In an age of information, more data is available than ever before. To protect consumers from having their data used improperly, new regulations and penalties are being put into place.
The European General Data Protection Regulation, or simply “GDPR”, is a new regulation replacing the 1995 Data Protection Directive. It protects the personal data of people in the European Union, in hopes of reducing the severity and frequency of security breaches and the mishandling and misprocessing of personal data on the web.
The regulation becomes enforceable on May 25th, 2018 – bringing new definitions of personal data, consent requirements, accountability standards, and roles along with it. Now that we have the formal definition out of the way, you might be wondering … “Should my company be panicking?”
All of this can sound scary, but don’t worry – we went through and gathered all the information needed to help you understand how to keep your consumer data safe, and your company compliant with new European data laws.
GDPR applies to you if your company is established in the EU. It also applies, even if your company operates entirely outside the EU, when you offer goods or services to people in the EU or monitor their behaviour (Article 3). Behavioural monitoring includes the tracking and profiling that web analytics and remarketing tools perform, so a non-EU site that tracks EU visitors can be in scope. Note that the regulation protects people in the EU (data subjects), not only EU citizens. Fines for non-compliance are up to €20 million (about $25 million USD) or 4% of your company’s global annual turnover, whichever is greater.
If your company is not established in the EU and neither targets nor tracks people there, incidental visits from EU users do not by themselves bring you into scope. The moment you remarket to those visitors or build profiles of their behaviour, they do.
Organizations that handle personal data are classified as controllers or processors, and compliance requirements differ between the two.
- Controllers are companies/organizations that decide why and how personal data is processed (the purposes and the means). An example would be a company that tracks users on its site and remarkets to them after they exhibit certain behaviors.
- Processors are companies/organizations that process personal data on behalf of a controller and only on its documented instructions – for example an analytics vendor, or an agency running reports on a client’s data, which is what Seer does for our Analytics clients. Processors do not decide the purposes, but they carry their own obligations under GDPR (a written contract with the controller, appropriate security measures, notifying the controller of breaches) and can be fined directly.
- Data subjects are the individuals whose data is being collected.
* NOTE: A company can be a controller for some data (its own customer records) and a processor for other data (a client’s data it handles), so classify each processing activity rather than the company as a whole.
What is Personal Data, Really … ?
GDPR is focused on protecting the personal data of individuals in the EU; the goals are fewer breaches, stronger security, and more transparency between companies and users. To achieve this, it defines personal data broadly: any information relating to an identified or identifiable natural person (Article 4(1)), where “identifiable” includes identification by reference to an identifier such as a name, an identification number, location data or an online identifier.
Personal data therefore covers a variety of data types including:
- Names and email addresses
- Unsubscribe confirmation URLs that contain email and/or names (and, for the same reason, any page URL, page title or campaign parameter that carries them into your analytics)
- IP addresses
- Online identifiers such as cookie IDs, advertising IDs and device fingerprints (Recital 30)
The regulation does not apply to data that has been genuinely anonymized, meaning the individual can no longer be identified by any means reasonably likely to be used (Recital 26). Pseudonymized data – for example a hashed email address, or a user ID that your own systems can still map back to a person – is still personal data and remains in scope.
In practice this means that aggregate data stored in a form that no longer singles out an individual is fine. For example, if you track users from Germany and have 1,700 sessions from Berlin with 500 ecommerce transactions, you can continue to store and analyze those totals, so long as nothing in the dataset (a segment of one, a combination of city, device and timestamp) lets you pick out a single person.
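The difference between hashing and anonymizing matters in practice, because an unkeyed hash of an email address can be reversed by anyone who can guess the inputs. The following Python block is an added illustration written for this page, not code from Seer or from any vendor mentioned here; the records and the candidate list are constructed sample data, and the HMAC key is a placeholder for a secret you would keep in a key management system.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records standing in for an analytics export keyed by
# email address. Not real data and not taken from the article.
HITS = [
    {"email": "anna@example.com", "city": "Berlin", "purchase": True},
    {"email": "ben@example.com", "city": "Berlin", "purchase": False},
    {"email": "anna@example.com", "city": "Berlin", "purchase": True},
    {"email": "clara@example.com", "city": "Munich", "purchase": True},
]

# A guess list an attacker could assemble from a leaked customer list,
# a public directory, or simply the pattern first@company.com.
CANDIDATES = ["anna@example.com", "ben@example.com",
              "clara@example.com", "dave@example.com"]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256, the usual 'we hashed it, so it is anonymous' claim."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def reidentify(digest: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: hash every guess and compare.

    Succeeds whenever the input space is small or guessable, which is the
    case for emails, phone numbers and IPv4 addresses. Hashing therefore
    does not anonymize such fields; the data stays personal data.
    """
    for guess in candidates:
        if hmac.compare_digest(naive_hash(guess), digest):
            return guess
    return None


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the normalised address.

    This is pseudonymisation, not anonymisation (GDPR Art. 4(5)): whoever
    holds the key can link the token back to the person, so the token is
    still personal data. But an outsider without the key cannot run the
    dictionary attack above, which is why GDPR lists pseudonymisation as a
    protective measure.
    """
    return hmac.new(key, email.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def aggregate(hits: List[dict], min_sessions: int) -> Dict[str, Dict[str, int]]:
    """Aggregate statistics with identifiers dropped entirely.

    Reports sessions and purchases per city and suppresses any city with
    fewer than `min_sessions` sessions, because a count of one is a person.
    The result no longer relates to an identifiable individual: this is the
    Berlin example from the text done properly.
    """
    sessions = Counter(h["city"] for h in hits)
    purchases = Counter(h["city"] for h in hits if h["purchase"])
    return {
        city: {"sessions": n, "purchases": purchases[city]}
        for city, n in sessions.items()
        if n >= min_sessions
    }


if __name__ == "__main__":
    # Placeholder key for the demo; in production it comes from a KMS.
    key = b"constructed-demo-key-not-a-secret"
    email = HITS[0]["email"]
    print("plain hash recovered as:", reidentify(naive_hash(email), CANDIDATES))
    print("HMAC token recovered as:", reidentify(pseudonymize(email, key), CANDIDATES))
    print("aggregate (min 2 sessions):", aggregate(HITS, 2))
```

Run it and the plain SHA-256 of the first record is recovered immediately from the guess list, the HMAC token is not, and the aggregate drops Munich because a single session there would identify one visitor. The HMAC output is still something a data subject can ask you to erase, because you hold the key; only the aggregate is out of scope.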
| Requirement | What it means for your company | Opportunity |
| --- | --- | --- |
| Right of access (Article 15): data controllers must provide, free of charge and normally within one month, a copy of the personal data they hold on an individual, together with the purposes of processing, who it has been shared with, and how long it will be kept. | Personal data needs to be findable by a single user identifier across every system that holds it (CRM, analytics, email tool, data warehouse), so a request can be answered completely rather than from the one database someone remembered. | Being transparent with your users about what is collected and why is a great opportunity to build trust with your customers. |
| Right to erasure (Article 17, the “right to be forgotten”): users can ask at any time to have their personal data deleted. Subject to the regulation’s exceptions (for example data you are legally required to retain), the controller must comply, pass the request on to its processors, and inform other controllers it has made the data public to. | You need a working deletion path for every store, including third-party tools. Consolidating web tracking in a tag management system (think: Google Tag Manager) and a single analytics platform (think: Google Analytics 360) reduces the number of places a user’s data lives and has to be purged from; backups and logs still need a documented retention and deletion policy. | Honouring opt-outs and deletions leaves users feeling in control of their information, which increases trust in your company. |
| Right to data portability (Article 20): users can request the data they provided to you in a structured, commonly used and machine-readable format (JSON or CSV, for example) and have it transmitted to another controller. | Data must be stored so that a per-user export is possible, and the export must be delivered securely (verified requester identity, encrypted transport) so the portability channel does not itself become a data leak. | Making data exportable makes staying compliant easy, and it also makes data more accessible within your organization. |
| Breach notification (Articles 33 and 34): a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be told without undue delay when the breach is likely to result in a high risk to them. A processor must notify its controller without undue delay. | 72 hours is not long enough to design a response from scratch. Plan in advance: an incident response procedure, logging that lets you establish what was accessed, a documented decision on who notifies the regulator and the users, and a method for dealing with concerned users in the wake of a breach. | Breaches can be very scary for companies and their consumers, but by having a rehearsed plan and resources available you can respond transparently and prove that you care about your customers and their information. |
| Data protection by design and by default (Article 25): processes must be designed with personal data protection built in (the regulation names pseudonymisation as an example measure), and by default only the personal data necessary for each specific purpose may be collected and processed (data minimisation, Article 5(1)(c)). | Planning adds extra time to projects and new features. To decide what data is necessary, your company will have to inventory all the data it collects and the purpose for collecting each item. | All this planning means that in case of a breach or an erasure request, you are prepared and ready. Defining what data is necessary also makes your company transparent and ensures customer data is properly used and stored. |
| Data protection officers (Article 37): a DPO must be appointed by public authorities, by organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by organizations that process special categories of data or criminal-conviction data on a large scale. Large-scale behavioural tracking for advertising is the usual trigger for a marketing organization. | If your company requires a DPO and you do not have someone on staff, you will have to hire a person or an outside firm to act as DPO for you. Reach out to the Seer Analytics team if you’re in need of assistance in this area. | Having a data protection expert on hand means that your questions can be quickly answered, strategies can be built with care, and compliance can have an owner in your organization. |
GDPR applies regardless of company size. The main size-based relief is that organizations with fewer than 250 employees are exempt from keeping formal records of processing, unless their processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data (Article 30(5)). Regulators have acknowledged that full compliance is difficult for small and medium-sized companies, and when setting a fine they must take into account the technical and organizational measures you had in place and what you did to mitigate the harm (Article 83(2)), so a documented, good-faith effort matters. It is not, however, a substitute for compliance.
As you consider how GDPR affects your business, take the time to look at WHAT data you collect and WHY you collect it. These regulations will have a large impact, but they are also an opportunity to show your users that you care about them, their data, and how it is being used. Here are just a few questions to ask of your company as you come up with a readiness plan:
- Am I established in the EU, or do I offer goods or services to, or track the behavior of, people in the EU?
- Do I collect personal data, including indirect identifiers such as IP addresses and cookie IDs?
- How can I minimize risk for my company when designing new processes?
- How can I be more transparent with my users?
- How can I make a user’s data easy to find, export and delete across every system that holds it?