Lyquix

GDPR: What You Need To Know

GDPR is a European privacy law that went into effect on May 25, 2018. It imposes new regulations that may affect many US business, and may have great implications from legal, process, technical, and security perspectives. In this post we will present our initial findings on how GDPR may impact you and your business.

General Data Protection Regulation (GDPR) is a law that addresses personal data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). GDPR aims to give individuals more control over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU/EEA. After four years of debate, GDPR was officially adopted in May 2016, and went into effect on May 25, 2018. It supersedes the Data Protection Directive of 1995.

GDPR defines new rules for collection, processing, storing, and using personal data. One of the most important elements of GDPR is that it applies to any organization collecting personal data of any person located in the EU/EEA, regardless of the organization location. This mean that your business doesn't need to have a physical presence in the EU/EEA, or have its servers in a EU/EEA location to be subject to GDPR.

You may be thinking: "We don't collect personal data, this doesn't concern us." But you need to think again. According to GDPR personal data is any piece of information that can be used directly or indirectly to identify an individual. This includes the IP addresses collected by Google Analytics running on your website, and the names and email addresses you collect from your website contact form.

Here is where things start to get complicated for US businesses. For companies that actively target EU/EEA customers there is no ambiguity, they need to comply with GDPR. But what about US businesses that aren't actively targeting EU/EEA customers? Should they comply with GDPR just because website visitors are located in EU/EEA? Most brick-and-mortar businesses probably have nothing to worry about. But if you are currently able (and willing) to take and fulfill orders from EU/EEA customers, for either products or services, or are planning to do so in the future, you may need to look into complying with GDPR.

GDPR defines two types of organizations, Controllers and Processors, that have to comply to different requirements. A Controller is an organization that determines the means and purpose of personal data collection, while a Processor is an organization that handles personal data on behalf of a Controller. In the case of your website's analytics, Google is the Processor and you are the Controller. Some of the requirements that GDPR impose on Controllers and Processors include naming a Data Protection Officer, disclosing privacy policies, and to ensure privacy protections are implemented in the organization systems and processes by design, and not as a mere afterthought.

Several new rights for individuals have been created as part of GDPR. These include the right for individuals to get free access to all the personal data held by an organization (Controller and all of its Processors), the right to make changes or corrections to such personal data, the right to download all your personal data (and the right to transfer it to another organization), the right to be forgotten (withdraw consent, and the removal of all personal data held by an organization), and the right to be promptly notified of any data breaches.

Another important aspect of GDPR is the new rules regarding consent. When an individual gives consent to collecting and processing personal data, it is in relation to a specific purpose. Organizations are not permitted to hide consent-related information in long, illegible terms and conditions that are full of legalese. Requests for consent must be presented in an easily accessible and intelligible form, using clean and plain language. Consent must be explicit, meaning that you should not use pre-checked boxes assuming the user is giving consent by default. Finally, consent must be granular, allowing users to give consent on specific purposes.

Failure to comply with GDPR may result in fines up to EUR20 million or 4% of annual global revenues (whichever is greater). The amount of the fine will depend on the seriousness of the infringement. It is not clear yet how aggressively will these penalties be imposed, or whether there will be any attempt to penalize US businesses that don't have a physical presence in the EU/EEA.

 

Key Points to Remember

Territorial Scope
Although GDPR is an EU/EEA law, it concerns organizations located outside of the EU/EEA that target customers located in the EU/EEA. Many US businesses may be affected by GDPR.

New Rights
GDPR introduced a number of new rights for individuals in regards to their personal data. This may have an impact on the way you collect, process, and store such data, as well as the new kinds of requests regarding personal data that you will need to support.

Consent
Individuals must give explicit consent on specific purposes. Consent cannot be assumed or accepted by default, and it cannot be hidden in layers or legalese. Consent can be revoked.

Penalties
Failure to comply with GDPR may result in very high fines up to EUR20 million or 4% of annual global revenues (whichever is greater).

 

GDPR Compliance Checklist

The following is a high-level compliance checklist. Its purpose is to give you a general sense of the actions and changes needed to comply with GDPR. Please consult with your legal and IT advisors for specific actions that need to be taken for your business to be in compliance with GDPR, if applicable.

Company Information

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it

  • Your company has a list of places where it keeps personal information and the ways data flows between the storage locations

  • Your company has a publicly accessible privacy policy that outlines all processes related to personal data

  • Your privacy policy should include a lawful basis to explain why the company needs to process personal information

Management and Accountability

  • Your company has appointed a Data Protection Officer (DPO)

  • Create awareness among decision makers about GDPR guidelines

  • Make sure your technical security is up to date

  • If your business operates outside the EU/EEA, you have appointed a representative within the EU/EEA

  • You report data breaches involving personal data to the local authority and to the people (data subjects) involved

  • There is a contract in place with any data processors that you share data with

  • Your business understands when you must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing of sensitive data

  • You should only transfer data outside of the EU/EEA to countries that offer an appropriate level of protection

  • You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to

New Rights

  • Your customers can easily request access to their personal information

  • Your customers can easily update their own personal information to keep it accurate

  • You automatically delete data that your business no longer has any use for

  • Your customers can easily request deletion of their personal data

  • Your customers can easily request that you stop processing their data

  • Your customers can easily request that their data be delivered to themselves or a 3rd party

  • Your customers can easily object to profiling or automated decision making that could impact them

Consent

  • Ask consent when you start processing a person's information

  • Your privacy policy should be written in clear and understandable terms

  • It should be as easy for your customers to withdraw consent as it was to give it in the first place

  • If you process children's personal data, verify their age and ask consent from their legal guardian

  • When you update your privacy policy, you inform existing customers

 

Temporary Workarounds

Given the technical challenges and the investment needed to comply with GDPR regulations, many US business have opted to block all web traffic from EU countries. News organizations like Los Angeles Times, and The Chicago Tribune are showing a message to visitors from the EU informing them that the site is not available in most European countries. The Washington Post has decided that instead of complying with all the requirements from GDPR, they are stopping all advertising and third-party ad tracking for visitors located in the EU/EEA, but with a 50% price increase for those users.

 

 Screenshot of Los Angeles Times website when visited from a EU country, showing that the site is temporarily blocked for EU users. 

 Screenshot of The Washington Post website showing a new premium subscription plan for EU users that is 50% more expensive than the regular subscription plans. 

If you do not solicit business from the EU/EEA and would like to block EU/EEA traffic from reaching your site, please contact us.

 

Resources

Infographic: GDPR Summary for Businesses

The GDPR Compliance Checklist

GDPR Portal

GDPR Legislation Browser

Ruben Reyes - Lyquix Principal

Ruben Reyes

-Technology, Usability & Analytics

Ruben is the lead technologist at Lyquix. He consults directly with clients and manages Lyquix's development team.

Read More