GDPR Cheat Sheet
January 16, 2018
The GDPR (General Data Protection Regulation) as a whole is about establishing rights and protections for the personal data of citizens of the EU.
GDPR is not a technology issue, it is a regulatory one which will require businesses, especially marketers, to rethink how they operate and interact with their customers in the EU.
Although the business will need IT’s close cooperation to succeed, looking at it solely as “IT’s problem” and relying on IT to lead the charge is not the ideal answer and is unlikely to succeed. A purely IT-led initiative will result in the people most central to the issues not understanding what is changing, or why, and will only contribute to the perception that IT is adding friction and throwing up barriers that prevent them from doing the job they “know” (erroneously) that they have to do.
GDPR applies to anyone who sells goods or services to EU citizens or otherwise monitors their behavior – regardless of where the business is located. It is still unclear precisely how penalties will be enforced against companies without a European presence of any type, but for anyone with a footprint in Europe of any kind this is a moot point.
GDPR does not only apply to websites. Although websites can be the most common and visible way individuals interact with a business, it is a mistake to characterize this as a web-only problem. To be successful this has to be a whole organization effort.
GDPR is already in effect, and has been since 2016. May 25th, 2018 is the date it will be enforced.
Existing data (including email lists) collected on EU citizens prior to the GDPR going into effect is not exempt. You must be able to prove you previously obtained their permission in a manner that is compliant with the GDPR, get them to give consent between now and May, or discard their data. There are no other options.
The full text of all 99 articles of the GDPR can be found here.
Personal Data is any information related to an identifiable natural person (data subject) that can be used to identify that person, directly or indirectly. This could include, but is not limited to: names, account numbers, photographs, email addresses, or even an IP address. It does not matter whether this data was generated by user activity or entered on their behalf by a third party.
A data subject is a natural person who has their information collected and processed.
“Clear and unambiguous consent” will need to be provided by the user before their data is collected or processed. Consent can no longer be implied, hidden in the terms and conditions, or handled on an “opted in by default, opt out if you object” basis.
A “double opt-in” is highly recommended – for example, supplying their email address on a website, as well as clicking a link confirming this action in an email that is sent to them.
A Data Controller is an entity determining what personal data to collect and how it’s processed. Data Controllers are required to verify their Data Processors (or anyone else they share their user data with) are compliant.
A Data Processor is an entity processing data on behalf of a Data Controller. Examples of this include Salesforce, Eloqua, Google/Adobe Analytics, and many others.
Data Protection Officer (Article 38)
Data Controllers and Data Processors are both obligated to appoint a Data Protection Officer who has “expert knowledge of data protection law and practices.” This position is mandatory for all entities that are public authorities (except courts), and for any entity whose core activities involve systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data (genetic, health, racial, or ethnic) (Articles 9 and 10).
This position may be an employee or contracted out, but must directly report to the highest levels of management and not be assigned any other duties that would introduce a conflict of interest. Articles 36 and 37 go into greater detail about the qualifications and requirements for this role.
NOTE: Earlier drafts exempted organizations under 250 employees from the above requirements – this decision was later reversed.
Data Subject Rights
Data controllers must notify data subjects about a breach within 72 hours of becoming aware of it.
Data processors must notify data controllers of any breach without “undue delay”.
The right to be informed (Articles 12, 13)
Data collection and processing must be transparent. You must identify what you collect, why you collect it, what you’ll do with it, how long you’ll retain it, and whom you will share it with. This must be stated in plain, clear language.
Data subjects must give their consent explicitly in order to collect or process data. This must be in the form of an “affirmative action” – it cannot be a pre-populated box, or assume they opt-in unless they opt-out.
The right to access (Article 15)
Data subjects have a right to request confirmation that their data is being processed and a right to request a copy of all of the personal data that you have collected or are processing regarding them.
The right to rectification (Article 16)
Data subjects have a right to have their personal data corrected if it is inaccurate or incomplete.
The right to erasure (Article 17)
Also known as the right to be forgotten: data subjects may request that you delete their personal data or suitably anonymize it such that it can no longer be used to identify them. Exemptions are made for data you need for critical business purposes – for example, if they owe you money.
The right to restrict processing (Article 18)
Data subjects have a right to request that you cease processing their personal data.
The right to data portability (Article 20)
Data subjects have a right to obtain and reuse their personal data for their own use or with a different service.
The right to object (Article 21)
Data subjects have the right to object, at any time, to the processing of their personal data.
Automated individual decision-making, profiling and personalization (Article 22)
Data subjects have the right to not be subject to any decisions made based upon automated processing unless they provide explicit consent.
Data protection by design and default (Article 25)
Data controllers are required to design their systems to be secure by default, to encrypt data in transit and at rest, and to collect only the minimum amount of data they need.
The GDPR itself does not specifically speak to Data Sovereignty, but there is a growing parallel movement that insists data about the citizens of a country must reside on servers within that country; this is especially prevalent in Germany, Russia, China, and France. This is an area to keep an eye on for future developments.
If data about European citizens is stored outside of Europe, it would be prudent to meet and exceed the guidelines established in the EU’s Data Protection Directive and Article 25 of the GDPR.
Companies found to be violating the GDPR can face a maximum fine of up to 20 million euros, or 4% of their annual gross revenue, whichever is greater.