by Jennifer Leslie
If you aren’t already aware, the European Union will begin enforcing the General Data Protection Regulation (GDPR) in May 2018. The GDPR was designed to strictly regulate how organizations process and store data relating to an identified or identifiable human, otherwise known as “Personal Data.” The GDPR was intended to give consumers improved privacy and protections they desire, without stifling businesses’ ability to innovate and market themselves. Despite being an EU regulation, the impacts of the GDPR will extend beyond the borders of the EU Member States. Furthermore, the consequences of non-compliance are severe with fines of up to 4 percent of an organization’s annual turnover.
Even if your business isn’t based in the European Economic Area (EEA), which is made up of the EU plus Norway, Iceland, and Liechtenstein, if you have, or target, customers in those countries (for example, translating your website into German to attract German customers), your business will be subject to the requirements of the GDPR. Because of this, it’s imperative that you align your business operations and your data processing and storage procedures with the requirements of the GDPR.
If you’re not sure where to start, don’t fret. We’ve got you covered.
In October we published an overview of the GDPR and the protections it offers EU residents, and in February, we took a closer look at Article 6 of the GDPR and its implications for the lawfulness of data processing. (If this is your first time hearing about the GDPR, we highly recommend you start by reading those posts.)
In this blog post, we’ll walk you through the essentials for ensuring your business meets the requirements of the GDPR.
Step 1: Create and maintain a running record of your data processes
The GDPR’s accountability principle (Article 30) requires that all affected businesses demonstrate that they process data in accordance with the GDPR standards. To ensure your organization complies, it’s important to document all data processing activities, including the Personal Data your organization processes, the purposes of that processing, where the data came from, who you share it with, and how long it is retained. Basic templates for documenting data processing activities are available on the websites of the data protection authorities of certain European countries, such as the UK and Germany.
Documenting your data processing operations enables your business to comply with other requirements of the GDPR, like updating your privacy notice or responding to data access requests. It can also help improve your data governance and overall business efficiency. After all, knowing what Personal Data you possess, why you have it, and for how long you’ve had it can help you create a more effective, streamlined business process.
Step 2: Understand your organization’s relationship with its data
Do your business activities make you a Controller or a Processor?
Let’s look at the text of the GDPR:
- ‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Say you’re a t-shirt business that deploys Infusionsoft to send automated emails to customers and track their engagement activity. In this situation, your t-shirt business would be considered the Controller, and Infusionsoft, the Processor.
Because Controllers have full possession and control of their customers’ and contacts’ data, the GDPR treats them as the responsible party for things such as acquiring consent and managing revocations of consent, enabling the right to access, etc. Therefore, Controllers face a much more complex set of obligations under the GDPR than Processors.
One of these obligations requires Controllers to work exclusively with Processors that comply with the GDPR (rest assured, as of this date, Infusionsoft is actively striving for full compliance).
Processors may only process Personal Data upon instruction from a Controller and must inform that Controller if they believe the instruction violates the GDPR.
For more information on the obligations of Controllers and Processors, check out this post.
Step 3: Establish Appropriate Processing Practices
As we addressed in the blog post GDPR Article 6: What You Need to Know, the GDPR prohibits the processing of Personal Data without a lawful basis for the processing. Processing Personal Data will be lawful only if it:
- Is based on the consent of the person who is the subject of the Personal Data processing (the Data Subject);
- Is required to perform contractual obligations under a contract with the Data Subject;
- Is necessary for compliance with a legal obligation to which the Controller is subject;
- Is necessary to protect a person’s vital interests; or
- Is in the legitimate interests of the Controller or a third party, and these interests are not outweighed by the rights and interests of the Data Subject(s).
Step 4: Publish your privacy policies
Articles 12, 13, and 14 of the GDPR outline rules requiring Controllers to provide privacy information to Data Subjects. The privacy notification must be concise, transparent, intelligible, easy to access, written in plain language without any legalese (as if writing for a second grader), and available free of charge. Among other things, the notification must include:
- The identity and contact information of the Controller
- How the Controller plans to use the Personal Data it collects
- The lawful grounds under which the Controller is able to process the data
- Data retention period(s)
- The consumer’s rights
Step 5: Allow your customers to exercise their data rights
The GDPR was created in an attempt to empower people to exercise their rights, including their right to privacy and their ownership of their own Personal Data. Some of these rights include (subject to certain conditions):
- The ability to access or correct their data at any time
- To have their data forgotten
- To restrict/suspend the processing of their Personal Data
- To submit a complaint to a data protection authority
- To object to processing of their Personal Data for direct marketing purposes
- Data portability—the ability to easily and securely reuse their Personal Data across different services.
You’ll need to ensure your business has the procedures and technical capabilities to comply with these requests. This task might be one of the more challenging ones, because you’ll have to consider a variety of factors when deciding if, and to what extent, any given Data Subject’s request should be honored.
Step 6: Put systems in place for quick data breach notification
Let’s face it: even with the best efforts at protecting data, security breaches are possible. That’s a reality any business owner has to face.
Under the GDPR, Controllers must notify the public of any Personal Data breach within 72 hours after becoming aware of it. To meet this deadline, you’ll need to have procedures in place to report and investigate a breach in that timeframe.
Step 7: Upgrade your vendor contracts
Article 28 of the GDPR states that Controllers may only use Processors that can sufficiently guarantee they also meet the requirements of the GDPR. In order to do so, these Processors (i.e., your vendors) must:
- Participate in the EU-U.S. Privacy Shield Framework;
- Sign an agreement for the transfer of Personal Data outside the EEA containing EU Standard Contractual Clauses (as approved by the EU Commission);
- Have binding corporate rules reviewed and approved by EU regulators; or
- Be located in a country deemed to have "adequate protection laws."
Be sure to review your contracts with vendors that process Personal Data on your behalf. You must amend any contracts you have with them to include specific provisions required by Article 28.
Step 8: Educate your workforce
Data security and privacy protections only work when everyone adheres to them. Be sure all your business’s stakeholders understand their GDPR obligations and the penalties for non-compliance. You should also inform and educate your workforce on your business’s privacy and IT security policies. It’s important to establish a culture of data security and privacy within your business.
Step 9: Review your insurance coverage
While not required by the GDPR, reviewing your insurance coverage is worthwhile because fines for non-compliance will be significant (up to 4 percent of your organization’s gross annual revenue). To mitigate the risk of hefty fines, review your insurance coverage and make sure your organization will be covered in the event of a violation.
Step 10: Appoint a data protection officer
We’ve included this step last because it only applies to organizations that meet certain conditions. If you have the budget for it, consider hiring a Data Protection Officer (DPO) who will bring expertise to assist you with GDPR compliance.
Unfortunately, there’s a shortage of individuals and organizations who are qualified to serve as a DPO. Furthermore, any DPO you hire won’t be able to ensure an organization’s compliance on her own. The DPO will often need to delegate privacy responsibilities throughout the company. Therefore, you should consider establishing a “Privacy Office” and appointing “Privacy Champions” within business teams. Your DPO will need support from the highest level of management in your company.
As we’ve discussed, the GDPR will impose a significant set of obligations on companies operating from or within the EEA. With effort and determination, your organization can achieve compliance. And Infusionsoft is here to help with those efforts.