GDPR is a hot topic on everyone’s minds these days. As the May deadline for compliance approaches, many companies still have a lot to do to get in compliance with new requirements to give consumers greater control over their data.
To help companies make progress on GDPR and achieve compliance as quickly as possible, we recently hosted a webinar with GDPR and legal experts Bianca Naghi, Managing Associate at David & Baias, connected law firm of PWC, Ian Moyse, Board Advisor for Assuredata, Tudor Galos, Consultant for Advisera, and Eugen Marinescu, Senior Legal Counsel at 2Checkout (formerly Avangate). This blog post summarizes key points of the webinar, but you’ll want to watch the whole event for the full nuance on these detailed topics.
May 25th – the GDPR enforcement date – is closer than you might think!
One of the key messages of the webinar was: if you haven’t done much yet, it’s not too late, but get started now. Reading this article is a good start, but make sure to take action as soon as you’re done, and involve others in your company as well.
GDPR summary and key requirements
GDPR is a new data privacy law that affects all types of companies operating in the EU or processing data of EU nationals. Companies are required to get consent and have a legitimate interest to process this personal data. It doesn’t matter what type of business the company is in, if it sells to businesses or consumers or if it has a physical presence in the EU: if the company deals with EU resident data, it must be GDPR compliant.
What happens if I don’t comply?
Companies that are not compliant with GDPR are subject to fines of up to 10-20 million Euro or 2-4% of annual turnover (these are maximum fines, and nuances apply depending on the infringement and other aspects). For companies with thin margins or high turnover, these fines could have a serious impact on business, so it’s worth avoiding them.
What is PII?
When seeking GDPR compliance, it’s important to understand what data counts as personally identifiable information, or PII. There are three categories of PII: general personal data, sensitive personal data and criminal activity data.
Most companies will be dealing with general PII like name and surname, address (which includes physical address or IP address), job and similar information. While obtaining consent is enough to gather and use general personal data, additional measures are required for sensitive personal data and criminal activity data.
Know the rights of the data subject
Under GDPR, data subjects—people whose data you (want to) hold—have eight specific rights:
- Right to complaint
- Right to data portability (new)
- Right of access by the data subject
- Right to rectify or object to data
- Right to be forgotten or informed
- Right to oppose automated individual decision-making
- Right to a data protection officer (DPO) as safeguard (new)
- Right to restriction of processing
Items marked (new) are new under GDPR. These rights require you to keep track of the data you have (so it can be ported somewhere else) and may require you to have a DPO.
Know your DPO and reporting obligations under GDPR
A DPO is mandatory only if processing personal data is a core activity of your business, if you do large-scale data processing or if you engage in regular and systematic monitoring of data subjects. Your DPO or other data controller needs to report certain data breaches, so make sure you understand which breaches must be reported, what should be included in the notification, who should be notified (including whether data subjects themselves need to know) and how quickly.
GDPR affects profiling, consent and privacy notices. You’ll need to ensure that contract necessity, controller law, and explicit consent are covered. A positive opt-in is now mandatory for all PII collection, and your privacy policy will probably need to be updated to be much more understandable and accessible (i.e., not buried 20 clicks deep on your website and written in legalese). People should be able to read the notice and understand clearly how you might use the data they consent to share.
Your suppliers must be GDPR compliant, too
If you are a U.S.-based company and you have customers in the EU, you need to be GDPR compliant, and so do your suppliers. It’s not enough to just trust your cloud service providers to be GDPR compliant. You need a statement of commitment from them (no certificate of compliance is available yet), no matter where they’re located, because they will be handling your customer data that’s subject to GDPR. You need to understand not only where they physically store data, but also how they plan to transfer, back up or destroy data as necessary. If you end your contract, you need to verify that the company can destroy the data it held, if required. If your supplier breaches GDPR, it can mean you’ve been negligent as well to some degree, so make sure to audit your upstream and downstream suppliers and ask good, detailed questions. When it comes to moving data outside of the EU, ensure that every company involved is committed to protecting it in line with EU laws. In the U.S., this can be addressed by a program called Privacy Shield.
GDPR affects your entire company
Every department has data subject to GDPR and a role to play in compliance. IT needs to secure data. HR needs to train employees on their GDPR responsibilities and holds employment-related personal data. Marketing needs to rethink how it buys, collects, uses and markets with data, including getting opt-in confirmation and developing clear policies. If your sales team uses a CRM system to store customer or prospect data, you need to be GDPR compliant. The image below shows GDPR considerations for the marketing department alone:
Understanding ecommerce and GDPR
Every ecommerce business should begin its GDPR compliance journey by assessing existing processes (which includes interactions with supply chain partners), engaging in privacy-by-design, ensuring access to and transparency over data and deactivating default opt-ins. Privacy by design encompasses collecting sensitive information and providing a clear statement on what happens to that data: where it goes, who’s responsible for it and so on. This information should be made clear to the customer at the time they provide data and consent to you using it.
When it comes to payments, companies selling online have two models to choose from: merchant of record (MOR) or payment service provider (PSP). Under the MOR model, the digital commerce vendor is the merchant of record and liable for processing customer payments. The MOR is primarily responsible for GDPR compliance, but the company must still use data as defined by the data controller (the MOR) and by customer consent, as well as verify that the MOR is GDPR compliant. In the PSP model, both the provider and the company must be GDPR compliant: even if the PSP is, your company must achieve compliance as well.
While the MOR is easier and faster to work with and gives you no headaches regarding PCI compliance or payment information, keep in mind it doesn’t free companies entirely from the need to think about GDPR.
Key implications for software and SaaS companies
Just a quick recap of the key points that are important for Software & SaaS companies selling their products online to the EU or EU nationals:
- Assess and map your systems and processes
- Design your systems to ensure data is secure from inception
- Validly collect the consent from PII subjects
- Review and update Terms & Conditions and Privacy Policy
- Strengthen your security systems and evaluate your providers
- Organize your data by cleaning out what is no longer used and keeping a single repository for data
GDPR Myths: A myth to watch out for is that you can become 100% fully compliant. The law is very broad, and so is the scope of personal data. Don’t think of GDPR compliance as simply checking a box once; think of it as changing how you handle data and consent.
Creating your GDPR compliance plan
GDPR compliance is complex enough that it requires a clear plan. Begin by establishing the project and involving the right stakeholders across departments.
Organize your existing data protection process so you protect what you already have as well as what you collect.
Throughout, keep in mind that personal data is never your property: it remains the property of the data subjects. Think of yourself like a “bank” that holds data instead of money. You have to be able to give that data back and let subjects examine it at any time. As you prepare, build up your data inventory: identify all the data you have in the company and make sure you understand how and where it’s held, and whether it’s in compliance. If not, figure out how to achieve compliance. Finally, go after third-party compliance with your supply chain and partners.
For help with the process, consider Advisera’s GDPR Documentation Toolkit or the more in-depth Conformio resource. You can also check the official EU GDPR site, Advisera’s EU GDPR Academy and Assuredata training.
We hope that this webinar wrap-up provides enough detail for your company to get started with GDPR compliance. Stay tuned for part two of the summary, where we dive into questions that came up during and after the webinar. It goes without saying that you can always watch the replay of the webinar at any time.