The General Data Protection Regulation, or GDPR, is a piece of regulation from the European Union that is designed to empower individuals to control their own personal data. You may have wondered whether your company is subject to GDPR, if you've even heard of it at all!
If you are subject to the GDPR, being compliant is serious business. Non-compliance can carry a penalty of up to 4% of your global revenue! However, complying with the spirit of GDPR is good business practice, even if your company does not operate in the EU (yet). Caring about customers' data preferences makes customers feel respected, builds trust, and strengthens your company's reputation in the marketplace. And fortunately, PactSafe is here to help.
At a high level, complying with GDPR means getting individuals' consent before you collect and use their data for a particular purpose, plus allowing them to easily revoke that consent. This video gives an overview of how the consent management tools in PactSafe can help keep you compliant:
Whenever you're discussing GDPR, you may run across these legal terms:
Data subject: This refers to the individual whose personal data we're talking about. The data subject is your employee, vendor, customer, or other human whose personal data you collect.
Personally identifiable information (PII) and personal data: Traditional privacy discussions in the U.S. have revolved around personally identifiable information, or information that you can trace a person's identity. Name, SSN, date of birth, and other data that is linked to a specific individual are PII. By contrast, the GDPR deals with personal data, which is any information relating to an identified or identifiable natural person. As you can see, "personal data" goes quite a bit beyond the scope of PII.
Data handler, controller, or processor: There are different terms used for the various players involved in collecting, managing, and using data. These roles have different responsibilities. If you don't already know, starting by researching what kind of role your company would have under GDPR will help guide your plan of action.
Legitimate interest: GDPR offers a few other means by which your company can process personal data even if you don't have explicit consent. One of those is the somewhat ambiguous means of "...legitimate interests pursued by the controller..." You might be tempted to try to lean on legitimate interest as justification for your use of personal data, but you may be on thin ice. Getting explicit consent is always a better bet if you can possibly do it, even if you do have a legitimate interest.
Concepts to Understand
The spirit of GDPR is to give individuals control over their own personal data, which is probably something your company agrees with—it just hasn't been your driver up to this point. Because of that, there may be a few concepts that sound pretty new.
Getting consent can't be a one-time catch-all activity anymore. Under GDPR, individuals get to pick-and-choose how you use their personal data and you need to request consent (plus offer an easy way to revoke consent) for every single activity you plan to use it for. Collecting granular consent means being specific about what the individual is consenting to and requesting consent for each kind of processing you want to do with their data.
In the past, businesses have been free to ask for any kind of personal information, even if they didn't have a particular use in mind for that data at the time. Under GDPR, you need to collect only the information that is adequate, relevant, and necessary to the purpose to which the individual has consented.
Action that is clear and affirmative
Consent to unrelated activities can't be a condition
One thing that GDPR is specific about is that you can't require other usage of personal data as a condition of using your product. If you need an individual's email address for the operation of your application, for example, you can't make receiving your newsletter a condition of using the app.
Be able to prove it
Of course, it's one thing to try your best and entirely another thing to be able to prove that you've followed these guidelines. If regulators come to your door asking you to demonstrate that you receive and respect individuals' opt-outs, you need an authoritative record.
For example, if your solution to tracking opt-outs is to go back through logs that you control looking for them, the regulator could reasonably ask how they know for sure that you didn't modify those logs before handing them over.
There really is reason to think that people could be that adversarial when it comes to enforcing GDPR. We've seen plenty of examples of legal professionals looking to bring class-action suits against companies over regulations like this. It is essential that you keep records that show how and when you obtained consent, and be able to prove that the consent met all the relevant criteria:
The name or other identifier of the data subject who consented
The dated document, a timestamp, or a note when oral consent was given
The document or data capture form by which the data subject submitted his or her data
The time to get started is now. You can learn more about PactSafe's consent management expertise at www.pactsafe.com/consent. When you're ready to get started, just drop us an email at firstname.lastname@example.org.