The EU’s General Data Protection Regulation (GDPR) is a new privacy regulation that officially takes effect on May 25th, 2018.
According to the GDPR’s official website these new regulations were designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”.
Like most government-created laws and legislation, the GDPR is a huge topic, and unfortunately it’s also incredibly complex. The good news is that we’ve done a ton of the homework for you within this article, and you’ll have a clear picture of what this all means by the time you finish reading this resource. If you’re US based (and not hosting websites) then the changes you’ll have to make are minimal. The bad news is that the laws and how to comply are very specific to each type of business, so you’re going to have to do a little research past this point.
Wondering if this even applies to you? Regardless of whether you’re located inside or outside of the EU, if you do any type of business with Europeans that includes the processing of their personal data (including email or IP address), this legislation applies to you.
Please be warned: This guide is an overview and we are really looking at the topic in terms of the least sensitive category of personal data. If you or your clients’ business(es) regularly deal with sensitive personal data, then you will need professional advice to be sure you’re covered. The potential fines that go with being non-compliant with these new regulations are not something to take lightly.
Section 1: Understanding the GDPR and Who it Affects
What Sort of Data is Covered by GDPR?
At its simplest level, the goal of GDPR is to make companies and charities responsible for protecting data about individuals who are nationals of any European Union countries or the United Kingdom. The law applies to an individual’s data regardless of where your company is based. If your company carries out its business in Europe or the United Kingdom, the regulations affect you. This legislation will still affect the UK, even after it leaves the EU.
Note: It’s easy to fall into the trap of assuming that the ‘data’ they’re referring to is simply that data that’s held online, or electronically. However, GDPR also applies to paper records and importantly, to any device that you use to store and transport the data on.
GDPR is also designed to stop companies from sharing people’s data with 3rd parties or exploiting that data for marketing purposes. Any living individual is a “data subject” and there are two distinct types of data:
Personal data – This is any information that could identify an individual (including IP address).
Special categories – This includes information about someone’s health, trade union membership, race, sexuality, etc. If a company loses this type of data, it can have a more serious impact on the individuals than simply their contact details.
What is Your Role?
There are several important points to remember when you are thinking about GDPR and the way it affects your business and your clients. The law describes two different roles and they carry different levels of liability for the way data is used.
Data Controllers – If you are the person who decides to gather data then you are making decisions about what data is collected and you will also be deciding how the data will be handled. This makes you a Data Controller.
Data Processors – If you receive data from someone else and you follow their instructions in relation to the data that makes you a Data Processor. The law is very broad in its definition of Processing and this includes any activity involving the data. Because this is so broad, it makes it hard to set any limits around our liability. It’s also important to know that this law only applies to individuals’ data, not company data.
When Do You Process Data?
If you hold any data on behalf of your clients then you are a data processor. Your client is the data controller. Examples of when you process data are:
When you send their newsletters via mailing software or exchange files via a cloud storage system.
You are also a data processor if you host websites – and this carries another responsibility under GDPR because you need to ask all the businesses in your hosting supply chain if their systems comply with standards set by GDPR.
A further sting in the tail of this legislation is that you, as a data processor, are responsible for ensuring that you only process data that is properly controlled and that the system you use for processing the data complies with the law.
If you suspect that a data controller is not following the principles of the GDPR legislation, you bear some responsibility. So what are these principles?
The data that a company holds must be gathered lawfully and the process for gathering it must be fair and transparent.
Data must only be gathered for specific, explicit and legitimate purposes.
The data must be adequate, relevant and limited.
It must be accurate and kept up to date.
The data must be kept in a form that allows identification for only as long as necessary.
All data must be kept securely through appropriate technical and organisational measures.
What does this really mean? It means that individuals (data subjects) must be told what data is going to be gathered, why it is being gathered and what it will be used for. For example:
“Please tick the box if you are happy for us to email you with information about our products and special offers. You can contact us at any time to change or remove your contact information.”
This says what will be used (email address) and why (marketing) and invites the data subject to let you know about any change in the data.
To comply with points 3, 5 & 6 you will need to use some judgment. Think about what is reasonable and proportionate and then write this into your data policy. That makes it transparent. For example, if someone applies for a job but doesn’t reach the interview stage, you might keep their data for 3 months or so. If someone gets interviewed then you might keep their data for 6 months or a year. If someone is employed by you, you need to comply with other legislation around employment and that will dictate the length of time you keep the data and how you process it.
There aren’t any specific criteria for keeping data “secure”, but the thresholds for anyone dealing with “special categories” of data are higher. Experts talk about using suitable passwords on all electronic devices that can be used to access the data and passwords for each system where data is held. You can anonymise data by using initials rather than full names, or pseudonymise it.
Encryption is also important. If you’re transporting data or storing it on devices and it is sensitive, you might consider encrypting the data.
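To make the pseudonymisation point above concrete, here is an added example in Python (not code from the article or from any vendor it mentions). It replaces direct identifiers with a keyed hash so that the working dataset no longer names anyone, while a key held separately still lets the data controller re-link records for the same person. The record and key are constructed sample data; which fields count as direct identifiers is an assumption for the example.

```python
"""Pseudonymisation of personal data with a keyed hash (added example).

Assumptions (not from the article): the records and key below are constructed
sample data. The key must be stored apart from the pseudonymised dataset,
otherwise whoever holds the dataset can re-link the pseudonyms to people.
"""
import hashlib
import hmac
import secrets

# Fields the article counts as "personal data": anything identifying an individual.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")


def make_key() -> bytes:
    """Generate a random 256-bit pseudonymisation key; keep it apart from the data."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Replace one identifier with a keyed hash (HMAC-SHA256, truncated to 128 bits).

    A bare SHA-256 would let anyone holding the dataset confirm a guess
    ("is this hash alice@example.com?") by hashing the guess themselves; HMAC
    needs the key for that. The field name is mixed in so the same string in
    two different fields yields different pseudonyms, limiting linkage across
    columns. Values are normalised so "Alice@Example.com" and
    "alice@example.com" map to the same subject.
    """
    msg = f"{field}\0{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with every direct identifier pseudonymised.

    Non-identifying fields (order totals, product codes) are kept as they are,
    so the pseudonymised copy stays useful for reporting.
    """
    out = dict(record)
    for f in DIRECT_IDENTIFIERS:
        if out.get(f) is not None:
            out[f] = pseudonymise_value(key, f, str(out[f]))
    return out


def same_subject(key: bytes, value_a: str, value_b: str, field: str = "email") -> bool:
    """Re-linking two values to one subject requires the key, by design."""
    return pseudonymise_value(key, field, value_a) == pseudonymise_value(key, field, value_b)


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    order = {"name": "Alice Example", "email": "Alice@Example.com",
             "ip_address": "192.0.2.10", "order_total": "42.00"}
    key = make_key()
    print(pseudonymise_record(key, order))
```

The truncation to 32 hex characters keeps the pseudonyms short while leaving 128 bits, which is more than enough to avoid accidental collisions between subjects. If the key is ever destroyed, the dataset becomes effectively anonymous, which is one way to honour a retention deadline without rewriting every row.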
Be proportional to the risk
If you’re taking just a name, phone number, email address and postal address for use in, say, an e-commerce platform or for a newsletter, this is clearly less sensitive than if you take credit card information and store it on your server.
With the latter, financial information, it is clearly much more important to secure the data in a rigorous fashion. A data breach in a system where credit card or highly personal information such as health records are stored, is clearly a far more serious concern due to the harm it could cause. In these instances, amongst others, you will have to more closely track the data processing chain and vulnerabilities and take suitable measures to plug gaps and notify clients.
So if I’m accountable for my clients, what must I do?
Unless you’re a legal expert who really understands all approximately five hundred pages of the GDPR legislation, you don’t want to make yourself responsible for vetting your clients’ systems. What you need to do is to take reasonable precautions so that you can demonstrate you have tried to comply and taken steps to get anyone you are a data processor for to comply also. Ask your clients to inform themselves (send them links to be helpful) and ask them to confirm in writing that they:
Comply with the principles.
If you host for companies, make sure you’ve also checked with your hosting company, in writing, that you are covered or that they are taking steps to cover you and that they comply.
What is a Lawful Basis to Process Someone’s Data?
Under the regulations, you can only process data if you have:
Consent – Remember there is a higher standard of consent required under GDPR, which is why we recommend you update your website forms. You need to be clear on what data is going to be gathered, why it is being gathered and what it will be used for.
A Contract – One instance of this would be an ecommerce site that needs the address, email address and payment details to process an order.
A Legal Obligation – Under employment law, you must pass certain data to the authorities.
There is a Vital Interest – For example, in a medical emergency you will need to access a person’s health records but they might be too ill to give consent.
A Public Task – This would come into effect if you’re carrying out an official function or working within a public role.
A Legitimate Basis for Processing the Data – If you, or your client, have a legitimate interest in processing the data then you may but you need to weigh this against an individual’s right to privacy.
Take the above principles and then review and update your data policy. For “special categories” of data, or if there is a criminal conviction, then you will need to have additional reasons before you can legitimately process the data. If this applies to your business, you should use the ICO online chat or alternative advice service relevant to your country.
What Happens if You Have a Data Breach?
The ICO says a personal data breach is…
“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
It also explains that a personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. A personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
That’s a link you’ll want to bookmark and add to your standard documents on how to handle a data breach. For more information on breaches you can look here.
If your business is based outside the UK, then unfortunately there isn’t a lot of information available yet. The fine print of the GDPR says that you need to find your local lead EU supervisory authority. Unfortunately, we’ve done the research and so far there is no easy way to find that authority. Our best advice is to check with your local regulator to find out how you should proceed. We have a feeling many of these gray areas will be cleared up after the law goes into effect.
The exact steps you follow after a breach will depend on the type and scale of data breach.
Marketo also offers a short easy to understand GDPR Resource that covers many scenarios that you will encounter when you process data that your clients gather. Unsurprisingly, Marketo looks at the question from a marketer’s perspective.
Once you have read the ICO checklist you will have an idea of what kind of data controller or data processor your business is. If you’re in the UK, unless you are POSITIVE that it’s unnecessary, you should carry out the Registration Self-Assessment to check whether or not you need to register with ICO. If you meet the criteria and you fail to do so then you will be breaking the law. This is unlikely to affect SEOs and digital marketing businesses but it could very likely affect your clients so we highly recommend having them go through the process.
Non UK companies
Again, if you have customers that are in the EU then you need to be sure you’re compliant. Unfortunately, the guidance for any company outside of the UK is minimal. The ICO website is a good source for checking compliance needs. However, it is responsible for the UK only. Check your national data authorities to make sure you conform to their requirements.
8 Steps to Getting Prepared
There are some simple, practical changes that we are recommending to our clients.
Step One: Audit Your Data! It is extremely valuable to carry out a data audit to track the data you gather (and whether or not it is gathered lawfully under the new legislation) and what you do with that data. To do this, it is very useful to consider a customer’s journey through the organisation. Look at everything that happens from the first moment they make contact to the point at which they move on. Brainstorm every type of data that is collected, where and why it is held, who has (or had) access to it and how you could say with confidence that you have removed all records of that person if they exercise their right to be forgotten.
Remember, if you have individuals’ sensitive data on a laptop or other device and the laptop is stolen or lost, that is a data breach. If you have data in a filing cabinet, is that in a shared space? Who has access to the files and is it kept locked? All of these questions about where data is handled and how it is secured need to be considered.
It’s surprising how quickly you can uncover a tangle of data held in paper records (these need to be considered too). That includes spreadsheets held by individuals on personal computers, old records ‘held by retired committee members’, cloud based storage systems, accident books, data sent to associations or linked organisations, online databases linked to the website and members’ portals, etc. A data audit can be daunting, but at least you will then have an idea of the work you have to carry out.
Step Three: Check out your email systems. You need to check that email systems are sufficiently secure and that website hosts are committed to meeting GDPR compliance levels by 25th May 2018. If companies aren’t committed to being compliant, you may want to recommend they start looking for alternative hosts.
Step Four: Update your online policy statements. Every company dealing with private individuals data needs a data policy in line with the principles we described earlier. You also need to get your online privacy statement, terms and services as well as your cookies policy updated.
Again, in the case of the UK, the ICO advises all companies to create a ‘Fair Processing Notice’, which is readily available to read and complies with these guidelines.
Step Five: Get Clear & Specific Consent. According to the GDPR you need to get consent from your customers to collect their data and then additional consent on how you plan to use that data. The fine print describes this consent as “freely given, specific, informed, and unambiguous.”
For example, if you’re an e-commerce site (or selling services to people in the EU) then you need to be 100% clear how you’re using the data of anyone who purchases from you. Within your shopping cart you’ll need to outline what you’re using their personal data for and get consent. That means you’ll need separate check boxes (that are NOT default checked) for things like:
To send them promotional emails on additional products and services from your business.
To share their data with affiliates or third party businesses.
Plus, you’ll need to add separate boxes for anything else you do with that data. You have to be 100% clear and you cannot link out to a long user agreement that’s full of legal jargon. Think about the exact path that data takes and be sure you’re getting consent from the consumer for every step.
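The following is an added example in Python, not code from the article, showing what the separate, unticked consent boxes look like on the server side: one record per purpose, storing the exact wording shown, whether the box was ticked, when, and whether consent was later withdrawn. The two purposes are the ones listed above; the form payload, subject id and in-memory store are constructed stand-ins for a real checkout form and database.

```python
"""Recording granular consent from a checkout form (added example).

Assumptions (not from the article): the form payload and subject ids are
constructed sample data, and a plain list stands in for a database table.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from html import escape
from typing import Optional

# One entry per distinct use of the data; each gets its own, unticked box.
PURPOSES = {
    "marketing_email": "Email me about additional products and services from your business.",
    "share_affiliates": "Share my details with affiliates or third party businesses.",
}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    wording: str            # exact text shown next to the checkbox at the time
    granted: bool
    recorded_at: str        # ISO-8601 UTC timestamp
    source: str             # where consent was collected, e.g. "checkout-form"
    withdrawn_at: Optional[str] = None


def render_checkboxes() -> str:
    """Emit one checkbox per purpose, deliberately without any 'checked' attribute."""
    rows = [
        f'<label><input type="checkbox" name="consent_{p}" value="on"> {escape(w)}</label>'
        for p, w in PURPOSES.items()
    ]
    return "\n".join(rows)


def _now(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def record_consent(subject_id: str, form: dict, store: list, now: Optional[datetime] = None) -> list:
    """Turn a submitted form into one ConsentRecord per purpose.

    Only an explicit "on" counts as consent. A missing key (box left unticked)
    is stored as granted=False so the absence of consent is provable later.
    A single bundled "agree to everything" field is rejected outright, since
    consent for several purposes in one tick is not specific.
    """
    if "agree_all" in form:
        raise ValueError("bundled consent is not specific; use one box per purpose")
    ts = _now(now)
    recs = []
    for purpose, wording in PURPOSES.items():
        granted = form.get(f"consent_{purpose}") == "on"
        rec = ConsentRecord(subject_id, purpose, wording, granted, ts, "checkout-form")
        store.append(rec)
        recs.append(rec)
    return recs


def has_consent(store: list, subject_id: str, purpose: str) -> bool:
    """Latest decision for this subject and purpose; default is no consent."""
    for rec in reversed(store):
        if rec.subject_id == subject_id and rec.purpose == purpose:
            return rec.granted and rec.withdrawn_at is None
    return False


def withdraw(store: list, subject_id: str, purpose: str, now: Optional[datetime] = None) -> int:
    """Mark every active grant for this purpose as withdrawn; returns how many changed."""
    ts = _now(now)
    changed = 0
    for rec in store:
        if (rec.subject_id == subject_id and rec.purpose == purpose
                and rec.granted and rec.withdrawn_at is None):
            rec.withdrawn_at = ts
            changed += 1
    return changed


if __name__ == "__main__":
    store = []
    # Constructed submission: only the marketing box was ticked.
    record_consent("cust-1", {"consent_marketing_email": "on"}, store)
    print(has_consent(store, "cust-1", "marketing_email"), has_consent(store, "cust-1", "share_affiliates"))
```

Keeping the wording alongside each record matters because the consent is only as good as the text the customer actually saw; if the policy wording changes later, the old records still show what was agreed to. Withdrawal is recorded rather than deleted so you can show both when consent was given and when it ended.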
Step Six: Reach out to any company that manages or hosts data for you. You’ll want to officially reach out to any other 3rd parties you use to manage or host data to be sure they’re aware of the GDPR and are compliant. If you’re managing the more high risk types of data then you need to be thorough in this. Check their Ts&Cs and make sure you are specific in your checks. For example, at time of writing, the commitments made by Dropbox only comply to Dropbox Business, not the free Dropbox accounts.
Step Seven: Get clients’ sites moved to SSL (HTTPS)! As members of SEN we already know that SSL (HTTPS) is the only route forwards for any website that wants to stay competitive online, but we still meet clients who don’t realise this.
If you have clients and they gather or give access to data via their website and they haven’t yet migrated to SSL then they need to make this move before 25th May 2018.
A note for hosting providers! Remember, you hold some of the responsibility for this now as a data processor if you host their sites, too! Here’s a great resource to walk you through migrating to HTTPS.
Step Eight: Adjust your Google Analytics Data Retention Settings. Google recently sent out an email that explained that you’ll need to manage how long you keep user data within your Google Analytics accounts and adjust it to be compliant with GDPR based on your business. Here’s a quote from the email:
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25th, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Please review these data retention settings and modify as needed. Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.
The important takeaway is that you now have control over this data within your Google Analytics accounts and this does not mean you will lose all data (sessions, page views, etc. will stay intact), but you will lose anything that could be considered user-specific, like demographics and location. If you don’t change anything then as of May 25th it will be automatically set to 26 months.
If you’re in the category of businesses that are affected by the GDPR, our advice is to let Google change that setting to 26 months to be on the safe side. However, depending on how you’re using that data, the type of business you’re in and how ‘high risk’ it is, you may need to adjust it to an even shorter time frame. This is a question you can reach out to ICO about specifically, as well as your legal counsel, to get advice on how to handle it.
If you only service US customers and do not have a privacy/use policy stating otherwise, we recommend that you change this setting to “Do not automatically expire”. The more data you can gather the better when it comes to marketing, and it’s important that you don’t lose valuable information if you don’t have to.
You’ll find and adjust these settings within your Google Analytics account under: Admin Settings > .JS Tracking Info > Data Retention
One VERY useful source of information (especially for those of you in the UK) is the ICO live chat facility we mentioned above. You can find it here. It’s generally open between 9am and 5pm Monday to Friday UK time. As a note – If you’d like a copy of the conversation then you’ll have to copy and paste before the chat is over. Irritatingly, they don’t send you a copy by email and the agents close the chat on you rapidly at the end, losing the entire conversation!
Here are some more articles in which we found very helpful information:
Although the GDPR has been in the works for over two years, the resources to comply leave a lot to be desired, and with the legislation going live on May 25th, 2018 it’s understandable that you’re feeling pressure. For now, our advice is to follow the checklist above for yourself and your clients. Then put your best foot forward before that deadline and be sure to document the changes you’ve made to become compliant.
If you’re ever in doubt then be smart and reach out to the regulation authority in your area for guidance or to your attorney for legal advice. We’ll do our best, as always, to support you here at SEN and as new resources come available we’ll share them with you.