The General Data Protection Regulation and what you need to know about it

//The General Data Protection Regulation and what you need to know about it

The General Data Protection Regulation and what you need to know about it

The General Data Protection Regulation and what you need to know about it

The General Data Protection Regulation (GDPR) in the name of the new European privacy regulation that came into effect in May 28, 2018.  The purpose of the GDPR is to give all individuals in the European Union (EU) increased control over their personal data. Through new regulation, GDPR is changing the way data is captured, used and managed.

The GDPR applies to all websites or mobile applications collecting data from EU residents.  Since the internet is a global marketplace, GDPR can apply to virtually any online business located anywhere in the world.

Failing to comply with the GDPR could result in fines of up to €20 million or 4% of your global turnover, whichever is greater.  The GDPR fines apply to non-EU nations like the United States.

Due to GDPR regulating personal data, it is very broad reaching.   The GDPR impacts, among other things, email marketing, website forms, social medial advertising, cookies, IP tracking, privacy policy, etc.  Additionally, some common practices are no longer valid including browsewrap, implied consent or pre-checked boxes.

At its core, GDPR requires that consent on data be “freely given, specific, informed, and unambiguous.”  The GDPR also requires privacy policies to be “concise, transparent, accessible, and written in clear and plain language.”  Plus, data collecting, and processing practices must be easily accessible to the consumer and free of charge to access.

Below are some tips on complying with the GDPR.

WEBSITE POLICIES REGARDING PERSONAL DATA MUST BE TRANSPARENT AND CLEAR

Have documentation (e.g., privacy policy, terms and conditions) on your website that is easy to understand and is clear on what personal data you process and how you process it.  For example, make sure to inform consumers if their information is being collected, the type of data being collected, why it’s being collected and the length of time the information is stored. The GDPR requires sites to provide additional detail to users before collecting data.  Make sure your site provides full disclosure of personal information purposes and time limits.

OPT-IN PROVISIONS MUST BE VOLUNTARY

Under GDPR, your website cannot automatically opt-in a customer.  Ensure that your website or marketing material does not automatically have check boxes already checked.  Additionally, ensure that your website does not automatically opt-in customers by default.  You must give your customers the choice to opt-in by ‘clinking’ their own boxes.

OPT-OUT PROVISIONS MUST BE CLEAR AND EASY

Once a customer has opted in, you must provide a way for them to unsubscribe or opt-out, at any point, and this must be easy and clearly marked.

KEEP RECORDS WITH AN EYE TOWARDS AUDITS

Keep good records.  You should be able to show how your customers’ consent was requested, captured and stored.  For example, make sure your records are clear and can pass an audit.

CHECK IF CONSENT NEEDS TO BE REFRESHED OR OBTAINED

Re-examine existing marketing databases and your website to ensure proper consent was originally obtained.  You may determine that consent needs to be refreshed since the passage of the GDPR.

KEEP TRACK OF YOUR DATA AND WHERE IT IS LOCATED AND STORED

You website might be collecting personal data – be aware of all the types of personal data it collects. It’s important to determine what data is necessary for collection and where it is located (i.e., if third-parties have access). Limiting the amount of data you collect can be beneficial.  This includes a reduction of storage expenses and a reduction of liability and disclosure efforts following a data breach.

ENCRYPT YOUR DATA

Consider using encryption as a part of your data collection and storage.  It protects personal data by making personal data unreadable should it fall into the wrong hands.  Furthermore, encrypted data can be considered “unintelligible”.  In some cases, you do not need to disclose unintelligible data following a data breach.

PROVIDE CONTACT INFORMATION FOR DATA PRIVACY PERSONNEL

Clearly list on your website the contact information for your data privacy personnel. The GDPR requires companies to provide consumers with the ability to view, edit, or delete their personal information.  Additionally, consumers also have the right to send inquiries regarding their information.  Make sure you allow consumers easy access to anyone responsible for managing personal data, so inquiries can be made.

RIGHT TO BE FORGOTTEN

Develop and offer a process that works for you company for easy data deletion.  Completing data requests can be a time-consuming process.  Make sure you have processes in place to timely handle deletion requests.

HAVE A PLAN FOR A POTENTIAL DATA BREACH

Plan for a data breach.  Should a breach happen, make sure you know what to do, who to contact and that all necessary notification forms are in place.  Additionally, you may want to obtain a cyber-security insurance policy.  If you already have cyber insurance – check your policy to confirm what’s covered.

HAVE A PLAN FOR PORTABLE DATA REQUESTS

Prepare for data portability requests.  Another main component of the GDPR is allowing consumers to transfer their personal information from one service to another quickly and easily via a common format (i.e., CSV file).

MAKE SURE MOBILE APPS ARE ALSO GDPR COMPLIANT

The GDPR also applies to mobile apps or devices that collect personal data.  To ensure you are compliant with the GDPR, spend some time reviewing the data your mobile app collects, where it goes and why it is collected.

LEGITIMATE INTEREST

The GDPR regulation recognizes the concept of “legitimate interest”.  This concept covers those areas where you do not need to ask for permission to process data that you already hold about your customers. This includes contacting previous customers regarding other products and services you consider to be relevant.  Legitimate interest does not require specific marketing consent, so long as the content is relevant, based on your previous interaction with the customer.

The GDPR regulations can be onerous. Please contact Hackler Flynn and Associates if you need assistance in compliance.

 

Recent Post

Personality Test Photo

Are you giving your job candidates personality tests? If so, you may want to think again.

LEGAL ISSUES AND CONCERNS RELATED TO PERSONALITY TESTING IN THE HIRING PROCESS Finding the perfect employee is not an easy ...
>
Sexual Harassment Picture

California’s New Sexual Harassment Training Requirements

California's New Sexual Harassment Training Requirements It’s been just about a year since the Harvey Weinstein allegations hit the press.  ...
>
GDPR image

The General Data Protection Regulation and what you need to know about it

The General Data Protection Regulation and what you need to know about it The General Data Protection Regulation (GDPR) in ...
>
By |2018-12-04T10:20:09+00:00December 3rd, 2018|Contracts|

About the Author:

Ms. Flynn believes her attorneys and staff should come from a wide range of legal backgrounds and experience. She provides a workplace that is team-oriented and works together to bring the best results to her clients.