You’re Not Ready for GDPR. Is It Time to Panic?
The EU regulation is coming May 25th, so we went to an expert for some last-minute advice.
The business and compliance challenges expected when Europe’s General Data Privacy Regulation comes into effect in May have had major publishers preparing for months, if not years.
“Every aspect of our business is involved in the effort to build teams, systems and processes to ensure compliance,” wrote Doug Miller, the chief privacy officer at Oath, in a March blog post.
If your organization hasn’t been preparing, should potential fines of €20 million (or higher) for violations have you worried?
“The Europeans are looking for a track record of compliance,” explains Carl Schonander, a 25-year veteran of the U.S. State Department who now represents international policy interests for SIIA, The Software & Information Industry Association. “Even if you don’t get it 100-percent right, substantial compliance would allow a company to show that it has made a good-faith effort to comply, thus reducing the risk of fines in the event that a data protection authority asks you questions.”
Schonander prefers not to speculate about which types of companies the authorities will target after the regulation takes effect, but he has outlined a few key steps that b2b publishers on this side of the Atlantic should undertake as part of that good-faith effort at compliance.
Determine whether GDPR affects you.
The first thing to determine is whether you are in fact subject to the GDPR—and, let’s face it, you probably are. The regulation applies to any company that collects personal data on an EU citizen—that is, any information relating to an identifiable individual.
“That sometimes seems counterintuitive to people, because the information is not particularly sensitive,” says Schonander. “There’s a distinction between personal data and sensitive personal data, but nonetheless, you’re still subject to it.”
Review the ways you solicit consent.
There are six lawful bases for processing personal data, but Schonander says the basis most publishers will rely on is consent. A practical next step is examining the means by which individuals opt in or otherwise allow you to process their data.
Schonander points to Article 7 (Conditions for consent), Section 2:
2) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
“There’s a bit of a higher emphasis on making sure the consent is unequivocal and clear,” says Schonander. “You can’t provide a pre-checked box for people, for example.”
The UK’s Information Commissioner’s Office offers further advice, including: “Keep consent requests separate from other terms and conditions,” “name any third parties who will rely on the consent,” and “make it easy for people to withdraw consent and tell them how.”
Understand the data subject’s rights.
Review your contracts.
Much of the anxiety surrounding GDPR is associated with the fines it authorizes the EU to levy against companies that violate the regulation—as high as four percent of the offending firm’s annual revenue. Schonander says that all publishers, including those that aren’t established in the EU, should carefully review their partnerships.
“As a practical matter, you’ll need to look at your contracts and see what your vendors and partners ask you to do,” he says. “You may have American or other business partners that require you to be GDPR compliant.”
The reason to review your contracts, Schonander says, is that while the GDPR places new responsibilities on data processors, it does not relieve data controllers of the responsibility to ensure that the data processors they use are doing what they’re supposed to do.
“That’s another thing that is going to have to be looked at very carefully.”
“If you read any article of this,” Schonander says, “read Article 30.”
Article 30 requires firms to keep a record of their processing activities. That requirement doesn’t apply to companies with fewer than 250 employees, but Schonander recommends using it as a helpful checklist for those concerned about remaining compliant.
“Write all of this down, so that you have a story to tell in case a data protection agency asks you about something. Reviewing it with counsel is a good idea,” he says. “The likelihood that an authority is going to fine four percent of your global turnover is slim, but it’s worthwhile to do this nonetheless.”
Article 30 – GDPR
Records of Processing Activities
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- (a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- (b) the purposes of the processing;
- (c) a description of the categories of data subjects and of the categories of personal data;
- (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards;
- (f) where possible, the envisaged time limits for erasure of the different categories of data;
- (g) where possible, a general description of the technical and organisational security measures referred to in Article 32.
Clause (e), Schonander notes, is particularly salient for U.S.-based firms.
“If you transfer personally identifiable information from the EU to the United States, you have to explain what transfer mechanism you’re using to do that,” he says.
For small or mid-sized companies, Schonander recommends using the EU/U.S. Privacy Shield framework to transfer personal data across the Atlantic.
“It’s relatively inexpensive, and it’s enforced by the FTC and administered by the Dept. of Commerce, so you’ll be dealing with U.S. entities,” he adds.
Use this as an opportunity to reflect.
Schonander says that one of the guiding principles of the GDPR—and a general best practice anywhere in the world—is data minimization.
“You’re supposed to collect data and keep data for the purpose for which it was collected,” he continues. “You’re not supposed to keep data in case you might be able to use it for something down the road, unless you’ve obtained consent from the data subject for that.”
The above guide is intended to serve as an annotated review of the existing GDPR text, and should not be considered a substitute for legal advice.