Guide to Data Assurance: Complying with the General Data Protection Regulation

Data Assurance - Snakes and Ladders
In the previous sections, we explained why you may not be collecting the data you need to make good business decisions. Not only does data assurance help you to make better decisions, it's critical to reduce your risk of breaching data privacy laws.

Although data privacy is already an important issue around the world, the arrival of the General Data Protection Regulation (GDPR) in May 2018 should have your attention. That's because the penalties and steps required to comply with the GDPR are significant. In addition, organizations based outside the European Union may be subject to the GDPR.

This section explains what the GDPR is and why it matters to organizations—including marketers, digital business owners, and their technical teams and digital agencies—in any country. It's not intended as legal advice, but highlights key steps you can take to reduce your risk of breaching the GDPR.

What is the GDPR and why does it matter?

The GDPR is designed to protect individuals' rights in relation to their personal data. Organizations subject to the GDPR are responsible for protecting information that relates to an “identified or identifiable” person, which you might already know as personally identifiable information (PII).

The GDPR will apply to your organization if it processes data about people in the European Union (EU) in order to offer them goods or services. It will also apply to the data you process to monitor the behavior of people in the EU by, for example, tracking their Internet activity or using data to analyze or predict their personal preferences.

The potential penalties for breaching the GDPR are substantial. You could be fined up to EUR20 million, or 4 percent of your company's worldwide annual turnover.

For many organizations, the GDPR will have significant ramifications. You must not only protect the names and addresses you collect, but also data that someone might combine with other information to identify a person. That could include IP addresses, according to the GDPR. The law considers whether it's reasonably likely someone could use the data to identify a person, given the cost and time required to do so.

The full text of the GDPR has many conditions and exceptions. However, some of your overarching responsibilities will include:

  • Establishing a specific reason for collecting personal data

    The GDPR specifies that you can only collect personal data for "specified, explicit" purposes. It also says that once your process is complete, you should stop storing that data. Individuals can also ask you to delete data about them if it's no longer needed for the purpose for which you collected it, or if they no longer give permission for you to use it.

  • Being transparent about how you use personal data

    You will need an individual's consent to process their personal data, and you should use “clear and plain language” when asking for their permission. You should also explain who is collecting their personal data and for what purpose. If you're processing data about children, then you'll need to make sure you do this in language they can understand. Under the GDPR, you won't be able to pre-tick a consent box for visitors to your website—they'll have to actively consent to you processing their personal information.

    You'll also have to provide a copy of the personal data you hold about someone if they ask for it. They will be able to ask who you disclosed their personal data to, and how long you will store it. If you didn't collect the personal data directly from them, they will be able to ask where you obtained it from.

    If the security protecting the personal data under your control is breached, you will have to notify authorities within 72 hours of becoming aware of the breach. In some cases, you'll also need to notify the person whose data was breached.

    However, it's not enough to have these systems in place. You'll also need to be able to demonstrate that you are complying with the GDPR. For example, you'll need to be able to show that someone has consented to you processing their personal data. You will need to keep records that detail the reason for collecting and processing data under your control, as well as descriptions of each personal data category and the categories of recipients you will disclose the data to. Where possible, you should also keep records that outline when you will erase the data and what security measures you're using to protect it.

    Note that organizations with fewer than 250 employees may be exempt from some record-keeping requirements. But this depends on certain conditions. For example, if they are processing personal data frequently, risking someone's rights by processing their data, or processing “special categories” of personal data—such as data about a person's race, ethnic origin, or sexual orientation—they must still keep records.[1]

  • Building data protection into your systems

    The GDPR requires organizations to implement systems that protect personal data “by default.” Your systems should ensure you process only the amount of personal data necessary for the purpose for which you collected it. They should also make sure you don't keep personal data longer than necessary, and ensure only appropriate people can access it.
Some organizations may have to undergo a data protection impact assessment. You may also need to appoint a data protection officer if your core activity involves large-scale processing of “special categories” of personal data, such as data about a person's race, ethnic origin, or sexual orientation. This will also apply if you process personal data to target advertising to individuals through search engines based on their behavior online.[2]

[1] Article 30, General Data Protection Regulation, 27 April 2016, eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
[2] European Commission, ‘Data protection, Better rules for small business’, ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm



Snake

How you could breach the GDPR

Scenario 1:

A new customer completes a registration form on your website, and an advertising retargeting system collects their email address without their permission.

Scenario 2:

Your developer updates a form on your website, which results in users' email addresses becoming part of a URL when they unsubscribe from your newsletter. Your analytics system stores the email addresses while tracking URLs on your site.

Scenario 3:

A digital agency working on your behalf places a marketing tag on your site. However, when this first tag renders, it also triggers a second tag or even multiple tags without your approval. The additional tags may collect data about your visitors without your knowledge. This is a common issue for advertising related tags—an approach known as piggyback tagging.

You'll need much tighter control of your data

These responsibilities could require extensive changes to the way you go about customer analytics. That could include changes to how you collect personal data, the systems you use to store it, and what you tell people about the personal data you collect.

You could try to avoid these responsibilities by not collecting personal data. However, that's going to disadvantage your business given the growing number of companies using customer data to compete. And if you're using a lot of analytics tools, you could be collecting personal data without knowing it.

A safer approach is to closely scrutinize the data you collect, or an agency collects on your behalf, and address any breaches quickly.

For example, you should check that forms on your website aren't collecting personal data if they're not meant to. That might mean ensuring that some forms collect an alphanumeric user ID, rather than a user's name.

You should also aim to monitor any changes developers make to your website before they go live. That's because even the smallest change, such as an incorrectly used tag, could result in a breach of the GDPR.

You'll also need to monitor how agencies are collecting personal data on your behalf. Even if a third party breaches the GDPR, you could still be liable if the breach involves personal data that is being processed for your business. For example, you should monitor what systems your suppliers are using to collect data for you, and where they are sending it.

To reduce the risk of breaching the GDPR, you should also be able to report on all your data collection activities.
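As an added example that is not part of this guide, the Python script below audits a constructed capture of browser requests from one page load against two of the checks above: it flags email addresses that have leaked into tracked URLs (Scenario 2, including the URL-encoded page address that analytics tags forward) and requests to hosts outside an approved tag list (Scenario 3). The host names and the allowlist are assumptions.

```python
"""Audit captured browser requests for two GDPR failure modes: personal data
(email addresses) leaking into tracked URLs, and tags firing requests to
third-party hosts that were never approved (piggyback tagging)."""
import re
from urllib.parse import unquote, urlsplit

# Hosts your tag governance rules allow to receive visitor data (hypothetical).
APPROVED_TAG_HOSTS = {"www.example-shop.test", "analytics.example-vendor.test"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fully_decode(text, max_rounds=3):
    """Undo nested percent-encoding: analytics beacons often forward the page
    URL as a parameter, so an address can be encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_pii_in_url(url):
    """Return email addresses found anywhere in the decoded URL."""
    return sorted(set(EMAIL_RE.findall(fully_decode(url))))


def audit_requests(requests, approved_hosts=APPROVED_TAG_HOSTS):
    """requests: list of (initiator, url). Returns one finding per rule hit."""
    findings = []
    for initiator, url in requests:
        host = urlsplit(url).hostname or ""
        emails = find_pii_in_url(url)
        if emails:
            findings.append({"rule": "pii_in_url", "initiator": initiator,
                             "host": host, "detail": ",".join(emails)})
        if host not in approved_hosts:
            findings.append({"rule": "unapproved_host", "initiator": initiator,
                             "host": host, "detail": url})
    return findings


# Constructed sample: requests captured while a visitor unsubscribes.
SAMPLE_REQUESTS = [
    ("page", "https://www.example-shop.test/unsubscribe?email=jane.doe%40mail.test&src=newsletter"),
    ("tag:analytics", "https://analytics.example-vendor.test/collect?dl=https%3A%2F%2Fwww.example-shop.test%2Funsubscribe%3Femail%3Djane.doe%2540mail.test"),
    ("tag:analytics", "https://tracker.piggyback.test/pixel?ref=example-shop"),
    ("page", "https://www.example-shop.test/assets/app.js"),
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"{f['rule']:16} {f['initiator']:14} {f['host']:32} {f['detail']}")
```

Feeding the script real captures (for example, exported from a browser's network log) gives an audit trail of which tag fired each request, which supports the reporting requirement above.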

Ladder

Gaining a high degree of visibility and control over the systems and people involved in data collection isn't always easy. One way to achieve this is to create a data governance plan that sets out company-wide rules.

Consider appointing a Chief Risk Officer (CRO) to drive the creation and execution of the plan. They can help ensure relevant people contribute to the plan, and hold employees and business partners accountable for adhering to it. The CRO can also ensure that senior managers understand the risks of non-compliance.

Your data governance plan should:

  • Identify broad principles that all data collection activities must follow. This should cover issues such as transparency, accountability, consent, privacy by design, and the public's right to access their data.
  • Establish detailed rules that ensure your data collection processes comply with those principles. That could include a list of rules each website tag must comply with.
  • Audit your existing data collection processes and the data that you or your partners already store.
  • Set out how you will monitor any changes to the way you collect data before the changes go live. You will also need to determine how you and your business partners will be alerted if the rules are breached.
  • Have a plan in place to quickly remove personal data from your or your partners' systems. You should work out how you will notify authorities and users if the security protecting personal data is breached.

A plan like this doesn't just help reduce legal risks, it improves your control over the data you're using to make business decisions. You'll benefit from more accurate data and you'll be able to foster trust with people who interact with you online.

Once you have a data governance plan in place, you'll need a way to put it into action. That's the focus of our next chapter.