April 04, 2018

You're Not Ready for GDPR. Is It Time to Panic?

The EU regulation is coming May 25th, so we went to an expert for some last-minute advice.
The business and compliance challenges expected when Europe's General Data Protection Regulation comes into effect in May have had major publishers preparing for months, if not years.

"Every aspect of our business is involved in the effort to build teams, systems and processes to ensure compliance," wrote Doug Miller, the chief privacy officer at Oath, in a March blog post.

If your organization hasn't, should potential fines of €20 million (or higher) for violations have you worried?

"The Europeans are looking for a track record of compliance," explains Carl Schonander, a 25-year veteran of the U.S. State Department who now represents international policy interests for SIIA, the Software & Information Industry Association. "Even if you don't get it 100-percent right, substantial compliance would allow a company to show that it has made a good-faith effort to comply, thus reducing the risk of fines in the event that a data protection authority asks you questions."

Schonander prefers not to speculate about which types of companies the authorities will target after the regulation takes effect, but he has outlined a few key steps that B2B publishers on this side of the Atlantic should undertake as part of that good-faith effort at compliance.

Find out whether GDPR affects you.

The first thing to determine is whether you are in fact subject to the GDPR, and, let's face it, you probably are. The regulation applies to any organization that processes the personal data of individuals in the EU, wherever that organization is based, and personal data means any information relating to an identified or identifiable person.

"That sometimes seems counterintuitive to people, because the information is not particularly sensitive," says Schonander. "There's a distinction between personal data and sensitive personal data, but nonetheless, you're still subject to it."

Review the ways you solicit consent.

There are six lawful bases for processing personal data, but Schonander says the basis for most publishers will be consent. A practical next step is examining the means by which individuals opt in or otherwise allow you to process their data.

Schonander points to Article 7 (Conditions for consent), Section 2:

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

"There's a bit of a higher emphasis on making sure the consent is unequivocal and clear," says Schonander. "You can't provide a pre-checked box for people, for example."

The UK's Information Commissioner's Office has some more bits of advice here, among them, "Keep consent requests separate from other terms and conditions," "name any third parties who will rely on the consent," and "make it easy for people to withdraw consent and tell them how."

Understand the data subjectÕs rights.

Schonander says firms need to put processes in place that allow data subjects to exercise their rights, including the right to have their data erased.

"They also have a right to access their data, and they have a right to data portability," Schonander adds. "You have to have that ready to go."

Review your contracts.

Much of the anxiety surrounding GDPR is associated with the fines it authorizes data protection authorities to levy against companies that violate the regulation: as high as four percent of the offending firm's global annual turnover, or €20 million, whichever is higher. Schonander says that all publishers, including those that aren't established in the EU, should carefully review their partnerships.

"As a practical matter, you'll need to look at your contracts and see what your vendors and partners ask you to do," he says. "You may have American or other business partners that require you to be GDPR compliant."

The reason to review your contracts, Schonander says, is that while the GDPR places new responsibilities on data processors, it does not relieve data controllers of the responsibility to ensure that the data processors they use are doing what they're supposed to do.

"That's another thing that is going to have to be looked at very carefully."

Don't panic.

"If you read any article of this," Schonander says, "read Article 30."

Article 30 requires firms to keep a record of their processing activities. Organizations with fewer than 250 employees are exempt from that requirement unless their processing is likely to pose a risk to data subjects, is more than occasional, or involves special categories of data, but Schonander recommends using the article as a helpful checklist for anyone concerned about remaining compliant.

"Write all of this down, so that you have a story to tell in case a data protection agency asks you about something. Reviewing it with counsel is a good idea," he says. "The likelihood that an authority is going to fine four percent of your global turnover is slim, but it's worthwhile to do this nonetheless."

Article 30 - GDPR

Point (e) of Article 30(1), which requires the record to identify any transfers of personal data to a third country and, where applicable, document the safeguards relied on, is particularly salient for U.S.-based firms, notes Schonander.

"If you transfer personally identifiable information from the EU to the United States, you have to explain what transfer mechanism you're using to do that," he says.

For small or mid-sized companies, Schonander recommends using the EU-U.S. Privacy Shield framework to transfer personal data across the Atlantic. (Privacy Shield was later invalidated by the Court of Justice of the EU in its July 2020 Schrems II judgment; transatlantic transfers now rely on standard contractual clauses or, since July 2023, the EU-U.S. Data Privacy Framework.)

"It's relatively inexpensive, and it's enforced by the FTC and administered by the Dept. of Commerce, so you'll be dealing with U.S. entities," he adds.

Use this as an opportunity to reflect.

Schonander says that one of the guiding principles of the GDPR, and a general best practice anywhere in the world, is data minimization.

"You're supposed to collect data and keep data for the purpose for which it was collected," he continues. "You're not supposed to keep data in case you might be able to use it for something down the road, unless you've obtained consent from the data subject for that."

The above guide is intended to serve as an annotated review of the existing GDPR text, and should not be considered a substitute for legal advice.


Copyright 2018 Access Intelligence, LLC. All rights reserved. From http://www.foliomag.com. By Greg Dool.
