By Derek Lackey, President, Direct Marketing Association of Canada
The General Data Protection Regulation (GDPR) requires a complete re-think of data management practices:
- How you capture it,
- How and where you manage it,
- Whether or not you share it, and most important,
- How and when you process that data.
If you do business in the EU, but not at a scale that justifies completely rewiring your data operations (for example, a firm that markets a product or service to people in the EU), this Hotsheet addresses the key areas that we believe the Data Protection Authorities (DPAs) will be looking for after May 25, 2018.
Before taking any action you must assess whether you are a Data Controller or a Data Processor for each activity. (See GDPR Chapter 4, and the definitions in Article 4.)
Stated plainly, a Controller determines the purposes and means of the processing: what is collected, why, and how it is processed. A Processor processes personal data only on the documented instructions of a Controller. It is not unusual for an organization to be both (a Controller for its own subscriber list, a Processor when it handles a client's list), so always consider which hat you are wearing.
We will break GDPR into 7 areas of concern:
1. EU Data Subject Rights
Under GDPR, every data subject in the EU is entitled to the following rights:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
Details for each of these rights can be found in Chapter 3.
These rights are most easily complied with if your data is centralized, or at least fully inventoried, so that every record about one individual can be located.
You must design and document policies and procedures that allow you to fulfill any of these requests without undue delay and in any event within one month of receipt (Article 12).
Where a request is complex or you are handling a large number of requests, that period may be extended by up to two further months, but you must tell the Data Subject of the extension, and the reasons for it, within the first month.
To comply with these rights, publishers must:
a) Develop processes to fulfill the request of the Data Subject within one month, including a way to verify the identity of the requester before disclosing or erasing anything.
b) Be able to immediately stop processing data from individual consumers or sets of consumers when requested, including suppressing them from every list, feed and vendor to which the data was passed.
2. Accountability
One of the most important principles within GDPR is accountability (Article 5(2)). Any company that stores or processes personal data must be able to demonstrate how it complies with the principles, not merely assert that it does.
Publishers should answer the following five questions:
- At the point of collection, did we specify how this personal data will be used?
- Can we track and prove how the data was collected (date and timestamp, IP address, source form, the version of the notice shown, etc.)?
- Can we limit data collection to specifically what is necessary to serve the purpose for which it is collected (data minimization)?
- Can we store the data only as long as necessary for its intended purpose?
- Can we demonstrate that we have put appropriate technical and organizational security measures in place (Article 32), such as access controls, encryption and logging?
In short, GDPR requires new levels of accountability and transparency, placing the burden firmly on the publisher to demonstrate and prove every aspect of compliance.
Documenting how and why personal data was collected as well as the written policies and procedures is an important part of compliance. (See Guidance Document “Accountability.”)
3. Data Minimization
Throughout GDPR, data minimization is called for (Article 5(1)(c)). If you do not need the collected data for the purpose you collected it for, GDPR calls for you to delete it.
Once the purpose of collecting the data has been served, delete it unless another lawful purpose or a legal retention requirement applies. So both the quantity (number of fields collected) and the length of time the data is kept are affected.
Data you hold without a purpose is pure liability: it cannot be justified to a DPA, it still has to be produced for access requests, and it is still yours to report if it is breached.
4. Lawful Basis for Processing
This is a fundamental decision that must be made for every way you process data.
If you are sending emails, that is one form of data processing. If you are using cookies to profile an individuals’ preferences, that is another form of processing.
For each way you process that individual’s data you must decide on the Lawful Basis of Processing. (See Article 6.)
Article 6 lists six lawful bases. The three most relevant to a publisher's marketing and subscriber data are below (others, such as legal obligation, will apply to records like accounting data):
a) CONTRACTUAL: For customers, and for prospects taking steps to enter a contract (a trial or an order in progress), you can do all types of processing necessary to fulfill that contract. We recommend you update your terms and conditions and call out that you intend to email them, offering an opt-out opportunity at the point of data collection as well as in every email sent (an unsubscribe mechanism that allows an individual to easily opt out). It should be as easy to unsubscribe as it is to subscribe. Important to note, this does not give you carte blanche to stuff all sorts of conditions into your terms and conditions. They must be necessary to your ability to fulfill your contract with those individuals.
b) LEGITIMATE INTEREST: Much has been written and discussed on this form of lawful basis for processing, but our lawyers assure us that B2B players can communicate on a soft opt-in basis. Recital 47 recognizes that direct marketing may be a legitimate interest. Prospects that are engaged and show interest in your area of business can be contacted on this basis. The rule of thumb when executing is: if the recipient of an email could be left asking "Why did they send this to ME?" you should ask yourself, "Should this person be on our list?" In order to claim a legitimate interest, a Legitimate Interest Assessment must be completed and kept on file. It is, in essence, a balancing test between your organization's interests and the data subject's interests, and the data subject keeps an absolute right to object to direct marketing (Article 21), so every message still needs an easy opt-out.
c) CONSENT: Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)); you must also be able to show when, how and to what wording each person consented (Article 7). If using webforms and online registration (opening an account) or trade show data collection (business cards, show-organized scanners, etc.), be sure to add a couple of sentences to your collection forms like: "Thank you for subscribing to [name of your email subscription] from [name and address of the organization]. We will send you information relative to [your field of service]. You can reach us at ______ or ________. You can unsubscribe at any time."
As a separate, unticked check box you could add "Yes, please include relevant messages from industry sources, including sponsors and advertisers." Pre-ticked boxes, silence and inactivity do not count as consent.
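The accountability questions in section 2, the retention point in section 3 and the per-purpose lawful basis in section 4 all come down to the same record-keeping discipline, and the "stop processing immediately" requirement in section 1 depends on it. The following Python sketch is an added example written for this page; it is not code from the Hotsheet or from Magazines Canada. It keeps one evidence record per subject per purpose (timestamp, IP, source, notice version, lawful basis), refuses to store data with no documented purpose or retention period, checks for a live basis before any processing, stops on objection, purges expired records, exports everything held on one person, and computes the one-month response deadline. The purposes, retention periods and sample records are assumptions for illustration.

```python
"""Added example: minimal consent / lawful-basis ledger for subscriber data.
Purposes, retention periods and sample records below are assumptions."""
import calendar
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical retention periods, in days, per documented purpose (assumption).
RETENTION_DAYS: Dict[str, int] = {
    "newsletter": 730,         # subscriber data, up to 2 years after last consent
    "order_fulfilment": 2555,  # about 7 years, assumed accounting-retention need
    "event_followup": 180,     # trade show leads: one follow-up season
}

# The three bases discussed in the text; other Article 6 bases could be added.
LAWFUL_BASES = {"contract", "legitimate_interest", "consent"}


@dataclass
class CollectionRecord:
    """Evidence of how and why one data subject's data was collected."""
    subject_id: str
    purpose: str
    lawful_basis: str
    captured_at: datetime        # UTC timestamp of collection
    source: str                  # e.g. "webform:/subscribe", "tradeshow:scanner"
    ip_address: Optional[str]    # None for offline collection (business card)
    notice_version: str          # which privacy notice / form wording was shown
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.captured_at + timedelta(days=RETENTION_DAYS[self.purpose])

    def permits_processing(self, now: datetime) -> bool:
        """True only while not withdrawn and inside the retention period."""
        return self.withdrawn_at is None and now < self.expires_at()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[CollectionRecord] = []

    def record(self, subject_id: str, purpose: str, lawful_basis: str,
               captured_at: datetime, source: str, ip_address: Optional[str],
               notice_version: str) -> CollectionRecord:
        # Refuse data with no documented purpose, retention or lawful basis:
        # this is where minimization and accountability are enforced.
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"no documented purpose/retention for {purpose!r}")
        if lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis {lawful_basis!r}")
        if captured_at.tzinfo is None:
            raise ValueError("captured_at must be timezone-aware (use UTC)")
        rec = CollectionRecord(subject_id, purpose, lawful_basis, captured_at,
                               source, ip_address, notice_version)
        self._records.append(rec)
        return rec

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Ask before every send or profiling job: live basis for THIS purpose?"""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.permits_processing(now) for r in self._records)

    def object(self, subject_id: str, purpose: str, now: datetime) -> int:
        """Objection / withdrawal takes effect immediately. The record stays
        (until its retention expiry) as proof that processing stopped."""
        hits = [r for r in self._records if r.subject_id == subject_id
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = now
        return len(hits)

    def purge_expired(self, now: datetime) -> int:
        """Data minimization: drop every record past its retention period."""
        before = len(self._records)
        self._records = [r for r in self._records if now < r.expires_at()]
        return before - len(self._records)

    def export(self, subject_id: str) -> str:
        """Right of access / portability: all records on one subject, as JSON."""
        rows = []
        for r in self._records:
            if r.subject_id == subject_id:
                d = asdict(r)
                for k in ("captured_at", "withdrawn_at"):
                    d[k] = d[k].isoformat() if d[k] else None
                rows.append(d)
        return json.dumps(rows, indent=2, sort_keys=True)


def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m0 = d.month - 1 + months
    year, month = d.year + m0 // 12, m0 % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def response_due(received: datetime, extended: bool = False) -> datetime:
    """Article 12(3): one month to reply; up to two further months if extended."""
    return add_months(received, 3 if extended else 1)


if __name__ == "__main__":
    utc, now = timezone.utc, datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Constructed sample records: a web subscriber and a stale trade-show lead.
    ledger.record("s1", "newsletter", "consent", datetime(2018, 5, 26, tzinfo=utc),
                  "webform:/subscribe", "203.0.113.7", "privacy-notice-2018-05")
    ledger.record("s2", "event_followup", "legitimate_interest",
                  datetime(2017, 1, 10, tzinfo=utc), "tradeshow:scanner", None,
                  "badge-notice-2017")
    print("may email s1:", ledger.may_process("s1", "newsletter", now))
    ledger.object("s1", "newsletter", now)
    print("after objection:", ledger.may_process("s1", "newsletter", now))
    print("purged:", ledger.purge_expired(now))
    print(ledger.export("s1"))
    print("reply by:", response_due(datetime(2018, 5, 31, tzinfo=utc)).date())
```

The design choice worth noting is that a withdrawn record is not deleted: it is what lets you prove to a DPA that you stopped when asked, and it keeps the address on a suppression list so a later import does not quietly re-subscribe the person. The retention purge is what eventually removes it.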
5. Third Party Agreements
Third party agreements/contracts with vendors, partners and even clients that were written before GDPR will generally NOT include the language needed to make clear who is responsible for what. Article 28 requires a written contract with every Processor that sets out the subject matter, duration, nature and purpose of the processing and obliges the Processor to act only on documented instructions, keep the data secure, assist with data subject requests and breach notification, and delete or return the data at the end of the engagement. As these contracts come up for renewal, examine the GDPR impact closely and fold the appropriate clauses into the new agreements; contracts that will not come due before May 25, 2018 should be covered by an addendum, starting with those involving the most personal data.
6. Data Breach Protocol
GDPR requires every organization that maintains personal data on EU data subjects to have a documented process in place for a personal data breach. The reporting requirements depend on the risk to individuals, not on whether "sensitive" data was involved: a Controller must notify its Data Protection Authority (DPA) within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals (Article 33), and where it is likely to result in a high risk, the affected individuals must be told directly as well (Article 34). A Processor must notify its Controller without undue delay. Keep a log of every breach, including those you decide not to report and the reasoning. (See Guidance Document "Breach Reporting.")
7. Webforms and Cookie Notices
Cookies will be governed by the new ePrivacy Regulation working its way through the EU legislative process; until it lands, GDPR's consent standard applies to any cookie that identifies an individual. Give visitors a genuine Yes/No choice on non-essential cookies, and set those cookies only after a Yes. Forcing visitors to choose between viewing your site and giving consent (a "cookie wall") is not consent "freely given" as defined by GDPR.
- If your business operates from outside the EU and is subject to GDPR, you should at the very least have appointed a representative within the EU (Article 27).
- You should only transfer data outside of the EU to countries that offer an adequate level of protection, or under another approved safeguard. PIPEDA (Canada's current federal privacy law) has been deemed adequate for the data it covers, meaning such data can be transferred from the EU to Canada. For transfers to the U.S. you may rely on a recipient certified under the Privacy Shield, or on the EU's Standard Contractual Clauses.
- Organizations whose core activities involve large-scale, regular and systematic monitoring of individuals (behavioral profiling of a large audience, for instance) or large-scale processing of special categories of data must appoint a Data Protection Officer (Article 37); others holding a lot of personal data may still want to.
Fines of up to €20 million (US$23.9m) or four percent of annual global turnover, whichever is higher, can be levied for noncompliance. Losing audience data and digital revenues for not having a GDPR strategy in place could prove even worse. (See Guidance Document "Administration Fines.")
Magazines Canada Hotsheets deliver current information on a single topic, each written by an expert in the field.