The General Data Protection Regulation, or GDPR, is a piece of regulation from the European Union that is designed to empower individuals to control their own personal data. You may have wondered whether your company is subject to GDPR, if you've even heard of it at all!  

If you are subject to the GDPR, being compliant is serious business. Non-compliance can carry a penalty of up to 4% of your global revenue! However, complying with the spirit of GDPR is good business practice, even if your company does not operate in the EU (yet). Caring about customers' data preferences makes customers feel respected, builds trust, and strengthens your company's reputation in the marketplace. And fortunately, PactSafe is here to help.

At a high level, complying with GDPR means getting individuals' consent before you collect and use their data for a particular purpose, plus allowing them to easily revoke that consent. This video gives an overview of how the consent management tools in PactSafe can help keep you compliant:

Legal Terms

Whenever you're discussing GDPR, you may run across these legal terms:

  • Data subject: This refers to the individual whose personal data we're talking about. The data subject is your employee, vendor, customer, or other human whose personal data you collect.
  • Personally identifiable information (PII) and personal data: Traditional privacy discussions in the U.S. have revolved around personally identifiable information, or information from which you can trace a person's identity. Name, SSN, date of birth, and other data that is linked to a specific individual are PII. By contrast, the GDPR deals with personal data, which is any information relating to an identified or identifiable natural person. As you can see, "personal data" goes quite a bit beyond the scope of PII.
  • Data handler, controller, or processor: There are different terms used for the various players involved in collecting, managing, and using data. These roles have different responsibilities. If you don't already know which role your company plays under GDPR, researching that first will help guide your plan of action.
  • Legitimate interest: GDPR offers a few other means by which your company can process personal data even if you don't have explicit consent. One of those is the somewhat ambiguous means of "...legitimate interests pursued by the controller..." You might be tempted to try to lean on legitimate interest as justification for your use of personal data, but you may be on thin ice. Getting explicit consent is always a better bet if you can possibly do it, even if you do have a legitimate interest.

Concepts to Understand

The spirit of GDPR is to give individuals control over their own personal data, which is probably something your company agrees with—it just hasn't been your driver up to this point. Because of that, there may be a few concepts that sound pretty new. 

Granularity

Getting consent can't be a one-time catch-all activity anymore. Under GDPR, individuals get to pick-and-choose how you use their personal data and you need to request consent (plus offer an easy way to revoke consent) for every single activity you plan to use it for. Collecting granular consent means being specific about what the individual is consenting to and requesting consent for each kind of processing you want to do with their data.

Limited collection

In the past, businesses have been free to ask for any kind of personal information, even if they didn't have a particular use in mind for that data at the time. Under GDPR, you need to collect only the information that is adequate, relevant, and necessary to the purpose to which the individual has consented.

Action that is clear and affirmative

GDPR requires that the individual actually does something expressly to give the consent. A pre-selected checkbox won't cut it; the individual needs to do the clicking. You also can't count on a "by continuing you agree to our privacy policy" kind of statement.  

As a best practice, you should clearly distinguish your privacy policy. Don't bury it in your terms of service or other contracts. Also, make the privacy policy super-easy to get to by linking to it right at the place where the individual is giving the consent.

Consent to unrelated activities can't be a condition

One thing that GDPR is specific about is that you can't require other usage of personal data as a condition of using your product. If you need an individual's email address for the operation of your application, for example, you can't make receiving your newsletter a condition of using the app.

Be able to prove it

Of course, it's one thing to try your best and entirely another thing to be able to prove that you've followed these guidelines. If regulators come to your door asking you to demonstrate that you receive and respect individuals' opt-outs, you need an authoritative record. 

For example, if your solution to tracking opt-outs is to go back through logs that you control looking for them, the regulator could reasonably ask how they know for sure that you didn't modify those logs before handing them over. 

There really is reason to think that people could be that adversarial when it comes to enforcing GDPR. We've seen plenty of examples of legal professionals looking to bring class-action suits against companies over regulations like this. It is essential that you keep records that show how and when you obtained consent, and be able to prove that the consent met all the relevant criteria:

  • The name or other identifier of the data subject who consented
  • The dated document, a timestamp, or a note when oral consent was given
  • The version of the consent request and privacy policy existing at the time of the consent
  • The document or data capture form by which the data subject submitted his or her data
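The two requirements above, granular per-purpose consent that can be revoked, and a record of that consent which can be shown not to have been edited afterwards, can be illustrated with a small append-only consent ledger. The following is an added example written for this article; it is not PactSafe's code and does not describe how PactSafe stores records. Field names (subject_id, purpose, request_version, policy_version, capture_form) are assumptions chosen to match the four record criteria listed above, and the sample subjects and purposes are constructed. Each record carries the SHA-256 hash of the previous record, so an after-the-fact edit to any record, even one where the editor recomputes that record's own hash, breaks the chain and is caught by the integrity check. The check only proves anything to a regulator if the latest chain hash is held by someone other than the operator of the logs, which is the point made above about third-party records.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One granular consent decision, mirroring the four record criteria above."""
    subject_id: str        # name or other identifier of the data subject
    purpose: str           # one specific processing activity, e.g. "newsletter"
    granted: bool          # True = consent given, False = consent revoked
    timestamp: str         # ISO-8601 UTC time the decision was captured
    request_version: str   # version of the consent request text shown
    policy_version: str    # version of the privacy policy in force at the time
    capture_form: str      # form or document through which the data was submitted
    prev_hash: str         # hash of the previous record (chain link)
    hash: str              # SHA-256 over every field above


class ConsentLedger:
    """Append-only, hash-chained log of consent decisions (illustrative, assumed design)."""

    GENESIS = "0" * 64  # chain anchor for the very first record

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    @staticmethod
    def digest(payload: dict) -> str:
        # Canonical JSON (sorted keys) so the same record always hashes the same way.
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, subject_id: str, purpose: str, granted: bool,
               request_version: str, policy_version: str, capture_form: str,
               timestamp: Optional[str] = None) -> ConsentEvent:
        prev = self.events[-1].hash if self.events else self.GENESIS
        payload = {
            "subject_id": subject_id, "purpose": purpose, "granted": granted,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "request_version": request_version, "policy_version": policy_version,
            "capture_form": capture_form, "prev_hash": prev,
        }
        event = ConsentEvent(**payload, hash=self.digest(payload))
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True only if every record's hash matches its content and links to its predecessor."""
        prev = self.GENESIS
        for event in self.events:
            payload = asdict(event)
            stored = payload.pop("hash")
            if payload["prev_hash"] != prev or self.digest(payload) != stored:
                return False
            prev = stored
        return True

    def current_consents(self, subject_id: str) -> Dict[str, bool]:
        """Latest decision per purpose; later revocations override earlier grants."""
        state: Dict[str, bool] = {}
        for event in self.events:
            if event.subject_id == subject_id:
                state[event.purpose] = event.granted
        return state

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # No record means no consent: there is no pre-ticked default.
        return self.current_consents(subject_id).get(purpose, False)

    def simulate_edit(self, index: int, recompute_hash: bool = False, **changes) -> None:
        """Rewrite a stored record in place, as a log owner with write access could.
        Used only to show that verify() detects the edit."""
        edited = asdict(self.events[index])
        edited.pop("hash")
        edited.update(changes)
        new_hash = self.digest(edited) if recompute_hash else self.events[index].hash
        self.events[index] = ConsentEvent(**edited, hash=new_hash)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one subject grants two purposes, then revokes one."""
    ledger = ConsentLedger()
    common = dict(request_version="consent-v3", policy_version="privacy-2018-05",
                  capture_form="signup-form")
    ledger.record("alice", "account_email", True, timestamp="2018-05-25T09:00:00+00:00", **common)
    ledger.record("alice", "newsletter", True, timestamp="2018-05-25T09:00:05+00:00", **common)
    ledger.record("alice", "newsletter", False, timestamp="2018-06-01T14:30:00+00:00",
                  request_version="consent-v3", policy_version="privacy-2018-05",
                  capture_form="preferences-page")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("alice consents:", ledger.current_consents("alice"))
    ledger.simulate_edit(2, granted=True)  # quietly undo the revocation
    print("chain intact after edit:", ledger.verify())
```

The revocation in the sample is a record of its own, not a deletion of the earlier grant, so the ledger still shows how and when the original consent was obtained while `may_process` correctly answers "no" for the newsletter afterwards.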

PactSafe is great for this. Not only do our records check all those boxes, but as a third-party, we keep records that regulators know you didn't tamper with. A sophisticated app or website may have several places where the privacy policy appears and where granular consent needs to be given for different functions, and with PactSafe you can centralize the management of all those contracts.

The time to get started is now. You can learn more about PactSafe's consent management expertise at www.pactsafe.com/consent. When you're ready to get started, just drop us an email at help@pactsafe.com.
