Unless you’ve been living under a rock for the past few weeks, you’ve most likely been inundated with emails about GDPR. If you’re not in the loop, GDPR (General Data Protection Regulation) is a new set of requirements related to protecting the personal data of EU residents.
Initial discussions began six years ago, but agreement wasn’t reached on what the final GDPR would look like until April 2016, when the compliance deadline was set for May 25, 2018. The compliance frenzy has only increased as the deadline has come and gone, and GDPR is now officially in effect.
So, what exactly does GDPR entail, and what does it mean for website owners and publishers? We’ll break down the need-to-know information in this handy checklist.
Does GDPR affect you?
GDPR doesn’t just apply to companies in the European Union; it impacts any company, anywhere in the world, that collects, stores, or processes data of EU residents. Some companies are impacted more heavily than others, though:
- Companies that process or store a large volume of consumer data
- Technology firms and marketers
- Data brokers that handle data processing or connect disparate systems
- Digital publishers/website operators
The biggest impact? It affects companies with business models that hinge on collecting and leveraging consumer data.
The bottom line: If you’re collecting, using, storing, or accessing data from any European residents, GDPR applies to you. Read on to learn what publishers – and anyone responsible for overseeing a website – need to know about GDPR.
GDPR changes at a glance
What’s different about GDPR compared to the previous data protection regulations that were in place?
- The definition of private information is expanded and now includes any data that could identify an individual – either directly or indirectly. That includes device identification numbers, geolocation data, IP addresses, and even cookie IDs.
- ‘Special category’ data is personal data which is classified as more sensitive, and so requires even more secure protection. In addition to race, ethnic origin, politics, religion, trade union membership, health, sex life, and sexual orientation, this now includes genetic and biometric data.
- You need explicit consent to share any personal data about any EU resident. That consent has to be unambiguous and obtained specific to every data processing activity, allowing EU residents to consent to the types of data processing they are comfortable with. Basically, your users are now opting in to data processing, and you have to inform them that they can withdraw their consent at any time.
- You can be fined for violations no matter where your business is located.
- You’re liable for violations whether you’re a data owner (controller) or data processor. That means that even if your business merely handles data on behalf of another company, you’re responsible for GDPR compliance. Be sure to research your vendors’ steps toward compliance, and understand how to responsibly continue using their tools and services. (For example, if you were using ShareThis’s social media share buttons, you could ensure easy compliance using ShareThis’s new GDPR Compliance Tool.)
- Publishers are often data owners, meaning that you’re responsible for reporting violations to the proper authorities within 72 hours of discovery.
What’s the difference between a data controller and a data processor? A data controller is the entity in charge of determining how personal data is processed and why. Data processors, on the other hand, handle the actual processing on behalf of the controller. Publishers are, in most cases, data controllers.
What to know (and do) if you’re a publisher or website operator
We’ve broken down the action steps and must-dos every publisher or website operator needs to know to comply with GDPR below.
Essential in-house to-dos
- Appoint someone to be in charge of GDPR compliance. Some companies are required to appoint a data protection officer (DPO) under the new rules, including public authorities and any data processors that operate on a large scale, though this is likely not required for smaller scale publishers. Even if you’re not required to appoint a DPO, it’s in your best interests to appoint someone to lead the development of a GDPR compliance strategy, oversee ongoing compliance, and stay on top of new GDPR developments.
- Train your staff on GDPR. Anyone who touches user, customer, or visitor data should know who within the organization is responsible for the GDPR strategy and understand what GDPR violations can occur.
- Documentation is your new BFF. Clearly document all steps in the process of collecting, using, storing, and sharing personal data, and make sure that any changes to these processes are immediately documented as well.
- Audit regularly. To ensure that your company remains compliant, you should regularly audit your digital environment, processes, and documentation.
- Evaluate your vendors and understand their compliance. As a publisher, you’re probably working with a number of vendors for different facets of your operation, such as analytics and advertising. Under GDPR, it’s up to you to determine if your vendors are compliant with GDPR. Publishers are often working with numerous third-party vendors, and now is a great time to evaluate and refine those partnerships. Be selective in who you work with.
- Communicate your data policy. You may need to revise your vendor contracts to incorporate your expectations for data handling. Communicate your data policies with each and every vendor that you work with in any capacity related to data.
- Define processes for breach notifications in your contracts. In the case of a data breach, the vendor is responsible for notifying the data owner (the controller) of a breach as soon as possible. Spelling out this process, deadlines, and other notification requirements in writing is a good idea.
- Do not collect personal data. If any of your users’ data falls under GDPR’s “personal data” definition, take measures not to collect or share it with third parties without explicit user consent.
- Develop new privacy notices. As we mentioned earlier, consent now has to be explicit and specific, so make sure your notices are in plain language and easily understood for users to opt in to data collection and processing activities. Clearly explain what data you want to collect, why, and what you plan to do with it, including how it will be stored and whether it will be shared with any third parties.
- Develop a process for informing users, obtaining consent, and managing consent. Remember, EU residents can now withdraw their consent for any data processing activities at any time, so you’ll need a clear-cut process for staying on top of what consent you’ve obtained for which individuals. ShareThis’ GDPR Compliance Tool makes it easy to give your users control over their data.
- Devise strategies for providing users with access to their data. Under GDPR, EU residents can request copies of their personal data at any time, and data controllers must comply in a timely fashion. Make personal data accessible to users and allow them to fix any inaccuracies with ease.
- Develop processes for identifying breaches and informing affected users and authorities. If a breach occurs, you and your staff should know the immediate next steps. Who is in charge of notifying authorities? How do you determine if you must notify affected individuals? What information do you need to include in a breach notification? All of this information should be immediately accessible, and there should be someone in charge of carrying out each step (even if it’s the same person handling every task).
- Don’t forget about the right to be forgotten. Under GDPR, EU residents can request that their data be erased. Publishers (and any entity subject to GDPR) must comply in a timely fashion, so it’s imperative to have a defined process for meeting these requests. That also means taking “reasonable steps” to notify any processors or other third parties who have touched the data.
GDPR compliance seems daunting to many publishers and website owners, but once you’ve got a firm grasp on what the regulations entail, it’s clear that these are common-sense and (mostly) practical requirements that bolster user privacy. While you’ll need to revisit partnerships, revise contract language, and develop new policies and procedures, it’s well worth your time to avoid costly penalties, and, more importantly, give your users the privacy they deserve.