As of May 25, 2018, the GDPR was enforced in the EU. Companies can now be fined and penalized for improper collection, storage, and handling of personal data, so it’s important to make sure your company is compliant with GDPR regulations.
Companies not located in an EU nation state are also coming into compliance with the GDPR, perhaps for fear of fines large enough to bankrupt most companies. It has become, therefore, best practices to be GDPR compliant, if internet users located in the EU might visit your website and submit personal information.
Evaluating Your Interests
In cases of legitimate interests, businesses are allowed to collect data from users because they need it to conduct business and/or interact with them. While this may or may not require direct consent from the user, the user absolutely must be able to access information about what data is collected, how it’s used, and your company’s privacy policy. People must also have the explicit option to opt-out of marketing campaigns and request that their personal information be permanently removed.
The Legitimate Interest provision does not excuse companies from GDPR compliance. They still need to ensure compliance with all GDPR regulations about data management and collection.
User Consent
There are multiple aspects to consider about online user consent. You must consider the method of getting consent from users, how you’re recording the consent, and how you’re managing the data you collect. Under the new GDPR regulations, consent should be revocable at any time.
Consent is used to gain legal permission to collect and use certain personal data for a specific purpose. The purpose and the type of data collected must be clearly indicated when asking for consent. Requests for consent need to be separate from normal terms and conditions and prominently displayed so that users clearly understand the exact consent they are granting. Passive opt-in or negative requests are not allowed under the GDPR.
To show their compliance, and in case of any legal issues in the future, companies should be recording how and when consent was gained from every user, as well as what the user was told when they gave their consent. This helps to prove GDPR compliance.
Once you’ve gained consent, you must properly manage the personal data collected, and ensure that you adhere to the limitations for which users granted use of their personal data. You cannot go outside the limitations, unless you ask for and gain additional consent.
Users must also have the ability to request, and receive, detailed information about storage and usage of their personal information, and easily withdraw their consent at any time any without penalty.
Providing Information
Companies collecting personal information from users are required to make certain information available to users, including information about:
- Your company’s collection, storage, management, and use of personal data.
- Names of third-party data processors that may work with the data.
- Deletion requests of their personal data, and more.
Working with Third-Party Data Suppliers
If you have been using personal information supplied by a third-party, best practices is to stop using the data. Its collection was not compliant with GDPR, GDPR does not have a ‘grandfather’ provision, and it’s highly improbable a third-party supplier can prove it was absolutely collected from a user outside the EU.
If you are considering purchasing personal information from a third-party supplier in the future, the supplier must prove that it was collected in compliance with GDPR. This means:
- The third-party supplier must absolutely prove, without any doubt, the user was not physically located in the EU at the time the information was collected.
- If the user was in the EU, the user must have given permission for their data to be sold at the time it was collected. And, the third-party collecting the data must comply with GDPR regulations, which is probably impossible with personal information that is sold.
Personal Data Profiling
Personal data profiling occurs when personal data is used to evaluate specific aspects of the individual, typically to predict the individual’s behavior and take an action that would elicit a desired response.
Profiling is allowed under GDPR, but users can request that profiling be halted. In this case, the profiling must cease, except in an extreme instance where the objection overrides the interests, rights, and freedoms of the data subject.
Legacy Data for GDPR Compliance
As mentioned above, GDPR does not contain a ‘grandfather’ provision. Therefore, legacy personal data must become GDPR compliant or deleted.
You have probably experienced companies who have updated their Privacy Policy and sent emails asking users in their database to accept the new policy, thereby bring their database up to GDPR compliance.
Take Away
As of May 25, 2018, GDPR compliance is necessary for the handling of personal information of people located in the EU. Even if your company is not located in the EU, best practices are to be GDPR compliant if anyone from within the EU will visit your website and submit personal information.
Here is a checklist by DMA that is helpful in digesting information about GDPR, and ensuring that your company is compliant.
For more information about what your company should do to become GDPR compliant, request a free consultation or contact us direct.