DISCLAIMER: This article should not be interpreted as legal advice. The C2 Group recommends consulting your corporate legal team to better understand how GDPR may apply to your organization. For more information on GDPR, please visit https://gdpr-info.eu/.
The European Commission (EC) has given businesses the opportunity to redefine their privacy policies and share with consumers how they process personal data prior to the May 25 deadline. While this is an EU law, it doesn’t necessarily mean U.S. companies and marketers are off the hook. The internet is worldwide, and your customers or clients probably are, too. If your company targets, processes the sensitive personal information of, or otherwise markets to European citizens, GDPR will apply to you.
Sensitive personal data is any data that can be used to identify a (living) individual. This includes, but is not limited to: first or last names; home addresses; email addresses; identification or card numbers; location data; IP addresses; cookie IDs; advertising identifiers on phones; or data held by a healthcare provider (Article 4).
Data that isn’t considered personal or sensitive includes company-issued registration numbers or email addresses and any anonymized data. Be careful, though. Data that you may think is anonymous isn’t always what it seems – the anonymization must be irreversible for the data not to qualify as personal data.
You’ll need to make known the following in your privacy policies:
Businesses need to be aware of the way they request information and what information they request from users. The information you are collecting should be adequate, relevant, and limited to what is necessary for the requested purpose (Article 5.1c). For example, if a user is signing up for your e-newsletter, there is no logical reason they should provide anything other than their name and email address.
Any subscription or sign-up form used for direct marketing must have a separate checkbox for each type of marketing the user consents to receive. The checkboxes must default to unchecked, allowing the user to opt in to whatever they please. Businesses can never assume a user’s consent to use his or her information.
At any time, a user must have the ability to access their personal data and update it (Article 7.3). They must also be able to retract their consent for marketing (Articles 15.1, 15.3, and Article 16) at any time. This may be offered via phone, email, the site itself, etc.
Regarding back-end marketing systems, it is recommended that consent be recorded with timestamps, because the controller must be able to demonstrate that the user has given consent to the processing of his or her personal data (Article 7.1).
Finally, users must have the ability to delete their personal data altogether upon request (Article 17). There is no defined way as to how data must be deleted; the regulation says only, ambiguously, that it should happen in a “timely fashion”.
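The consent-handling steps above (one unbundled opt-in per marketing channel that defaults to unchecked, timestamped consent records the controller can produce on demand, withdrawal at any time, access and rectification, and deletion on request) can be put together in a small back-end model. The following Python is an added example, not code from The C2 Group or from any marketing platform; the channel names, the in-memory store, and the idea of keeping a personal-data-free record of each erasure are assumptions made for illustration.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical marketing channels; each one gets its own separate opt-in.
CHANNELS = ("email_newsletter", "sms_offers", "partner_offers")


@dataclass
class ConsentEvent:
    channel: str
    granted: bool        # True = opt-in, False = withdrawal
    timestamp: datetime  # when the user acted, in UTC
    source: str          # where the action came from, e.g. "signup_form"


@dataclass
class Subscriber:
    name: str            # only name and email are held (data minimisation)
    email: str
    consent_log: List[ConsentEvent] = field(default_factory=list)


class ConsentStore:
    """In-memory stand-in for a back-end marketing system's consent records."""

    def __init__(self) -> None:
        self._subscribers: Dict[int, Subscriber] = {}
        self._erasures: List[dict] = []  # proof of deletion; holds no personal data
        self._next_id = 1

    def signup(self, name: str, email: str, checked: Dict[str, bool],
               now: Optional[datetime] = None, source: str = "signup_form") -> int:
        """Register a subscriber; consent is recorded only for boxes the user ticked."""
        now = now or datetime.now(timezone.utc)
        unknown = set(checked) - set(CHANNELS)
        if unknown:
            raise ValueError(f"unknown channel(s): {sorted(unknown)}")
        sub = Subscriber(name=name, email=email)
        for channel in CHANNELS:
            # Default is unchecked: a missing or False box never becomes consent.
            if checked.get(channel, False) is True:
                sub.consent_log.append(ConsentEvent(channel, True, now, source))
        sid = self._next_id
        self._next_id += 1
        self._subscribers[sid] = sub
        return sid

    def has_consent(self, sid: int, channel: str) -> bool:
        """Current consent is the most recent event for that channel, else False."""
        events = [e for e in self._subscribers[sid].consent_log if e.channel == channel]
        return events[-1].granted if events else False

    def withdraw(self, sid: int, channel: str, now: Optional[datetime] = None,
                 source: str = "account_settings") -> None:
        """Retract consent for one channel; appended rather than overwritten,
        so the full history stays demonstrable."""
        now = now or datetime.now(timezone.utc)
        self._subscribers[sid].consent_log.append(ConsentEvent(channel, False, now, source))

    def evidence(self, sid: int, channel: str) -> Optional[ConsentEvent]:
        """The timestamped opt-in the controller would show to prove consent."""
        grants = [e for e in self._subscribers[sid].consent_log
                  if e.channel == channel and e.granted]
        return grants[-1] if grants else None

    def rectify(self, sid: int, name: Optional[str] = None,
                email: Optional[str] = None) -> None:
        """Let the subscriber update the data held about them."""
        sub = self._subscribers[sid]
        if name is not None:
            sub.name = name
        if email is not None:
            sub.email = email

    def export(self, sid: int) -> dict:
        """Access request: everything held about this subscriber, consent history included."""
        sub = self._subscribers[sid]
        return {"name": sub.name, "email": sub.email,
                "consent_log": [asdict(e) for e in sub.consent_log]}

    def erase(self, sid: int, now: Optional[datetime] = None) -> bool:
        """Delete the subscriber entirely, keeping only a record (with no personal
        data in it) that the deletion happened and when."""
        if sid not in self._subscribers:
            return False
        del self._subscribers[sid]
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self._erasures.append({"subscriber_id": sid, "erased_at": stamp})
        return True

    def erasure_count(self) -> int:
        return len(self._erasures)
```

The consent log is append-only on purpose: a withdrawal is a new event rather than an edit, so the store can still show when consent was given, from where, and when it was withdrawn. Erasure removes every field that identifies the person and leaves behind only an opaque id and a timestamp, which is enough to show that the request was honoured without retaining the data the user asked you to delete.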
Businesses need to perform a comprehensive data audit to pinpoint all the ways in which they process and secure personal data. This audit should focus on the following four "Ws":
An audit identifying what data is captured, where it is held, and how it’s used and accessed is the first step toward GDPR compliance. Businesses must also determine the security measures in place against data breaches and create appropriate and timely documentation and reports for data requests.
Ultimately, we recommend completing an internal data audit and consulting with corporate legal representation for a full understanding of this legislation and its application for your organization. These are the initial steps for not only GDPR compliance in general, but more responsible data practices overall.