GDPR Compliance Plan
The General Data Protection Regulation (GDPR) has an enforcement deadline of May 25, 2018.
This new legal framework out of the EU is the most comprehensive and expansive digital privacy law in the world at this time.
The GDPR has two main goals:
1. To unify the data privacy laws throughout the EU, and
2. Strengthen the rights of European citizens in regard to protecting their own personal information
Here’s how to determine if the GDPR applies to you.
Do you offer products or services to citizens of the EU?
If you do, you must comply with the GDPR.
If you don’t, you still may fall under its scope...
Do you collect information from citizens of the EU?
If you do, you must comply with the GDPR.
The GDPR covers two categories of protected information: Personal and Sensitive Personal Information.
Depending on what type of information you collect, you may be held to stricter requirements.
Personal Information
The definition of personal information remains the same as under the previous legislation, the Data Protection Directive (1).
It’s anything that can be used to identify a person, such as:
Email addresses
First/last names
Photos/videos
Mailing/shipping addresses
Online identifiers such as an IP address, cookie string, etc.
(1) Link to https://termsfeed.com/blog/uk-dpa/
If you collect this type of information you’ll have to:
Comply with all six privacy principles (2) of the GDPR, and
Satisfy at least one of the processing conditions (3)
(2) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(3) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_B
Sensitive Personal Information
The second category of protected information under the GDPR is Sensitive Personal Information.
This includes information that could damage or harm someone if it were to be made public.
Examples of sensitive personal information include the following:
Health data
Political views
Sexual orientation
Religious/philosophical beliefs
If you collect this type of information you’ll have to:
Comply with all six privacy principles (4) of the GDPR, and
Satisfy at least one of the sensitive data processing conditions (5)
(4) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(5) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_C
Data Controllers versus Data Processors
While the old Data Protection Directive only applied to data controllers, the GDPR expands to include data processors as well.
Data controllers are the parties that decide what personal data your business will collect, and why.
Data processors are the parties that maintain and process the data, either according to instructions from the data controller or according to its own standards.
Consider the following four examples to see this distinction in real-life situations.
Example 1:
A website collects email addresses to provide a company newsletter. The website uses MailChimp as its email newsletter service.
Since the website chooses to collect the email addresses, the website is the data controller.
MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.
Example 2:
A mobile app shows ads to its users via a third party such as AdSense or Mixpanel.
Here, the app collects user data and then hands it to a third party, which uses it for the purpose the third party provides: showing ads.
In this example, the mobile app is the data controller because it collects user data.
AdSense or Mixpanel is the data processor because it processes the data through its own service in order to show ads in the app.
Example 3:
A website has a signup and login form that collects email addresses to create an account. The website doesn’t use any third party services, and there are no other parties involved.
In this example, the website would be both the data controller and the data processor because it is in charge of both collecting and securing/processing the data it collects through its signup process.
Example 4:
A website simply provides users with information and content. It has no signup capabilities, no login form and doesn’t send out newsletters. It’s a presentational website such as Wix.
However, this website does use Google Analytics.
In this example, Google Analytics would be both the data controller and the data processor.
This is because the website itself doesn’t collect any information, but rather gives Google Analytics the OK to collect what it needs to function. Google Analytics will then collect and process the information on its own.
Remember:
Data controllers are the companies that collect the data, while data processors are the companies that store, process and protect the data.
Requirements for GDPR Data Controllers
Data controllers have had a number of legal requirements since the 1990s, when the Data Protection Directive was introduced.
The GDPR adds further requirements.
Data Privacy Impact Assessments (DPIAs)
Data controllers are required to conduct Data Privacy Impact Assessments (6), or DPIAs.
DPIAs evaluate the risks that come with processing personal data, as well as the effects on the security of the data.
(6) Link to https://gdpr-info.eu/art-35-gdpr/
Increased Consent Requirements
Data controllers now have increased consent requirements.
If personal data is collected, you’ll need clear, unambiguous consent before collecting the data.
For example, if you collect email addresses, include a sign-up button and have users manually enter their email addresses.
This shows clear and unambiguous consent to share their email addresses with you.
If sensitive personal data is collected, you’ll need explicit consent before collecting the data.
For example, include a checkbox that users have to click to show they consent. Include text near the checkbox that clearly states what a user is consenting to by clicking the box.
Remember that pre-ticked checkboxes, silence or inactivity can no longer be used to show consent to collect user data under the GDPR.
The 8 Rights of Users
Data controllers need to respect the 8 rights of users under the GDPR:
1. The right to be informed
2. The right to access their data
3. The right of rectification of their data
4. The right to erasure of their data
5. The right to restrict or block data processing
6. The right to make their data portable
7. The right to object to having their data processed
8. The right to be protected from automated decision making processes
Privacy by Design
Privacy by Design (7) has always been recommended, but the GDPR makes it a requirement.
There are 7 key principles that you’ll need to make efforts to satisfy.
(7) Link to https://termsfeed.com/blog/privacy-design/
1. Proactive to prevent breach rather than just react to it.
2. Embed privacy into design
3. Avoid false dichotomies, like privacy vs. revenue
4. Full lifecycle protection
5. Be transparent with users
6. Taking a user-centric approach
7. Valuing privacy is the default setting
Requirements for GDPR Data Processors
Keep Written Records
Data processors must now keep written records about any data processing activities they carry out on behalf of a data controller.
Have Appropriate Security Measures in Place
Data processors must have technical and organizational measures in place that ensure security and data integrity for any data they process.
Notification of Breaches
If a breach of data ever occurs, data processors must now notify the data controller without undue delay.
Data Protection Officer Requirements
Not everyone will need a Data Protection Officer (8) (DPO).
You’ll only need one if you meet any one of the following:
Process sensitive data or data relating to criminal convictions and offenses
Are a public authority such as a university, state school or publicly funded entity
Regularly monitor or process data on a large scale from EU citizens
(8) Link to https://termsfeed.com/blog/data-protection-officer-dpo/
If you do need a DPO, you can use an in-house expert or hire a consultant.
DPOs are responsible for:
Educating data controllers and processors about GDPR obligations
Monitoring GDPR compliance
Advising upper management about changes that need to happen
Helping with informed decision-making regarding data security issues
The GDPR applies to you if your business does any one of the following:
Offers products or services to EU citizens
Collects or uses personal or sensitive personal information from EU citizens (data controllers)
Stores or processes personal or sensitive personal information from EU citizens (data processors)
Data controllers are responsible for:
Conducting Data Privacy Impact Assessments (DPIAs)
Getting appropriate consent before collecting data
Respecting the 8 rights of users
Implementing Privacy by Design
Data processors are responsible for:
Keeping written records of data processing activities
Having appropriate security measures in place
Notifying data controllers of breaches
Your DPO (if required) is responsible for:
Educating data controllers and processors about GDPR obligations and how to fulfill them
Monitoring GDPR compliance
Advising upper management of changes that need to be made
Helping make informed decisions regarding data security and compliance