We’ve come quite far in our GDPR story since we started our series of blog posts in July. We have addressed quite a few key points that you need to be aware of, as well as looking at how you can start to solve them. So, as the last Tuesday blog post of this year, I thought it would be good to recap on some of those main critical issues again.
GDPR – in a Nutshell
Readers of this series will already be aware of most of the basics concerning GDPR, but to go over these elements once more for the benefit of the uninitiated, we will strip it down to the bare facts. The General Data Protection Regulation, or GDPR for short, is an EU regulation that will come into effect on May 25, 2018, to create a uniformed approach to data protection. It is applicable to any companies that offer goods or services to or monitors the behavioral activities of EU data subjects, regardless of that company’s geographical location. Failure to comply with this regulation leads to a fine of €20M or 4% of total global annual turnover, whichever is greater.
How Much of a Shakeup Is GDPR, Really?
Each company is different. You should be aware already whether you deal mostly with standard or sensitive data, and whether it is central to how you do your business. If you have any gray areas, undergoing a thorough data audit will uncover how your data is mapped and how easy it is to access it. Then, you can think about how you can introduce any mechanisms to facilitate easier access to particular data, and whether you already have someone within your organization that can spearhead this. These first steps are critical if you want to achieve GDPR compliance.
We Are a Digital Agency. Who Has Responsibility, the Client or Us, and Where?
When it comes to dealing with contracts already in place concerning what can and cannot be done with client data, digital agencies, in most cases the data processor, will need to review these instructions. GDPR stipulates that any data breaches must be reported within three days as well as any breach of GDPR compliance in general.
This is where agencies can really benefit their clients. For example, if they can prevent data controllers from performing an action, such as sending newsletters to recipients that had not willfully opted into receiving them, they can help prevent an action that is not 100% GDPR compliant and the subsequent fine.
And digital agencies, as digital processors, will be responsible for ensuring they have put sufficient measures in place not only to prevent data breaches but to protect the rights of data subjects in general.
How Does This Affect Content Management?
GDPR touches so many areas of the personal data aspects of content management systems that they are often a core component when it comes to effective compliance. Having easily accessible consents and properly mapped data flows are essential when proving GDPR compliance, and this is why a GDPR-savvy CMS is an essential part of your technology stack.
Willful ignorance is no defense against the law, and GDPR no less so. Ensuring that you have appropriate consents that can be easily proven is essential should you wish to send out newsletters or enroll people into marketing automation.
This also means that your CMS should make it easy for you to protect those rights that GDPR covers. For example, if a data subject requests a copy of all the personal data you hold on them, you must be able to provide it within 30 days. Plus, the same data subject can also request that you provide them this in a form that can be uploaded easily into another CMS, should they wish to take their data elsewhere.
What Other Rights Does GDPR Cover?
It should be pointed out that GDPR was created to protect the rights of individuals. And this means that a uniform set of rules will come into place that is applicable to all companies falling under the GDPR banner. It replaces disparate guidelines that are often unclear and will, in fact, force companies to store their data more responsibly, which, in turn, will be beneficial to them in terms of accessibility and usefulness.
Individuals will have many rights under GDPR, but the main ones are:
Data portability – As already mentioned, this means data subjects can request all the data a company holds about them to be provided in a form that is easily importable elsewhere.
Notification rights – Individuals must be informed when and how their data is being processed and used.
The right to be forgotten – Data subjects can demand that all data that is held about them be erased. This means that if this data is also shared in other locations, such as a CRM or to a subcontractor, this data must also be deleted. Of course, there are circumstances where the right to be forgotten cannot be carried out, such as public interest, etc.
What About Non-EU Companies?
GDPR responsibilities of EU-based companies should be pretty clear by now, and there is no excuse for not being fully compliant. Unfortunately for those companies not located within the EU, it can be a more confusing concept to get your head around. So, I will recap on the main points about applicability to state more specifically those companies to which GDPR applies.
Maybe the best way to illustrate this is to give a couple of examples.
Say you are an Australian fishing supply company selling fishing tackle online. If you only supply your goods to your region and do not offer your goods in currencies other than those that are local to you, you should be safe. However, if your store allows the goods to be displayed in EU-based currencies, e.g., the Euro, then you are subject to GDPR as it shows intent to sell to EU nationals – even if your checkout process does not allow for payments other than AUSD. Similarly, if you offer order fulfillment within the EU, that is, you allow EU shipping addresses, you fall under GDPR.
Another example—let’s say you are a US hotel based in Memphis, Tennessee, and you use analytics on your site to track visitor’s personal behavior, and through this, you offer travel plans so overseas visitors can prepare their journeys to your hotel. If you are monitoring the behavior of visitors from within the EU, then GDPR is applicable to you, too.
Plus, offering EU language and EU domain variants of your website, as well as offering the selection of an EU international dialing code in online forms also constitute the need for GDPR compliance.
In this article, we have looked at just some of the main points once again from the topics we have been covering. It is necessary to make sure that you are aware of how your data is controlled, used, and mapped within your own organization. We would be very interested to read your feedback on what you have learned from the series so far. As well as any strategies that you have already put in place. Please share them in the comments section below. The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.