In Part One of our three-part series, we started with an easy primer on GDPR. Our “SparkNotes for GDPR” overview covered 11 fundamental concepts and explained why you must start preparing for GDPR now.
Here in Part Two we will discuss some of the key elements in more detail, including the right to be forgotten, obtaining valid consent, and access to data. Part Three will dive deeper into understanding the obligations of a data controller and data processor, as well as the newly defined role of a Data Protection Officer.
Concept #1: The right to be forgotten
Users can request their data be erased
GDPR introduces the concept of the right to be forgotten, which allows a person to request that their data be erased. This applies to all data controllers. (Every company to some extent is a data controller.)
According to Article 17, data controllers must erase personal data “without undue delay” if the processing was unlawful, the data is no longer needed, or the data subject objects to the processing. In GDPR lingo, the data subject is the person whose data has been collected, aka “the user or the customer.”
There are some exceptions. For example, the right to be forgotten cannot supersede any law requiring an organization to maintain certain data; for US companies, this would include HIPAA-required records.
This requirement extends to any company that has made personal data public, especially if it’s online (e.g., an online forum or social media community). The data controller is required to take “reasonable steps,” defined in terms of the cost to comply and the technology available, to inform any other controller who has processed the data about the data subject’s request.
Important steps IT should take now
- Perform a data inventory so it is clear where a data subject’s data resides.
- Determine if data erasure requests would be unreasonable or unwarranted, or if any exemptions are required, in your company’s industry. For example, there are certain retention requirements around financial or health data. Also determine if your systems need any work done in order to flag data as restricted while a complaint is being processed. If there is data that cannot be erased (e.g., bank records that have to be maintained per legal requirements for a period of time), then your systems need to be configured so that these fields can be appropriately marked as not to be deleted.
- Design a process that will manage data erasure requests.
- Provide training for employees on how to identify and handle data erasure requests.
Concept #2: Consent
Processing of data requires consent (or legitimate interest)
The concept of data processing is a key element under GDPR. Data processing can include anything from using an employee’s data to process payroll, to using a customer’s information to send marketing emails or targeted advertising, to serving as a SaaS provider.
Under GDPR, the way users consent to data processing is either by opting in or meeting the definition of legitimate interest. Under the current European Data Protection Act (DPA), consent has been a foundation of privacy law. However, GDPR increases the requirements significantly.
Article 6.1 of the GDPR defines the lawful grounds for data processing as summarized below:
- Consent has been given for a specific purpose
- To deliver on a current contract, or just before entering into one
- Due to a legal obligation
- To protect the vital interests of the data subject or another person
- If acting in the public interest or required by a public authority
- For purposes of legitimate interests (note that there are some exceptions, such as when a child is involved)
“Say what you do, and do what you say”
Under GDPR, companies must be very transparent about what they’re doing with users’ data. The notion of “say what you do and do what you say” is evident in the GDPR consent requirements. Here are six points to keep in mind:
- Consent must be freely given. Consent should be separate from terms and conditions and should not be a condition to signing up for a service unless it is required for that service.
- Consent must be easy to understand and specific for each use. The company may only use the consent for that specified purpose.
- Consent needs to be granular and broken down by type, such as advertising or analytics.
- The user must specifically opt in. There can be no use of pre-checked boxes.
- Companies need to retain proof of consent including what the user has consented to, what the user was told at the time, and what the method of consent was.
- Users should be able to easily withdraw consent.
European data protection authorities in the UK, France, and Germany state that consumers must be told in a clearly written notice before tracking cookies are used. The user must opt in by checking a box on a website. Obtaining consent in this manner will require software engineers to build this requirement into the design.
With the complexities of the online advertising ecosystem, it is critical to understand which vendors are on the site collecting data. Now more than ever, companies need to have a digital governance process. This includes having contracts with their agencies and marketing partners, as well as performing regular monitoring of the site.
Tag management platforms will catch which tags have been placed on the site, but they will not always show the daisy chain effect of tags and cookies. For each tag that fires on the site, the company is responsible for any data that is collected on the data subject. Malware can also be delivered through an ad tag, allowing hackers to take down a website, steal data, or redirect users when they click on an ad. All of this increases the risk of a data breach.
Marketing & IT must work together to prove consent
The ability to prove consent is a requirement of GDPR. Marketing and IT departments will need to work closely together to ensure that consent is captured, stored, and readily available. It will also be important to know what version of the privacy notice was provided at the time consent was given. For example, if a user provides consent on June 1st and the privacy notice is updated on July 15th, the company needs to know what was included in the privacy notice on June 1st, since that was the date consent was given.
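One way to store consent so that it can be proven later, shown as an added example rather than code from this series: an append-only ledger that records purpose, method, and the privacy notice version in force on the day consent was given. The class names, notice version labels, and the year 2018 are assumptions made for the illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import date

# Constructed sample data: effective date of each privacy notice version.
NOTICE_VERSIONS = [(date(2018, 1, 10), "notice-v1"), (date(2018, 7, 15), "notice-v2")]

def notice_in_force(on: date) -> str:
    """Return the notice version a user would have been shown on a given day."""
    idx = bisect_right([start for start, _ in NOTICE_VERSIONS], on) - 1
    if idx < 0:
        raise LookupError(f"no privacy notice was published on {on}")
    return NOTICE_VERSIONS[idx][1]

@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # granular: one event per purpose, e.g. "advertising"
    granted: bool         # False records a withdrawal
    on: date
    method: str           # how consent was captured, e.g. "signup-checkbox"
    notice_version: str   # what the user was told at the time

class ConsentLedger:
    """Append-only log: events are never edited, so old proof stays intact."""
    def __init__(self) -> None:
        self._events = []

    def record(self, user_id, purpose, granted, on, method, prechecked=False):
        if granted and prechecked:
            raise ValueError("a pre-checked box is not a valid opt-in")
        event = ConsentEvent(user_id, purpose, granted, on, method, notice_in_force(on))
        self._events.append(event)
        return event

    def proof(self, user_id, purpose, as_of):
        """Latest event for this user and purpose on or before as_of, else None."""
        hits = [e for e in self._events
                if e.user_id == user_id and e.purpose == purpose and e.on <= as_of]
        # Stable sort: for same-day events the most recently recorded one wins.
        return sorted(hits, key=lambda e: e.on)[-1] if hits else None

    def may_process(self, user_id, purpose, as_of):
        event = self.proof(user_id, purpose, as_of)
        return event is not None and event.granted
```

Because a withdrawal is recorded as a new event instead of overwriting the grant, the ledger can still show that processing between the two dates was covered by consent.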
Concept #3: Data portability
GDPR puts data rights in the hands of data subjects
GDPR introduces the concept of data portability. This means that data subjects can demand their personal data be ported to them if they provided their data to the controller, provided consent to the controller, or were engaged in a contract whereby the controller was using their data and processing of the data was automated.
Data subjects will have the right to port their data and reuse “their” data for their own purposes and across different services. This applies to online data only.
Data controllers need to provide functionality that enables the data subject to move, copy, or transfer personal data easily. The data must be provided by the data controllers in a commonly used and “machine-readable” format. There is no specification on how companies should make this data available.
Companies need to make it easy to export data
Given how GDPR puts privacy rights in the hands of data subjects, companies should make it simple for the data subject to port the data. For example, companies could offer a simple self-service tool for data subjects to use. It should allow the data subject to determine which fields can be exported and should also consider the security of how the data is exported. Data subjects can then transmit that data to any other data controller. In some situations, the data controller might be required to send the data directly to a competitor.
Examples of data could include a list of media such as books, songs, movies, photos stored in the cloud, or transaction history. Data that is inferred, such as behavioral data determined from analysis, would be out of scope.
Your next steps: what you need to know
To adhere to the consent, right to be erased, and right to port data clauses under GDPR, it’s critical for companies to understand what data they have, where it is stored, and how it is being used. This is where IT can play an extremely valuable role. Companies then need to create processes to manage consent, the right to be erased, and the right to port data. And finally, companies must also train employees on these new requirements and processes.