For many businesses, few laws have had such a significant impact as the EU General Data Protection Regulation (GDPR). Not only is the effect of this important privacy law noticeable online (you'll most likely have been asked to consent to a lot of activity recently), its broad and international scope has also meant that it has touched a wide variety of companies.
It's essential that you understand the GDPR, and consider how it applies in your situation. As a result of their new-found obligations, many people have learned a lot about the basic principles of data protection. Once you have that theoretical understanding, you're ready to start preparing your company for ongoing GDPR-compliance.
Let's look at the practical steps you can take to adjust your systems and practices in accordance with the new privacy regime.
- 1. Why the GDPR Matters
- 1.1. Some Basic GDPR Terms
- 2. Processing Personal Data Securely
- 3. Collecting Personal Data Lawfully
- 3.1. Establishing Your Legitimate Interests
- 3.2. Earning GDPR-Compliant Consent
- 4. Minimizing Data Collection
- 4.1. Web Forms
- 4.2. Analytics
- 5. Providing Transparent Information
- 5.1. On Your Website
- 5.2. On Your Mobile App
- 5.3. In Emails
- 6. Recording Data Processing Activities
- 7. Summary
Why the GDPR Matters
Any company hoping to enter the EU marketplace needs to treat the privacy of its residents with respect. The EU's data protection laws have been rigorous for many years. But the passing of the GDPR is significant for three main reasons:
- It introduces higher privacy standards and new responsibilities
- It increases accountability and threatens a new range of fines and other sanctions
- It explicitly applies to non-EU businesses, as long as they offer goods or services to, or monitor the behavior of, people in the EU
Many business owners panicked when they first received the 50,000-word rulebook that is the GDPR. Many others, however, decided to make the most of this opportunity to reflect on their data protection practices.
The world is changing, and lawmakers everywhere are determined to reign in data processing practices. Choosing to prepare your systems and processes so that you can comply with the strict privacy standards of the EU simply makes good business sense.
Some Basic GDPR Terms
This article is about the practical stuff - what you need to do in your business to get on board with the GDPR, and how to go about doing it. But in case you're not familiar with GDPR jargon, here are some important terms you need to understand:
- Personal data - any information that can be linked to an "identifiable person." The most obvious example of personal data is a person's name. Some more obscure examples include their Internet Protocol (IP address) and the data collected by cookies.
- Data controller - anyone (including a business, charity, or individual) who decides what, how and why personal data is processed. This could mean something as innocuous as collecting a list of email addresses and responses as part of an online marketing survey.
- Data processor - anyone who processes data on a data controller's behalf. This could be a person who receives this survey data and writes it up into a report. They didn't decide how or why to carry out the survey or write the report, but they're still processing personal data.
Most of the responsibilities imposed by the GDPR fall on data controllers. However to put this in context the GDPR imposes important responsibilities on data processors, too. And it's important to note that most data processors also act as data controllers in some respects.
Processing Personal Data Securely
The GDPR requires you to take technical measures to ensure the security of personal data.
Consider all the different ways in which you work with personal data, and how you might implement practical security measures in relation to each one.
Here are some suggested measures you might take. The European Data Protection Supervisor provides detailed guidance.
Collecting Personal Data Lawfully
It sometimes takes people a little while to understand the concept of lawful bases. Some people approach the GDPR on the assumption that they will need to get consent for all data processing. In fact, this isn't necessary or appropriate in all cases.
If you haven't yet determined your lawful bases for processing personal data, you should take a step back and do this before reading this section. There's some information about this in our GDPR Readiness Checklist article.
Simply knowing that you have a lawful basis for each act of data processing you undertake isn't all you have to do, however. You also need to ensure you are collecting and processing personal data in a lawful way.
Establishing Your Legitimate Interests
It's likely that you'll be relying on your legitimate business interests for collecting personal data in certain ways. For example, you may believe that, under certain conditions, you have a legitimate interest in collecting the IP addresses of visitors to your site.
You won't know for sure until you've conducted a Legitimate Interests Assessment. This is a legal requirement for any company that is hoping to rely on this lawful basis. Carrying out this assessment on recording the results is an important part of your GDPR preparation.
The Information Commissioner's Office suggests that the Legitimate Interests Assessment can comprise main three parts - purpose, necessity and balancing.
Here are some of the questions you'll need to answer in connection with each of these parts:
|The Purpose Test||
|The Necessity Test||
|The Balancing Test||
There's no clear set of "correct" answers. This assessment is a chance for you to demonstrate that you have carefully considered the risks and implications associated with relying on legitimate interests as your lawful basis. You should keep a record of it as well.
Earning GDPR-Compliant Consent
There are a lot of companies that are not getting consent in a lawfully-compliant way. This includes Google, which was fined €50 million in early 2019 for gathering users' consent in a non-GDPR-compliant way (at the time of writing Google is planning to appeal).
Earning lawful consent under the GDPR is actually not an easy task. You'll need consent for a lot of online business activity. And wherever you're asking for consent, you need to ensure that it's:
- Freely given
- Clear and affirmative
In practical terms, GDPR compliance in this area means implementing effective front-end consent solutions for activities like setting cookies and collecting personal data for marketing purposes.
A GDPR-compliant cookie solution does not look a lot like this example, from the The Washington Post:
The Washington Post clearly needs to raise revenue, and personalized ads appear to be an important part of its business model. However, let's consider this example against some of the necessary components of GDPR consent listed above:
- Freely given: The alternative to providing personal data is paying a subscription or not accessing the service - this is not really a free choice.
- Specific: Consent to first- and third-party tracking is "bundled" together - consent is not "specific" to either.
Under the GDPR, you shouldn't ask for consent unless you really mean it. Personal data processing shouldn't be presented as a "payment option."
Here's an example from the University of Edinburgh:
This cookie consent solution has some issues, too, in relation to different factors:
- Unambiguous: It isn't clear that anyone who is subject to this act of data processing has truly consented to it - this is ambiguous.
- Clear affirmative action: The user is supposedly consenting by continuing to browse the site - this isn't affirmative.
Here's a better example from the University of Brighton.
This is potentially problematic, because an obvious option of rejecting consent is not presented to the user. However, this is not an issue as long as you don't assume consent, or deny access to your services until the user has consented.
Here's what happens when the user clicks "Cookie Settings":
Overall, this solution appears to satisfy all these elements:
- Freely given - There is no detriment to refusing consent.
- Specific - Each type of non-essential cookie requires specific consent.
- Informed - The purpose of each cookie is explained.
- Unambiguous - Certain cookies such as targeting cookies are "off" by default. They are not turned on until the user has consented.
- Clear affirmative action - The user must click "I accept" to turn on cookies.
Minimizing Data Collection
One of the key principles set out at Article 5 of the GDPR is data minimization. Don't collect any personal data you don't need. This is a relatively easy principle to implement, and it will save you work and reduce risk in the long term.
One simple way to collect less personal data from your users is simply not to ask for it. Take a look at this web form from Caribbean Smokehouse:
Is a person's date of birth really required when they are signing up for a newsletter? Is collecting a person's name even really necessary? In theory, this is possible, but it seems unlikely. And if you really do need this data, your purposes for requesting it should be explained to the individual.
Purge your web forms of any unnecessary personal data requests.
If you run <
strong>analytics on your website, make sure you're not collecting unnecessary personal data in this way. You should turn off analytics on pages where it is not required. You should be anonymizing IP addresses by default.
Google Analytics provides some guidance on disabling analytics on specific properties:
Google also provides the following guidance on anonymizing IP addresses:
Analytics suite Matomo allows users to select different degrees of anonymization:
Also, note that under the ePrivacy Directive (another EU privacy law), consent is required for most analytics activities.
Providing Transparent Information
On Your Website
On Your Mobile App
The Amazon Kindle app provides access to its Privacy Notice via its "Other" menu, which is easily accessible via the "Setting" tab on the app's main screen:
Here's how Ancestry DNA does this:
Recording Data Processing Activities
Article 30 of the GDPR requires certain organizations to keep records of their data processing activities.
Before you worry about this requirement, you should make sure it applies to your business. The record-keeping obligation does not arise for companies that:
- Have fewer than 250 employees; and,
- Only process personal data occasionally; and,
- Don't process personal data in such a way that is likely to significantly impact on people's privacy (including by processing sensitive "special category" data).
If you're a data controller, complying with Article 30 means maintaining an up-to-date record of:
- Your contact details, and the contact details of your Data Protection Officer and EU Representative (if you have either)
- The reasons that you're processing personal data
- The types of people whose personal data you're processing
- The types of personal data you're processing
- The types of organization with whom you might share personal data
- Any arrangements you have in place to allow you to lawfully transfer data out of the EU
- The storage limits you have in place (i.e. the length of time for which you retain different types of personal data)
- The data security measures you've put in place
Think of this as a way you can demonstrate some of the steps you've taken to prepare for the GDPR. You may be called upon to provide it to a Data Protection Authority.
Here are some of the practical steps you'll need to take to prepare your business for GDPR compliance:
- Implement technical measures to ensure you are processing personal data securely
- Conduct a Legitimate Interests Assessment
- Update your consent request mechanisms to ensure they comply with the GDPR
- Update your web forms and analytics settings to ensure you are only collecting the minimum personal data necessary
- Begin the process of maintaining data processing records, if you're required to do so