If there’s one message Ralf Wolter would like all ISAers to take away from his two-part webinar series on General Data Protection Regulations (GDPR) compliance, it’s this: Digital freedom ends where user freedom begins.
Wolter, who’s the founder of High-Performance Consulting & Coaching, kicked off the series with a high-level overview of the new E.U. regulation, including some background on how it came into being and how it affects ISA firms.
As he explains, the Internet was designed on the assumption that people would trust each other. But of course, hackers and a variety of other unscrupulous characters made it necessary to add in layers of privacy later on. GDPR’s intent is for organizations to start thinking about privacy from the beginning, guided by a principle of “privacy by design and default.” In other words, whether you’re developing apps, setting up websites, collecting customer data or storing information about training participants, user privacy should be at the forefront, not an afterthought.
The reform actually consists of two elements: (1) GDPR, which is designed to give individuals more access to and control over their personal data, and (2) the Data Protection Directive, which focuses on cross-border cooperation of police and justice.
Let’s Talk About Data
There are different types of data that you might collect, and GDPR treats them differently. Personal data includes the basics, like names and email addresses, while sensitive personal data might include things like party affiliation, union membership, prison records and information about children. Sensitive data needs to be treated with higher security, so the first question to ask is, “What kind of data are we collecting and processing?” Also consider, “Who collects and processes data on our behalf?” This could include accounting, email marketing and similar services. You’ll need to sign a data protection agreement with those providers.
Here are some of the key points to keep in mind in terms of GDPR’s requirements around data collection:
- People need to actively opt in: If you want to collect personal data on someone, you need their explicit agreement. Consent can’t be given by default with pre-checked boxes or pre-filled forms, for example. Automatically signing people up for your newsletter when they visit your website or download something also won’t fly. Data extends to people’s likenesses too, so you must have active consent from anyone who’s recognizable in photos you use. This means you can’t get by with a sign that says, “By entering this room, you agree…” You have to give the person a choice.
- Don’t collect more than you need: Data minimization is a key tenet of GDPR, which stipulates that the data you collect must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Consider how much information is legitimately necessary for someone to download a white paper or access other resources from you.
- Don’t keep it for longer than you need: GDPR also specifies how long you can retain information: “as long as is required to achieve the purpose for which data were collected and are being processed.”
- People have a right to know what you’re collecting about them: When someone asks you what information you’re collecting and storing about them, you have 4 weeks to reply. If you don’t, that person has a right to file a complaint, and local authorities are required to respond to their complaint.
- People have a right to be forgotten: By the same token, if someone requests that you delete their information, you have to reply to them, and you have to delete the data (assuming you’re not legally required to retain the information) — and not just in a single database but in all areas where it resides, including back-ups.
- Employees are people too: GDPR doesn’t differentiate between customers and employees, so this is a good time to make sure your internal data is protected as well.
Where to Begin with GDPR
Wolter recommends following a strategy of risk minimization. Consider where you have the most immediate risk and start there. Here are a few steps every organization should begin with:
- Review your opt-in/consent processes for newsletters and other services, and move to double opt-in.
- Minimize the amount of data you collect and retain.
- Find out if you’re required to have a Data Protection Officer (and appoint one if you are).
- Create an inventory of the personal data you collect. (Access a Google Sheets template for this purpose here.)
- Incorporate data protection into daily business. Privacy should be baked in, not an afterthought.
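The consent, retention and erasure requirements listed above, and the double opt-in step in the list just given, are easier to reason about in code. The following is an added example, not code from Wolter's webinar or from the ISA: a hypothetical in-memory `ConsentStore` that never treats consent as given by default, only counts a subscriber as consented after the confirmation token is used (double opt-in), drops unconfirmed and expired records, answers a subject-access request, and erases a person from the primary store and every backup snapshot. The clock, retention periods and e-mail addresses are constructed values; a real deployment would back this with a database and a queued mail-out for the confirmation link.

```python
"""Added example: privacy-by-default consent handling (hypothetical ConsentStore)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Subscriber:
    email: str
    purpose: str                              # why the data is held (purpose limitation)
    requested_at: datetime
    confirmed_at: Optional[datetime] = None   # stays None until the opt-in link is used
    token: Optional[str] = None

    @property
    def consented(self) -> bool:
        # Consent is never assumed: only an explicit confirmation counts.
        return self.confirmed_at is not None


class ConsentStore:
    """Hypothetical store: a primary table plus backup snapshots (constructed for the example)."""

    def __init__(self, retention: timedelta, confirm_window: timedelta,
                 now: Optional[Callable[[], datetime]] = None):
        self.retention = retention              # how long confirmed records may be kept
        self.confirm_window = confirm_window    # how long an unconfirmed request may linger
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.primary: Dict[str, Subscriber] = {}
        self.backups: List[Dict[str, Subscriber]] = []

    def request_subscription(self, email: str, purpose: str) -> str:
        """Double opt-in, step 1: record the request and return the token to e-mail out."""
        token = secrets.token_urlsafe(16)
        self.primary[email] = Subscriber(email, purpose, self._now(), token=token)
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Double opt-in, step 2: only a matching token turns the request into consent."""
        rec = self.primary.get(email)
        if rec is None or rec.token is None or not secrets.compare_digest(rec.token, token):
            return False
        rec.confirmed_at = self._now()
        rec.token = None
        return True

    def snapshot_backup(self) -> None:
        self.backups.append(dict(self.primary))

    def mailing_list(self) -> List[str]:
        """Only confirmed subscribers inside the retention period may be mailed."""
        cutoff = self._now() - self.retention
        return sorted(e for e, r in self.primary.items()
                      if r.consented and r.confirmed_at >= cutoff)

    def purge_expired(self) -> List[str]:
        """Data minimization: drop stale unconfirmed requests and records past retention."""
        now = self._now()
        expired = [e for e, r in self.primary.items()
                   if (not r.consented and r.requested_at < now - self.confirm_window)
                   or (r.consented and r.confirmed_at < now - self.retention)]
        for e in expired:
            self.erase(e)                       # backups are subject to the limit too
        return sorted(expired)

    def subject_access(self, email: str) -> Optional[dict]:
        """Right of access: what is held on this person, in plain fields."""
        rec = self.primary.get(email)
        if rec is None:
            return None
        return {"email": rec.email, "purpose": rec.purpose,
                "requested_at": rec.requested_at.isoformat(), "confirmed": rec.consented}

    def erase(self, email: str) -> int:
        """Right to be forgotten: remove from primary AND every backup; returns copies removed."""
        removed = 1 if self.primary.pop(email, None) is not None else 0
        for backup in self.backups:
            if backup.pop(email, None) is not None:
                removed += 1
        return removed


def demo() -> dict:
    """Walk through the controls with a fixed clock and return what was observed."""
    clock = [datetime(2018, 5, 25, tzinfo=timezone.utc)]      # constructed start date
    store = ConsentStore(retention=timedelta(days=365),
                         confirm_window=timedelta(days=2), now=lambda: clock[0])
    tok = store.request_subscription("alice@example.com", "newsletter")
    store.request_subscription("bob@example.com", "newsletter")   # bob never confirms
    out = {"before_confirm": store.mailing_list()}                 # nobody is mailed yet
    out["bad_token"] = store.confirm("alice@example.com", "wrong-token")
    out["good_token"] = store.confirm("alice@example.com", tok)
    out["after_confirm"] = store.mailing_list()
    store.snapshot_backup()                                        # backup now holds both
    clock[0] += timedelta(days=3)                                  # past bob's window
    out["purged"] = store.purge_expired()
    out["access"] = store.subject_access("alice@example.com")["confirmed"]
    out["erased_copies"] = store.erase("alice@example.com")        # primary + 1 backup
    out["after_erase"] = store.mailing_list()
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that every default is the restrictive one: a record starts unconsented, an unconfirmed request cannot reach the mailing list no matter how it was created, and deletion is not finished until the backups are clean. The `purpose` field is what lets you answer "why do we hold this?" in an access request, which is also the question the data inventory step above asks.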
Ready to get more detailed? Part 2 of Wolter’s webinar provides 10 concrete steps towards GDPR compliance.
What’s in it for you to get compliant? For one, Wolter emphasizes the penalty of non-compliance — fines of up to 20 million euros or 4% of your global revenue, whichever is higher. It’s also worth noting that GDPR is just the beginning of this movement toward increased privacy and data protection measures. In Australia, the Notifiable Data Breaches (NDB) scheme went into effect in February of this year, and in the U.S., the California Consumer Privacy Act will take effect on January 1, 2020, with many similar requirements. Others are sure to follow.
But even if you don’t currently have customers or employees in the E.U. or other covered areas, Wolter encourages you to recognize the benefits of compliance and lead by example. When you demonstrate to your customers that you care about their privacy, you’ll stand out and win their trust. With more and more high-profile data breaches making headlines, privacy is increasingly important to your customers, and they want to know that it matters to you too.
To take a readiness assessment and find answers to questions posed by ISAers on the webinars, be sure to listen to the webinar recordings and download the accompanying slides (see below), which include additional technical information, recommendations, planning tools and reference material.