To better understand the legal requirements that accompany the shift towards a privacy safe advertising ecosystem that was discussed in the first article of this series, the following article aims to provide some legal background on the General Data Protection Regulation (GDPR) and equip you with a roadmap to GDPR compliant data processing.
Data is one of the most important resources of the 21st century and vital for companies to stay competitive. As data collection grows increasingly complex and more and more companies are using that data for commercial purposes, strict privacy and security standards apply. The GDPR, which was enforced in 2018 (see Figure 1), aims to ensure a comprehensive protection of individuals’ personal data and unify data protection laws across the European Union.
In order to establish organizational security, protect customers’ data, and avoid costly fines for non-compliance, there are a number of requirements that data controllers need to pay attention to:
Know the data you are collecting, have a lawful basis, and be transparent.
- Conduct an information audit to determine what information is processed, who has access to it (also considering third parties) and what measures you are taking to protect the data, such as encryption (see Article 30 of the GDPR).
- Have a legal justification for your data processing activities (see Articles 6-11). Processing always requires a lawful basis, which can either be “consent” (where it is crucial that individuals may revoke consent) or “legitimate interest” (where you must be able to demonstrate you have conducted a privacy impact assessment).
- Information about your data processing and legal justification needs to be stated clearly in your privacy policy and provided to individuals at the time of data collection (see Article 12) via a cookie banner. Here, there are two different approaches: Users who visit your website may be asked to take a clear positive, affirmative action, such as checking a tick-box (opt-in). Alternatively, the cookie banner will display a box that is already checked and prompts the user to uncheck the box if they want to decline consent (opt-out). Users must be able to revoke consent at any time.
Take measures to keep your customers’ data safe.
- You must follow the principles of "data protection by design and by default" (see Article 25), taking data protection into account at all times, from deciding on the means of processing to the processing itself. Any form of processing must adhere to the data protection principles (see Article 5).
- Encrypt, psydonomise, or anonymise personal data wherever possible, including email, messaging, notes, and cloud storage (see Article 32).
- Create an internal security policy for your organization. It should include guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. Workshops can help build awareness about data protection in your organization.
- The GDPR requires organizations to carry out a data protection impact assessment when they plan to use customers’ data in such a way that it is "likely to result in a high risk to [their] rights and freedoms." (see Article 35). However, It is advisable to conduct such an assessment anytime you are planning to process personal data.
- Establish a process for contacting authorities, as well as individuals in case of a data breach (see Articles 33 & 34).
Be accountable.
- Ensure that someone in your organization is accountable for GDPR compliance. This person should be in charge of evaluating and implementing data protection policies and preferably have a legal background (see Article 25). Moreover, organizations are required to hire an actual Data Protection Officer (DPO) if special criteria are met (see Articles 38 & 39).
- Sign a data processing agreement between your organization and any third party services (e.g. analytics software, email or cloud services) that process personal data on your behalf.
- If your organization is outside of the EU but processes data of EU individuals, have a representative within one of the EU member states who can communicate with data protection authorities on your behalf (see Article 27).
Respect users’ privacy rights.
- People have the right to see what personal data you have about them and how you are using it. Therefore, it needs to be easy for customers to access and view their personal data that is being stored (see Article 15) and they should be able to update inaccurate or incomplete information (see Article 16).
- Website users have the right to request to have their personal data deleted, i.e. “the right to be forgotten” (see Article 17). There are a few exceptional cases in which you do not have to honour this request, such as the exercise of freedom of speech or compliance with a legal obligation.
- Your customers can request to restrict or stop the processing of their data if certain grounds apply, for example, if there is some dispute about the lawfulness of the processing or the accuracy of the data. While processing is restricted, storing their data is still allowed (see Article 18).
- It needs to be easy for your customers (or a third party they designate) to receive a copy of their personal data in a format that is commonly readable and can easily be transferred, such as a spreadsheet (see Article 20). Having to pass on your customers’ data to a competitor might seem unfair from a business standpoint, but from a privacy standpoint, the rationale is that your customers own their data and remain in full control, not you or any other third party.
- In case you are using automation to make decisions about your customers such as profiling (see Article 22), you need to have a process in place to protect their rights, freedoms, and legitimate interests. Customers must be able to request human intervention to re-evaluate decisions that already have been made.
Working through this checklist and putting into practice what is suggested here will set you up for a more compliant data privacy strategy. Nevertheless, please keep in mind that this article does not constitute legal advice. We recommend you consult an attorney specialised in GDPR compliance who can apply the law to your specific circumstances.