What is the GDPR?
The General Data Protection Regulation is a framework of legal guidelines for collection and processing of personal info of individuals within the European Union. Or, in short, it’s a set of rules that companies need to follow to collect and protect a user’s data. As of May 25th, 2018, any company, group, or individual, that handles European data, or resides in Europe, must comply with GDPR. This goes for massive players like Google down to bloggers who collect email addresses for their newsletter.
Four terms to understand:
Personal Data – any identifying information . This includes submitted information such as your name, email, SIN, address, phone number, biometrics, or account numbers. It also includes information that could be used to identify you indirectly such as location data.
Data Subject – simply put it is the user or the person who is identified by the information.
Data Controller – the person or company who determines the purpose and use of the collected data.
Data Processor – the person or company who processes the data. This includes analytics, marketing, as well as storage such as cloud services.
The controller and processor can be the same or separate. For example, my company collects email addresses for our newsletter. That makes us the controller. We can choose to store these addresses on our own machines, that makes us the processor. Alternatively we can choose to store them in Mailchimp, which is a newsletter app, or perhaps on a document in Google Drive, which is the cloud. Now we have chosen an outside processor. As the controller, we are responsible for GDPR compliance for both our company and our chosen processor.
Security and Privacy Features
The full regulation is over 100 printed pages long. It includes your rights as a data subject as well as regulations around how controllers and processors are required to protect your data.
The basis of GDPR is the User Rights, second to that is emphasis on consent, and finally privacy incident response.
Here are 5 highlights from the regulation:
Right to be forgotten – This is the most talked about and least understood. It is the right for a user to retract their data from storage or processing, from any company at any time. When the Cambridge Analytica scandal broke with Facebook in 2018, people wanted to delete their accounts but there was no regulation to dictate that that Facebook had to delete their data as well. This ruling would have forced both Facebook and Cambridge Analytica to delete the data they had on any qualifying individual that requested it (Facebook as the Controller and CA as the Processor). Note: This right is not an opportunity to have unflattering articles or reviews removed. The rule allows for personal mentions if they fall under freedom of expression, public interest, public health, or research.
Right of access – As a data subject, this is your right to ask about the purpose for the collected data, the processors involved, and even if the data is being manipulated with artificial intelligence or machine learning. All these answers *should* be covered in the new consent request (see below).
Right of restricton of processing – You know those pesky ads that follow you from one website to another? That’s called direct marketing. The restriction of processing means you can indicate specifically that you do not want your data used in direct marketing campaigns.
Consent – For all data collection, the data subject has to have the ability to both opt in AND withdraw consent. Controllers also have to present the information to support right of access. I like to break these down as the 5 Ws:
- WHO – Details of the recipients of the data including links to the controller and names of processors
- WHAT – List of the data being collected
- WHY – Reason for the collection (known as legal basis)
- WHEN – The duration for which the data will be retained
- WHERE – Clear links provided so user knows where to go to enact requests
There is a list of specific pieces of information that must be included according to the Right to Information. The simplest way to satisfy this right is to put all the information in your Privacy Policy.
Privacy Incident Management and Breaches – In terms of protection of data, this is a big one. In the past there was NO regulation that a company had to report a privacy breach. Uber took 6 months to report their 2018 data breach. Now compliant companies have to report any breaches within 72 hours of their knowledge.
For Individuals
Technically the GDPR only applies to citizens in the European Union. In fact, the UK doesn’t even fall under these rules though they do support a Data Protection Bill, which is similar. Check the links below for the related terms and service agreements.
For Businesses and Corporations
Any organization that “processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both” is required to designate a Data Protection Officer. That person is responsible for ensuring compliance of GDPR.
If a company is caught in non-compliance then they face a fine. Depending on the infraction, a tier 1 offence results in a fine of the higher of 2% of the company’s world wide gross revenue or 10 million euros. A tier 2 offence is the higher of 4% of global revenue or 20 million euros. As an example, when Equifax was breached in 2017 they suffered no penalties. Had GDPR been in place they would have owed 67 million dollars in fines.
Every applicable company needs to run a DPIA, or Data Protection Impact Assessment, that includes an explanation why they are collecting the data requested, an assessment of risks to the rights and freedoms of data subjects, and documented proposed measures for safety and security of the collection.
Global Privacy Regulation Compliance is largely what WE do as a company. From DIY checklists to templates to having us do it for you, contact us for more information on how we can help.
For Small Business, Charities, & Clubs
Unfortunately even small businesses, groups, not-for-profits, and charities fall under these regulations. If you run or are part of a group that collects information (newsletters, databases, list serves, forums, etc.) then this could apply to you. Fortunately most of the individual tools that small business uses, like cloud servers, Newsletters, and CRMs, have updated their terms to comply.
What you should do:
- Make a list of all of the software and services you use (good to have this anyway)
- Consider each one for data collection, storage, and processing
- For those that do, type the name of the service and ‘GDPR’ in to Google for instructions
Loads of Links
For a full picture of what compliance looks like for GDPR, download our FREE GDPR overview page of all ten areas on which you need to focus.
After having gone through multiple sites, here several you may find useful:
- The official GDPR site
- The entire GDPR brown down nicely by links
- The GDPR broken down by chapter and in plain english
- Facebook group: GDPR for entrepreneurs – as written by a lawyer
Actions for Businesses that Collect Data
- Getting consent in Google For Business – as controllers. Includes ads, apps, sites
- Google’s G-suite and Cloud Agreements – as processors
- AWS GDPR site
- Dropbox
- Rules for Email Marketers
- Mailchimp’s New Consent Collection
- Facebook for Business
- LinkedIn for Business – includes marketing, sales, developers
Individual Terms and Services for Networks
- Instagram (now combined with Facebook)
- LinkedIn – link for their new terms, coming soon.
If you want help from our consultants, have any questions or find something we’ve missed let us know!
If you run a company, PLEASE PLEASE PLEASE offer the same rights, tools, and privacy settings to call users globally. There is no reason not to!
In an ideal world, yes, we’d all have the same privacy rights. The issue is that many of these rules and regulations, though better for the consumer, are difficult from an implementation and maintenance stand point to a software company so they do not have an inclination to do so.