GDPR is a hot topic on everyone’s minds these days. As the May 2018 deadline for compliance approaches, many companies still have a lot to do to get into compliance with new requirements that give consumers greater control over their data.
To help companies make progress on GDPR and achieve compliance as quickly as possible, we recently hosted a webinar with GDPR and legal experts Bianca Naghi, Managing Associate at David & Baias, connected law firm of PWC, Ian Moyse, Board Advisor for Assuredata, Tudor Galos, Consultant for Advisera, and Eugen Marinescu, Senior Legal Counsel at 2Checkout (formerly Avangate). This blog post summarizes key points of the webinar, but you’ll want to watch the whole event for the full nuance on these detailed topics.
One of the key messages of the webinar was … if you haven’t done much yet, it’s not too late— but get started now. Reading this article is a good start, but make sure to take action as soon as you’re done—and involve others in your company as well.
GDPR is a new data privacy law that affects all types of companies operating in the EU or processing the personal data of people in the EU. Companies must have a lawful basis for processing this personal data; the data subject’s consent and the company’s legitimate interest are two such bases, not a combined requirement. It doesn’t matter what type of business the company is in, whether it sells to businesses or consumers, or whether it has a physical presence in the EU: if the company handles EU resident data, it must be GDPR compliant.
Companies that are not compliant with GDPR face fines in two tiers: up to 10 million euro or 2% of worldwide annual turnover, whichever is higher, for infringements such as failing to keep processing records or to notify a breach, and up to 20 million euro or 4%, whichever is higher, for infringements of the basic processing principles, data subject rights or the rules on international transfers. These are maximums; the actual amount depends on the nature, gravity and duration of the infringement and other factors. For companies with thin margins or high turnover, these fines could have a serious impact on the business, so they are worth avoiding.
When seeking GDPR compliance, it’s important to understand what counts as personal data (GDPR’s term for what is often called personally identifiable information, or PII). There are three categories: general personal data, special categories of personal data (often called sensitive personal data) and data relating to criminal convictions and offences.
Most companies will be dealing with general personal data like name and surname, address (physical address or IP address), job title and similar information. For general personal data, a single lawful basis such as consent or legitimate interest is enough to collect and use it. Special categories of data (for example health, biometric, religious or trade union data) require an additional condition, such as the data subject’s explicit consent, and criminal-offence data may only be processed under official authority or where EU or member-state law permits it.
Under GDPR, data subjects (the people whose data you hold or want to hold) have eight specific rights:
1. the right to be informed
2. the right of access
3. the right to rectification
4. the right to erasure (the “right to be forgotten”)
5. the right to restrict processing
6. the right to data portability
7. the right to object
8. rights in relation to automated decision-making and profiling
Some of these, notably data portability, are new under GDPR. Honouring them requires you to keep track of the data you have (so it can be retrieved, corrected, deleted or ported somewhere else) and may require you to appoint a Data Protection Officer (DPO).
A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of special-category or criminal-offence data. Whether or not you need a DPO, the data controller must report certain data breaches: to the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and to the affected data subjects without undue delay when that risk is high. Make sure you understand which breaches must be reported, what the notification must contain and who must be notified, including whether data subjects themselves need to know, and how quickly.
If you are a U.S.-based company with customers in the EU, you need to be GDPR compliant, and so do your suppliers. It’s not enough to trust your cloud service providers to be GDPR compliant. You need a written commitment from them (in GDPR terms, a data processing agreement under Article 28; no certificate of compliance is available yet), no matter where they’re located, because they will be handling your customer data that’s subject to GDPR. You need to understand not only where they physically store data, but also how they transfer, back up and destroy it. If you end a contract, verify that the supplier can destroy or return the data it held. If your supplier breaches GDPR, you may be found negligent as well, so audit your upstream and downstream suppliers and ask good, detailed questions. When moving data outside the EU, ensure that every company involved is committed to protecting it in line with EU law. At the time of the webinar, transfers to the U.S. could rely on a program called Privacy Shield; note that the Court of Justice of the EU invalidated Privacy Shield in July 2020, so such transfers now rest on standard contractual clauses with a transfer risk assessment, or on the EU-U.S. Data Privacy Framework adopted in 2023.
Every department holds data subject to GDPR and has a role to play in compliance. IT needs to secure data. HR needs to train employees on their GDPR responsibilities and itself holds employment-related personal data. Marketing needs to rethink how it buys, collects, uses and markets with data, including obtaining opt-in confirmation and developing clear policies. If your sales team uses a CRM system to store customer or prospect data, that system and its use need to be GDPR compliant. The image below shows GDPR considerations for the marketing department alone:
Every ecommerce business should begin its GDPR compliance journey by assessing existing processes (including interactions with supply chain partners), engaging in privacy by design, ensuring access to and transparency over data, and removing pre-ticked opt-in boxes, since consent must be an affirmative action. Privacy by design means collecting only the personal data you actually need and giving a clear statement on what happens to it: where it goes, who is responsible for it and so on. This information should be made clear to the customer at the time they provide the data and consent to your using it.
When it comes to payments, companies selling online have two models to choose from: merchant of record (MOR) or payment service provider (PSP). Under the MOR model, the digital commerce vendor is the merchant of record and is liable for processing customer payments. The MOR carries the primary responsibility for GDPR compliance, but your company must still use the data only as defined by the data controller (the MOR) and by the customer’s consent, and must verify that the MOR is GDPR compliant. In the PSP model, both the provider and your company must be GDPR compliant: the PSP’s compliance does not cover yours.
While the MOR model is easier and faster to work with and spares you the PCI DSS scope and handling of payment information, keep in mind that it doesn’t free your company entirely from the need to think about GDPR.
A quick recap of the key points that matter for software and SaaS companies selling their products online to the EU or to EU residents:
GDPR myths: one to watch out for is the idea that you can become 100% compliant. The law is broad and personal data is everywhere in a business. Don’t think of GDPR compliance as checking a box once; think of it as changing how you handle data and consent.
GDPR compliance is complex enough that it requires a clear plan. Begin by establishing the project and involving the right stakeholders across departments.
Organize your existing data protection process so that you protect the data you already hold as well as the data you newly collect.
Throughout, keep in mind that personal data is never your property: it belongs to the data subjects. Think of yourself as a “bank” that holds data instead of money. You have to be able to give that data back and let subjects examine it at any time. As you prepare, build up your data inventory: identify all the personal data in the company and make sure you understand how and where it’s held, on what lawful basis, and whether that handling is compliant. If not, work out how to achieve compliance. Finally, pursue third-party compliance across your supply chain and partners.
For help with the process, consider Advisera’s GDPR Documentation Toolkit or the more in-depth Conformio resource. You can also check the official EU GDPR site, Advisera’s EU GDPR Academy and Assuredata training.
We hope that this webinar wrap-up provides enough detail for your company to get started with GDPR compliance. Stay tuned for part two of the summary, where we dive into the questions that came up during and after the webinar. It goes without saying that you can always watch the replay of the webinar at any time.