In Part One of our three-part series, we started with a basic overview of who GDPR applies to and the definition of personal data under GDPR.
Here, in Part Two, we will discuss key elements such as consent and online data technologies, privacy notices and cross-border transfers. Part Three will dive into understanding individual rights and the obligations of a data controller and data processor.
What Data Can I Use?
GDPR allows companies to store and process personal data when there is a legitimate interest (for example fulfilling a contract or service) or when the individual consents. What is data processing? It includes using an employee’s data to process payroll, collecting an email address to send marketing emails, setting cookies to engage in online advertising, or serving as a SaaS provider.
Article 6.1 of the GDPR defines the lawful grounds for data processing as summarized below:
- Consent has been given for a specific purpose
- To perform a contract with the data subject, or to take steps at their request before entering into one
- Due to a legal obligation
- To protect the vital interests of the data subject or another person
- If acting in the public interest or required by a public authority
- For the purposes of legitimate interests (note that there are exceptions, for example where a child is involved)
The Rules of Consent
Under GDPR, companies must be very transparent about what they’re doing with users’ data.
- Consent should not be a condition of signing up for a service unless it is required for that service. Consent should also be separate from the terms and conditions (don’t bury it!)
- Consent must be easy to understand and specific for each use. The company may only use the consent for that specified purpose.
- Consent cannot be too broad and all-encompassing. It needs to be granular and broken down by type, such as advertising or analytics cookies, or receiving marketing emails about your company’s latest products.
- The user must specifically opt in; pre-checked boxes must not be used.
- Companies need to retain evidence of the consent. This includes what the user consented to, the privacy notice provided at the time and the method of consent.
- Users should be able to easily withdraw consent.
- Ensure an accurate privacy notice was provided at the time the consent was given.
Additionally, companies can store and process personal data for “no longer than is necessary for the purposes for which the personal data are processed.”
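As an added illustration (not code from the original article), a minimal consent ledger in Python that enforces the rules above: one record per purpose, no consent unless the user actively opted in, the privacy notice version and capture method stored as evidence, purpose-limited use, and easy withdrawal that keeps the evidence of the original grant. The purpose names, field names and method are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Consent is granular: one record per purpose, never a blanket "agree to everything".
# These purpose names are constructed for the example.
PURPOSES = {"marketing_email", "advertising_cookies", "analytics_cookies"}

@dataclass
class ConsentRecord:
    purpose: str
    granted: bool                   # True only when the user actively opted in
    notice_version: str             # privacy notice shown when consent was captured
    method: str                     # how it was captured, e.g. "web_form_checkbox"
    timestamp: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Append-only evidence of what each user consented to, under which notice, and how."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, method: str) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")  # reject vague, all-encompassing consent
        if not notice_version or not method:
            raise ValueError("notice version and capture method are required as evidence")
        rec = ConsentRecord(purpose, granted, notice_version, method, datetime.now(timezone.utc))
        self._records.setdefault(user_id, []).append(rec)
        return rec

    def evidence(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        """Latest record for this user and purpose (what, which notice, how, when)."""
        matches = [r for r in self._records.get(user_id, []) if r.purpose == purpose]
        return matches[-1] if matches else None

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Withdrawal is a single call; the original grant stays on file as evidence."""
        latest = self.evidence(user_id, purpose)
        if latest is None or not latest.granted or latest.withdrawn_at is not None:
            return False
        latest.withdrawn_at = datetime.now(timezone.utc)
        return True

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Default is False: no record (or a pre-checked box) is not consent,
        and consent for one purpose never carries over to another."""
        latest = self.evidence(user_id, purpose)
        return latest is not None and latest.granted and latest.withdrawn_at is None
```

Enforcing the storage-limitation rule (deleting personal data once the purpose is fulfilled) is a separate retention job that would read the same ledger.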
Online Digital Technologies
Today, it is common for companies to seek informed consent by displaying a banner on their website telling the user that tracking cookies are being used.
With the complexities of the online advertising ecosystem, companies need to have strong digital governance processes. It is critical to understand which vendors are on the site collecting data. Many SMEs may outsource this to agencies. You, the SME, are still responsible for this data collection and need to ensure you have strong contracts and a process for managing these tags. Tag management platforms solve only part of the puzzle.
SMBs Need Accurate Privacy Notices
The privacy notice tells the data subject (customer, vendor, employee) what data is collected, how the data is used, with whom the data is shared, and outlines the data subject’s choices. This notice needs to accurately reflect what is happening in the SMB’s business and should be a dynamic document. Every time there is a new data collection point or use, the privacy notice should be reviewed and updated.
Cross-Border Data Transfers
Do you send data outside the EU? Transferring data outside of the EU is prohibited unless adequate protections are in place, such as Privacy Shield or Standard Contractual Clauses, or the data is going to a country the EU Commission has deemed to have adequate protections.
To adhere to the principles under GDPR, it’s critical for companies to understand what data they have, where it is stored, and how it is being used. Companies then need to create processes to manage consent and the overall data flow. And, finally, companies must also train employees on these new requirements and processes.
Be sure to read Part One and stay tuned for Part Three of this GDPR series, where we’ll dive into the obligations of data controllers and data processors, individual rights, and the new 72-hour rule for data breach reporting.