The mantra of the Internet has always been “Content is King.” Now the new mantra is “Consent is King.” You must get consent to store and process an individual’s personal data. After a two-year warning bell, the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, protecting the personal data of anyone in the European Union. If a data controller suffers a breach of personal data, it has 72 hours in which to notify the regulator and potentially any person affected. Be aware that the penalties are hefty: €20 million, which is over $24 million, or 4% of the worldwide annual turnover of the parent company, whichever is higher.
The GDPR is also in United Kingdom law, so this applies to all of the UK as well. Now, you’re thinking, hey it’s Europe, how can they come after me in America? United States trade agreements with the EU are being enforced by the US government, which now includes the GDPR and pursuing companies breaching the regulations. If you’re a US business and storing data of an EU citizen who happens to live in New York, you’re on the hook as much as you would be as a company doing business in Germany with the locals.
10 Steps to GDPR Readiness
To meet the impending GDPR deadline, here are ten steps to ensure your company and CMS are ready for the GDPR.
- Get consent. Consent must be freely given and verifiable. For example, there must be a positive opt-in: you cannot infer consent or use a pre-selected checkbox. You must also give everyone an option to easily withdraw consent, and withdrawal must be as easy as the way the person gave consent. If you have a site geared to a younger audience, such as a gaming site, and you will be collecting personal data, you will need parental consent for anyone under 16 years old. In the U.S. the Children’s Online Privacy Protection Act (COPPA) and some EU member states set the threshold at under 13 years old, so check which rule applies to you to make sure you are compliant.
- Maintain records. Be sure to maintain records of your personal data processing activities. You need to know what personal data you hold, where it came from and who you share it with. Data mapping is a powerful tool for tracking data processing, since it lets you see how personal data in one information system maps to personal data in another. Make sure your CMS has access to its data storage and exposes an Application Programming Interface (API) that can easily be used to track data processing activities, so you can show how you are complying with data protection regulations.
- Retrievable data capability. Make sure personal data is easily retrievable. A primary tenet of the GDPR is respect for individuals’ rights. A person visiting your site has the right to be informed and to access his or her data. For example, Google lets you access and export all data given to Google using Google Takeout, and LinkedIn lets you see your privacy settings. The data needs to be presented in a machine-readable format, such as a CSV, JSON, or XML file. A CMS that works with third-party tools or databases, and lets you identify and access personal data, significantly simplifies making that data retrievable.
- Protection by design. Data protection by design and by default is required. Be aware that visitors reserve the right to refuse service. An individual can ask for his or her personal data to be erased. Individuals can request that you restrict processing of their personal data. A person can object to being subjected to automated decision making, including profiling. It is essential that your CMS has ways of restricting the capture of personal data.
- Be sure you can rectify mistakes. Rectification must be made for incorrect usage of personal data. Say, for example, that I have stored incorrect information about you and passed it onto a third-party company. A person can demand that you and the associated company correct the inaccurate information. In most cases, you will have to make rectification requests free of charge within 30 days.
- Get a DPO. There’s a new sheriff in town known as the Data Protection Officer (DPO). Having a DPO is a requirement for companies that deal with a large amount of data or companies that frequently deal with sensitive information, such as healthcare info, information about minors, racial, biometric, or political opinions. The DPO cannot be your IT Manager, CTO, or security personnel since they will be governing data protection. A Marketing manager is out of the running since he or she is likely to be defining how data is managed. The DPO is a “protected” role; you can’t fire a DPO for doing his or her job well. The DPO does not have to be a dedicated job. Some organizations only need a few days a month of work by a DPO, so it can be outsourced to one or more individuals.
- Detect, investigate, and report. You must have procedures in place to effectively detect, report and investigate a personal data breach. If a data breach puts an individual’s rights and freedoms at high risk, you are required to address the cause and notify anyone that has been impacted by the breach. Failure to report a high-risk breach of personal data likely will result in a fine. In fact, you are likely to be fined for the breach itself. Having a CMS that has the API support to work with any system connected to your site collecting, storing, or processing personal data to detect data breaches is essential.
- Understand your data usage. Ensure you know how the personal data in your CMS is being used. If you are sharing personal data with a marketing agency, you will need to keep track of the data and ensure its integrity. You are responsible for the data, so you need to make sure any third-party agency is storing and using the data appropriately and has GDPR compliant policies in place. Having a CMS that supports the API tools needed to have an audit trail of internal and external shared data will save you a lot of work.
- Have a contingency plan. Last, but certainly not least, have a contingency plan. In most cases, companies have no plan for what to do if they are not able to work with personal data. If users do not consent, you will want a plan to anonymize the data: data that has been sufficiently anonymized is excluded from the GDPR, yet still lets you use anonymous user data for tracking your site pages and advertisements. Additionally, have a worst-case scenario contingency plan, for example for a breach that happens on a long holiday weekend. Be prepared to notify subjects of the data breach promptly, so that you can meet the GDPR time guidelines.
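To make the consent step above concrete (positive opt-in only, parental consent under the age threshold, withdrawal as easy as giving consent, and a verifiable, machine-readable record the subject can retrieve as in the retrievable-data step), here is an added example of an append-only consent ledger. It is illustrative code written for this article, not part of any CMS, and the per-country age table is a constructed, hypothetical assumption that must be checked against each country's actual rule.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed, hypothetical thresholds: the GDPR default is 16, and the post notes
# that COPPA and some EU member states use 13. Verify the real value per country.
PARENTAL_CONSENT_AGE = {"DE": 16, "FR": 16, "GB": 13, "US": 13}
# Mechanisms that are not a positive opt-in and are refused outright.
NOT_A_POSITIVE_ACT = {"pre_checked_box", "implied", "inactivity"}

@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool
    method: str          # how the action was taken, e.g. "checkbox_click"
    policy_version: str  # which privacy notice the subject saw
    timestamp: str       # UTC ISO-8601, so the record is verifiable later
    parental: bool = False

class ConsentLedger:
    # Append-only: consent and withdrawal are both events, nothing is overwritten.
    def __init__(self):
        self.events = []

    def record_opt_in(self, subject_id, purpose, method, policy_version,
                      age, country, parental=False):
        if method in NOT_A_POSITIVE_ACT:
            raise ValueError(f"{method!r} is not a positive opt-in")
        threshold = PARENTAL_CONSENT_AGE.get(country, 16)
        if age < threshold and not parental:
            raise ValueError(f"parental consent required under {threshold} in {country}")
        self.events.append(ConsentEvent(subject_id, purpose, True, method, policy_version,
                                        datetime.now(timezone.utc).isoformat(), parental))

    def withdraw(self, subject_id, purpose, method):
        # One call, mirroring how consent was given; no policy version applies.
        self.events.append(ConsentEvent(subject_id, purpose, False, method, "n/a",
                                        datetime.now(timezone.utc).isoformat()))

    def has_consent(self, subject_id, purpose):
        # The most recent event for this subject and purpose decides.
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False

    def export_json(self, subject_id):
        # Machine-readable history the subject can request under the right of access.
        return json.dumps([asdict(e) for e in self.events if e.subject_id == subject_id])
```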
Following these steps is a great way to ensure that your company and CMS are ready for the GDPR deadline. Making sure your CMS has the APIs to help you track and manage personal data is key to your success. If you are interested in finding out more about the GDPR, you can visit the English version of the EU GDPR site here: https://ec.europa.eu/info/law/law-topic/data-protection_en