Note: This information is provided as a service to clients of The Quell Group and is not intended to provide legal advice or specific guidance as to what policy changes are compliant with GDPR.  Please consult your corporate counsel or outside attorneys for specific legal advice. 

Overview

On May 25, 2018, the European Union (EU) will begin enforcement of the General Data Protection Regulation (GDPR). It was adopted in 2016 and replaces the Data Protection Directive that was originally adopted by the EU in 1995. Because the GDPR is a regulation and not a directive, it is binding and has the full legislative and legal backing of the EU. Companies found to be in non-compliance with the GDPR will potentially face penalties of up to 4% of worldwide revenue or €20 million, whichever is greater.

GDPR applies not only to organizations based in EU countries, but also to all organizations processing and holding personal data of EU individuals. Because most websites, landing pages, and forms collect personal data on a worldwide basis, most companies will need to make changes across their digital properties to be in compliance with GDPR. One of the major changes brought by GDPR is that IP addresses are considered to be personal information, subject to rules similar to those for names, email addresses, physical addresses, and other personally identifiable information (financial information, medical information, photos, or posts on social media sites).

The Regulation covers rights to individual consent, access to personal data, data erasure, data breach notification, data portability, and privacy by design. While the focus of this memo is on the impact of GDPR on digital properties such as websites, it is important to note that the rule has privacy implications across the organization. Organizations that collect data on EU citizens for direct mail, record calls of EU customers for training and security purposes, or carry out any other routine business process involving the collection or storage of personal information will all be impacted by GDPR.

Implications for Website Forms

You can no longer assume that anyone filling out a form on your website is implicitly providing consent to be contacted: explicit consent is now required on any form where personal information is collected.

  • Opt-in language on any form needs to clearly explain why the information is being collected and how this information will be used
  • The opt-in language should link to your privacy policy, which must comprehensively address all of the privacy rights included in GDPR
  • An opt-in checkbox that defaults to unchecked must be included on any forms where personal information is collected
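The three points above translate directly into how the form is rendered and how the submission is handled on the server. The following is an added example written for this memo, not code from The Quell Group or any client site: it renders an unchecked opt-in checkbox, accepts a submission only when the checkbox was affirmatively ticked, and keeps a record of what the person consented to. The field names, the purpose text and the policy version string are assumed.

```javascript
// Added example. Assumes a hypothetical form posting "email" and a "consent" checkbox.
// Framework-free: processSignup() takes the parsed request body as a plain object.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed; use whatever version you publish
const CONSENT_PURPOSE = "Send me product updates by e-mail"; // text shown beside the checkbox

// Render the opt-in control. There is deliberately no "checked" attribute: the default is
// no consent, and the purpose and a link to the privacy policy sit next to the box.
function renderConsentCheckbox() {
  return (
    `<label><input type="checkbox" name="consent" value="yes"> ${CONSENT_PURPOSE}. ` +
    `See our <a href="/privacy">privacy policy</a>.</label>`
  );
}

// Validate a submitted body. Returns { ok: true, record } or { ok: false, error }.
function processSignup(body, now = new Date()) {
  if (typeof body.email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(body.email)) {
    return { ok: false, error: "invalid email address" };
  }
  // Browsers omit an unchecked checkbox from the submission entirely, so a missing field
  // means no consent. Require the exact value rendered above rather than any truthy value,
  // so a stray "false" or "0" can never be mistaken for an opt-in.
  if (body.consent !== "yes") {
    return { ok: false, error: "explicit consent is required" };
  }
  // Keep evidence of what was agreed to and when; this is what you will need to answer
  // a later access or erasure request for this person.
  return {
    ok: true,
    record: {
      email: body.email,
      purpose: CONSENT_PURPOSE,
      policyVersion: PRIVACY_POLICY_VERSION,
      consentedAt: now.toISOString(),
    },
  };
}
```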

Implications for Website Privacy Policies

Your website privacy policy will almost certainly need to be updated to reflect the privacy rights outlined in GDPR, since you will be linking to the privacy policy in your opt-in language on any website forms. In addition, the collection and use of personal data in cookies will need to be disclosed and policies put in place to allow users to positively consent to cookies.

  • Use of a website no longer amounts to consent to cookies
  • An opt-in box or some other mechanism for consenting to cookies (via a Settings option in the menu, for example) needs to be provided
  • The same mechanism for opting in to cookies needs to be provided for users to opt-out or withdraw consent at some point in the future
  • Make sure that any web analytics tools using IP addresses (such as Google Analytics) are GDPR-compliant by anonymizing or otherwise removing this personally identifiable information
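For the last point, the usual approach is to truncate the address before it is stored or sent to an analytics tool. This added example (not code from the memo or from Google) applies the same truncation that Google Analytics documents for its IP anonymization setting: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero. It is a self-contained function with no dependencies.

```javascript
// Added example: anonymize an IP address before logging or forwarding it.
// IPv4: zero the last octet. IPv6: zero the last 80 bits (the last five 16-bit groups).

function anonymizeIp(addr) {
  if (addr.includes(":")) return anonymizeIpv6(addr);
  const octets = addr.split(".");
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error("not an IPv4 address: " + addr);
  }
  octets[3] = "0";
  return octets.join(".");
}

// Expand a possibly compressed ("::") IPv6 address to eight groups, zero groups 4-8,
// and return a canonical lower-case form without leading zeros.
function anonymizeIpv6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) throw new Error("not an IPv6 address: " + addr);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // Without "::" the address must already have exactly eight groups.
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("not an IPv6 address: " + addr);
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error("not an IPv6 address: " + addr);
  }
  for (let i = 3; i < 8; i++) groups[i] = "0"; // 5 groups * 16 bits = 80 bits
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, "")).join(":");
}
```

Apply the function at the point where the address enters your own logs as well, not only in the analytics tag, since server access logs are personal data under the same rule.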

Other Implications

Again, we encourage our clients to seek legal counsel to identify the specific mechanisms they should adopt to ensure compliance with other aspects of the GDPR requirements:

  • Organizations that process large amounts of personal information may need to employ additional privacy safeguards, such as the appointment of a Data Protection Officer
  • When a breach of personal information occurs, under most conditions, organizations have a maximum of 72 hours after becoming aware of the breach to notify those affected
  • The GDPR gives citizens the right to access their personal information, which includes information about the purpose of processing, with whom the data is shared, and how the organization acquired the data – the mechanism for users to access their data should be outlined in the privacy policy
  • Further, it gives users the right to have their data erased (earlier called a right to be forgotten), and this process should also be outlined in the privacy policy
  • Other privacy rights – such as data portability, data protection by design and default, and maintaining records of data processing activities – are also enshrined in the GDPR, and specific compliance activities will need to be created on a company-by-company basis

Feel free to contact The Quell Group for more information on GDPR, or for assistance with getting your updated privacy policy posted or adding opt-in language and a checkbox to your existing website forms. All privacy policy and opt-in language should be reviewed by legal counsel to ensure compliance with GDPR.