GDPR Readiness: How GDPR Impacts Privacy Policies

Privacy Policies and GDPR

Since GDPR has become enforceable, the impact of the law on privacy policies has been quite noticeable. Did you receive an influx of emails from your favorite companies notifying you of updates to their privacy policies? In an effort to create GDPR-compliant privacy policies, many organizations rushed to meet the May 25th, 2018 enforcement deadline. But what are some of the mistakes these companies are making while trying to comply with GDPR? In this webinar, you’ll learn how privacy policies have evolved from pre-GDPR to post-GDPR, examples of what to do and what not to do when developing your external and internal privacy policies, and resources that you can utilize to ensure that your privacy policies are GDPR compliant.

How Does GDPR Impact External Privacy Policies?

The primary intent of GDPR is to ensure that privacy policies are concise and written in clear, plain language. However, in the weeks since GDPR became enforceable, many privacy policies are not meeting these requirements. Organizations rushing to create what they believe to be GDPR-compliant privacy policies have often produced the opposite. We’re seeing privacy policies that have a higher reading level, longer word count, and longer reading time, making them much more difficult to understand than before GDPR went into effect.

So, what should your organization be doing to avoid these pitfalls? Focus on readability. It is paramount that your consumers are actually able to comprehend your privacy policy. If your privacy policy is filled with legalese, is too long, is combined with contracts, or doesn’t reference any conditional terms, you are not only doing a disservice to EU data subjects by failing to comply with GDPR, but you are also putting your organization at risk of the steep fines and penalties for non-compliance.

How Does GDPR Impact Internal Privacy Policies?

Different from the policies that consumers will read, internal privacy policies should be established to inform all employees on how they should interact with personal data. Internal privacy policies are just as important as external privacy policies and should include the following to be GDPR compliant:

  • Data minimization
  • Purpose limitation
  • Confidentiality/Non-disclosure agreements
  • Data Protection Impact Assessment
  • Coordination with designated representatives
  • Records of processing
  • Data subject rights
  • Processor management
  • Training
  • Privacy by default and by design

To learn more about the impact GDPR has on privacy policies, download the full webinar. If you’re in the process of developing your organization’s privacy policy, let us help! Use our free GDPR Privacy Policy Checklist or contact us today to speak to a GDPR expert.

GDPR Readiness: Consent, Privacy Policies, and Enforcement

Confusing Aspects of GDPR

Are you unsure how to properly collect data subjects’ consent? Have you seen organizations giving data subjects different options for giving their consent? In this webinar, Mark Hinely covers the confusion regarding consent, the regulatory developments since the GDPR enforcement date, and significant litigation to note.

How is Consent Being Collected?

Consent is considered the most confusing and misunderstood legal basis for processing personal data. This is probably because consent isn’t always required, it must be freely and affirmatively given, and it is much different from the other five legal bases for processing. There are two areas that seem to get a lot of attention in the GDPR realm: paid consent and privacy policies.

  • Privacy Policies: You probably noticed the subject line “We’ve Updated Our Privacy Policy” reappearing over and over in your inbox in relation to GDPR. Many organizations send these updates in an effort to become GDPR compliant, under the misconception that doing so obtains data subjects’ consent. However, notification of an updated privacy policy does not equal consent.
  • Paid Consent: The “pay for privacy” concept stems from organizations opting to use a tracking wall wherein they give their users different ways to have their personal data obtained or different ways to opt out of giving consent. Organizations such as the Washington Post give their users options for consent and how their personal data is collected. With a free consent-based option, data subjects can read a limited number of articles each month but must consent to the use of cookies and tracking by the Washington Post and third parties. With a $60 subscription option, data subjects have unlimited access to the website and apps on any device but must consent to the use of cookies and tracking by the Washington Post and third parties. For $90, data subjects have unlimited access to the website and apps on any device and do not have to consent to the use of cookies or tracking. The “pay for privacy” concept seems problematic given that consent under GDPR must be freely given.

What are the Regulatory Developments Since GDPR Enforcement?

Since GDPR was officially enforced on May 25, 2018, there have been various regulatory developments, including:

  • European Data Protection Board (EDPB): The EDPB has replaced the Article 29 Working Party and will now be the source for GDPR guidance.
  • Data Protection Impact Assessments (DPIAs): Each EU member state has established or proposed DPIA requirements, which are a systematic way to identify and minimize risk.
  • Data Subject Complaints and Breaches: Within the first week of GDPR enforcement, there was a significant increase in complaints and reported breaches compared to pre-GDPR activity.
  • Enforcement of Pre-GDPR Violations: Organizations such as the Gloucestershire Police, British and Foreign Bible Society, and Yahoo have all faced fines and penalties for pre-GDPR violations.

To learn more about consent, privacy policies, regulatory developments, and enforcement of GDPR, download the full webinar. For more information about GDPR compliance, contact us today!

GDPR Readiness: Whose Data is Covered by GDPR?

Data FAQs for GDPR

Ready to learn what constitutes a data subject and personal data under GDPR? Mark Hinely joins us in this webinar to discuss!

Who is a Data Subject?

The definition of a data subject under GDPR is one of the most confusing aspects of the law. There’s no formal definition, the terms used within the law are inconsistent, there is no formal guidance from the Article 29 Working Party, and the supervisory authority guidance is dated. So how do organizations determine who data subjects are? The different interpretations of the law say:

  • A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union.
  • A data subject is anyone who formally resides within the EU, regardless of citizenship, while that individual is physically within the Union.
  • A data subject is anyone who has formal citizenship in the EU while that individual is physically within the Union.
  • A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing.
  • A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject.

Those interpretations create some confusion, right? There’s some overlap and some open questions. The law is not clear. Reasonable, educated people disagree on the interpretation of what a data subject is under GDPR. We’re here to show you what those different interpretations are and what the issues with each of them are.

What is Personal Data?

Under GDPR, personal data is any information relating to an identified or identifiable person (data subject), who can be recognized by identifiers like a name, an ID number, location data, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Whether something is personal data depends on what type of data element it is, the context, and the reasonable likelihood of identification. There are logical and legal considerations that apply to the definition of personal data under GDPR.

Listen to the full webinar to educate yourself on who a data subject is under GDPR and if the data you control or process is personal data. For more information on GDPR readiness, contact us today.

More GDPR Resources

GDPR Readiness: What, Why and Who

GDPR Readiness: Are you a Data Controller or Data Processor?

GDPR Readiness: Are You a Data Controller or Data Processor?

GDPR Roles – Where Does Your Organization Start?

The most common questions we’re hearing related to GDPR have to do with roles – what role does my organization play? Are we a data controller or data processor? Joint controller? Controller-processor? Where should we start in our journey towards GDPR compliance? This can be a confusing aspect of compliance, but GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you.

What to Expect in the Webinar

In this webinar, we discuss three types of roles: data controller, joint controller, and data processor. The law defines a data controller as the natural or legal person that determines the purposes and means of the processing of personal data. A joint controller occurs when two or more controllers jointly determine the purposes and means of processing. A data processor is the natural or legal person which processes personal data on behalf of the data controller. When determining which role your organization fits, your organization should consider the following:

  • Organizational size and structure is irrelevant.
  • Processing activity is partially relevant.
  • Data source is incredibly relevant.
  • Contractual arrangements are completely relevant.

In this webinar, Mark Hinely also outlines a list of questions that should help your organization decide what its role is. Who decides…

  • To collect the personal data in the first place and the legal basis for doing so?
  • Which items of personal data to collect?
  • What methods to use to collect personal data?
  • The purpose(s) that the data are to be used for?
  • Which individuals to collect data about?
  • Whether to disclose the data, and if so, who to?
  • Whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • How long to retain the data or whether to make non-routine amendments to the data?
  • How to store personal data?
  • The detail of security surrounding the personal data?
  • The means used to transfer personal data from one organization to another?
  • The means used to delete or dispose of personal data?

Listen to the full webinar to learn about what your organization’s role is and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.

More GDPR Resources

ICO’s Data controllers and data processors: what the difference is and what the governance implications are

GDPR Readiness: What, Why and Who

Are You Ready for GDPR Compliance?

GDPR Readiness: What, Why, and Who

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) is not just one of many other data protection frameworks or requirements. GDPR is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The applicability of the law follows the data, rather than following a person or location. The scope is big and the sanctions are even bigger. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR will require all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

What is My Role?

GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you. Is your organization one of the following?

  • Data Controller: The person or organization that determines the purposes and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization is a data controller.
  • Joint Controller: Multiple organizations having authority over personal data. The purposes and means for processing personal data are jointly determined and the requirement is to clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
  • Data Processor: The person or organization that processes personal data on behalf of a data controller. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any breaches and of any use of or changes to sub-processors. Data processors must provide sufficient compliance guarantees to the data controller.
  • Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor based on the data they receive from their clients, but they could also serve as a controller based on the fact that they’re an employer that has EU citizens as employees. Two sets of data exist, and the SaaS provider has different authority over the two sets.
  • Data Protection Officer: An individual that has expert knowledge of data protection law, is independent from an organizational reporting perspective, cannot be told how to do their job, and cannot be penalized for their job. This could be a person who’s also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
  • Supervisory Authority: Independent, public authorities for each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government organizations that you will be interacting with, and they have the authority to impose additional GDPR compliance obligations.

We know that determining your role can be confusing; there’s a lot of overlap and a lot of questions. Here’s one more example to consider: a manufacturer of shoes. The data controller is the manufacturer. Whenever they sell a pair of shoes, a customer fills out a form that obtains their name, physical address, and other personal data. Now, the data controller (manufacturer) must decide what to do with that data. A data processor, in this situation, could be a marketing company that produces marketing materials on behalf of the shoe manufacturer. The marketing company has control over the color, font, images, or marketing channels to use, but they wouldn’t necessarily have authority over what data to use or who to market to. This makes the marketing company a data processor.

Where Do I Start?

Have you been wondering, “Where do I start with GDPR? What’s my next step?” but you can never get a straight answer? Well, here’s ours: start with data mapping. Consider where personal data enters and exits your organization, even if it’s somewhere that’s not a part of your core services. Who has access to that data? What controls surround it? Be thinking about customer satisfaction surveys, messaging forums, talent acquisition, your HR department, and other areas where personal data could enter your organization. Data mapping helps you find areas where personal data resides that you might otherwise overlook.

Another first step towards GDPR compliance is determining what your organization’s posture is under the law. Do you know if you’re a controller, a processor, or a joint controller? If you’re a processor, do you use other sub-processors? Do you have a legal basis for all of your methods of processing data? Do you have valid transfer mechanisms for international transfers?

Another practical implication to think about is change management. When considering GDPR, you must ask whether you have to conduct a Data Protection Impact Assessment. Is a change going to require the use of one or more new processors, or new consent from data subjects? Is new technology or a new service going to change the way you facilitate data subjects’ rights? We recommend that you create some type of decision tree that outlines what the downstream impact of changes is.

Because GDPR law does not go into effect until May 25, 2018, we don’t have enforcement action yet to give us case studies or tell us what is compliant and what isn’t. In this pre-implementation phase, it’s crucial to monitor regulatory developments as they come out.

Listen to the full webinar to learn about industry-specific issues and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.