does not constitute specific legal advice. You understand that there is no attorney-client relationship between you and the blog publisher. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.