On May 25, 2018, the Global Data Protection Regulations handed down by the European Parliament as Regulation EU 2016/679 will go into effect. By now, your inbox has been flooded with notices from the Big Data Companies (Amazon, Twitter, Pinterest), announcing that they have new privacy policies and that you MUST READ THEM. If you’re in the US and you are a normal, individual customer of these companies, you can delete all those notices immediately. If you’re in the EU, you can delete them too, because there’s nothing in the GDPR that says you have to read them. But it’s definitely the company’s job to make sure that its EU-based customers know what these policies say, so the emails are likely to keep coming.
Most of you have heard by now that it’s not just the Big Data Companies that have to worry about this. The GDPR affects every commercial and government enterprise that does business with EU-based individuals, whether it’s for pay or not. So I’ve spent the last week or so reading Regulation EU 2016/679, so that I may bring you the following Things You Must Do.
***THESE GUIDELINES ARE NOT SUFFICIENT IF YOU ARE COLLECTING INFORMATION ABOUT HEALTH, MONEY, OR KIDS. MORE ON THAT LATER.***
A couple of introductory principles of the GDPR that govern everything else it says.
- “Natural Persons should have control of their own data.”
- There is a weighing to be done of an individual’s privacy against the public interest or the interest of third parties, but the scales are tipped in favor of data protection.
- The GDPR divides data proprietors into “controllers” (the entity or person that determines the purpose and means of the processing of personal data) and “processors” (the entity or person that actually acts upon personal data, through collection, storing, using, or disclosing). You are a controller if your website targets EU customers by offering prices in Euros, is provided in languages prominent in EU countries, or talks specifically about shipping goods to Europe. You are a processor if you are, for example, a website hosting company, order fulfillment center, or payment processor for controllers. Controllers may also be processors. Controllers are ultimately responsible to the relevant “supervisory authority” in the EU for the actions of their data processors.
Data Protection Agreements
A word here about the Privacy Shield. There has been a mechanism in place since 2015 between the EU and the US to allow for the transfer of data between companies in the two regions. It is possible to self-certify under the Privacy Shield on an annual basis to take advantage of the benefits that entails, which you can read more about here. The Privacy Shield is a good complement to the GDPR, but it is neither a necessary nor a sufficient condition for compliance with the GDPR.
- Use, and
Customer’s information. Likewise, the GDPR requires data controllers and processors to clearly communicate to “data subjects” in the EU how their personal data is:
- Adapted or altered,
- Disclosed or made available,
- Aligned or combined, or
- Erased or destroyed.
You can see the EU’s list is a little longer, but at the end of the day, most robust Privacy Policies in the U.S. should cover this anyway. So where are the differences?
- Be Specific. The GDPR requires more specificity about all of the actions in that list than we often see in the U.S.
- We have to name names now (who’s holding their data).
- We have to give more details about data security, which can and should include one or more of the following technical measures:
  - Minimising processing to that which is absolutely necessary;
  - Pseudonymising data;
  - Enabling the Data Subject to monitor the use of his or her data;
  - If you are a processor, allowing controllers to create or improve your security measures;
  - Complete transparency; and/or
  - Encrypting data.
Depending on a particular processor’s available technical measures, certain of these measures are going to sound more attractive than others, but the point is, implement as many as you can.
- Impose Time Limits. Do not keep information for longer than you must, and tell the Data Subjects how long that time is. (10 days after order fulfillment for a single order before the next data purge is probably sufficient. 6 months is probably not).
- Tell them who your third party vendors (“Subprocessors”) are. This could be a one-sheet stating that your website is hosted on GoDaddy and your email is handled through Gmail. But if any other company touches a Data Subject’s personal information through your activities, the Data Subjects have the right to know.
- Get Informed Consent. Before now, we generally did not require customers to “consent” to privacy policies. Moreover, even consent to Website Terms didn’t have to be informed (it’s not like anybody reads those). But now it’s up to data processors and controllers to be able to demonstrate that Data Subjects gave informed consent to how their information was being used, each and every time. This is going to require some re-programming.
- In that checkbox, or in an email you send after they check the box and before they can place orders, add a summary of what information you’re going to collect, how it’s going to be used, how it’s going to be protected, and how they can ask you to remove or correct it.*
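To make the technical measures above concrete (minimising what is stored, pseudonymising the direct identifier, and purging records once the stated retention period has passed), here is an added Python example; it is not code from the original post, and the key, field names, sample orders and the 10-day window applied to order fulfillment are assumptions for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed key for the example. In a real deployment it is held apart from
# the records (a key store), so whoever holds the records cannot reverse them.
PSEUDONYM_KEY = b"example-key-replace-with-a-secret-from-a-key-store"

# Minimisation: only the fields needed to fulfil and ship the order are kept.
NEEDED_FIELDS = ("order_id", "ship_country", "fulfilled_at")

# Retention window taken from the post: 10 days after order fulfillment.
RETENTION = timedelta(days=10)


def pseudonymise(identifier: str) -> str:
    """Replace a direct identifier (e-mail) with a keyed hash.

    HMAC rather than a bare hash: without the key, someone holding the
    records cannot recompute pseudonyms from a list of guessed addresses.
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def minimise(order: dict) -> dict:
    """Keep only the needed fields and swap the e-mail for its pseudonym."""
    record = {k: order[k] for k in NEEDED_FIELDS if k in order}
    record["subject"] = pseudonymise(order["email"])
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Drop records whose fulfillment date is older than the retention window."""
    return [r for r in records if now - r["fulfilled_at"] <= RETENTION]


# Constructed sample orders (name and phone are not needed and are never stored).
ORDERS = [
    {"email": "Alice@Example.eu", "name": "Alice", "phone": "+49 000 0000", "order_id": "A1",
     "ship_country": "DE", "fulfilled_at": datetime(2018, 5, 1, tzinfo=timezone.utc)},
    {"email": "bob@example.eu", "name": "Bob", "phone": "+33 000 0000", "order_id": "B2",
     "ship_country": "FR", "fulfilled_at": datetime(2018, 5, 20, tzinfo=timezone.utc)},
]


def retained_records(now: datetime = datetime(2018, 5, 25, tzinfo=timezone.utc)) -> list:
    """Store the minimised records, then apply the purge as of `now`."""
    return purge_expired([minimise(o) for o in ORDERS], now)
```

As of May 25 in the sample, order A1 (fulfilled May 1) is past the 10-day window and is dropped, while B2 (fulfilled May 20) is kept.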
If you can’t get informed consent for whatever reason, there are other bases that give a controller or processor the right to act on a Data Subject’s information:
- If there’s an EU law or EU country law that requires it.**
- If you have a contract with the Data Subject to fulfill.
- If there are third party interests, not outweighed by the Data Subject’s interest, which will always be given more weight.
- If you are sharing the information internally in your company, including with affiliates, for internal administrative purposes. (Not so your affiliates can market separately to the Data Subjects).
- For network security testing
- For reasons that are “compatible with the purposes for which the personal data was initially collected.” This is a nice catch-all provision, but it would be inadvisable to abuse it. Holding on to a Data Subject’s information because you are providing them with a monthly service or magazine subscription is a good example of a “compatible purpose.”
It’s a lot, and it’s coming fast, but you can do this. And of course, we’re here to help.
* Yes, this is going to make it harder to do business with EU-based customers.
** Yes, it’s very possible that this provision and the GDPR at large are going to run up against U.S. law.