Complying with the General Data Protection Regulation

In the previous sections, we explained why you may not be collecting the data you need to make good business decisions. Not only does data assurance help you to make better decisions, it’s critical to reduce your risk of breaching data privacy laws.

The potential penalties for breaching the GDPR are substantial. You could be fined up to EUR20 million, or 4 percent of your company’s worldwide annual turnover.

For many organizations, the GDPR will have significant ramifications. You must not only protect the names and addresses you collect, but also data that someone might combine with other information to identify a person. That could include IP addresses, according to the GDPR. The law considers whether it’s reasonably likely someone could use the data to identify a person, given the cost and time required to do so.

The full text of the GDPR has many conditions and exceptions. However, some of your overarching responsibilities will include:

• Establishing a specific reason for collecting personal data

  The GDPR specifies that you can only collect personal data for “specified, explicit” purposes. It also says that once your process is complete, you should stop storing that data. Individuals can also ask you to delete data about them if it’s no longer needed for the purpose for which you collected it, or if they no longer give permission for you to use it.

• Being transparent about how you use personal data

  You will need an individual’s consent to process their personal data, and you should use “clear and plain language” when asking for their permission. You should also explain who is collecting their personal data and for what purpose. If you’re processing data about children, then you’ll need to make sure you do this in language they can understand. Under the GDPR, you won’t be able to pre-tick a consent box for visitors to your website—they’ll have to actively consent to you processing their personal information.

  You’ll also have to provide a copy of the personal data you hold about someone if they ask for it. They will be able to ask who you disclosed their personal data to, and how long you will store it. If you didn’t collect the personal data directly from them, they will be able to ask where you obtained it from.

  If the security protecting the personal data under your control is breached, you will have to notify authorities within 72 hours of becoming aware of the breach. In some cases, you’ll also need to notify the person whose data was breached.

  However, it’s not enough to have these systems in place. You’ll also need to be able to demonstrate that you are complying with the GDPR. For example, you’ll need to be able to show that someone has consented to you processing their personal data. You will need to keep records that detail the reason for collecting and processing data under your control, as well as descriptions of each personal data category and the categories of recipients you will disclose the data to. Where possible, you should also keep records that outline when you will erase the data and what security measures you’re using to protect it.

  Note that organizations with fewer than 250 employees may be exempt from some record-keeping requirements. But this depends on certain conditions. For example, if they are processing personal data frequently, risking someone’s rights by processing their data, or processing “special categories” of personal data—such as data about a person’s race, ethnic origin, or sexual orientation—they must still keep records ¹ .

• Building data protection into your systems

  The GDPR requires organizations to implement systems that protect personal data “by default.” Your systems should ensure you process only the amount of personal data necessary for the purpose for which you collected it. They should also make sure you don’t keep personal data longer than necessary, and ensure only appropriate people can access it. Some organizations may have to undergo a data protection impact assessment. You may also need to appoint a data protection officer if your core activity involves large-scale processing of “special categories” of personal data, such as data about a person’s race, ethnic origin, or sexual orientation. This will also apply if you process personal data to target advertising to individuals through search engines based on their behavior online ² .

¹ Article 30, General Data Protection Regulation, 27 April 2016, eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
² European Commission, ‘Data protection, Better rules for small business’, ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm

These responsibilities could require extensive changes to the way you go about customer analytics. That could include changes to how you collect personal data, the systems you use to store it, and what you tell people about the personal data you collect.

You could try to avoid these responsibilities by not collecting personal data. However, that’s going to disadvantage your business given the growing number of companies using customer data to compete. And if you’re using a lot of analytics tools, you could be collecting personal data without knowing it.

A safer approach is to closely scrutinize the data you collect, or an agency collects on your behalf, and address any breaches quickly.

For example, you should check that forms on your website aren’t collecting personal data if they’re not meant to. That might mean ensuring that some forms collect an alphanumeric user ID, rather than a user’s name.

You should also aim to monitor any changes developers make to your website before they go live. That’s because even the smallest change, such as an incorrectly used tag, could result in a breach of the GDPR.

You’ll also need to monitor how agencies are collecting personal data on your behalf. Even if a third party breaches the GDPR, you could still be liable if the breach involves personal data that is being processed for your business. For example, you should monitor what systems your suppliers are using to collect data for you, and where they are sending it.

To reduce the risk of breaching the GDPR, you should also be able to report on all your data collection activities.

A plan like this doesn’t just help reduce legal risks, it improves your control over the data you’re using to make business decisions. You’ll benefit from more accurate data and you’ll be able to foster trust with people who interact with you online.

Once you have a data governance plan in place, you’ll need a way to put it into action. That’s the focus of our next chapter.