There's a good chance you are overwhelmed with information about the European Union (EU) and its new General Data Protection Regulation (GDPR). This sweeping regulation will take effect May 25th, 2018, which accounts for the frenzy of activity.
When I first started researching for this article I was surprised by the number of "expert" sources out there. Many of the links at the top of Google's search results appear to be "official" sites.
They're merely marketing microsites for consultancies out to make a buck. While this is obviously true for the ads, it applies equally to the organic results. Some of the information on these sites is pretty good, but in almost all cases it is incomplete and the authors' motives are unclear.
To avoid all that confusion and misdirection, I decided to go to a single authoritative source: The European Commission Website. My facts and recommendations are based directly on the text of Regulation 2016/679 (GDPR) and I quote it liberally throughout this article.
Alongside the text of the regulation, I researched statements from third party service providers such as Google and Pardot in the "Third Party Complications" section below, but only as it relates to those companies' services that many of our clients use.
My target audience comprises representatives of companies (public and private) based in the U.S. who conduct business in the EU in some capacity. My goal is to help them understand what they need to do on their corporate websites to comply with the new regulation.
If your company is based outside the U.S., your company deals with sensitive data (e.g. medical records), collects data on children, is a government agency or a service provider for government agencies then stop reading now... This is not for you.
To be clear, I am not a lawyer and nothing in here should be interpreted as legal advice.
What is GDPR?
The right to privacy in EU member countries is held to a very high standard and the burden put on those collecting data is greater than it is here in the States. This is not a new situation. Prior to GDPR the EU had the Data Protection Directive (DPD) that was established in 1995 and put forth many of the same principles we find in GDPR. Both DPD and GDPR are based on the Charter of Fundamental Rights of the European Union, which states quite simply:
Everyone has the right to the protection of personal data concerning him or her – Charter of Fundamental Rights of the European Union, Article 8(1)
The fundamental spirit of GDPR is that all "natural persons" (more on that term later) have the right to know when their data is being collected and the right to refuse that data collection. If they do consent to
There are also certain expectations put on data "controllers" and "processors" (more on those terms later as well) in regard to governance and processes meant to protect users' data. And finally, there are things a controller must do in the event of a data breach.
One of the best resources for understanding the spirit of GDPR is its preamble. It is written in plain, straightforward language that makes it more digestible than most legal documents. Yet, this plain language doesn't fully convey the absolute letter of the law and is not a substitute for the actual regulation.
Unlike DPD, GDPR rules apply to all member states. There is no requirement for member states to implement the regulation before it is considered to be in effect. But GDPR does not exclude additional laws of member states that might go even further in protecting certain types of sensitive personal data like medical records.
GDPR applies to all companies doing business in the EU regardless of their location. Having a user access your website from the EU does not establish your intention to do business in the EU. If you actively court business in the EU, however, you need to follow GDPR.
One more note: GDPR does not replace or supersede the EU Cookie Law. That piece of regulation is still in effect.
Who And What Is Protected
Natural Persons living in the EU are protected by GDPR. The regulation takes effect before Brexit so GDPR includes the United Kingdom for now. A Natural Person can simply be thought of as an individual human being. A Legal Person, by contrast, might just be a legal entity. The protections of GDPR do not extend to people outside the European Union.
Any information that can be associated with a single individual regardless of whether his or her identity is currently known is considered "Personal Data".
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; – GDPR Article 4(1)
"Identifiable" is a term we need to address. It's not necessary that we currently know the identity of the individual. Having the means (a cookie, IP address and so on) to associate data with an individual at a later time makes his or her data protected under GDPR criteria.
The regulation avoids addressing specific techniques of data collection (except for use in examples) so it is technology agnostic. Given the pace of innovation around data collection, this is necessary so GDPR can remain relatively future-proof. Cookies, IP addresses, browser profiles, RESTful APIs with user data in the path and any other clever techniques that might be conjured up in the future are covered under GDPR.
Who Is Responsible For Compliance?
You. Your organization is the "controller" for your website and is ultimately responsible for ensuring personal data is handled in ways that conform with GDPR. When you choose to use a third party service on your website that falls short of compliance, you are at fault.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; – GDPR Article 4(7)
Any service that is added to your website (e.g. Google Analytics, Pardot) must also comply with GDPR. Even if you don't think the service you are adding collects personal data, you must be wary.
Many free services will include some form of data capture that is later used for advertising networks. In 2011 I ran some tests and found "free" social sharing widgets like ShareThis or AddToAny embedded tracking components for multiple ad networks. In one case, a single share widget enabled tracking by a half dozen ad networks.
You must thoroughly vet every application and service you include on your website. If parts of your website are hosted by third parties (e.g. Careers/HR or Investor Relations), you should make sure those vendors and any third parties they use comply with GDPR.
You must also vet any third parties that don't necessarily collect data on your website but are in some way entrusted with data that has been collected. Analytics consultants might fall into this category.
All of these third parties are "processors" of your users' data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; – GDPR Article 4(8)
If your company employs fewer than 250 people and you are not collecting sensitive personal data that could result in a risk to the rights and freedoms of individuals, then there is some leniency around records of processing activities that reduces your burden. You are not exempt from complying with GDPR, but you are not held to the same standards as larger organizations.
Legal Basis for Processing
For the collection of any personal data to be acceptable under GDPR, it must meet at least one of six criteria. GDPR states in Article 6(1):
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Of these six bases, only the first will apply to the majority of our clients' websites. For careers and e-commerce sections, or any service where a login is required, basis (b) could also apply.
Identification is a very important concept when determining what types of data collection do not require a legal basis under GDPR. In one sense identification is easily understood... Are we able to associate this data with a natural person? If so, then clearly that individual is protected under GDPR.
What happens if we are tracking an anonymous person through the use of a cookie or some other tracking technology? Even if that person is anonymous, it is possible to later identify him or her through additional data gathering. Therefore, that person is protected.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. – GDPR Preamble(30)
The reason is that we should never be able to gather data on individual users without having received consent to do so beforehand. If we were to gather data and then associate it with a natural person at a later time, we would violate that principle.
The Users’ Rights
Consent must be secured before collecting personal data. And all data relating to said consent must be stored, including specifically when consent was given and what forms of processing the user has agreed to. Conversely, if a user revokes consent for some or all personal data collection, that revocation must also be recorded.
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; – GDPR Article 4(11)
Note that some third parties might have their own mechanism for securing consent, but allowing those services to inject themselves into your user experiences will be disorienting for people. Unless you are using a single third-party provider to store information about your users, we suggest creating your own single, simple consent mechanism that is clear and concise. It should be used to manage all the various means of data collection on your website, including third parties.
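The article says that consent records must capture when consent was given, which forms of processing were agreed to, and any later revocation. The following is an added example (not BrandExtract's code, and not any vendor's consent API) of a minimal site-wide consent ledger that satisfies those three points: it is append-only, so a grant and its later revocation both stay on record, and it defaults to deny. The purpose names, subject ids and timestamps are constructed for the demo.

```python
"""Consent record: an added example, not BrandExtract's code or any vendor's API.

It models what the article says must be stored: when consent was given, which
forms of processing were agreed to, and any later revocation. Purpose names,
subject ids and timestamps are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: who, which purpose, granted or revoked, when."""
    subject_id: str
    purpose: str        # e.g. "analytics" or "marketing_email" (hypothetical purpose names)
    granted: bool
    recorded_at: datetime


class ConsentLedger:
    """Append-only log of consent events. The current state is derived from the
    log and never overwritten, so the original grant and any revocation both
    remain on record with their timestamps."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, granted: bool,
                when: Optional[datetime]) -> None:
        when = when or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, granted, when))

    def grant(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> None:
        self._append(subject_id, purpose, True, when)

    def revoke(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> None:
        self._append(subject_id, purpose, False, when)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Default deny: no recorded event means no consent; the latest event wins."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one subject, for answering an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo() -> Dict[str, object]:
    """Grant two purposes, revoke one, then check what may still be processed."""
    ledger = ConsentLedger()
    t_grant = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)      # constructed
    t_revoke = datetime(2018, 6, 1, 14, 30, tzinfo=timezone.utc)    # constructed
    ledger.grant("subject-42", "analytics", t_grant)
    ledger.grant("subject-42", "marketing_email", t_grant)
    ledger.revoke("subject-42", "marketing_email", t_revoke)
    return {
        "analytics": ledger.may_process("subject-42", "analytics"),
        "marketing_email": ledger.may_process("subject-42", "marketing_email"),
        "never_asked": ledger.may_process("subject-42", "personalization"),
        "events_on_record": len(ledger.history("subject-42")),
    }


if __name__ == "__main__":
    print(demo())
```

Every tracking or marketing integration on the site would call `may_process` for its purpose before loading, so a single mechanism gates first- and third-party collection alike. In production the events would be persisted, and storing the exact wording shown to the user alongside each grant makes the record easier to defend.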
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. – GDPR Preamble(32)
The users have the right to access their data, correct their data and, when there is no longer a legal basis for data processing (for example, a user revokes consent or is no longer a customer) the data subject shall have the right to be forgotten. This includes controllers notifying processors who might also be storing collected user data.
Additionally, personal data should be forgotten when it is no longer necessary for the legal basis on which it was collected or for the purposes for which consent was given.
Data Protection and Certification
GDPR requires data controllers (that's you) and processors to take appropriate steps (both technical and organizational) to protect personal data.
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. – GDPR Preamble(78)
Those measures should also include limited access, encryption and other fundamental best practices for data security. The authors of GDPR encourage controllers and processors to identify and comply with data protection certifications such as ISO/IEC 27018 Code of practice for protection of personally identifiable information.
In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services. – GDPR Preamble(100)
In my research, I found that Pseudonymization was the most misunderstood concept in GDPR. Pseudonymization is not the same thing as anonymization; it is merely the act of removing the properties from a data set that make user records identifiable and storing those properties in a separate data source using some form of unique identifier. Pseudonymized data can be reconciled with that separate data source to identify the individual users.
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; – GDPR Article 4(5)
Pseudonymizing collected data does not create a legal basis for processing user data. It is, however, a best practice for securely storing user data, especially when that data is stored with a processor or other third party. For example, you could use a unique identifier in a processor's data set that could be combined with your own data set to identify the user.
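The split described above, as an added example (not BrandExtract's code or any processor's API): the direct identifiers are moved out of each record into a separate lookup keyed by a random token, and the working data set keeps only the token. Re-identification needs both stores, which is exactly why the lookup must be held separately under its own controls, and dropping a lookup entry is one way to honour a request to be forgotten without touching the working set. The field names treated as identifiers and the sample records are constructed for the demo.

```python
"""Pseudonymization: an added example, not BrandExtract's code or a vendor API.

Direct identifiers are split out of each record into a separate lookup keyed
by a random token; the working data set keeps only the token. Field names and
records are constructed for the demo.
"""
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]
# Assumption: these fields are treated as direct identifiers for this data set.
IDENTIFYING_FIELDS = ("name", "email", "ip")


def pseudonymize(records: List[Record]) -> Tuple[List[Record], Dict[str, Record]]:
    """Return (working_set, lookup). One token per person, so several records
    belonging to the same subject stay linkable within the working set."""
    lookup: Dict[str, Record] = {}
    token_by_email: Dict[str, str] = {}
    working: List[Record] = []
    for rec in records:
        token = token_by_email.get(rec["email"])
        if token is None:
            token = secrets.token_hex(16)       # random, not derived from the data
            token_by_email[rec["email"]] = token
            lookup[token] = {k: rec[k] for k in IDENTIFYING_FIELDS if k in rec}
        pseudo = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        pseudo["subject_token"] = token
        working.append(pseudo)
    return working, lookup


def reidentify(pseudo: Record, lookup: Dict[str, Record]) -> Record:
    """Reverse the split; only possible with the separately held lookup."""
    rec = {k: v for k, v in pseudo.items() if k != "subject_token"}
    rec.update(lookup[pseudo["subject_token"]])   # KeyError once the subject is erased
    return rec


def erase_subject(token: str, lookup: Dict[str, Record]) -> bool:
    """Delete the link for one subject, leaving their working records
    unattributable. Returns True if an entry was removed."""
    return lookup.pop(token, None) is not None


# Constructed sample: two visits by one person, one by another (RFC 5737 addresses).
SAMPLE_RECORDS: List[Record] = [
    {"name": "Ada Example", "email": "ada@example.com", "ip": "203.0.113.7",
     "page": "/pricing", "ts": "2018-05-25T09:00:00Z"},
    {"name": "Ada Example", "email": "ada@example.com", "ip": "203.0.113.7",
     "page": "/contact", "ts": "2018-05-25T09:02:10Z"},
    {"name": "Bob Sample", "email": "bob@example.com", "ip": "198.51.100.23",
     "page": "/careers", "ts": "2018-05-25T10:15:00Z"},
]


def demo() -> Dict[str, object]:
    """Pseudonymize the sample, re-identify one record, then erase a subject."""
    working, lookup = pseudonymize(SAMPLE_RECORDS)
    leaked = any(k in rec for rec in working for k in IDENTIFYING_FIELDS)
    subjects = len(lookup)
    same_person = working[0]["subject_token"] == working[1]["subject_token"]
    round_trip = reidentify(working[1], lookup)["email"]
    erase_subject(working[0]["subject_token"], lookup)
    try:
        reidentify(working[0], lookup)
        linkable = True
    except KeyError:
        linkable = False
    return {
        "identifiers_in_working_set": leaked,
        "distinct_subjects": subjects,
        "same_token_for_same_person": same_person,
        "round_trip_email": round_trip,
        "linkable_after_erasure": linkable,
    }


if __name__ == "__main__":
    print(demo())
```

The working set is what you would hand to a processor or an analytics consultant; the lookup stays on your own systems with restricted access. Note that "page" and "ts" remain, and a sufficiently unusual combination of such quasi-identifiers can still single someone out, which is why pseudonymization is a safeguard rather than a legal basis.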
Data Breach Disclosures
In the event of a personal data breach, controllers are required to notify their supervisory authority within 72 hours of becoming aware of it. Because you are part of a U.S.-based company, the supervisory authority will be that of the member state(s) where the data subject(s) reside.
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; – GDPR Article 4(12)
Controllers are also required to notify the affected data subjects in the event of a breach, though the timeline for such notification could depend on measures that are necessary to prevent continuing or similar data breaches. The guidelines simply state that data subjects should be contacted without undue delay.
GDPR infringement penalties can be divided into two categories:
- Fines imposed by supervisory authorities
- Compensation for data subjects whose rights have been infringed
Most articles I've read tend to focus on the fines that can be imposed by supervisory authorities.
And it's easy to see why.
Penalties can be as high as €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year. Those are scary numbers.
But it's important to understand that these fines are the upper limits, reserved for the most egregious and damaging situations. Many factors are taken into account when determining the amount of the fine.
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
– GDPR Article 83(2)
The greater unknown is what the compensation for data subjects whose rights have been infringed could be. It's unlikely that any violation of GDPR will affect just one individual so it's reasonable to expect some form of group litigation.
The national rules of EU member states vary widely with regard to group litigation matters (class action). So forecasting the consequences before the regulation goes into effect is an exercise best left to legal professionals. Perhaps better yet, clairvoyants gazing into crystal balls.
Some Common Scenarios
The bottom line is GDPR compliance doesn't have to be all that hard. While there are some basic steps you'll need to take, the guidelines are clear and measurable. If you have been doing business in the EU but have been disregarding the Data Protection Directive, you'll have a little catching up to do. But let me emphasize that it's not that bad.
There are some common scenarios shared across nearly all the businesses that BrandExtract services. Generally, we try to steer our clients away from situations that require gathering consent or managing personal data unless it is absolutely necessary. But there are situations where it makes sense. Here are a few specific situations with recommendations:
It is BrandExtract's position that collecting and storing a user's complete IP address is unnecessary to do quality analytics. And anonymizing the IP address by dropping the last octet of IPv4 addresses and last 80 bits of IPv6 addresses is sufficient to eliminate the possibility of user identification on Google's side.
Further, it is possible to disable the use of the Google Analytics cookie on your website. This will result in the loss of some analytics data (we're in the process of testing this to see what is lost). But by anonymizing the IP address and removing the cookie we no longer need to gather consent for Google Analytics because the user can no longer be identified.
It is still possible to use Google Analytics with the cookies, but you must gather consent prior to doing so.
Web Server Log Files
By default, all requests to your web server are recorded in the log files. Each record includes the user's IP address, which counts as personal data because it could be used later to retroactively trace that user's activity if he or she is later identified. IP address recording should be disabled, or the IP address should be anonymized.
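The anonymization rule the Google Analytics section describes (drop the last octet of an IPv4 address and the last 80 bits of an IPv6 address) is the same one you would apply to your own server logs. The following is an added example, not BrandExtract's code or Google's, that implements that rule with the standard library and runs it over constructed log lines in the common log format, where the client address is the first field. It generalizes slightly beyond the text in that it also copes with lines whose first field is not an IP address, leaving them unchanged rather than guessing.

```python
"""IP anonymization for server logs: an added example, not BrandExtract's or Google's code.

Keeps the first 24 bits of an IPv4 address (drops the last octet) and the first
48 bits of an IPv6 address (drops the last 80 bits). Sample lines are constructed
using RFC 5737 / RFC 3849 documentation addresses.
"""
import ipaddress
import re
import sys
from typing import List

# Common log format: the client address is the first whitespace-delimited field.
_CLIENT_FIELD = re.compile(r"^(\S+)(?=\s)")


def anonymize_ip(addr: str) -> str:
    """Zero the host part: keep /24 of IPv4, /48 of IPv6. Raises ValueError on non-IPs."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48          # 32-8 and 128-80 bits retained
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the client address in one log line. Lines whose first field is
    not a valid IP address are returned unchanged rather than guessed at."""
    m = _CLIENT_FIELD.match(line)
    if not m:
        return line
    try:
        masked = anonymize_ip(m.group(1))
    except ValueError:
        return line
    return masked + line[m.end():]


def anonymize_log(lines: List[str]) -> List[str]:
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines (not real traffic).
SAMPLE_LOG: List[str] = [
    '203.0.113.77 - - [25/May/2018:09:00:01 +0000] "GET /pricing HTTP/1.1" 200 5123',
    '2001:db8:abcd:1234:5678:9abc:def0:1234 - - [25/May/2018:09:00:02 +0000] "GET /contact HTTP/1.1" 200 2210',
    'not-an-ip - - [25/May/2018:09:00:03 +0000] "GET / HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    # Usable as a filter: python anonymize_log.py < access.log > access.anon.log
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for raw in source:
        print(anonymize_log_line(raw.rstrip("\n")))
```

Run as a filter on rotated logs it retroactively removes the full address, but anonymizing at write time is better because the raw address then never reaches disk. Proxied setups that log an `X-Forwarded-For` header as well need the same treatment applied to that field, which this example does not cover.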
Like Google, it is Pardot's position that you are the controller and it is the processor. Pardot's service offering is dependent on being able to identify the user. So if you intend to use Pardot services on your website you must have a legal basis for processing the user's data.
Pardot does not yet have tools in place for gathering or removing user data, and they do not expect to have those tools in place by the deadline. All requests for data and requests to be forgotten will have to be done through Pardot's service desk.
Parts of Hubspot's service offering include intake forms and user tracking. If you are using no other third party providers to track users, then you might consider using Hubspot's consent gathering mechanism. This new feature should be in place by May 25th.
If you are using other providers in addition to Hubspot, or are storing user data on your own systems, then you must create your own mechanism for gathering consent for all the ways user data is stored.
If you are using an email marketing service provider or have your own mechanism for tracking email responses by the user, then you must have consent or a legal basis before you send the email. For email campaigns, you will need an established relationship with the data subject that includes a legal basis for processing.
Hosted Fonts and Other Assets
All providers will have their own terms of service and levels of compliance that will require constant monitoring to make sure their policies don't change. Try to avoid that hassle and risk.
Sharing Services (ShareThis, AddToAny, etc.)
They are terrible, don't use them. Even before newsworthy GDPR developments, BrandExtract had always steered our customers away from these parasites disguised as services. Your users don't need the ability to share your web page on 47 social networks that nobody has ever heard of. BrandExtract has custom code for sharing on all the major platforms that actually matter to your business.
Personalization is also easy. Any personalization scenario other than broad geolocation by continent or country requires user identification, and you must have user consent. There is simply no way around it.
If you're a client of BrandExtract with business in the EU, please email us at email@example.com to discuss how we can help you prepare for GDPR with a website risk audit.