We hope you enjoyed Part 1 of our GDPR Compliance Webinar wrap-up. If you haven’t already, make sure to read it for an overview of the GDPR regulation and your obligations under it. Then, come back for answers to these common (and some uncommon) GDPR questions. We’ve divided them into a few categories: consent, data, general and Gray Areas (there are a lot of those!).
Consent is valid, and the personal data may be processed on that basis under GDPR, only if the conditions set out in the regulation are observed. Varieties include opt-in, informed consent and granular consent. Generally, refreshing existing consent is a good idea.
BUT, if the personal data is processed in relation to a contract you already have in place, then consent is not needed again. The contract you have in place is as lawful a basis as consent. What you do with the data is another matter; that falls under "data" below.
Keep in mind that you could get fined for spamming everyone on your list to ask for consent. You do need to get consent again, say for a newsletter. But there are creative ways of doing this. Creative, compliant ways. For example, part of your current newsletter could say, “We are reinventing this newsletter with much better premium content: click here to opt-in/subscribe,” and then you have fresh consent. Don’t just ask, “Do you want to stay?” That could already be a breach.
The ePrivacy directive allows opt-out for existing customers. If you have a database of customer emails and send them a newsletter on an opt-out basis, that is okay under current law. As mentioned, if you rely on opt-out but have no existing relationship and the person is not a customer, sending any type of mass marketing communication is punishable even under current law.
These email addresses would not be considered personal data, but keep in mind that if someone replies from one of them and you gather their name, that would be personal data. Pay attention to what happens at each point in the chain and how the information you hold gets updated.
It's correct that you need to get consent only for EU citizens, but be careful: Australia, China and other countries have similar legislation. Also, the meaning of data subjects "from the EU" is open to interpretation: does it mean citizens or residents? This requires clarity, so it's best, and simpler to manage, to get consent from everyone.
Similar to age verification, where someone certifies “I’m at least 18 years old”, you could add something along the lines of “I’m an EU citizen”.
Processing "online identifier" personal data in aggregate, for the purpose of measuring, say, the completion rate of a form or which buttons are clicked on a landing page, does not profile or otherwise "directly" impact the user as long as the data is actually anonymized; in that case you are fine. The gray area comes from inbound marketing tools that by definition profile users' behavior on a website and need to identify them with a cookie. Those tools require consent for compliance.
Yes, if you are going to share a citizen’s data with a third party such as a marketing or mailing agency, then you need to have named them on the opt-in so that the citizen knows their data may be shared with that specific third party. Going further, you’ll need to check that your supplier is also GDPR compliant.
As an email with a signature is sent voluntarily by the user with that data attached, and with a reasonable understanding that emails are kept, stored and forwarded, the user has given implied consent for that data to be used for that specific purpose (i.e., being stored with the email). The user has NOT, however, consented to being marketed to or added to a marketing database.
This area is slightly gray, but to comply you need to demonstrate that you have consent from an individual. Therefore you should maintain the following records:
If you can show consent and the required details, you cannot be held noncompliant if someone fraudulently signed someone else up. In this instance, you would simply remove that data when the person asks to be forgotten. The regulators are NOT going to fine companies for such singular small issues. They do not have the time or resources. GDPR in this case simply protects the citizen by putting the law behind them to fix any such instances.
We will also likely see flouting of the law by foreign entities, as we see today with phishing emails, scam phone calls from abroad, etc. The GDPR game is to do what you can and follow best practices so that your house is in order and you can prove it if asked.
When it comes to data portability, you have to be able to give all the data that was provided by or observed from the data subject.
As an individual, I'd want to know in what situations the logs are being recorded. Again, consent is not the only thing that allows you to process personal data. There is also legitimate interest. If logs are kept because the data subject is a customer, or you have another reason that qualifies as "legitimate interest", then consent is not needed. If login data is used to build a profile, for example if you classify users by their login/logout patterns and send push notifications based on that, then that is profiling. So why are you tracking logins?
Profiling has two parts: 1) automated processing that puts the user in a classification and 2) what the automated processing will be used for. Being able to see a data subject's interests or behavior allows you to predict their next behavior.
Cloud providers are usually considered data processors regardless of whether they can see or enter personal data. You’ll have to look into the case law and guidelines to see if you’re a data processor or controller, but most cases show that any cloud service provider is a data processor.
It depends on who the data controller is. If at the time of the processing you were not acting under the instructions of the party to whom you transferred the data, this could be a relationship between two data controllers. In this case, you would not be liable. However, if you are the data processor or controller, as you would be if the partner asked you for the data and you collected it on the partner's behalf, you would be jointly liable under GDPR.
Not if you do anonymization that can’t be reversed. If you are holding indexes that can link the geolocation data back to personal information, it’s personal data. If the personal data is deleted, then it’s actually anonymized and compliant.
There is no GDPR certificate. There are some guidelines that map onto quality standards, like an ISO standard. Likewise, there is no certificate available at this point for a product or a cloud service. While there is no current GDPR certification, there are plans to include it in other certifications.
There is an alternative way to look at this, which is PCI compliance for payment providers. It isn’t exactly GDPR but has – at its foundation – the same mechanisms. It proves the partner is compliant as far as payment data is concerned and that the partner has a solid base for GDPR compliance.
It is key that HR reviews the employee handbook for any changes needed. Often much will already be covered due to prior data protection law needs anyway. Ideally, this is not in employee contracts, but you will have contracts that refer to the employee handbook, so simply updating the handbook and alerting employees to the central update would be enough. It is recommended, though, that all staff go through a training session on GDPR and their obligations and sign a form to go on file that they attended training, so as a business you have ticked that box.
GDPR mostly talks about electronic examples; however, it applies to all data held on citizens or individuals, in any format. It is true that GDPR is harder to apply to paper records, e.g., if someone asks to be forgotten, you need to find that data in files of paper records.
The maximum fine is defined as the larger of the two. If you can show a documented GDPR effort demonstrating that you have done all you feasibly could to comply and protect data, then in the case of a breach the authorities will look more favorably on you in the fine they apply. If you are negligent, have done nothing and thereby caused the breach, i.e., the worst possible scenario, then the fine applied is likely to be on the higher side.
Don’t forget that under the new laws, citizens whose data has been affected can also take civil action for damages, which was not easy to do before!
That's a gray area. What determines whether you may use data isn't just consent: you have to have a good reason for using it. You have to be able to say, "I did the right thing based on everything I could have known to do. I didn't knowingly breach anything." As long as you can say that, you may be safe.
See section 2.5 (page 12) of the DPO guidelines. It may be that in different regions this varies as the GDPR is a legal foundation, and different countries are adding slight nuances to it. Also related to DPOs, a good example outline is here. Many smaller firms are using consultancy DPOs as external specialists, for example www.assuredata.eu.
In general, remember that showing that you have done all you possibly could to be GDPR compliant and applied best practices is the key. As mentioned in the webinar, no one can be perfect on GDPR. The goal is to have done what is feasibly possible and to have put processes and policies in place, so that anyone checking would say “makes sense” and “good enough”: you did what you could and what we would ask you to do.
We hope that the GDPR webinar and the answers to these questions have helped you understand GDPR a bit better as you journey toward compliance! If you still have questions, ask us in the comments.