May 22, 2018

GDPR Compliance – Practical Checklist

Posted by Eugen Marinescu

GDPR is a hot topic on everyone’s minds these days. As the May deadline for compliance approaches, many companies still have a lot to do to comply with the new requirements that give consumers greater control over their data.

May 25th – the GDPR enforcement date – is closer than you might think!

One of the key messages of the webinar was: if you haven’t done much yet, it’s not too late, but get started now. Reading this article is a good start, but make sure to take action as soon as you’re done—and involve others in your company as well.

GDPR summary and key requirements

GDPR is a new data privacy law that affects all types of companies operating in the EU or processing data of EU nationals. Companies are required to get consent and have a legitimate interest to process this personal data. It doesn’t matter what type of business the company is in, if it sells to businesses or consumers or if it has a physical presence in the EU: if the company deals with EU resident data, it must be GDPR compliant.

What happens if I don’t comply?

Companies that are not compliant with GDPR are subject to fines of up to 10-20 million Euro or 2-4% of your company’s annual turnover (these are maximum fines and nuances apply depending on the infringement and other aspects). For companies with thin margins or high turnover, these fines could have a serious impact on business, so it’s worth avoiding them.

What is PII?

When seeking GDPR compliance, it’s important to understand what data counts as personally identifiable information, or PII. There are three categories of PII: general personal data, sensitive personal data and criminal activity data.


Most companies will be dealing with general PII like name and surname, address (which includes physical address or IP address), job and similar information. While obtaining consent is enough to gather and use general personal data, additional measures are required for sensitive personal data and criminal activity data.

Know the rights of the data subject

Under GDPR, data subjects—people whose data you (want to) hold—have eight specific rights:

  • Right to complaint
  • Right to data portability (new)
  • Right of access by the data subject
  • Right to rectify or object to data
  • Right to be forgotten or informed
  • Right to oppose automated individual decision-making
  • Right to a data protection officer (DPO) as safeguard (new)
  • Right to restriction of processing

Items marked (new) are new under GDPR. These rights require you to keep track of the data you have (so it can be ported somewhere else) and may require you to have a DPO.


Know your DPO and reporting obligations under GDPR

A DPO is mandatory only if processing personal data is a core activity of your business, if you do large-scale data processing or if you engage in regular and systematic monitoring of data subjects. Your DPO or other data controller needs to report certain data breaches, so make sure you understand what breaches must be reported, what should be included in the notification and who should be notified—including whether data subjects themselves need to know – and how quickly.

GDPR affects profiling, consent and privacy notices. You’ll need to ensure that contract necessity, controller law, and explicit consent are covered. A positive opt-in is now mandatory for all PII collection, and your privacy policy will probably need to be updated to be much more understandable and accessible (i.e., not buried 20 clicks deep on your website and written in legalese). People should be able to read the notice and understand clearly how you might use the data they consent to share.

Your suppliers must be GDPR compliant, too

If you are a U.S.-based company and you have customers in the EU, you need to be GDPR compliant — and so do your suppliers. It’s not enough to just trust your cloud service providers to be GDPR compliant. You need a statement of commitment from them (no certificate of compliance is available yet), no matter where they’re located, because they will be handling your customer data that’s subject to GDPR. You need to understand not only where they physically store data, but also how they plan to transfer, back up or destroy data as necessary. If you end your contract, you need to verify that the company can destroy the data it held, if required. If your supplier breaches GDPR, it can mean you’ve been negligent as well to some degree, so make sure to audit your upstream and downstream suppliers and ask good, detailed questions. When it comes to moving data outside of the EU, ensure that every company involved is committed to protecting it in line with EU laws. In the U.S., this can be addressed by a program called Privacy Shield.

GDPR affects your entire company

Every department has data subject to GDPR and a role to play in compliance. IT needs to secure data. HR needs to train employees on their GDPR responsibilities and holds employment-related personal data. Marketing needs to rethink how it buys, collects, uses and markets with data, including getting opt-in confirmation and developing clear policies. If your sales team uses a CRM system to store customer or prospect data, you need to be GDPR compliant. The image below shows GDPR considerations for the marketing department alone:


Creating your GDPR compliance plan

GDPR compliance is complex enough that it requires a clear plan. Begin by establishing the project and involving the right stakeholders across departments.

Organize your existing data protection process so you protect what you already have as well as what you collect.

Throughout, keep in mind that personal data is never your property: it remains the property of the data subjects. Think of yourself like a “bank” that holds data instead of money. You have to be able to give that data back and let subjects examine it at any time. As you prepare, build up your data inventory: identify all the data you have in the company and make sure you understand how and where it’s held, and whether it’s in compliance. If not, figure out how to achieve compliance. Finally, go after third-party compliance with your supply chain and partners.

Next, we’re sharing answers to these common (and some uncommon) GDPR questions. We’ve divided them into a few categories: consent, data, general and Gray Areas (there are a lot of those!).

Consent

Do you need to ask for consent again from paying recurring customers?

Consent you have already obtained remains valid, and data may be processed under it, only if the regulation’s provisions were observed when it was obtained. Varieties include opt-in, informed consent and granular consent. Generally, a refresh of consent is a good idea.

BUT, if it’s personal data that’s processed in relation to a contract you already have in place, then consent is not needed again. Consent is as lawful as the contract you have in place. What you do with the data is another matter – that falls under “data” below.

Do we need to reconfirm mailing list subscribers?

Keep in mind that you could get fined for spamming everyone on your list to ask for consent.

You do need to get consent again, say for a newsletter. But there are creative ways of doing this. Creative, compliant ways. For example, part of your current newsletter could say, “We are reinventing this newsletter with much better premium content: click here to opt-in/subscribe,” and then you have fresh consent. Don’t just ask, “Do you want to stay?” That could already be a breach.

Could you send a Terms of service update email and ask for consent there?

The ePrivacy directive allows opt-out for existing customers. If you have a database with emails and send them a newsletter based on opt-out, that’s okay under current law. As mentioned, if you have an opt-out but you don’t have relationships and the person is not a customer, sending any type of mass marketing communication is punishable even under current laws.

Do we need consent for generic emails that are not personally identifiable, like info@company.com?

These emails would not be considered personal, but keep in mind that if someone replies to one of these email addresses and you gather their name, that would be personal data. Pay attention to what happens at different points in the chain and how the information you hold gets updated.

What about an email list for both EU and non-EU citizens?

It’s correct that you need to get consent only for EU citizens, but be careful: Australia, China, and other countries have similar legislation. Also, the meaning of data subjects “from the EU” is interpretable: Is it citizens, residents? This requires clarity, so it’s best to get consent from everyone and it’s easier to handle too.

If you collect just email addresses, how do you distinguish EU citizens?

Similar to age verification, where someone certifies “I’m at least 18 years old”, you could add something along the lines of “I’m an EU citizen”.

There is a lot of ambiguity around the legal basis of legitimate interest. To what extent does an organization have a legitimate interest in measuring, reporting, testing and optimizing the performance of its website?

Processing “online identifier” personal data in aggregate, for the purpose of measuring, say, the completion rate on a form or the buttons clicked on a landing page, does not profile or otherwise “directly” impact the user as long as the data is actually anonymized, in which case you are fine. The gray area here comes from inbound marketing tools that by definition profile users’ behavior on a website and need to identify them with a cookie. These tools would require consent for compliance.

If we use a third-party service to manage our email newsletter, do we need to mention the name of that company in the opt-in? Or in a Learn More link?

Yes, if you are going to share a citizen’s data with a third party such as a marketing or mailing agency, then you need to have named them on the opt-in so that the citizen knows their data may be shared with that specific third party. Going further, you’ll need to check that your supplier is also GDPR compliant.

How should email signatures be handled in emails stored in the system? How can you get consent to store this if the signatures are automatically stored once an email is received?

As an email with signature is sent voluntarily by the user with that data attached, with a good understanding that emails are kept and stored and forwarded, the user has given implied consent to that data for that specific use/purpose (i.e., being stored with the email). The user has NOT, however, given consent to now be marketed to or be added to a marketing database.

How do you record consent?

This area is slightly gray, but to comply you need to demonstrate that you have consent from an individual. Therefore you should maintain the following records:

  1. Who consented — the name of the individual or another identifier.
  2. When they consented — a copy of a dated document or online records that include a timestamp.
  3. What they were told at the time — a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
  4. How they consented — for written consent, keep a copy of the relevant document or data capture form. If consent was given online, for example via a form, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation. It doesn’t need to be a full record of the conversation.
  5. Whether they have withdrawn consent — and if so, for what and when.
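The five record-keeping items above map directly onto a data structure. The following is an added example (not code from the article or from Avangate) of a minimal consent ledger in Python that stores each item, pins every record to the exact statement and privacy-policy version that was in force when consent was given, refuses oral consent that has no contemporaneous note and online consent without an affirmative opt-in, and answers the two questions an auditor will ask: “did you have valid consent at time T?” and “show me the evidence”. All class names, field names and the sample subject data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentStatement:
    """Master copy of the wording shown to the subject (item 3)."""
    version: str
    effective_from: datetime
    text: str
    privacy_policy_version: str

    def digest(self) -> str:  # hash of the exact wording, so an audit can prove it was not altered
        return sha256(self.text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str            # item 1: who
    purpose: str               # e.g. "newsletter"
    given_at: datetime         # item 2: when (timezone-aware)
    method: str                # item 4: "online_form", "written" or "oral"
    statement: ConsentStatement  # item 3: the version in force when consent was given
    statement_digest: str
    evidence: Dict[str, str]   # item 4: submitted form data, or the note made at the time
    withdrawn_at: Optional[datetime] = None  # item 5


class ConsentLedger:
    def __init__(self, statements: List[ConsentStatement]) -> None:
        self._statements = statements
        self._records: List[ConsentRecord] = []

    def _statement_in_force(self, at: datetime) -> ConsentStatement:
        # Pin the record to the version live at that instant, not to today's wording.
        live = [s for s in self._statements if s.effective_from <= at]
        if not live:
            raise ValueError("no consent statement was in force at " + at.isoformat())
        return max(live, key=lambda s: s.effective_from)

    def record_consent(self, subject_id: str, purpose: str, given_at: datetime,
                       method: str, evidence: Dict[str, str]) -> ConsentRecord:
        if given_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if method == "oral" and not evidence.get("note"):
            raise ValueError("oral consent needs a note made at the time of the conversation")
        if method == "online_form" and evidence.get("opt_in") != "checked":
            raise ValueError("positive opt-in only: an unticked or pre-ticked box is not consent")
        stmt = self._statement_in_force(given_at)
        rec = ConsentRecord(subject_id, purpose, given_at, method, stmt, stmt.digest(), dict(evidence))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Close every open consent for this subject and purpose; returns how many were closed."""
        open_recs = [r for r in self._records
                     if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in open_recs:
            r.withdrawn_at = at
        return len(open_recs)

    def has_valid_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if consent for the purpose was in effect at the given instant (default: now)."""
        at = at or datetime.now(timezone.utc)
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at) for r in self._records)

    def evidence_for(self, subject_id: str, purpose: str) -> List[dict]:
        """The five checklist items, per record, ready to show a regulator."""
        return [{"who": r.subject_id, "when": r.given_at.isoformat(),
                 "told": {"version": r.statement.version, "text": r.statement.text,
                          "privacy_policy": r.statement.privacy_policy_version, "digest": r.statement_digest},
                 "how": {"method": r.method, "evidence": r.evidence},
                 "withdrawn": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> dict:
    """Constructed sample: two statement versions, one subject who opts in and later withdraws."""
    utc = timezone.utc
    ledger = ConsentLedger([
        ConsentStatement("v1", datetime(2018, 1, 1, tzinfo=utc), "Send me the monthly newsletter.", "pp-2018.1"),
        ConsentStatement("v2", datetime(2018, 5, 25, tzinfo=utc), "Send me the premium newsletter.", "pp-2018.2"),
    ])
    ledger.record_consent("subj-001", "newsletter", datetime(2018, 3, 1, 9, 30, tzinfo=utc),
                          "online_form", {"opt_in": "checked", "email": "user@example.com"})
    withdrawn = ledger.withdraw("subj-001", "newsletter", datetime(2018, 6, 1, tzinfo=utc))
    try:  # oral consent without a contemporaneous note must be refused
        ledger.record_consent("subj-002", "newsletter", datetime(2018, 6, 2, tzinfo=utc), "oral", {})
        oral_rejected = False
    except ValueError:
        oral_rejected = True
    return {"valid_before": ledger.has_valid_consent("subj-001", "newsletter", datetime(2018, 4, 1, tzinfo=utc)),
            "valid_after": ledger.has_valid_consent("subj-001", "newsletter", datetime(2018, 7, 1, tzinfo=utc)),
            "version_shown": ledger.evidence_for("subj-001", "newsletter")[0]["told"]["version"],
            "withdrawn_count": withdrawn, "oral_without_note_rejected": oral_rejected}
```

Two design points matter in practice: the record references the statement version that was live at `given_at`, so a later rewrite of the opt-in text cannot silently change what a subject is recorded as having agreed to, and withdrawal closes the record rather than deleting it, because item 5 requires you to show what was withdrawn and when.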

What about fraudulent consent, or cases when a customer will deny that he has given consent?

If you can show consent and the required details, you cannot be held as noncompliant if someone fraudulently signed someone else up. In this instance, you would simply remove that data on request to be forgotten. The regulators are NOT going to fine companies for such singular small issues. They do not have the time or resources. GDPR in this case simply protects the citizen by putting the law behind them to fix any such instances.

We will also likely see flouting of these laws by foreign entities, as we see today with phishing emails, scam phone calls from abroad, etc. The GDPR game is to do what you can and follow best practices so that your house is in shape and you can prove it if asked.

Data

Are there specific requirements for data portability?

When it comes to data portability, you have to be able to give all the data that was provided by or observed from the data subject.

Do the data properties of someone’s computer, like login/logout, fall under profiling and require opt-in?

As an individual, I’d want to know in what situation the logs are being recorded. Again, consent is not the only thing that allows you to process personal data. There’s also legitimate interest. If the logs are done because the data subject is a customer or you have another reason that qualifies as “legitimate interest”, then consent is not needed. If the login is to develop a profile and if you keep a classification of login/logout and send push notifications based on that, then that’s profiling. So why are you tracking logins?

Profiling has two parts: 1) automated processing that puts the user in a classification and 2) what the automated processing will be used for. Being able to see data subject interest or behavior will allow you to see the next behavior.

If we get consent to transfer data to a partner, but the partner breaches GDPR, are we responsible?

It depends on who the data controller is. If, at the time of the processing, you were not acting under the orders of the party to whom you transferred the data, this could be a relationship between two data controllers. In this case, you would not be liable. However, if you are the data processor or controller, as you would be if the partner asked you for the data and you collected it for the partner, you would be jointly liable under GDPR.

Is geolocation data considered personal if anonymized?

Not if you do anonymization that can’t be reversed. If you are holding indexes that can link the geolocation data back to personal information, it’s personal data. If the personal data is deleted, then it’s actually anonymized and compliant.
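The distinction drawn above, between data that can still be linked back through an index and data that cannot, is easy to get wrong in code. The following added example (mine, not the article’s or Avangate’s) contrasts the two in Python on a constructed set of location records: `pseudonymize` swaps the subject ID for a keyed token but is still personal data, because anyone holding the key or a token-to-subject table can reverse it; `anonymize` drops identifiers, coarsens coordinates to a grid cell, and suppresses any cell with fewer than `k` distinct subjects, which is the kind of irreversible aggregation the answer describes. The grid size, the `k` threshold and the sample coordinates are assumptions of the example.

```python
import hashlib
import hmac
import math
from typing import Dict, List, Tuple

Cell = Tuple[float, float]

# Constructed sample: four subjects around one city centre, one subject elsewhere.
SAMPLE_RECORDS: List[dict] = [
    {"subject_id": "s1", "lat": 48.85, "lon": 2.35},
    {"subject_id": "s2", "lat": 48.86, "lon": 2.30},
    {"subject_id": "s3", "lat": 48.90, "lon": 2.40},
    {"subject_id": "s4", "lat": 48.80, "lon": 2.20},
    {"subject_id": "s5", "lat": 51.50, "lon": -0.10},
]


def to_cell(lat: float, lon: float, cell_deg: float = 0.5) -> Cell:
    """Generalize a coordinate to the south-west corner of a coarse grid cell."""
    return (math.floor(lat / cell_deg) * cell_deg, math.floor(lon / cell_deg) * cell_deg)


def pseudonymize(records: List[dict], key: bytes) -> List[dict]:
    """Replace subject_id with a keyed token. This is still personal data: whoever
    holds `key` (or a token -> subject index) can link each row back to a person."""
    return [{"token": hmac.new(key, r["subject_id"].encode("utf-8"), hashlib.sha256).hexdigest()[:16],
             "lat": r["lat"], "lon": r["lon"]} for r in records]


def anonymize(records: List[dict], k: int = 3, cell_deg: float = 0.5) -> Dict[Cell, int]:
    """Irreversible aggregate: drop identifiers, coarsen coordinates, and suppress
    any cell with fewer than k distinct subjects so no individual stands alone."""
    subjects: Dict[Cell, set] = {}
    for r in records:
        subjects.setdefault(to_cell(r["lat"], r["lon"], cell_deg), set()).add(r["subject_id"])
    return {cell: len(ids) for cell, ids in subjects.items() if len(ids) >= k}
```

Running `anonymize(SAMPLE_RECORDS)` keeps only the cell with four subjects and suppresses the lone fifth record; the output carries no identifier and no per-person row, so there is nothing left to link. The pseudonymized list, by contrast, is reversible for as long as the key exists, which is exactly the “index that can link back” case.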

General and Administrative

Is there a certificate for compliance? Our customers are asking for this.

There is no GDPR certificate. There are some guidelines that support certain quality standards, like an ISO standard. Likewise, there is no certificate available at this point for a product or a cloud service. While there is no current GDPR certification, there are plans to include it in other certifications.

There is an alternative way to look at this, which is PCI compliance for payment providers. It isn’t exactly GDPR but has – at its foundation – the same mechanisms. It proves the partner is compliant as far as payment data is concerned and that the partner has a solid base for GDPR compliance.

Regarding existing employees’ contracts, does the HR department need to update them or add an appendix with clauses about GDPR requirements?

It is key that HR reviews the employee handbook for any changes needed. Often much will already be covered due to prior data protection law needs anyway. Ideally, this is not in employee contracts, but you will have contracts that refer to the employee handbook, so simply updating the handbook and alerting employees to the central update would be enough. It is recommended, though, that all staff go through a training session on GDPR and their obligations and sign a form to go on file that they attended training, so as a business you have ticked that box.

There are some good online examples such as at Econsultancy AND reading at ICO. This article may help as well.

Does GDPR only relate to electronic data or does it apply to paper records too?

GDPR mostly talks about electronic examples; however, it applies to all citizen or individually held data in any format. It is true that GDPR is harder to do with paper records, e.g., if someone asks to be forgotten, you need to find that data in files of paper records.

One question on the maximum fine for small companies. We’ve heard 10-20 million Euro, and also 2-4% of annual global turnover. For a small company (less than 20 million Euro annual turnover), is the maximum fine the smaller or larger of these two?

The maximum fine is defined as the larger of the two. If you are able to show a documented GDPR effort that you have done all you feasibly could to comply and protect data, then in the case of a breach, the authorities will look more favorably in the fine they apply. If you are negligent, have done nothing and hence caused the breach—i.e., the worst possible scenario—then the fine applied is likely to be on the higher side.

Don’t forget that under the new laws, citizens whose data has been affected can also take civil action for damages, which was not easy to do before!

Gray Areas

Profiling also covers behavioral advertising. If I use AdRoll or another program to target ads on my site, that’s profiling. Do I have to get consent before doing this?

That’s a gray area. What determines the use of data isn’t just consent—you have to have a good reason for using data. You have to be able to say, “I did the right thing based on everything I could have known to do. I didn’t knowingly breach anything”. As long as you can say that, you may be safe.

Where in GDPR is it written that you have to notify the DPA about your DPO?

See section 2.5 (page 12) of the DPO guidelines. It may be that in different regions this varies as the GDPR is a legal foundation, and different countries are adding slight nuances to it. Also related to DPOs, a good example outline is here. Many smaller firms are using consultancy DPOs as external specialists, for example www.assuredata.eu.

Conclusion

In general, remember that showing that you have done all you possibly could to be GDPR compliant and applied best practices is the key. As mentioned in the webinar, no one can be perfect on GDPR. The goal is to have done what is feasibly possible and to have put processes and policies in place, so that anyone checking would say “makes sense” and “good enough”: you did what you could and what we would ask you to do.