What You Need to Do to Satisfy the EU
A checklist for dealing with Europe's new privacy law, which raises questions about arrangements with third-party data companies.
Last week the European Union agreed on a new privacy law that is expected to set the worldwide standard for the collection and usage of data online. When the General Data Protection Regulation (GDPR) is passed as expected early next year, companies doing business in the 28 member states of the EU (and that's most global businesses) will have two years to shift their online strategies to accommodate opt-in and data transparency policies or face fines of up to 4% of their total revenues.
To help prepare online marketers for a brave, new, more private world, a group of security and risk analysts at Forrester issued a list of 10 critical issues companies must consider to be compliant by 2018:
1. Do a privacy assessment. Benchmark your current strategy against existing laws and best practices, build a business case for future investments, and present your new privacy initiative to your company's board of directors.
2. Hire a data protection officer. If one of your core activities isthe systematic collection of personal data on a large scale, this is a must. Your DPO should partner with privacy peers to align controls and policies with an eye toward establishing privacy as a competitive differentiator.
3. Establish a breach notification plan. The law allows enterprises only 72 hours to issue notice of a significant data breach. It's tough enough to give proper notification to regulators, but tougher to communicate it in a sensitive fashion to customers. Plan for failure and be ready to leverage corporate communications and marketing staff—as well as third parties—to get the job done.
4. Reassess your outside data and analytics providers. Under GDPR, they too can be held liable for privacy violations. This changes the arrangement in two ways: They may charge more to allow for costs of compliance and they may need more visibility into your data, thereby exacerbating the risk of data leakage.
5. Know where all the data is. The GDPR's “right to be forgotten” clause gives users full access to and control of the data you keep on them. As a result, you have to know where personal data is at all times and be ready to delete it. Third-party contracts must also allow for immediate data deletion.
6. Think of the children. GDPR sets the age of digital consent at 16, though member states can decide to lower it to 13. What, however, will stop a 13-year-old from setting up accounts when visiting countries where they're digitally legal? Don't count on box-checking mechanisms to cover your liability here. Instead, institute initiatives to educate kids about privacy and security risks online.
7. Home in on the opt in. Plenty of companies have complied with opt-in rules set in the EU, but regulators continue to snare some not following the letter of the law. One issue to watch out for: failing to get user consent to share their data with third parties.
9. International data transfers remain a question mark. GDPR doesn't set new rules for international transfer of business data. While waiting on a new Safe Harbor agreement, U.S.-based companies should evaluate this situation on a nation-by-nation basis.
10. Set procedures for disclosing data to law enforcement. GDPR has a rule stating that data controllers cannot disclose data in its entirety and must notify the relevant data protection authority when a request is made. Concerned companies can use encryption and data masking to make data unusable, but it's essential that they manage their encryption keys accurately.