GDPR: What You Need To Know


May 15, 2018

Hopefully by now you have read about the European Union’s newly enacted General Data Protection Regulation that rolled out May 25, 2018 and followed the recommended updates to ensure your company’s compliance. Remember, the fines for non-compliance with this regulation are massive: up to 4% of your annual, global net revenue for the year prior to the non-compliance offense. Do the math. That is a serious chunk of change. If you market to residents of the EU, then you cannot afford to ignore this regulation.

That said, however, do not be afraid of GDPR. Its intent is a noble one: protecting the privacy rights of personal data for the residents of the EU. And, if you are making concerted efforts toward compliance, you likely won’t have anything to worry about. If you blatantly ignore GDPR, then that’s a different story.

Important reminders for GDPR:

  1. Consult your legal team. At this point, there is NO ONE legally certified to tell you that you are GDPR compliant, except for an attorney. Any and all updates you make surrounding GDPR should be reviewed by them. You cannot afford to risk skipping this step. Remember, GDPR fines for non-compliance are massive.
  2. Review and re-work your Privacy Policy on your website. Important things to include:
    • What personal information you collect
    • What you do with that information
    • How you protect that information
    • Cookie Policy
    • Note any Third-Party vendors who have access to that information
      • And why they have access
    • The Right to be Forgotten
      • Note how you will delete someone’s information if they make that request
        • Include a timeframe (must take place within 30 days of the request)
      • Note that you will not charge a fee to delete or provide someone’s information if they make that request (charging is not permitted)
      • Full contact information for someone to contact if they have questions about their personal information stored by you:
        • Email
        • Phone
        • Mailing Address
        • Compliance Officer (if applicable)
    • Update website contact forms to include a consent disclaimer message with a check-box. The check-box may not be pre-ticked. This disclaimer message must be very clear, written at a 5th-grade reading level, and include a link to your Privacy Policy.

Example:

  • YES! I would like to receive future emails about industry trends and updates. I understand by providing my information I am opting in to receive monthly e-newsletters, which I may opt out of at any time. Privacy Policy.
  3. Add a Cookie Tracking Statement notification message to your homepage. A Cookie Tracking Notification Statement tells users that their behavior will be tracked on the site, and people must have the option to decline tracking. A simple message such as “This website utilizes cookies to track website performance. Do you agree?” with “YES” and “NO” buttons is enough. Be sure to add a link to your Privacy Policy here as well.
  4. Review your email lists. If you cannot prove consent for any person on your list, you must delete them. If you can prove consent, the proof must include a timestamp of the date consent was received.
  5. Protect databases containing Personally Identifiable Information (PII). Any active databases (used within the last 24 months) containing Personally Identifiable Information (PII) must be password-protected.
    • PII includes ANY information that can be used to track or identify a human being.

Examples of PII:

  • Email
  • Phone number
  • Birth date
  • Address
  • Sex
  • IP addresses
  • Cookie IDs
  • Device Identifiers
  • Ethnicity
  • Religion
    • If you ever send a database containing PII via email or any other transfer platform (WeTransfer, Dropbox, etc.), the database must be password-protected, and you cannot send the password to the other party via an unsecured method. It is best to call the individual to share the password.
  6. Record what assets you have that contain PII. Note who has access to this information and how to contact them.
  7. Limit access. Ensure only people who need access to databases have permissions. All others should be kept out. This will limit the possibility of a data breach. Maintain a record of who has access to any PII. This will be required documentation to provide, should you ever be audited for GDPR compliance.
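The consent and email-list items in the checklist (the un-pre-ticked consent check-box, proving consent with a timestamp, and the 30-day deletion window for a Right to be Forgotten request) can be enforced with a small consent ledger. The following Python is an added example written for this page, not code from the original post or from any vendor; the record fields, function names and sample addresses are constructed assumptions.

```python
"""Consent ledger for a marketing email list.

Added example for this page (not code from the original post or any vendor):
it shows how the consent check-box, the "prove consent with a timestamp" rule
and the 30-day Right to be Forgotten window from the checklist can be enforced
in code. Field names, function names and sample addresses are assumptions
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The post's stated deadline for honouring a deletion request.
ERASURE_WINDOW = timedelta(days=30)

# Constructed sample request time used by the demo below.
SAMPLE_REQUEST_AT = datetime(2018, 6, 1, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    email: str
    granted_at: Optional[datetime]  # None: no record of WHEN consent was given
    ticked_by_user: bool            # False: box was pre-ticked or consent was implied
    policy_version: str             # which Privacy Policy text was linked at the time
    source: str                     # where the opt-in happened, e.g. a contact form


def record_consent(ledger: Dict[str, ConsentRecord], email: str, ticked: bool,
                   policy_version: str, source: str,
                   now: Optional[datetime] = None) -> bool:
    """Write a consent record only for an affirmative, un-pre-ticked opt-in.

    Returns True when a provable record was stored. The timestamp is UTC so
    the audit trail is unambiguous across time zones.
    """
    if not ticked:
        return False  # an unticked box is a refusal, not consent
    key = email.strip().lower()
    stamp = now or datetime.now(timezone.utc)
    ledger[key] = ConsentRecord(key, stamp, True, policy_version, source)
    return True


def has_provable_consent(rec: Optional[ConsentRecord]) -> bool:
    """Consent counts only with an affirmative act AND a recorded timestamp."""
    return rec is not None and rec.ticked_by_user and rec.granted_at is not None


def review_email_list(subscribers: List[str],
                      ledger: Dict[str, ConsentRecord]) -> Tuple[List[str], List[str]]:
    """Split a list into (keep, delete): anyone without provable consent is deleted."""
    keep: List[str] = []
    delete: List[str] = []
    for addr in subscribers:
        rec = ledger.get(addr.strip().lower())
        (keep if has_provable_consent(rec) else delete).append(addr)
    return keep, delete


def erasure_deadline(requested_at: datetime) -> datetime:
    """Right to be Forgotten: deletion must be completed within 30 days of the request."""
    return requested_at + ERASURE_WINDOW


def process_erasure(ledger: Dict[str, ConsentRecord], subscribers: List[str],
                    email: str, requested_at: datetime) -> Tuple[List[str], datetime]:
    """Drop the person from ledger and list now; return the list and the deadline
    by which every other copy (backups, vendor exports) must also be purged."""
    key = email.strip().lower()
    ledger.pop(key, None)
    remaining = [s for s in subscribers if s.strip().lower() != key]
    return remaining, erasure_deadline(requested_at)


def build_sample_ledger() -> Dict[str, ConsentRecord]:
    """Constructed data: one clean opt-in, one pre-ticked import, one undated record."""
    ledger: Dict[str, ConsentRecord] = {}
    t0 = datetime(2018, 5, 1, 9, 30, tzinfo=timezone.utc)
    record_consent(ledger, "alice@example.com", True, "2018-05", "website-contact-form", now=t0)
    ledger["bob@example.com"] = ConsentRecord(
        "bob@example.com", t0, False, "2017-01", "legacy-import")      # box was pre-ticked
    ledger["carol@example.com"] = ConsentRecord(
        "carol@example.com", None, True, "2017-01", "trade-show-list")  # no timestamp kept
    return ledger


# Constructed mailing list: mixed case on purpose to show the normalisation.
SAMPLE_LIST = ["alice@example.com", "Bob@example.com", "carol@example.com", "dave@example.com"]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    keep, delete = review_email_list(SAMPLE_LIST, ledger)
    print("keep:  ", keep)      # only alice has a timestamped, affirmative opt-in
    print("delete:", delete)    # pre-ticked, undated, and unknown addresses all go
    remaining, deadline = process_erasure(ledger, keep, "Alice@example.com", SAMPLE_REQUEST_AT)
    print("after erasure:", remaining, "purge everywhere by", deadline.date())
```

Running the file prints the split of the sample list. The point to notice is that `has_provable_consent` treats a pre-ticked box and a missing timestamp exactly like having no record at all, which is what forces the delete decision in the email-list review step; `process_erasure` removes the person immediately and hands back the date by which every other copy (backups, vendor exports) must also be gone.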

If you have completed all the recommended steps we noted, it is important to know that you will never truly be “done” with GDPR. Compliance will be an ongoing effort that requires continuous attention. However, take comfort in knowing that once you are compliant, staying compliant will be much easier (and cheaper) than trying to get compliant after you receive a fine.