In light of recent events such as Cambridge Analytica’s involvement in one of the largest data leaks in social media history, companies and Internet users alike are becoming increasingly (and painfully) aware of how much is at stake in the way personal data is collected and processed. With GDPR coming into effect May 25th, the obligations involved in protecting Personally Identifiable Information (PII) are obviously top of mind, especially if you want to avoid some unprecedented fines. Among the GDPR’s key aims is to enhance the rights of individuals, including the right to be informed, the right of access, and the right to be forgotten. And though the new mandates are EU-specific, they will also undoubtedly impact how personal data is collected, processed, and stored both within the EU and internationally.
In this vein, Q4 is actively committed to protecting any and all personal data that we collect. These are a few of the key actions that our privacy team has taken so far:
- Mapping data across our organization’s departments
- Developing internal training plans and seminars
- Establishing security processes (such as breach notifications)
- Proactively assisting our clients with best practices
To help guide your company through the specific actions for GDPR compliance, here are five of the most frequently asked questions from our clients:
1. Does our organization fall under the scope of GDPR?
A common misconception is that the GDPR only applies to EU-based companies. This is clearly not true. Whether your organization is based inside or outside the EU, if you process personal data belonging to EU residents, then GDPR indeed applies to you.
2. What are the first steps to take?
If you haven’t already begun preparing, the initial steps are appointing a Data Protection Officer (DPO), where one is required, and then mapping and auditing your data. You might need a DPO if your organization collects and processes large amounts of personal data.
The next step is to orchestrate significant company-wide effort and cooperation. Within and across your organization, it’s critical to understand where and how personal data is collected and processed. The International Association of Privacy Professionals has published a clever infographic that outlines the overall framework you should keep in mind.
3. How do we map data?
Quite simply, your company needs to understand the data flows within your business, including how data comes in and how your systems collect it. From a security standpoint, it’s crucial to know who has access to the data and what safeguards have been put in place to ensure its protection (such as access controls and authorization).
If you’re sharing data externally, consider whether you have sufficient agreements in place with third parties. You’ll first need to identify your Controllers and Processors. According to Article 4 of the GDPR, a Controller determines how data is processed, while a Processor merely processes the data on behalf of the Controller. It’s the Controller who is responsible for selecting Processors that are GDPR-compliant.
In terms of documentation, Article 30 of the GDPR requires organizations to maintain Records of Processing Activities. These include contact information, the purposes of processing, and all other related details. To help guide you through this documentation, Chaucer Group has an excellent template that includes step-by-step instructions.
4. Do we need to send out emails to re-obtain subscription consent or completely delete our subscriber lists?
It depends on the context, but generally, if you can show that you’ve obtained consent legitimately from your subscribers (such as showing a timestamp for when a visitor opted-in to your newsletters), you shouldn’t need to start from scratch. Our recommendations for ensuring that your email forms are compliant can be found here.
5. Is getting our users’ consent the only legal way to market to them?
No, in fact, this is another common GDPR misconception. It depends on your relationship with your users. According to the GDPR, there are six lawful bases for processing personal data. Obtaining consent is just one of them.
At times, you may be able to leverage Legitimate Interests as your grounds for processing data. This takes into account the balance of interests and reasonable expectations between companies and individuals. The Data Protection Network provides the example of “a social media platform [using] diagnostic analytics to assess the number of visitors, posts, page views, reviews, and followers, to optimize future marketing campaigns.” But proceed with caution, because the Legitimate Interests approach can be easily misunderstood and misused. To determine how and when you can apply it, consider this balancing test from the Information Commissioner’s Office.
Above all, it’s essential to thoroughly review the applicability and scope of GDPR for your entire organization with your legal counsel (including these suggested recommendations).