Note: This information is provided as a service to clients of The Quell Group and is not intended to provide legal advice or specific guidance as to what policy changes are compliant with GDPR. Please consult your corporate counsel or outside attorneys for specific legal advice.
On May 25, 2018, the European Union (EU) will begin enforcement of the General Data Protection Regulation (GDPR). It was adopted in 2016 and replaces the Data Protection Directive that was originally adopted by the EU in 1995. Because the GDPR is a regulation and not a directive, it is binding and has the full legislative and legal backing of the EU. Companies found to be in non-compliance with the GDPR will potentially face penalties of up to 4% of worldwide revenue or €20 million, whichever is greater.
GDPR applies not only to organizations based in EU countries, but also to all organizations processing and holding personal data of EU individuals. Because most websites, landing pages, and forms collect personal data on a worldwide basis, most companies will need to make changes across their digital properties to be in compliance with GDPR. One of the major changes brought by GDPR is that IP addresses are considered personal information, subject to rules similar to those for names, email addresses, physical addresses, and other personally identifiable information (financial information, medical information, photos, or posts on social media sites).
The Regulation covers rights to individual consent, access to personal data, data erasure, data breach notification, data portability, and privacy by design. While the focus of this memo is on the impact of GDPR on digital properties such as websites, it is important to note that the rule has privacy implications across the organization. Organizations that are collecting data on EU citizens for direct mail, or recording calls of EU customers for training and security purposes, or any other routine business process involving the collection or storage of personal information – these will all be impacted by GDPR.
Implications for Website Forms
No longer can you assume that anyone filling out a form on your website is implicitly providing consent to be contacted – explicit consent is now required on any forms where personal information is collected.
- Opt-in language on any form needs to clearly explain why the information is being collected and how this information will be used
- An opt-in checkbox that defaults to unchecked must be included on any forms where personal information is collected
Implications for Website Privacy Policies
- Use of a website no longer amounts to consent to cookies
- An opt-in box or some other mechanism for consenting to cookies (via a Settings option in the menu, for example) needs to be provided
- The same mechanism used for opting in to cookies needs to be available for users to opt out or withdraw consent at any point in the future
- Make sure that any web analytics tools using IP addresses (such as Google Analytics) are GDPR-compliant by anonymizing or otherwise removing this personally identifiable information
Again, we encourage our clients to seek legal counsel to identify the specific mechanisms they should adopt to ensure compliance with other aspects of the GDPR requirements:
- Organizations that process large amounts of personal information may need to employ additional privacy safeguards, such as the appointment of a Data Protection Officer
- When a breach of personal information occurs, under most conditions, organizations have a maximum of 72 hours after becoming aware of the breach to notify those affected
- Other privacy rights – such as data portability, data protection by design and by default, and maintaining records of data processing activities – are also enshrined in the GDPR, and specific compliance activities will need to be defined on a company-by-company basis