This blog post is based on our interpretation of GDPR and is not a comprehensive guide to complying with the regulation. The suggestions are not to be taken as legal advice, which is an attorney applying the law to your specific circumstances. We strongly recommend that you consult an attorney if you want to ensure compliance.
The General Data Protection Regulation (GDPR), a set of European Union (EU) rules adopted in 2016 and meant to protect personal data of EU residents, will become enforceable May 25, 2018. Under GDPR, users will have assurance that their data will be collected, processed, and stored under lawful and fair conditions.
Although GDPR applies only to organizations established in the EU or that offer goods or services to, or monitor the behavior of, people in the EU, many companies are taking this as an opportunity to update their data collection and protection policies.
What is GDPR?
GDPR was crafted on the idea that your personal data belongs to you and that you should have certain rights and freedoms to protect your information. Other key principles of GDPR include the ideas that personal data is:
- Collected fairly and processed for specific and lawful purposes.
- Protected and secure, with safeguards and procedures that prevent misuse.
- Kept for no longer than necessary.
- Accessible to the data subject, who can have it rectified or erased upon request.
What is lawful under GDPR?
Under GDPR, businesses must become more transparent in the ways they obtain and process personal data. The organization that decides why and how personal data is processed (the "controller" in GDPR's terms) must be able to point to a lawful basis for each processing activity. Some of the most common scenarios in which collecting, processing, and storing personal data is lawful are:
- The controller has given the data subject a clear and accurate notice of how personal data will be used, and the data subject has subsequently consented to their data being used for those specific purposes.
- The collection and processing of personal data is necessary for the performance of a contract. The controller can lawfully store and process personal data when executing its side of a contract, such as providing a quote for a service or shipping a purchased product.
- The controller has a legitimate interest in the processing that is not overridden by the interests and rights of the data subject. This is the most flexible lawful basis, but it requires a documented balancing test; it can cover use of client or employee data, direct marketing, fraud prevention and other security measures.
How can your company comply?
If your business markets to or monitors the online behavior of EU residents, you will need to modify the way it collects and processes personal data. Here are some ways to comply with GDPR.
Give notice and collect consent
A key component of GDPR is that consent must be affirmative, specific, and freely given, and as easy to withdraw as it was to give. An unchecked checkbox on forms is a simple way to let users opt in to receive communication from your company; a pre-ticked box or a consent bundled into general terms and conditions does not count. The checkbox needs to be paired with a clear, concise, and intelligible notice about how your business intends to use the data. The exact notice shown and the date and time of consent should be recorded on a contact-by-contact basis, so you can later demonstrate what each person agreed to. In addition to product updates that will facilitate compliant data collection, HubSpot frequently uses checkboxes on its site to give notice and obtain consent.
Run a permission-pass campaign
Confirmation of consent from your existing contact database can be obtained through a permission-pass email campaign. This is a one-time email sent to your existing database that asks users to review and confirm things like the subject matter and frequency of the communication they would like to receive. This gives you the chance to capture and record opt-in status for any contact that might not have previously given explicit consent. One caveat: existing electronic-marketing rules already restrict emailing people who never opted in, and regulators have penalized companies for permission-pass emails sent to such contacts, so check the basis for the campaign itself before sending it. Here's an example email from BioSpace that asks current users to update their communication preferences.
Alert users of data tracking
GDPR requires clear messaging about data collection, even when data is collected automatically. Most websites automatically track and store online behavior through cookies and similar identifiers. Proper notice of the use of cookies and other tracking technologies can be given through a banner or pop-up that explains what data is being stored and for what purpose, and tells users how they can change their settings. Nestlé uses a pop-up that informs users of data tracking, provides instructions on how to opt out, and points to their privacy policy.
Provide access to personal data upon request
Under GDPR, data subjects have the right to access the personal data held about them and to have it rectified or erased. Requests must be answered without undue delay, and in general within one month, so your company may need to establish or document internal procedures to verify the requester's identity, locate every copy of their data, and fulfil the request within that window. Privacy policies should also be updated with concise and intelligible language that reflects any new data collection and storage practices adopted for GDPR.
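The sections above on recording consent, running a permission pass, and serving access and erasure requests all hinge on the same record: per contact, which notice was shown, when, and what the person decided. The following Python is an added example of such a consent ledger, written for this post; it is not code from HubSpot, BioSpace, Nestlé or any product mentioned here, and every name, purpose string and contact in it is constructed for illustration. It rejects pre-ticked boxes, hashes the notice wording so a later edit to the notice is detectable, lists contacts who still need a permission pass, and keeps a hashed suppression entry after erasure so a re-imported legacy list cannot silently reinstate someone.

```python
"""Minimal consent ledger (illustrative example, not vendor code)."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from hashlib import sha256
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Notice:
    """The exact wording shown to the user when consent was requested."""
    version: str
    text: str

    def digest(self) -> str:
        return sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str          # e.g. "newsletter" (hypothetical purpose name)
    granted: bool         # True = opt-in, False = withdrawal
    notice_version: str
    notice_digest: str    # hash of the notice text the person actually saw
    source: str           # where it was captured: "signup-form", "permission-pass", ...
    at: str               # ISO-8601 UTC timestamp


@dataclass
class Contact:
    email: str
    attributes: Dict[str, str] = field(default_factory=dict)
    events: List[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._contacts: Dict[str, Contact] = {}
        self._suppressed: set = set()           # sha256(email) of erased contacts
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def add_contact(self, email: str, **attributes: str) -> Contact:
        """Register a contact (e.g. a legacy database row) with no consent history."""
        key = email.lower()
        contact = self._contacts.setdefault(key, Contact(email=key))
        contact.attributes.update(attributes)
        return contact

    def record(self, email: str, purpose: str, granted: bool, notice: Notice,
               source: str, pre_ticked: bool = False) -> ConsentEvent:
        """Append an opt-in or withdrawal for one purpose, tied to the notice shown."""
        if granted and pre_ticked:
            # A box the user did not actively tick is not an affirmative action.
            raise ValueError("consent must be affirmative: pre-ticked boxes are rejected")
        event = ConsentEvent(purpose, granted, notice.version, notice.digest(),
                             source, self._clock().isoformat())
        self.add_contact(email).events.append(event)
        return event

    def status(self, email: str, purpose: str) -> Optional[bool]:
        """Latest decision for a purpose; None means no record exists at all."""
        contact = self._contacts.get(email.lower())
        if contact is None:
            return None
        for event in reversed(contact.events):
            if event.purpose == purpose:
                return event.granted
        return None

    def permission_pass_targets(self, purpose: str) -> List[str]:
        """Contacts with no recorded decision for this purpose (never consented or declined)."""
        return sorted(e for e in self._contacts if self.status(e, purpose) is None)

    def export(self, email: str) -> Optional[dict]:
        """Subject access request: everything held about the contact, history included."""
        contact = self._contacts.get(email.lower())
        return None if contact is None else asdict(contact)

    def erase(self, email: str) -> bool:
        """Erasure request: drop the record but remember the hashed address for suppression."""
        key = email.lower()
        if self._contacts.pop(key, None) is None:
            return False
        self._suppressed.add(sha256(key.encode("utf-8")).hexdigest())
        return True

    def is_suppressed(self, email: str) -> bool:
        return sha256(email.lower().encode("utf-8")).hexdigest() in self._suppressed


def demo() -> dict:
    """Constructed walk-through: signup, permission pass, withdrawal, access request, erasure."""
    ledger = ConsentLedger(clock=lambda: datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    notice = Notice("2018-05", "We will email you our monthly newsletter. Unsubscribe any time.")
    ledger.record("alice@example.com", "newsletter", True, notice, "signup-form")
    ledger.add_contact("bob@example.com", first_name="Bob")      # legacy row, no consent
    before = ledger.permission_pass_targets("newsletter")
    ledger.record("bob@example.com", "newsletter", True, notice, "permission-pass")
    ledger.record("alice@example.com", "newsletter", False, notice, "preferences-page")
    alice_status = ledger.status("alice@example.com", "newsletter")
    sar = ledger.export("alice@example.com")
    erased = ledger.erase("alice@example.com")
    return {
        "targets_before_pass": before,
        "targets_after_pass": ledger.permission_pass_targets("newsletter"),
        "bob_status": ledger.status("bob@example.com", "newsletter"),
        "alice_status_after_withdrawal": alice_status,
        "sar_event_count": len(sar["events"]),
        "sar_digest_matches": sar["events"][0]["notice_digest"] == notice.digest(),
        "erased": erased,
        "alice_export_after_erase": ledger.export("alice@example.com"),
        "alice_suppressed": ledger.is_suppressed("alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole lifecycle: Bob appears as a permission-pass target until his confirmation is recorded, Alice's withdrawal becomes her current status while her earlier opt-in stays in the exportable history, and after erasure her export returns nothing but her hashed address remains on the suppression list. In a real system the ledger would be a database table with the same columns, and `export` would also pull data held outside the marketing system.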
Again, these suggestions are not the same as legal advice and do not cover the entire scope of GDPR. We encourage you to seek legal advice regarding compliance.