Who must comply?
Companies located in the EU as well as companies who are not located in the EU but they offer free or paid goods or services to EU residents or monitor the behavior of EU residents.
When is the deadline?
May 25, 2018
Are there exceptions for smaller companies?
If you have less than 250 employees there are some exceptions for you. For example, in article 30, you are not required to maintain a record of processing activities under your responsibility if you have less than 250 employees (unless your processing results in the risks to rights and freedoms of data subjects, or your processing of EU citizen data is more than occasional).
Where can I read the full GDPR text?
You can find the full text here.
What is the gist of GDPR?
At a high-level, you need to define (in writing) all of the ways your business collects and uses people’s personal information. You need to identify what data you collect and what legitimate purpose you have to collect the data. You need to define how long you will keep the data and have processes around removing the data when the time is up. You need to give people a way to request a copy of the data you have about them. (This is their right of access.) You need to give people a way to request that you delete their data. (This is their right to be forgotten.) You need to have a plan and a process around how you will handle a data breach involving personal information (and follow it).
What is personally identifiable information (PII)?
There are two types of personally identifiable information – information that is directly linked to someone and information that can be used to indirectly identify someone. (See Article 4.)
Here are examples of directly linked Information:
- Full name
- Home address
- Email address
- Social security number
- Passport number
- Driver’s license number
- Credit card numbers
- Date of birth
- Telephone number
- Log in details
Here are examples of information that could be used as an indirect identifier:
- First or last name (if common)
- Country, state, city, postcode
- Gender
- Race
- Non-specific age (e.g. 30-40 instead of 30)
- Job position and workplace
What about IP addresses and cookies? Are they OK?
The regulation is vague and there is a debate about whether IP addresses and cookies are PII. Some say they are as they could be used along with other information to identify someone. Others say they are not.
What are allowable purposes for processing data within GDPR?
The purposes set out that are likely the most applicable to you are:
- The data subject has given consent
- Processing is necessary for fulfilling a contract
- Processing is necessary for compliance with a legal obligation
See here for all of the lawful purposes.
How is consent defined? What counts as consent?
Article 32 states that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication”. It also states that “Silence, pre-ticked boxes or inactivity” do not count as consent.
What do I need to do to comply with GDPR?
Find a lawyer who is knowledgeable about GDPR or a firm who specializes in GDPR compliance. If you don’t have a consultant or a lawyer who can help you may want to consider the services available from OneTrust and asking OneTrust to put you in touch with one of their partner lawyers or consultants. OneTrust has several assessment tools to help with the operational process of managing your GDPR compliance.
Here are things you will do as a part of your work to prep for GDPR compliance.
Identify the PII data you are collecting and processing and define how long you will keep it and what your process will be for getting rid of it.
Identify the vendors you share information with. You will need to have them sign agreements with you. Your lawyer / GDPR consultant can help you with this.
When it comes to your website:
- You will need to add tools to manage consent for cookies. One tool that we are using to implement this for customers is OneTrust’s cookie consent tool. As a part of this, you will need to define what cookies are strictly necessary and ensure your website can function with all the other cookies disabled.
- You will need to make sure only strictly necessary data is collected if you have not been given permission to collect more than that.
- You will need to update your privacy policy on your website.
- To comply with Google Analytics terms of service, you will want to make sure you are not sending any personally identifiable information to Google Analytics (i.e. make sure you don’t have names or email addresses being sent to your site using query strings as this would be recorded in Google Analytics).
What needs to happen in the event of a data breach?
You have an obligation to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individual’s right and freedoms, you must also inform those individuals without delay. You must keep a record of any personal data breaches.
How quickly do I need to respond to someone’s request for a copy of their data?
You need to respond to a request for data within 30 days. This includes notifying other vendors who the personal data may have been shared with.
If a user requests to “be forgotten”, do I always need to remove the data from my system?
If you need the data to comply with a legal obligation, you can remove the data from all other uses except for what is required to fulfill the legal obligation (i.e. not use it for marketing purposes) and then have a plan and follow through on removing the data once your legal obligation is complete.
Is this everything?
No. There is more to it than this, but this will give you an idea of what needs to be done.
Remember – this is not legal advice. I recommend you find and talk to your lawyer.
Additional references:
https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/ https://www.itgovernanceusa.com/webinars/eu-gdpr-webinar
https://onetrust.com/products/gdpr-compliance/