A (very) brief GDPR overview:
NB: We are not lawyers – and therefore – not your lawyer. However, I do have some informed advice and actionable insights for you to consider while consulting with your legal counsel!
Who: The GDPR covers people in the EU – no matter where the company is. Yes, your EU customers count.
What: Personal data. This concept is far more expansive than the American notion of PII.
When: From 25 May.
The Bosses: Country-specific national data protection authorities charged with implementing and enforcing the GDPR.
There are two classes of entities: processors and controllers (definitions: Article 4). A controller makes decisions about personal data, and therefore has higher compliance requirements, whereas a processor processes data on behalf of a controller. For example, Salesforce, Zendesk, and AWS are (probably!) processors. You’re most likely a controller.
Legal Bases: Each processing purpose requires a legal basis. Article 6 enumerates many – but only two are relevant: consent (exactly what it sounds like but with some caveats) and a legitimate interest. You must decide which basis covers each bit of personal data for each processing purpose.
Consent: You must not opt users in by default. Consent for a processing purpose cannot be required to use a service. If data is required, use the legitimate interest basis.
Marketing may be considered a legitimate interest (Recital 47). STOP: this isn’t a get out of jail free card. You are required to execute a balancing test and analysis.
You must implement Privacy by design, or as the GDPR calls it, “Data protection by design and by default”, as discussed in Article 25. There are many ramifications, but the most important is that you, as a controller, must now minimize:
- data collected (and only for specific purposes and a specific basis, either legitimate interests or consent)
- accessibility of collected data
- retention of collected data
Rights of Data Subjects
Data subjects can:
- Withdraw consent at any time. This must be as easy to do as it was to give consent initially.
The rest of these rights cover data processed both under consent and legitimate interest bases:
- Request all data you have on them (a so-called SAR: Subject Access Request). Unlike access requests under the DPA (the GDPR’s predecessor), you may not charge a fee for the first request. Expect more requests as a result.
- Correct any data you have on them.
- Delete their data. This is more complicated than it sounds: some data must be deleted immediately, while you will need to retain some records for a longer period (think usage data required for chargebacks, tax data required by governments, etc.).
- Additionally, all data must be deleted when you no longer need it.
- Receive an explanation of any automated processing, and appeal the resulting decision to a human.
Consent must, per Article 7:
- be concise and transparent
- be intelligible
- be default opt-out
- enumerate the uses of personal data
- enumerate by name all controllers with whom data will be shared [1]
- if processors are not enumerated elsewhere, enumerate them by name [2]
The GDPR doesn’t spell out how to accomplish this – so unfortunately – there aren’t checklists available. Instead, the EU specifies the desired goal and leaves its execution solely up to you.
[2] Excerpted from Article 29 Data Protection Working Party Guidance on Consent, page 14, paragraph 1:
With regard to [the controller’s identity] and [what (type of) data will be collected and used], WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors.