Understanding GDPR: What It Means for Your Organization

May 31, 2018
Jon Price

The GDPR legislation enacted in Europe is causing headaches for marketers and organizations here in the U.S. C2 Lead Developer Jon Price breaks down the GDPR in easy-to-understand terms, and explains why teams stateside are not necessarily off the hook.

DISCLAIMER: This article should not be interpreted as legal advice. The C2 Group recommends consulting your corporate legal team to better understand how GDPR may apply to your organization. For more information on GDPR, please visit https://gdpr-info.eu/.

If you’ve logged into any website or checked your email over the past month, you’ve probably received an absurd number of alerts informing you about an updated privacy policy. This is the result of a piece of European Union (EU) legislation, the General Data Protection Regulation (GDPR), which went into effect May 25. The law regulates how any organization collects, uses, or shares personal data of EU citizens.

The European Commission (EC) has given businesses the opportunity to redefine their privacy policies and share with consumers how they process personal data prior to the May 25 deadline. While this is an EU law, it doesn’t necessarily mean U.S. companies and marketers are off the hook. The internet is worldwide, and your customers or clients probably are, too. If your company targets, processes the sensitive personal information of, or otherwise markets to European citizens, GDPR will apply to you.

What exactly is sensitive personal data?

Sensitive personal data is any data that can be used to identify a (living) individual. This includes, but is not limited to: first or last names; home addresses; email addresses; identification or card numbers; location data; IP addresses; cookie IDs; advertising identifiers on phones; or data held by a healthcare provider (Article 4).

Data that isn’t considered personal or sensitive includes company-issued registration numbers or email addresses and any anonymized data. Be careful, though. Data that you may think is anonymous isn’t always what it seems – the anonymization of the data must be irreversible for it to not qualify as personal data.

Should my site have a privacy policy?

Every site that collects information from website visitors should have its own privacy policy.

A privacy policy addresses three things: the information about website users a site collects, how the site uses that information, and how the site shares that information. Information can be collected several ways, including cookies, registrations, comments, subscription forms, etc. Don’t forget that if your site uses a stats counter or analytics platform, such as Google Analytics, you’re collecting personal information.

It’s imperative to note that any time your site requests information from users, the privacy policy must be linked to within the input form. These information requests for consent must be in a logical context, using clear and plain language (Article 7.2).

You’ll need to make known the following in your privacy policies:

  • How long a user’s personal information is stored
  • Their right to access/request their personal information
  • Their right to withdraw consent
  • Their right to complain to a supervisory authority
  • Their right to know if the personal data is being used for automatic profiling

How does the GDPR change how I collect, use, and share information?

Businesses need to be aware of the way they request information and what information they request from users. The information you are collecting should be adequate, relevant, and limited to what is necessary for the requested purpose (Article 5.1c). For example, if a user is signing up for your e-newsletter, there is no logical reason they should provide anything other than their name and email.

Any subscription or form that is a sign-up box for direct marketing must have a separate checkbox for each way in which the user consents to being marketed to. The checkboxes must default to unchecked, allowing the user to opt in to what they please. Businesses can never assume a user’s consent to use his or her information.

At any time, a user must have the ability to access their personal data and update it (Article 7.3). They must also be able to retract their consent for marketing (Articles 15.1, 15.3, and Article 16) at any time. This may be allowed via phone, email, direct site, etc.

Regarding back-end marketing systems, it is recommended that consent be managed with timestamps, because the controller must be able to show that the user has given consent to process his or her personal data (Article 7.1).
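One way to keep the timestamped, per-checkbox consent records described above, as an added example that is not C2 code: an append-only log where unticked boxes mean no consent and a withdrawal is a new entry rather than an overwrite. The channel names, field names, and class names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed marketing channels: one checkbox per channel on the sign-up form.
PURPOSES = ("email_newsletter", "sms_offers", "phone_calls")

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # internal user id, not the e-mail address itself
    purpose: str
    granted: bool         # True = opted in, False = withdrew
    at: datetime          # UTC timestamp of the action
    source: str           # form or channel that captured it
    policy_version: str   # privacy policy text shown at the time

class ConsentLedger:
    """Append-only log: events are never edited, so the history is the proof."""

    def __init__(self):
        self._events = []

    def _add(self, subject_id, purpose, granted, source, policy_version, at):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        self._events.append(
            ConsentEvent(subject_id, purpose, granted, at, source, policy_version))

    def record_form(self, subject_id, ticked, source, policy_version, at=None):
        # Only boxes the user ticked produce a grant; unticked means no consent.
        for purpose in sorted(ticked):
            self._add(subject_id, purpose, True, source, policy_version, at)

    def withdraw(self, subject_id, purpose, source, policy_version, at=None):
        self._add(subject_id, purpose, False, source, policy_version, at)

    def proof(self, subject_id, purpose):
        # Full timestamped history for one user and one channel.
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def may_contact(self, subject_id, purpose):
        # Default is "no": contact is allowed only if the latest event is a grant.
        history = self.proof(subject_id, purpose)
        return bool(history) and history[-1].granted
```

A mailing job would call may_contact() before each send, and proof() supplies the record to show when a user or regulator asks when and how consent was given.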

Finally, users must have the ability to altogether delete their personal data upon request (Article 17). There is no defined way in which data must be deleted, although the regulation recommends, ambiguously, that it be done in a “timely fashion”.

Now what?

Businesses need to perform a comprehensive data audit to pinpoint all the ways in which they process and secure personal data. This audit should focus on the following four "Ws":

  • What data does our organization collect, and using what systems?
  • Where does our organization store this data?
  • Who has access to our data?
  • Why is this data significant to the organization? What is it used for?

An audit identifying what data is captured, where it is held, and how it’s used and accessed is the first step toward GDPR compliance. Businesses must also determine the security measures for data breaches and create appropriate and timely documentation and reports for data requests.

Ultimately, we recommend completing an internal data audit and consulting with corporate legal representation for a full understanding of this legislation and its application for your organization. These are the initial steps for not only GDPR compliance in general, but more responsible data practices overall.