The General Data Protection Regulation (GDPR) is a new regulation set by the EU that provides citizens of the EU greater control over their personal data.
It assures that the information is protected no matter where it is sent, processed or stored, even outside the EU.
Additionally, the regulation has much broader terms on what constitutes personal data, and your site may be processing more personal data than you think. It includes things like names, email addresses, dates of birth, photos, IP addresses, cookie strings and more.
In short, the new law imposes strict requirements on the way businesses collect, store and manage personal data.
The GDPR goes into effect on May 25, 2018.
Who does it impact?
The GDPR impacts any company that uses personal data from any EU citizen. Even if you are not located in the EU, if you provide goods and services to, send email to or have subscribers in the EU, you must comply with GDPR. On top of all that, the GDPR not only applies to data collected or transmitted after May 25th, but also applies to all existing data.
The European Commission Fact Sheet outlines some of the new requirements:
-
A "right to be forgotten": When an individual no longer wants her/his data to be processed and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
-
Easier access to one's data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
-
The right to know when one's data has been hacked: Companies and organizations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high-risk breaches as soon as possible, so that users can take appropriate measures.
-
Data protection by design and by default: 'Data protection by design' and 'Data protection by default' are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example, on social networks or mobile apps.
-
Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.
What this means for you
The first step in GDPR compliance is to audit your data for Personally Identifiable Information (PII), and find out where and how it is stored. Once you have made a thorough assessment of your current compliance state, you can start to build a program to ensure your data handling and processing is up to speed.
There is a lot of good information available on the implications of GDPR, and what you will need to do next. One of our favorites is provided by The Information Commissioner's Office (ICO) in easy to follow PDF guide. Here are the 12 steps they recommend:
1. Awareness
You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
9. Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organization.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
Read the complete version of the PDF, "Preparing for the General Data Protection Regulation (GDPR) –12 steps to take now".
Misconceptions
The GDPR is a massive document, and between its length, its sometimes vague language, and the nature of the internet, misconceptions are arising faster than you can say "GDPR". You are encouraged to read up on the more extensive list, meanwhile here are just a few, from a recent article by Barry Levine in which he interviews two experts: Gary Southwell, VP/general manager of the cybersecurity division of security firm CSPi, and Kristina Podnar, a digital policy consultant.
"Legitimate interest" allows marketing uses of personal data without user consent.
While there is a "legitimate interest" exception in GDPR, it is always weighed against personal data rights. Podnar said a company could, for instance, utilize data without consent under legitimate interest if it were under court order to do so, or if the data were needed to protect some vital interest like human rights, or if I needed your Social Security number after you'd already agreed to buy a car. But otherwise, consent is needed, and it's not enough that a user has agreed to receive marketing info.
There are several articles that take on Legitimate Interest specifically here, here and here.
Small businesses are exempt.
There is no exclusion under current GDPR for businesses with only a few employees. "GDPR doesn't care" about your firm's size, Podnar told me.
The data privacy movement behind GDPR is limited to Europe.
Southwell points out that GDPR-like regulations are now also being considered in Asia — notably Japan and Singapore — as well as Australia. And, he noted, almost all US states have laws governing involuntary data exposure, and at least three — California, New York, and Massachusetts — are exploring the possibility of implementing more stringent consumer data privacy laws.
As is true with most of life, it's good to be informed, gain a thorough understanding of the issue, and if still in doubt, get some help!
Implications for the rest of U.S.?
It's no surprise that legislation has been proposed at the Federal level in the U.S., in the wake of the Facebook-Cambridge Analytica scandal.
As it unfolded, US Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a privacy "bill of rights" to protect American consumers' personal data. It's called the CONSENT Act and stands for The Customer Online Notification for Stopping Edge-provider Network Transgressions. It would require the Federal Trade Commission (FTC) to establish privacy protections for customers of online edge providers.
"The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land," Sen. Ed Markey (D-Mass.) said.
The jury is still out on whether the "bill of rights" will pass but it could have a giant impact on the way US companies handle PII. (The Federal Communications Commission (FCC) defines as an "individual or entity that provides any content, application, or service over the Internet, and any individual or entity that provides a device used for accessing any content, application, or service over the Internet." Read: Companies like Twitter, Facebook, Netflix, Google.)
Needless to say, the GDPR is having a massive effect on the marketing and advertising landscape as well, and we're seeing several new open-source alliances forming to tackle key issues in personal data management, transparency and data security. In a recent MarTech article, mParticle CMO David Spitz is quoted as saying, "...The central problem here, is that GDPR is bigger than any one company."
Options for Personal Data Management
There are a couple of unrelated initiatives being rolled out to provide a framework for maintaining GDPR compliance:
OpenGDPR framework
The OpenGDPR Framework was created by a concerted effort between customer data platform mParticle, mobile attribution/analytics provider AppsFlyer, mobile marketing firm Braze (previously known as Appboy), and analytics firm Amplitude.
It's described as a "common framework enabling companies to work together to protect consumers' privacy and data rights" and can be found on Github.
Open-GDPR open-source platform
The Open-GDPR open-source platform was created earlier this year by the AdLedger Consortium and was "designed to safeguard companies against the new GDPR sanctions on data management."
The Open-GDPR platform, when installed, will be able to cryptographically store data on a data controller's private blockchain, and protect companies from violating GDPR sanctions. The platform will use blockchain as an audit trail to manage the new privacy rights under GDPR regulations, namely the Right to Access and the Right to be Forgotten.
Learn more at adledger.org.
How Mura Helps You Maintain GDPR Compliance
Working with GDPR compliant vendors and partners is part of a solid compliance strategy. Here are some of the ways that Mura 7.1 can help you maintain GDPR compliance.
Consent Management
With Mura 7.1, you can add notifications to your site to inform visitors that Mura tracks personal identifying information within the system to better customize their experience and provide consent to do so.
Applies to: Mura DXP, Mura X
Bulk Delete
EU citizens have the right to be forgotten, and personal data must be erased upon request. Mura's Bulk Delete feature allows you to update personal data — or delete it.
Applies to: Mura DXP, Mura Core, Mura X
Personalization & Experience Management
Opt-In
Allows someone to opt-in and allow Mura to store identifying information in order to deliver increasingly personalized experiences.
This does not apply to Mura Core, as it does not store any individuals information by default. However, if you use third-party analytics, marketing automation or anything else that tracks personally identifiable information, allowing opt-in should ensure compliance.
Applies to: Mura DXP, Mura X
Session-Only Opt-in
Mura will track behavioral data, and use any enriched data available during a single session to deliver personalized experiences. However, it won't save any identifying information after the session is complete.
The benefit here is that Mura can deliver content personalization, creating relevant, high-value, low-effort customer experiences without compromising GDPR compliance because the data collected isn't personally identifiable. It's a win-win for both the business and the individual.
Applies to: Mura DXP, Mura X
Opt-Out
Disables all personalization and does not store any identifying information. Again, this is the default for Mura Core as it offers no personalization capabilities.
Applies to: Mura DXP, Mura X
For more information on the GDPR, visit the European Commision website.
Disclaimer: This blog post was written to help inform our clients of the GDPR, and of Mura features that can help with compliance. If you are unsure if your organization conforms to GDPR regulations, we advise seeking appropriate legal counsel.