
GDPR For Dummies

By: Suzanne Dibble Published: 12-24-2019

Don’t be afraid of the GDPR wolf!

How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulation (GDPR). The regulation applies to all businesses established in the EU and to businesses established outside the EU insofar as they process personal data about people within the EU.

Inside, you’ll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business. 

  • Find out what constitutes personal data and special category data
  • Gain consent for online and offline marketing
  • Put your Privacy Policy in place
  • Report a data breach before being fined

79% of U.S. businesses haven’t figured out how they’ll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.

Articles From GDPR For Dummies

GDPR For Dummies Cheat Sheet

Cheat Sheet / Updated 03-15-2022

The General Data Protection Regulation (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?

The Fundamentals of GDPR and Data Protection

Article / Updated 12-29-2021

One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe, so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve it aren’t dictated). The GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation. However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as where a country’s security needs to be upheld), so data protection laws across Europe aren’t quite as harmonized as some of the legislators may have desired.

Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:

  • The GDPR needs to fit into the member state’s legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.

At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.

Data protection laws

Data protection laws exist to balance the rights of individuals to privacy against the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights. This list describes a handful of additional points about these laws to keep in mind. Data protection laws:

  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also to organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing laws protecting data and sees itself as setting the gold standard of data protection laws, the vast majority of countries around the world have some form of data protection law.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data, whether of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations often (a) fail to put in place appropriate measures to keep personal data secure, (b) fail to inform the data subject at the point of data collection about what they intend to do with the personal data and, where necessary, to obtain consent, and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.

Countries hold to varying degrees of regulation and enforcement, and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data.

Regulation/Enforcement Strength of Data Protection Laws Worldwide

  • Tough: Australia, Canada, Hong Kong, South Korea
  • Strong: Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand
  • Light: Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine
  • Limited: Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay

The 10 most important obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:

  • Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it.
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it.
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA).
  • Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data processing.
  • Update your Cookie Policy to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.
  • Ensure that your staff are appropriately trained in relevant areas of the GDPR.
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary.
  • Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate.
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.

The consequences of non-compliance

Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements. Under the GDPR, the maximum fine for certain breaches has been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fine has increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher. This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated. This is not to say that you will be fined these amounts for any infringement of the GDPR. You would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine. Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don’t respond appropriately to a data subject access request (where the data subject can request details of the personal data you process about them) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim. As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller. A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be, for these reasons:

  • The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.
  • Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
  • Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media.

This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly with the data controller and with supervisory authorities. The two situations require two different responses:

  • If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.
  • If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints. These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject’s requests to exercise their rights.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.

Loss of trust

If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose the trust of your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you. In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m). In 2018, Comparitech carried out a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.

Be a market leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage. Elizabeth Denham, the United Kingdom Information Commissioner, summed up this idea nicely: “Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

How to Create and Communicate Your Cookie Policy

Article / Updated 12-16-2021

The function of your cookie policy is to provide clear and comprehensive information to your website users about the cookies you’re using and what type of cookies they are (functional or session, for example).

Assess your cookies

To create your cookie policy, you need to know what cookies you’re using on your website and what their purpose is. A small-business owner may not know the answer, especially if a website developer set up their website. If you don’t know what cookies are on your website and what they’re for, ask your web developer or use a cookie audit tool, such as cookiechecker. Ghostery is another tool that can help with this; it's a free browser plugin that also categorizes the cookies, such as advertising, analytics, and the like. For other options, search the internet using the term “tool to show cookies on websites." Resources such as cookiepedia can also be helpful to find out more about what different types of cookies do.

In order to write your cookie policy, you need to know:

  • What types of cookies are being used?
  • What is each cookie used for?
  • How long does the cookie last? For example, is it a session cookie that lasts only for the browsing session or a persistent cookie that lasts beyond the session; and if so, what is the expiry date?
  • Who serves the cookie? Is it a first-party or third-party cookie, and if it is a third-party cookie, who serves it?
  • How can the user refuse the cookie at a later date?

In addition, when you have the list of cookies your website uses, assess how intrusive the cookies are; in other words, how they follow users about in their online browsing. First-party cookies, such as shopping cart cookies, are less intrusive, for example, than third-party persistent tracking cookies, which monitor your website users’ online behavior on a long-term basis. If you’re using more intrusive cookies, obtaining informed consent for the use of those cookies is all the more important for you. Guidance on the use of cookies from the United Kingdom's Information Commissioner's Office (ICO) is that “you should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data like health details, or used for behavioral tracking."

Digital agencies and website publishers should take particular care when using cookies for Real Time Bidding (RTB). RTB is a system used by ad exchanges to broadcast the personal data (often of a sensitive nature) of the individual browsing the website or using the app to thousands of organizations in order to solicit potential advertisers’ bids to deliver their ads on the website or app. The ICO’s investigations into RTB have found that, in the vast majority of cases, cookies used for RTB do not comply with the ePrivacy Directive and the GDPR. The ICO highlighted the following deficiencies:

  • Insufficient information provided to the data subject about the processing
  • Data subject consent not obtained for the processing of non-special category data, relying instead on legitimate interests
  • Explicit consent from the data subject not obtained for special category data (such as tracking online browsing about religious or health content)
  • Failing to carry out a data protection impact assessment (DPIA)
  • Sharing detailed profiles of individuals with large numbers of third parties without the individuals’ knowledge

The French supervisory authority, CNIL, issued an enforcement notice in October 2018 to a French digital agency called Vectaury that had obtained personal data for hundreds of millions of people from the RTB system. The enforcement notice required Vectaury to cease processing geolocation data for advertising purposes without appropriate lawful grounds for processing. CNIL stated that “it is clear that Vectaury is unable to demonstrate that the data currently collected through real time bid requests are subject to informed, free, specific, and unambiguous consent.” Vectaury was non-compliant in:

  • Bundling together a number of separate processing purposes under a single opt-in
  • Not checking that consent had actually been obtained from the individual and relying only on contractual clauses to this effect
  • Using misleading and vague language on the first consent screen
  • Using pre-ticked boxes for consent

It is worth noting that Vectaury believed it was following the IAB framework, something that the IAB disputes by pointing out that Vectaury did not follow its policies correctly.

However, in practical terms, for the majority of data controllers, the most important assessment is whether the cookie is “strictly necessary” or not. If it is strictly necessary, the cookie is exempt from consent. If the cookie is not strictly necessary, consent from the web user is required. You can also take this opportunity of auditing the cookies used on your website to tidy up your use of cookies and delete any you don’t really need.

Write your cookie policy

The General Data Protection Regulation (GDPR) requires data controllers to provide certain information to data subjects, via the privacy notice, about how they process personal data. You can provide information about cookies in your Privacy Notice. However, data controllers commonly have a separate cookie policy that specifies which cookies they’re using. The requirement to provide certain information about the cookies you use on your site comes mainly from the current ePrivacy Directive. To comply with this Directive, you must explain what the cookies are being used for and obtain the user’s consent to store a cookie on the device. The obligation under the ePrivacy Directive to obtain consent relates only to non-essential cookies. However, you should provide information for all cookies used, both essential and non-essential.

Neither the GDPR nor the ePrivacy Directive specifies the information that needs to be contained in the cookie policy. However, you should include, as a minimum, the following information you learned from your cookie assessment:

  • What types of cookies are used (such as advertising or analytics)
  • Who sets the cookie
  • How a user can refuse the cookie

According to the ePrivacy Directive, the language in your policy must be clear and comprehensive. The ICO says this means the “text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so.” In other words, make sure users understand what the cookies do and what that means for them; for example, their browsing and shopping habits will be tracked, and they’ll see ads that reflect the tracking. The ICO guidance also states that you must consider the general levels of understanding that website users hold about cookies. That understanding is still pretty low, so the cookie policy needs to be easy to understand, especially for people who have no technical background. Therefore, listing the types of cookies your website uses isn’t enough; you need to fully explain what each type of cookie is used for and how that affects the user.

When using a banner or pop-up to link to the requisite information and to gain consent, consider the user experience. Many users find pop-ups annoying and even confusing, so you may want to use them sparingly, if at all, or as unobtrusively as possible. See the next section for more about ways to communicate your cookie policy to users.

Post your cookie policy

You can choose to have a straightforward cookie policy on a web page on your website with a prominent link to it on each page of your website (through a banner or pop-up on your website, for example), or you can use a more sophisticated tool to show the cookie policy and obtain the necessary consent (see the section below for potential tools). If the link to the cookie policy is in a banner that shows at the top or bottom of the web page, it must be easily viewable and above the fold (the section of the web page users can see without scrolling down). Many websites merely have a plain link to a cookie policy in the footer of each page of the website (without a banner or a pop-up). This isn’t likely to be prominent enough to be compliant.

In addition to the cookie policy, you need a separate cookie consent statement, either in a separately displayed cookie banner or a cookie pop-up, that links back to the cookie notice, with a call to action to provide consent, such as “accept cookies” and “reject cookies” buttons. The ICO guidance on the use of cookies states that:

  • Rather than just have a link that states “cookie policy,” you should make it clearer what the link is about by using words such as “Find out more about how our site works and how we put you in control.”
  • You must not have boxes that emphasize "agree" or "allow" (or presumably "accept") cookies, as opposed to "block" or "reject" cookies, as this influences website users to consent to the use of cookies. There must be similarly prominent accept and reject options.
  • The initial consent mechanism you use when people land on your website’s landing page must allow the user to make a choice about whether to accept the use of cookies or not; merely having a "more information" section where controls are located would not suffice.

The following figure shows an example of how a banner might display a link to a cookie policy. The banner pops out at the left side of the web page and provides a link that users can click to read more about the website’s cookies.

Consent under the GDPR must not be opt-out consent, where the user must take some action (click a button or select a check box) in order to block cookies. The GDPR insists on opt-in consent, where the user must take affirmative action in order to allow cookies. As such, cookie policies that state that by continuing to browse the website, the user consents to the use of cookies, will not be compliant.

Cookie walls

Equally, the GDPR prohibits you from making consent a requirement of the service, so stating that, in order to continue browsing, the website user has to accept cookies (known as a cookie wall) would also be in breach of the GDPR. The Dutch supervisory authority issued guidance that cookie walls are not compliant with the GDPR. It stated that it had increased monitoring of organizations using cookie walls and was instructing them to make the necessary changes to ensure GDPR compliance.

The ICO guidance is a little more permissive when it comes to cookie walls. The ICO refers to Recital 25 of the ePrivacy Directive, which states that “access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.” The ICO’s guidance is, therefore, that cookie walls are not permitted for "general access" to websites but that it is possible to restrict certain content if the user does not consent to the use of cookies. However, the ICO does go on to say that if the use of a cookie wall is “intended to require or influence users to agree to their personal data being used by [the data controller] or any third party as a condition of accessing your service, then it is unlikely that user consent is considered valid.” The ICO also notes, in a blog post published on the same day as its guidance on cookie walls, that “we recognize there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.”

The Austrian supervisory authority, however, rejected a complaint that consent obtained through a cookie wall of an online newspaper was not freely given. The newspaper had provided a free online version of the newspaper and also a subscription version without advertising. It only allowed users of the free version to have access if they accepted cookies for advertising purposes. The European Data Protection Board is advocating for a complete ban on the use of any cookie walls as part of the amendments to the ePrivacy Directive. So, we may only receive clarity on the matter of cookie walls when the new ePrivacy regulations come into force.

To ensure full compliance, you need a tool (discussed in the next section) that shows, before the cookies are fired, the cookies used on your site and allows website users to make granular choices regarding which cookies they’re happy to accept.

Tools to communicate your cookie policy and obtain consent

Some existing tools can enable you to be compliant to lesser or greater degrees. One such tool, Cookiebot, enables you to show the different types of cookies you use on your website and provides the website user with the option to continue to browse the website while using only necessary cookies (for which consent isn’t required). Cookiebot also appears to have the ability to prevent cookies from firing until consent is obtained, though you do have to add certain code to your other plugins. (Check out Cookiebot's website for more information.) The following figure shows the Cookiebot banner, which you can place at the top or bottom of your website. Users can click the Show Details tab to see the additional information shown here. Clicking the About Cookies tab shows more information about the different types of cookies, for example, cookies for statistics or marketing. With Cookiebot, users cannot accept and refuse individual cookies; rather, the choice is simply between Preferences, Statistics, and Marketing. With other, more expensive GDPR solutions, such as OneTrust, you can allow your website users to make more granular choices about which cookies they’re happy to consent to.

Another affordable WordPress plugin can be used to prevent cookies firing prior to consent being obtained (without having to add any code). This plugin also enables data subjects to access basic personal data about themselves (and update it), satisfying Recital 63, which states that best practice is for organizations to provide remote access to a secure self-service system where the data subject can have direct access to his or her personal data. In addition, the plugin provides a privacy policy and cookie policy generator that automatically updates on your site for new guidance or amendments to regulations.

GDPR: Consent as Lawful Grounds for Processing Personal Data

Article / Updated 12-16-2021

To process personal data, you need to have lawful grounds for processing, as provided for in the General Data Protection Regulation (GDPR). Consent is likely to be the appropriate ground where you want to offer a real choice to people — for example, whether they want to receive your marketing emails. Many people think that GDPR is all about consent, but that isn’t true; consent is just one of six potential lawful grounds for processing personal data. Carefully consider consent as lawful grounds for processing: Consent can always be withdrawn, so if you need the data for the stated purposes, it’s always wise to rely on another lawful grounds for processing where possible. Or in other words, if the data subject withdraws their consent and you would try to continue processing the data under a different lawful ground, consent isn’t the appropriate grounds for processing. If the relationship has a power imbalance (such as during employment or during processing by a public authority), proving that consent is freely given (one of the elements of a valid consent) is difficult. Consent provides data subjects with stronger rights in relation to their data than other grounds for processing; the right to erasure and the right to data portability, for example. A valid consent has various elements. Consent must be Freely given Specific Informed An unambiguous indication of wishes Freely given consent Freely given means that the data subject is free to choose whether to give consent, without any detriment, and has genuine choice and control over what personal data they provide. Incentivizing consent is possible. If you offer money-off/discount vouchers for subscribing to an email marketing list, for example, this would still be valid consent. If, however, the data subject suffers a detriment or is unfairly penalized as a result of not providing consent, the consents that were obtained aren’t valid. 
An example of a detriment is charging higher prices for a service if the data subject refuses to consent to their data being shared with third parties. If consents are bundled so that a data subject can only consent to all of the processing, this consent isn’t valid because the consent hasn’t been freely given. Perhaps, the data subject wanted to sign up for one type of processing but was forced to sign up for another as well, because the consents were bundled. The consent needs to be granular, as shown in the following figure. You need to offer separate consents for one of these: Different types of processing: For example, to be contacted by email, phone, or postal mail Different purposes: For example, sending email marketing and sharing details with third parties Note that the preferences form in the figure requires opt-in consent for SMS (text) updates but opt-out consent for communications by postal mail or telephone. This is because the e-Privacy Directive (as implemented in the United Kingdom as the Privacy and Electronic Communications Regulations, known as PECR) requires consent for text marketing (amongst other electronic marketing) but not for postal or telephone marketing. Therefore, this organization is relying on consent (which must be the opt-in type to be valid under the GDPR) for text marketing and on the legitimate interests grounds for processing to send postal and telephone marketing; this is compliant with the GDPR. If you rely on the legitimate interests grounds for processing, you must provide the ability for data subjects to opt out at any time — and that’s what The Guardian web page is doing. The e-Privacy Directive (as implemented into European Union member states through their national legislation) requires consent for certain electronic direct marketing communications. If the relevant national legislation (such as the PECR in the UK) requires consent, then the GDPR will also require consent for such processing. 
If consent to the processing of personal data is a condition of service and the service provider will not provide the service without the consent to the processing being given, then the consent isn’t freely given. However, if the data is required in order to fulfil the service (for example, passing a customer’s name and address to a delivery company), then the appropriate lawful ground for processing would be contractual necessity, and consent wouldn’t be required.

It’s difficult for employers to show that consent by employees has been freely given, because of the imbalance of power in the working relationship. As such, employers should look at other grounds of lawful processing for key employee data and rely on consent only for processing of such personal data as responses to surveys, competitions, or similar matters. In addition, consent can always be withdrawn, so if you need to retain certain key employee data, relying on consent as lawful grounds for processing is unwise.

Specific consent

The consent must be given for a specific purpose, such as for sending marketing emails. In accordance with the transparency principle, you must clarify what the personal data is being used for, and you must be as specific as possible. If you’re processing personal data for multiple purposes, you must obtain consent for each purpose.

Specificity is often problematic because you may not know what you want to use the data for at a later date after you have collected it. The GDPR provides for processing for compatible purposes. If your lawful ground for processing is consent, however, then even if the new purpose is compatible, in order to comply with the principles of fairness and lawfulness, you need to obtain fresh consent for the new purpose. One exception to this rule relates to processing for scientific research purposes.
The GDPR states that, where it is not possible to fully identify the purpose of data processing for scientific research purposes, data subjects can legally give their consent to certain areas of scientific research consistent with recognized ethical standards for scientific research.

The specified purpose must be set out in your privacy notice as well as in any processing records you may be obliged to keep under Article 30 of the GDPR. You should regularly review your processing in consideration of your stated purpose and, if you notice any “purpose creep,” obtain fresh consent if the new purposes are not compatible with the original purposes. Note that the consent needs to be obtained before the commencement of the processing for the new purpose.

Informed consent

You must provide the data subject with all necessary information about the processing at the point that the person provides consent. The place for this information is in your privacy notice. This must be in a form and in a language that’s easy to understand. Language that’s likely to confuse (such as double negatives and inconsistent terminology) will invalidate consents.

Recital 32 of the GDPR makes clear that if a consent is to be given by electronic means, such as ticking a box on an online form, the request for consent must be clear, concise, and not unnecessarily disruptive to the user experience. Suppose that a lengthy and confusing privacy notice pops up and blocks content until the user of the website clicks to make it disappear. Having to click the notice is disruptive to the user experience and falls afoul of this provision. A better strategy here is to use a layered privacy notice like the one shown in the following figure. Where possible, you should combine this type of notice with a just-in-time notice — a note on a web page that appears at the point where the data subject inputs personal data, as shown in the following figure.
(Note how a just-in-time notice provides a brief message about how the submitted information will be used and a link to the longer privacy policy.) Some level of disruption may be necessary to obtain the consent, but you can minimize it as much as possible.

For the data subject to be informed, the person must know at least the identity of the data controller and the purposes of the processing. If you’re sharing the data with any third parties who are relying on that consent, the identities of those third parties must also be named. You don't need to name all third parties to whom you disclose the data, because many are relying on other lawful grounds for processing to process the data (contractual necessity, for example). If you’re sharing data with a third party for the purposes of them marketing to the data subject, consent is the likely ground for processing. In this case, the third party should be named in the consent from the original data controller, as it should be in any other cases where the third party will be relying on that consent in order to process the data.

You should ensure that the consent is separate from other terms and conditions so that it isn’t buried in lots of legalese.

Unambiguous indication of wishes

In order for consent to be valid, there must be no doubt about the data subject’s wishes. If there is any uncertainty about whether the data subject has consented, the presumption is that they have not consented. Recital 32 to the GDPR states that a clear, affirmative act may include a written statement, including by electronic means, or an oral statement. This might include having the user tick a box when visiting a website, choosing technical settings for online services, or acting in a way that clearly indicates acceptance of the processing (for example, asking individuals to drop their business cards in a bowl if they want to receive your newsletter).
In this context, a clear, affirmative act means that someone has taken deliberate and specific action to consent to the processing. Hence, pre-ticked boxes and opt-out actions aren’t ways of obtaining valid consent, because the data subject hasn’t had to take affirmative action. Therefore, this isn’t an unambiguous indication of the person’s wishes. They simply may not have seen the check box or the opportunity to opt out.

Similarly, silence doesn’t constitute an effective consent. For example, if you ask someone by phone to say something specific in order to opt out of the processing of their data, the data subject’s silence isn’t a valid consent, because the person may not even be listening. To actively confirm consent over the telephone or in person, the data subject must speak certain words, such as “Yes, I consent.” Keeping records of this oral consent is vital.

An element of implied consent can come with a positive act that makes it clear the data subject is consenting to the processing. For example, if you ask attendees of an event to drop their business cards into a bowl for a chance at winning a prize, that would imply consent for them to be entered into that prize drawing. However, the data can’t be used for marketing to those individuals without their further consent.

Consent obtained by way of duress or coercion doesn’t constitute valid consent.

Obtain fresh consent

The GDPR has introduced a higher standard of consent than what existed under the previous regulations. If your existing consents don’t meet the new GDPR standard (you previously relied on pre-ticked boxes to indicate consent or you don’t have satisfactory records of your consents, for example), you must update those consents to meet the higher standard to be valid. Be wary of attempting to obtain fresh consent to marketing communications by emailing data subjects on your mailing list. To do so would be processing the data without valid lawful grounds for processing.
Also, consent is generally required for email and text marketing communications under the e-Privacy Directive. You can have on your website a sign-up box to obtain fresh consent for email marketing communications (and use various advertising methods to direct people to it), but, obviously, it takes some time to obtain consents in this way, and people who have consented previously may invariably be “lost.”

The e-Privacy Directive and consent

Consent is required for communications covered by the e-Privacy Directive, such as for email and text marketing to individuals. Currently, the e-Privacy Directive (as implemented in EU member states’ national legislation) applies only to organizations that provide electronic communications services within that member state, but this is soon to be extended to have a similar global reach as the GDPR. Be mindful of these regulations when deciding your lawful grounds for processing. If you need to obtain consent under the e-Privacy Directive, this needs to be to the same standard of consent as the GDPR.

Withdraw consent

If you rely on consent as your lawful grounds for processing, you need to inform data subjects of their right to withdraw consent. The place to do this is in your privacy notice. You also need to offer data subjects easy and free ways to withdraw consent. You may want to consider using a preference management tool to do so, as shown here. You might also include an online form to withdraw consent at the bottom of each page of your website.

The GDPR states that data subjects must be able to withdraw consent at any time. Arguably, merely having an unsubscribe option at the bottom of emails would not suffice, as an email is not available to a data subject at all times; they may have received one and deleted it and, therefore, have no link to unsubscribe when they want to do so.
Keep the following points in mind as you consider how to enable data subjects to withdraw consent:

• Withdrawing consent must be as easy as providing it. If a data subject provided consent by ticking a box on an online form, specifying in your privacy notice that they have to call a telephone number or even write to an email address to withdraw consent isn’t compliant. If, however, consent was obtained over the telephone, it is compliant to provide a telephone number for the data subject to call to withdraw their consent.
• A data subject must not suffer any detriment by withdrawing their consent. If the data subject suffers, the consent is invalid.
• When consent is withdrawn, you must stop processing the data immediately. Where this isn’t possible, it must be stopped as soon as possible.
• If a data subject withdraws consent, you don’t necessarily need to delete all of their data. For example, if a data subject opts out of email marketing (effectively withdrawing consent to you for processing their data to send email marketing), you can properly keep this data on a suppression list (so that you have a record of the data subject’s opting out). Similarly, if you need to retain data for legal or auditing purposes, you can do so, but at the point of obtaining the consent you must be upfront with the data subject about your intentions to continue to process the data for certain purposes. The place to do this is, of course, in your privacy notice.
• A third party can withdraw consent on behalf of a data subject. You must, however, satisfy yourself that the third party has the authority to do so. This may cause difficulties where data subjects use automated software tools for unsubscribing.
• No set time limit dictates how long consents are valid. However, you need to monitor consents and refresh them where necessary depending on the context, including data subjects’ expectations and how often you email them.
For example, if you haven’t emailed people for a long time, you may need to obtain fresh consents. If in doubt, the UK’s supervisory authority, the ICO, recommends refreshing consents every two years. You should also consider contacting data subjects regularly (every six months, for example) to remind them of their right to withdraw consent.

Document consent

You must be able to prove that consent has been provided, and you must keep records of consents. If complaints are lodged or investigations begin down the line, you’ll need to produce this evidence. You should keep records of the following consent-related information:

• Who consented, such as name or another online identifier (username, for example)
• The date on which the consent was given
• Details that were provided at the time about the processing and the purposes
• How someone consented (for example, in writing or by submitting data into an online sign-up form for a newsletter subscription)
• Whether the person has withdrawn consent and, if so, on what date

You can document the details of the processing and the purposes that were provided at the time by referring to the privacy notice that was in force at the time. Keep notes of how privacy notices are amended over time so that you know which version was shown to each data subject. This can be as low tech as keeping a hard copy file of privacy notices and writing on the top of each the dates from and to which it was effective.

Children’s consent for online services

If a child is signing up to use online services (other than preventive or counseling services), such as online games or education platforms, and the lawful ground you rely on to process their data is consent, then consent must be obtained from a parent or guardian if the child is under a certain age.
This list includes matters that you need to consider when obtaining consent for children’s use of online services:

• The relevant age of consent for children differs from country to country. In the UK, it’s 13. The map shown in the following figure shows the relevant age for other countries.
• You might need to take age verification measures: For example, if you choose to rely on the child’s consent because they state that they are older than the age required for parental consent, you may need to take additional measures to verify their age — don’t just take their word for it.
• You might need to confirm a parent’s responsibility: If a parent’s consent is provided, you need to make reasonable efforts to verify the parent’s responsibility for the child.
• Parental consent doesn’t automatically expire when the child reaches the age of consent: You may need to refresh this consent more regularly.

Third-party consent

A third party may be able to provide consent on behalf of another person, but you need to ensure that they’re duly authorized to do so. If a third party is providing consent, the data subject still needs to be fully informed about the processing and the purposes by way of a privacy notice. In practice, a third party providing consent for the processing of personal data of adults is likely only in circumstances where the third party has power of attorney for the data subject and can act on their behalf. You can assume that adults have the capacity to consent, unless you have any reason to believe otherwise.

View Article
GDPR and Data Security

Article / Updated 12-14-2021

One of the key elements that underpins the General Data Protection Regulation (GDPR) is how you, as a data controller or a data processor, secure and protect the personal data you collect, store, and process. Data security isn’t just an IT issue — it affects every area of your operations, and it involves everyone at every level of your business.

Data security, often also known as information security — and, in the case of securing electronic data, cybersecurity — concerns the protection of data and information assets that are used to store and process data. These assets can be paper-based, such as filing cabinets and hard copy documents, or they can be electronic systems, such as computers, databases, and software.

The data we collect, store, and process is constantly increasing, as businesses capture more data about more people, topics, clients, or staff. At the same time, the threats to data security are constantly evolving, from cyberattacks, malware, theft, and competitors to environmental hazards such as fire or flood. To remain relevant and effective, your data security practices need to be part of an ongoing process of continuous improvement, as shown.

If you’re reliant on third parties for data storage and/or processing functions, always check and verify their terms and conditions for the availability of their systems and services. This is particularly relevant when utilizing cloud- or Internet-based services that could impact your business operations.

Data security is often broken down into these three key areas, discussed next:

• Confidentiality: Protecting data against unauthorized access, distribution, or publication
• Integrity: Protecting data against unauthorized modification, corruption, or tampering
• Availability: Protecting data against unplanned loss, destruction, or unavailability

Confidentiality

Confidentiality is about protecting data against unauthorized access, distribution, or publication.
A key tenet of this concept is the need-to-know principle. Here’s a basic question to ask whenever you provide any individual or entity with access to data or data processing systems: Does this person have a genuine need to know?

This question is particularly relevant when it comes to modern computing systems, where providing access to applications and databases to both internal and external parties must be carefully considered. One way to manage such access is through the use of appropriate access controls and user privileges that limit or restrict the level of access and visibility of data within your systems to only what is required to perform specific roles. Such access should be based around the concept of “least privilege,” ensuring that users are not given more access than they need to perform their specific role or function. Users with enhanced privileges, such as system administrators, should not use their privileged accounts for normal, day-to-day work.

Where you do need to provide access to data, it’s also worth asking whether the data needs to be provided complete and in its original form, whether you should cut it down by removing fields or elements, or whether you need to consider pseudonymization, a technique that removes any part of the data that can directly identify specific individuals.

Confidentiality is also a key driver in the classification of data and data assets. Many businesses, organizations, and public sector bodies have specific guidelines on how they classify their data assets to ensure that need-to-know is enforced. Classification can also be used as a way of valuing data assets in terms of the impact to your business should the data be compromised or made public.

Integrity

Data integrity is concerned with protecting data against unauthorized modification, corruption, or tampering. Essentially, this means ensuring that the data you store and process is correct, accurate, and consistent over its entire lifecycle.
You need to be in a position in which you’re confident that the data hasn’t been tampered with or compromised in any way as it moves from one system or individual to another. In many areas of business, data integrity is as important, if not more so, than confidentiality. Imagine for a moment you were buying something online. You need to have complete confidence that the value of pounds, euros, or dollars you paid is the same that arrives with the seller at the other end of the transaction for your purchase to be completed. This is data integrity at work.

Key approaches when considering data integrity include:

• Validating data inputs and data outputs: This involves ensuring software and applications only accept, produce, or respond to known good inputs and have strong error handling and validation routines.
• Protecting against system or hardware failure: This calls for deploying systems on high-availability platforms — resilient or cloud-based platforms that reduce single points of failure, in other words.
• Using encryption to protect data transfers: This involves using appropriate technologies such as Virtual Private Networks (VPN) to safeguard the data being transferred, and/or Transport Layer Security (TLS) to encrypt the traffic end to end.
• Implementing safeguards that reduce the likelihood of human error: Steps here could include having supervisors double-check sensitive operations that staff are undertaking.

For high-value and high-impact data processing, actively ensuring non-repudiation for specific events or transactions is essential. (Non-repudiation means being able to provide proof, potentially legal in nature, of the origin and integrity of the data involved in the transaction.)

Availability

Availability entails ensuring that data and data processing systems are available when they’re needed. Imagine going to the bank to withdraw money. You reach the bank teller and are informed that, unfortunately, the bank systems are down and your request cannot be processed.
That would be frustrating, wouldn’t it? If you need to withdraw cash from the bank, you don’t want to hear, “The systems are down and will be unavailable for the next 28 days. Sorry for the inconvenience.” You need your money now, not in a month’s time!

Ensuring that access to data and data processing systems is there when users need the data is essential for most businesses. Some key elements for consideration include:

• Backup and recovery solutions for data, files, systems, and applications
• Disaster recovery (DR) and business continuity planning (BCP) that detail how your business will handle a major issue that impacts operations
• High-availability and cloud-based solutions that show how you achieve resilience in data storage and processing systems
• How you will manage the impact of environmental factors (such as fire and flood) or other security incidents
• How resilient your systems are to disruption and whether they can continue to operate under adverse conditions, such as those caused by a security incident or technical fault
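The confidentiality section above talks about need-to-know access, cutting records down to the fields a role requires, and pseudonymization. The following is an added example (not code from the book) showing those three ideas on one constructed customer record; the roles, field names, access policy and sample data are all assumptions made for illustration.

```python
"""Need-to-know views and pseudonymization for the confidentiality section
(added example, not the book's own code; the roles, field names, policy and
sample record are all constructed). Each role gets only the fields it needs,
and the analytics copy has its direct identifiers replaced by a keyed token
whose lookup table lives apart from the data."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Set

# Fields that directly identify a person in this constructed schema.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Least-privilege policy: which fields each role genuinely needs (constructed).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "dispatch": {"name", "address", "order_id"},               # must ship the parcel
    "analytics": {"country", "order_total", "customer_ref"},   # no identifiers at all
    "support": {"order_id", "order_total", "customer_ref"},
}


def minimise(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the role needs; a role with no policy gets nothing."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"no access policy for role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


class Pseudonymiser:
    """Replaces direct identifiers with an HMAC-SHA256 token.

    The key and the token-to-identity table are held here, separately from the
    pseudonymised data. That separation is what keeps the output pseudonymous
    (re-identifiable only by the key holder) rather than anonymous, so the
    output is still personal data under the GDPR and must be protected."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, Dict[str, Any]] = {}

    def token_for(self, email: str) -> str:
        """Deterministic token: same person, same token, without exposing the email."""
        digest = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def pseudonymise(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Strip direct identifiers, keep the rest, add a customer_ref token."""
        token = self.token_for(record["email"])
        self._lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["customer_ref"] = token
        return out

    def reidentify(self, token: str) -> Dict[str, Any]:
        """Only the key holder can map a token back to the person."""
        return dict(self._lookup[token])


def view_for(record: Dict[str, Any], role: str, p: Pseudonymiser) -> Dict[str, Any]:
    """Need-to-know view: roles whose job needs identifiers see the minimised
    original; every other role sees the minimised pseudonymised copy."""
    needs_identity = bool(ROLE_FIELDS.get(role, set()) & set(DIRECT_IDENTIFIERS))
    source = record if needs_identity else p.pseudonymise(record)
    return minimise(source, role)


# Constructed sample record.
SAMPLE = {
    "name": "Ada Example", "email": "Ada@Example.com", "phone": "+44 7000 000000",
    "address": "1 Sample Street, Exampletown", "country": "GB",
    "order_id": "ORD-1001", "order_total": 42.50,
}


def demo() -> Dict[str, Any]:
    """Walk-through on the constructed record; the key never enters the data store."""
    p = Pseudonymiser(secrets.token_bytes(32))
    analytics = view_for(SAMPLE, "analytics", p)
    dispatch = view_for(SAMPLE, "dispatch", p)
    return {
        "analytics": analytics,
        "dispatch": dispatch,
        "same_person_same_token": p.token_for("ada@example.com") == analytics["customer_ref"],
        "reidentified_email": p.reidentify(analytics["customer_ref"])["email"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```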

View Article
How to Create and Communicate Your Opt-In Wording

Article / Updated 12-14-2021

You should include opt-in wording wherever you are collecting personal data and relying on consent as your lawful grounds for processing, unless it is clearly obvious from the circumstances that, by providing personal data, the data subject will be consenting. You will typically see opt-in wording presented within just-in-time notices.

The dos and don’ts of opt-in wording

The opt-in wording should be concise, easy to understand, and user-friendly. If the opt-in wording is difficult to understand or confusing — in particular, by the use of double negatives — the consent isn’t valid. For example, the opt-in shown here isn’t valid.

The opt-in wording should be specific. If the consent is too vague and all-encompassing, it isn’t valid. For example, the opt-in wording shown here isn’t valid.

The opt-in wording should be clear about the purposes of the processing and the type of processing. The following figure shows an example of concise, easy-to-understand, user-friendly opt-in wording from luxury travel magazine Condé Nast Johansens. It clearly states the purposes of the processing (to send certain types of information to the data subjects) and the type of processing activity (to send emails and brochures). It should ideally state why the date of birth is requested, as under the data minimization principle, only personal data necessary for the stated purpose should be collected.

The consent for data processing should be obvious, prominent, and not bundled with other terms and conditions. So, if you’re collecting personal data at the same time you’re selling a product or service or otherwise need to incorporate terms and conditions, you must have a separate tick box for accepting the terms and conditions for the sale and a separate tick box for giving consent to the data processing. This is an example of opt-in wording where consent is not bundled with the terms and conditions.
You need to provide granular (more detailed) options for:

• Different purposes for the processing: You might have one purpose to send direct marketing emails yourself and a second purpose to share the data with third parties for their marketing purposes.
• Different types of processing: Examples are sending emails, sending postal marketing, and sending text marketing.

The following figure shows an example of opt-in wording that provides granular options for different types of processing.

You may see separate wording where certain types of processing, such as email and text, require opt-in consent and postal marketing asks for data subjects to opt out. This is because of the ePrivacy Directive, which provides that consent is required for email and text marketing. However, the ePrivacy Directive does not require consent for postal marketing, meaning you can generally rely on the lawful grounds of legitimate interests instead when it comes to processing of personal data for postal marketing. In such a case, processing for postal marketing will require an opt-out (as data subjects have the right to object to processing where legitimate interests is the lawful ground of processing). If a data subject opts out of postal marketing, you must cease the processing immediately. For an example of opt-in wording together with opt-out wording, see the following figure.

Avoid consent fatigue

Recital 32 of the GDPR also states that the consent must not be unnecessarily disruptive to the data subject’s experience. While you must adhere to the transparency principle and provide data subjects with sufficient information to make an informed choice, you must be wary of consent fatigue. This is when users provide consent without bothering to read the Privacy Notice or understanding the consequences of consenting, because they’re overburdened with information, presented with too many consent requests, or the process of providing consent is simply too cumbersome.
To help data subjects avoid consent fatigue, be as specific and succinct as possible in the opt-in wording and use links within the opt-in wording to layered Privacy Notices.

You shouldn’t try to obtain consent to (and therefore do not need opt-in wording for) the Privacy Notice itself. Consent is just one of your lawful grounds for processing. If you ask for consent to the Privacy Notice, you are effectively putting all of your processing on the ground of consent. In any event, a Privacy Notice will be too long, and describe too many different processing activities, for anyone to be able to give valid consent to it in its entirety.

Keep records of consent

Finally, as a data controller, you must keep records of consent, including:

• Who consented
• When they consented
• How they consented
• What they were told about the processing
• Whether they subsequently withdrew consent

As such, any tick boxes or other consent mechanisms used to capture consent online should ideally be integrated with appropriate record-keeping systems so that evidence of these consents is retained.
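The record-keeping list above, and the "Document consent" and "Withdraw consent" points in the earlier article (records per purpose, the privacy-notice version shown, no consent from pre-ticked boxes, suppression lists, the ICO's two-year refresh suggestion), can be turned into a small ledger. This is an added example, not code from the book; the class and field names and the sample subscriber are constructed.

```python
"""Consent ledger (added example, not the book's own code; class names, field
names and sample data are constructed). It records who consented, when, how,
and which privacy notice version they were shown, refuses anything that is not
an affirmative act, keeps withdrawn consents as a suppression list, and flags
consents older than the two-year refresh period mentioned in the article."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NoticeVersion:
    """One version of the privacy notice and the dates it was in force."""
    version: str
    effective_from: date
    effective_to: Optional[date] = None  # None means still in force


@dataclass
class ConsentRecord:
    subject_id: str          # who consented (email, username, ...)
    purpose: str             # one record per purpose: granular consent
    given_on: date           # when
    method: str              # how: "web_form", "oral", "written", ...
    notice_version: str      # what they were told: the notice shown at the time
    withdrawn_on: Optional[date] = None


class ConsentLedger:
    REFRESH_AFTER = timedelta(days=2 * 365)  # constructed default from the ICO suggestion

    def __init__(self, notices: List[NoticeVersion]) -> None:
        self.notices = sorted(notices, key=lambda n: n.effective_from)
        self.records: List[ConsentRecord] = []

    def notice_in_force(self, on: date) -> NoticeVersion:
        """Which privacy notice a data subject saw on a given date."""
        for n in self.notices:
            if n.effective_from <= on and (n.effective_to is None or on <= n.effective_to):
                return n
        raise LookupError(f"no privacy notice was in force on {on}")

    def record_consent(self, subject_id: str, purpose: str, given_on: date,
                       method: str, affirmative_act: bool) -> ConsentRecord:
        """Store a consent. A pre-ticked box, silence or inactivity is not an
        affirmative act, so it is refused rather than recorded as consent."""
        if not affirmative_act:
            raise ValueError("no clear affirmative act: consent not obtained")
        rec = ConsentRecord(subject_id, purpose, given_on, method,
                            self.notice_in_force(given_on).version)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, on: date) -> int:
        """Mark active consents for this subject and purpose as withdrawn. The
        records are kept, not deleted, so the opt-out itself is evidenced."""
        count = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_on is None:
                rec.withdrawn_on = on
                count += 1
        return count

    def _latest(self, purpose: str) -> Dict[str, ConsentRecord]:
        latest: Dict[str, ConsentRecord] = {}
        for r in self.records:
            if r.purpose == purpose and (r.subject_id not in latest or r.given_on > latest[r.subject_id].given_on):
                latest[r.subject_id] = r
        return latest

    def may_process(self, subject_id: str, purpose: str, today: date) -> Tuple[bool, str]:
        """Decide whether processing for this purpose can rely on consent today."""
        rec = self._latest(purpose).get(subject_id)
        if rec is None:
            return False, "no consent recorded"
        if rec.withdrawn_on is not None:
            return False, f"withdrawn on {rec.withdrawn_on}; subject is on the suppression list"
        if today - rec.given_on > self.REFRESH_AFTER:
            return False, f"consent from {rec.given_on} is stale; refresh it"
        return True, f"consent given {rec.given_on} under notice {rec.notice_version}"

    def suppression_list(self, purpose: str) -> Set[str]:
        """Subjects whose latest consent for a purpose was withdrawn."""
        return {s for s, r in self._latest(purpose).items() if r.withdrawn_on is not None}

    def evidence(self, subject_id: str, purpose: str) -> List[Dict[str, object]]:
        """The five items the article says to keep, for a complaint or audit."""
        return [{"who": r.subject_id, "when": r.given_on, "how": r.method,
                 "told": r.notice_version, "withdrawn": r.withdrawn_on}
                for r in self.records if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> Dict[str, object]:
    """Constructed walk-through: consent, check, staleness, withdrawal, suppression."""
    ledger = ConsentLedger([NoticeVersion("v1", date(2018, 5, 25), date(2020, 12, 31)),
                            NoticeVersion("v2", date(2021, 1, 1))])
    who, purpose = "alice@example.com", "email_marketing"
    ledger.record_consent(who, purpose, date(2021, 3, 2), "web_form", affirmative_act=True)
    try:  # a pre-ticked box must never become a consent record
        ledger.record_consent("bob@example.com", purpose, date(2021, 3, 2), "web_form", False)
        rejected = False
    except ValueError:
        rejected = True
    before = ledger.may_process(who, purpose, date(2021, 6, 1))[0]
    stale = ledger.may_process(who, purpose, date(2023, 6, 1))[0]
    ledger.withdraw(who, purpose, date(2021, 9, 9))
    after = ledger.may_process(who, purpose, date(2021, 10, 1))[0]
    return {"before": before, "stale": stale, "after": after, "pre_ticked_rejected": rejected,
            "suppressed": sorted(ledger.suppression_list(purpose)),
            "notice_seen": ledger.evidence(who, purpose)[0]["told"]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```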

View Article
Data Protection: When to Use Opt-In Wording

Article / Updated 12-14-2021

If you are relying on the lawful ground of consent to process personal data, you generally will need to use opt-in wording to obtain that consent. In some cases, you will need explicit consent opt-in wording (if you are processing special category data, for example). If, however, you are instead relying on legitimate interests to process personal data (checking always that the ePrivacy Directive does not require consent), then you do not need opt-in, but you must offer an opt-out.

Consent is just one of the six lawful grounds for processing, so do ensure that consent is actually required or is the most appropriate ground for processing before you obtain it. You will be unable to change the grounds for processing at a later date without a very good reason, and it is almost never possible to swap to a different ground if you initially relied upon consent.

Opt-in particulars

The General Data Protection Regulation (GDPR) standard of consent requires the data subject to perform an affirmative act to indicate their consent. This means that the data subject must choose to take a clear action, such as ticking a box, to indicate consent. You cannot obtain consent using pre-ticked opt-in boxes, opt-out boxes, or other default settings that are pre-set to opt-in. Recital 32 of the GDPR states: “Consent should be given by a clear affirmative act . . . such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity should not therefore constitute consent.”

This means that tick boxes are not the only way to obtain consent — you could, for example, collect consent through an oral statement such as someone saying “Yes, I agree.”
However, it may then be difficult for you to prove you had consent at a later date.

Similarly, you do not always need to use opt-in wording. If it is obvious that people are consenting, then opt-in wording is not necessary. For example, if a website provides a box for data subjects to enter their email address to receive newsletter updates, with a button underneath saying “Subscribe” or “Sign-up,” then the act of entering an email address and clicking the button will suffice as the affirmative act. You do not also need to add opt-in wording saying “I consent to processing of my email address in order to send me newsletter updates” in this case. In the following figure, the user clearly knows that entering an email address and clicking Sign Up means consenting to being sent a daily email. You should also include a link to your Privacy Notice at the point that people enter their email address or other personal data.

If, however, you are proposing to use the personal data for more than one purpose, such as sending a free report and then sending further follow-up marketing emails or sharing the personal data with other organizations, then you should use opt-in wording and a tick box to enable the granular consent that is required by the GDPR.

Opt-ins for lead magnets

I am often asked about what opt-ins are required for lead magnets and follow-up marketing emails. Lead magnets are typically free pieces of valuable content, such as a special report or a training series, that online marketers will advertise in order to obtain the name and email address of people who are interested in the particular subject matter covered by the free content. The online marketer emails the free lead magnet to the person who has signed up, but they also want to send that person follow-up marketing about a related product or service.
My view is that in order to send the lead magnet, you do not need opt-in wording or a tick box for consent if it is clear what the person is signing up for (in the same way that it is clear that a person is signing up for the daily email). So, if, for example, my ad says “sign up for my free GDPR Checklist” and there is a box to provide the email address, I would not need a further tick box for people to signify their consent for their personal data to be processed in order for me to send them the GDPR Checklist. I would, however, need to link to my privacy notice with words such as “to see how we use your personal data, click here to read our privacy notice.”

If, however, I wanted to send follow-up marketing emails to those people who had signed up for the GDPR Checklist, I would require consent to send such emails to individual subscribers and would therefore need to add a tick box for people to provide their consent to receive the further marketing emails. The reason I would require consent to the follow-up marketing emails is because my organization is established in the European Union (EU) and therefore the ePrivacy Directive applies to me — this law (which is separate to, but sits alongside, the GDPR) requires prior consent for sending marketing emails to individual subscribers. As a result of the ePrivacy Directive requiring consent, the GDPR also requires consent. Hence, the tick box is required to obtain that consent.

If, however, your organization is established outside of the EU, the ePrivacy Directive does not apply and you may seek to rely on legitimate interests as a ground for processing the personal data for the follow-up emails. You would need to carry out a Legitimate Interests Assessment form, keep it on file, and provide the right to opt out. Note that the ePrivacy Directive is soon to be amended to expand the territorial scope to match that of the GDPR, so that if the GDPR applies to you, the ePrivacy Directive will as well.
Instead of advertising the free lead magnet, you may choose to advertise the follow-up marketing (such as the newsletter that includes details of special offers) and, as a thank you for signing up, provide people with the free content. It is possible to incentivize the opt-in, though not to the point where people are penalized for not opting in, such as by differential pricing or refusing to provide a service.

When to use opt-out wording

Opt-out wording is a message to data subjects explaining that they must take action — such as ticking a box — to object to their data being used in a certain way, such as objecting to their email address being used to send marketing emails. You should use opt-out wording (rather than opt-in wording) if you’re proposing to process personal data under the lawful grounds of legitimate interests, as opposed to consent. As an example, if you are established outside of the EU and therefore the ePrivacy Directive does not currently apply to you, you can use the legitimate-interests grounds for processing to send existing customers emails about similar products or services. In this case, you may use opt-out wording and ask people to tick the box if they want to opt out of receiving future emails. You should advise the person signing up of their right to object to the processing at any time, so that if they don’t want to opt out immediately, they can do so at any time in the future — for example, by adding the following words underneath your opt-out wording: “you may unsubscribe at any time by clicking the link at the bottom of our emails.” If you are established in the EU, you need to consider the application of the ePrivacy Directive and the soft opt-in. The following figure shows an example of opt-out wording for marketing communications that’s used whenever a new customer is providing personal data for a holiday they have just purchased.
If this organization is relying on legitimate interests as lawful grounds for processing the personal data (and, if established in the EU, the soft opt-in applies), this opt-out wording is compliant.

The ePrivacy Directive and the soft opt-in

The ePrivacy Directive is a separate law from the GDPR, and it has additional rules that apply on top of those set out in the GDPR. Specifically, it covers unsolicited electronic marketing, use of cookies, and confidentiality of electronic communications. The ePrivacy Directive was implemented into each member state's law with certain variations. In the United Kingdom (UK), it was implemented as the Privacy and Electronic Communications Regulations (PECR). PECR requires consent for unsolicited marketing by email, fax, or text to individual subscribers. An individual subscriber is a natural person, as opposed to a corporate subscriber, which is a separate legal entity (such as a limited company, LLP, Scottish partnership, or a government body). You may send unsolicited direct marketing emails and texts to corporate subscribers without consent. Note that corporate subscribers do not include businesses that trade as sole traders or partnerships.

If consent is required under PECR, then, even if you think you have other potential grounds for processing under the GDPR, your lawful grounds under the GDPR should also be consent. In these cases, you will therefore need to use opt-in wording to obtain that consent, rather than relying on opt-out wording. However, there is one instance when such consent is not required, known as the “soft opt-in” rule. In this case, you can instead rely on opt-out. The soft opt-in rule applies where:

• You have obtained the data subject's contact details in the course of the sale or negotiations for the sale of a product or service to that data subject.
• The email marketing you send relates to similar products and services only.
• The data subject is given the option to opt out at the time that their contact details are collected, and in each subsequent communication.

As such, if you want to rely on the soft opt-in (a slightly confusing name, since it actually refers to opt-out based email marketing), you need to provide opt-out wording at the point of collecting that personal data.

Explicit-consent opt-in wording

If you are relying on explicit consent when processing special-category data, you need to consider your opt-in wording even more carefully. The main difference between normal consent and explicit consent is that explicit consent wording must contain an express statement of consent. Put another way, you should explicitly use the word “consent,” rather than assume consent is obvious from the context (unlike the example of the “Subscribe” or “Sign-up” button above, which would not be sufficient for explicit consent). This means that, unlike normal consent, you cannot infer consent from a data subject’s actions, even if those actions make it apparent that the data subject is consenting. Explicit consent opt-in wording needs to state expressly those elements of the processing that require explicit consent, such as the fact that automated decision-making is being used or that special category data (such as health data) will be processed for clearly specified purposes. An electronic signature would be equally as compliant as a handwritten signature.

If, for example, you were running a health spa and collecting personal data about health matters in case a user needs urgent medical treatment, or to check that they are not allergic to any of the health treatments they will take, you would require explicit consent and would need to state the element of processing that requires the explicit consent. Your opt-in wording would therefore need to look something like the example shown.
The explicit element of the opt-in wording should be separate from any other consent you’re seeking, so in the example here, you would not be able to have one signature to consent both to the processing of the health data and to direct marketing. The processing for sending direct marketing from related third parties would require further opt-in wording and tick boxes, as shown here: If you are proposing to share personal data with third parties and those third parties need consent for their processing (for example, they plan on sending direct marketing emails to the data subjects), those third parties should be specifically named in the consent, as they are in the preceding figure. Consent isn’t valid if you ask data subjects to agree to receive direct marketing from “carefully selected partners” or another, similar generic description. Nor is consent valid where data subjects are provided with a long list of general categories of organizations.

Opt-outs and suppression lists

The GDPR provides in Article 13 that you, as a data controller, must notify data subjects about their right to withdraw consent (where consent is the lawful grounds for processing) and to object to the processing (where legitimate interest is the lawful grounds for processing). This notification is typically included within the Privacy Notice. In addition, Recital 70 states: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it’s related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” This means that the right to object (or, as it’s more commonly referred to, the right to opt out) should be set out at the point where you obtain the data subject’s details.
You cannot merely include it within your Privacy Notice or your terms and conditions, where it would be easier to miss. In practice, you could do something similar to what you see here. Here are a few other points to keep in mind regarding opt-outs:

• You must allow the data subject to opt out from all marketing activities. This includes postal marketing, email marketing, text marketing, and any other marketing you send.
• You must comply with the request to opt out as soon as possible and without charge to the data subject. You cannot, for example, insist on a data subject calling a premium-rate phone number to opt out. Incidental costs, such as the cost of an Internet provider to send an email, aren’t considered as charging for the opt-out.
• If a data subject chooses to opt out, you should add the data subject to a data suppression list. Do this rather than delete all of the data subject’s details, in order to ensure that if the data subject ends up on your marketing list again, you know not to email them. This suppression list is typically provided and facilitated by your email marketing software. A suppression list is a list of personal data about data subjects who have opted out of marketing where, rather than deleting the data subject’s personal data entirely, you retain just enough information to ensure that their preferences are adhered to in the future.
• If a data subject opts out from receiving direct marketing messages, you must not email them any direct marketing messages or ask them by email to opt in. Numerous large fines have been levied on data controllers who have sent direct marketing emails to data subjects who have previously opted out. (One example, among many, is EE Limited, a UK telecommunications provider that was fined £100,000 — approximately $122,000 USD — for sending promotional email messages to customers who had previously opted out of marketing communications.)
• If a data subject has opted out in a national list of preferences for direct marketing (held by some EU member states), don’t send direct marketing messages to that data subject. Screen these lists and cleanse your own lists of the data subjects who have opted out, before sending direct marketing communications. If you have a specific opt-in from a data subject, it takes priority over their having opted out on a national list of preferences.
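The screening step described in the last two points, as an added example written for this page (it is not code from the book or from any email-marketing product): the suppression list keeps only a keyed hash of each address and the channel opted out of, so it holds just enough to honour the preference, and a recorded specific opt-in is taken to override a national preference-list entry. The key, the sample contacts and the list contents are all constructed for the example.

```python
# Added example for this page (not from the book or any vendor's software):
# screening a marketing send against an opt-out suppression list and a
# national preference list, following the precedence rules described above.
#
# Assumptions made for the example:
# - Contacts are keyed by email address.
# - The suppression list stores only a keyed hash of the normalized address
#   plus the channel opted out of ("just enough information"), never the
#   address itself.
# - A specific, recorded opt-in outranks a national preference-list entry;
#   an opt-out on your own suppression list always wins.
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key for the example; in production it would live in a secrets
# store so the hashed list cannot be rebuilt from guessable addresses.
SUPPRESSION_KEY = b"example-key-not-for-production"

ALL_CHANNELS = "all"


def normalize(email: str) -> str:
    """Canonical form so Bob@Example.com and bob@example.com match."""
    return email.strip().lower()


def token(email: str) -> str:
    """Keyed SHA-256 of the normalized address; this is what gets stored."""
    msg = normalize(email).encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class SuppressionList:
    """Opt-outs keyed by hashed address; never holds the address itself."""
    entries: dict = field(default_factory=dict)  # token -> set of channels

    def add(self, email: str, channel: str = ALL_CHANNELS) -> None:
        self.entries.setdefault(token(email), set()).add(channel)

    def suppressed(self, email: str, channel: str) -> bool:
        channels = self.entries.get(token(email), set())
        return ALL_CHANNELS in channels or channel in channels


@dataclass
class Contact:
    email: str
    specific_opt_in: bool = False  # recorded, positive opt-in for this marketing


def screen(contacts, suppression, national_opt_outs, channel="email"):
    """Split contacts into those you may send to and those excluded (with reason).

    Precedence: own suppression list > national preference list, except that a
    specific opt-in from the data subject overrides the national list.
    """
    national = {token(e) for e in national_opt_outs}
    to_send, excluded = [], []
    for contact in contacts:
        if suppression.suppressed(contact.email, channel):
            excluded.append((contact.email, "own suppression list"))
        elif token(contact.email) in national and not contact.specific_opt_in:
            excluded.append((contact.email, "national preference list"))
        else:
            to_send.append(contact.email)
    return to_send, excluded


# Constructed sample data.
SAMPLE_CONTACTS = [
    Contact("alice@example.com"),
    Contact("Bob@Example.com"),                          # opted out of email earlier
    Contact("carol@example.com", specific_opt_in=True),  # on national list, but opted in
    Contact("dave@example.com"),                         # on national list, no opt-in
]
NATIONAL_LIST = ["carol@example.com", "dave@example.com"]


def build_suppression_list() -> SuppressionList:
    suppression = SuppressionList()
    suppression.add("bob@example.com", "email")  # opted out of email only
    return suppression


def run_example():
    """Run the screening over the constructed data and return (to_send, excluded)."""
    return screen(SAMPLE_CONTACTS, build_suppression_list(), NATIONAL_LIST, channel="email")


if __name__ == "__main__":
    send, excluded = run_example()
    print("send:", send)
    print("excluded:", excluded)
```

Because Bob opted out of email only, a postal send would not be blocked by this list; an opt-out from all marketing is recorded with the default channel.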

10 Must-Have Skills for the Data Protection Officer

Article / Updated 12-08-2021

If you’re looking to hire a data protection officer or you’re considering a new career in data protection as a DPO, this list of ten must-have skills for DPOs may prove helpful. Many company executives believe that they can hire a fairly junior IT specialist or assign the office manager (or another existing generalist staff member) to fulfill the role of DPO. This is not the case. The DPO needs to be appropriately qualified, or else you could be in breach of the General Data Protection Regulation (GDPR). The DPO doesn’t necessarily need to be a salaried employee; the position can, in fact, be outsourced. A group of companies might appoint a single DPO, provided that the person is easily accessible from each establishment. The DPO’s tasks, as defined in Article 39 of the GDPR, are listed here:

• Inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws.
• Monitor compliance with the GDPR and other data protection laws, as well as with your data protection policies, including assigning responsibilities, raising awareness, training staff involved in processing personal data, and conducting (or being consulted on) internal audits.
• Provide advice on data protection impact assessments (DPIA) and monitor performance of the project to which the DPIA relates.
• Co-operate with your supervisory authority.
• Act as the contact point for your supervisory authority on issues related to data processing.

Experience in privacy and security risk assessment

Article 39.2 of the GDPR requires DPOs to “have due regard to the risk associated with processing operations.” This reflects other risk-based provisions of the GDPR, such as the requirement under Article 24 to implement “appropriate technical and organizational measures” in order to demonstrate compliance and to maintain security of processing.
In both cases, the GDPR says the “appropriate” measures should “take into account the nature, scope, context and purposes of processing as well as the risks” to data subjects. This obligation is likely to require DPOs to provide guidance on risk assessments, DPIAs, and best practices to mitigate risks. For these reasons, it’s helpful if your DPO has a strong background in privacy and security risk assessment. A background in IT programming, IT infrastructure, and Information System audits would also be useful in order for the DPO to provide meaningful and useful guidance in risk mitigation.

Knowledge of data protection law and practices

Article 37.5 requires the DPO to be a person with “expert knowledge of data protection law and practices.” A DPO should certainly be very familiar with the GDPR and its application in practice, as well as other relevant data protection law and practice. This includes overseas data protection laws in any country where the organization has any presence. Recital 97 provides some guidance around how to determine the necessary level of expert knowledge according to:

• The data processing operations that are carried out
• The protection required for the personal data processed by the data controller or the data processor

So, for example, if your organization processes health data, your DPO would need to have knowledge of processing health data and any specific laws or regulations relating to that type of processing. The GDPR doesn’t require the DPO to be a qualified lawyer or have any formal legal qualifications.

Ability to work independently

Recital 97 states that the DPO should not have any conflicts of interest and be able to perform their duties and tasks in an independent manner — the DPO should be able to carry out their duties as they see fit, with no influence from the board of directors or other people within the organization. This necessitates a level of seniority, independence, and the ability to assert themselves.
The DPO is allowed to perform other functions within the organization, but cannot perform roles that conflict with the DPO role — such as when determining the purposes and means of data processing. An example of this would be where an Information Systems manager may want to scan everyone’s email for data loss prevention purposes, but the DPO may consider that this is not appropriate from a GDPR perspective. If you combined the Information Systems manager and the DPO into a single role, there would be an obvious conflict. The DPO must be able to be completely independent within the role. The DPO is also bound by secrecy and/or confidentiality considerations concerning the performance of their task, in accordance with applicable law.

Ability to work autonomously

Article 38.3 of the GDPR requires the data controller and data processor to “ensure that the DPO does not receive any instructions regarding the exercise of those tasks” and goes on to say, “[T]he DPO shall directly report to the highest management level of the controller or the processor.” The GDPR provides no guidance in defining “the highest management level,” but presumably the DPO should report to the board of directors, and directly to a board member. The European Data Protection Board guidance on DPOs states that: “If the controller or processor makes decisions that are incompatible with the GDPR and the DPO's advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions. In this respect, Article 38(3) provides that the DPO ‘shall directly report to the highest management level of the controller or the processor’. Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor.
Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.” Because the DPO cannot receive instructions regarding the exercise of their tasks, the person must operate entirely autonomously, which, again, requires seniority and a high level of expertise.

Ability to communicate effectively

Article 39.1 requires the DPO to cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to processing. The DPO must therefore be able to communicate effectively with regulatory authorities. A DPO of a group of companies, or one otherwise covering multiple jurisdictions, may not be able to speak the language of each supervisory authority it needs to deal with. In this case, having a DPO who speaks the language of the main market(s) is at least recommended. In addition, the DPO can, ideally, speak the language of the data subjects in order to handle requests and complaints from data subjects. Because Article 39 requires the DPO to train staff within their organization, the person also must have good communication skills in this regard.

Ability to negotiate adeptly

The DPO may be in charge of negotiating data processor agreements with suppliers and — because you want the person to achieve the best outcome for you without souring the relationship with the supplier — must therefore be a skilled negotiator.

Maintain cultural awareness and sensitivity

Because the DPO is likely to deal with data controllers, data processors, and, potentially, data subjects from different countries around the world, the person needs to have cultural awareness and sensitivity in these dealings.

Demonstrate leadership

Because the DPO is likely to be in a senior position within the organization, and because the position necessitates leading (or influencing) a diverse set of stakeholders, the DPO is likely to need solid leadership skills.
Ability to embrace change

Because risks are always changing and technology is ever evolving, a good DPO should be aware of the changing environment. Additionally, the DPO should be prepared to take quick action in embracing the changes that are necessary to respond to those risks.

Display business and interpersonal acumen

The DPO should have broad business experience and a good understanding of the industry of the data controller and processors so that they can understand how data protection can be integrated into the organization’s business functions as smoothly as possible. In addition, the DPO will likely benefit from having these personal skills:

• Integrity
• Initiative
• Organization
• Perseverance
• Discretion
• Assertiveness in difficult circumstances
• Able to resolve conflicts
• Able to build working relationships

10 Ways to Train Employees to Be Good Stewards of Data

Article / Updated 12-08-2021

Human error causes the vast majority of data breaches. This makes it absolutely essential that you, as a data controller or processor, provide all relevant staff with suitable training on data protection matters. In fact, Article 39 of the General Data Protection Regulation (GDPR) provides that the data protection officer (DPO) shall provide staff involved in processing operations with training in data protection matters. And the Information Commissioner’s Office (ICO), the United Kingdom’s supervisory authority, makes it clear that you must train your staff and continually refresh the training. The ICO states: “The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice. You should provide appropriate initial and refresher training.”

You should train all staff who have any connection with personal data, such as in these jobs or areas:

• Receptionist
• Mail clerk
• IT engineer
• Marketer or social media consultant
• Customer service representative
• Product developer
• Assistant or anyone else who sends external emails to more than one person
• Member of board of directors

Not all staff need to have detailed knowledge of the GDPR, but they should have knowledge relevant to their function within the organization. Staff who open the mail, make social media posts, or answer the phones, for example, need proper training to recognize a data subject access request (DSAR). Following are ten tips for training your staff and helping them be good stewards of personal data.

1. Understand that one size doesn’t fit all

Every organization is different, and standardized online courses are unlikely to offer the scope of training that an organization requires.
What makes more sense is to have training customized for your organization and then further customized for individual staff functions within the organization. If customized training is out of budget for you, then you may want to start with standardized training and then supplement with bespoke training relevant to particular functions within your organization (such as marketing or IT).

2. Assess individual learning styles

Assess the learning styles of each area of your workforce and decide the most appropriate medium for learning. Millennials might prefer customized digital training, for example. The board of directors, however, may benefit from face-to-face training as part of a board away day (annual sessions with training and team building exercises tailored for a company’s board members).

3. Develop engaging training

Workshop-style training in small groups is likely to engage staff much more than lecturing to them. In workshops, you can group different staff functions (such as HR, IT, customer service, and marketing, for example) so that they can discuss the issues relevant to their function. This enables each group to process deeper questions and concerns before sharing with the wider workshop any issues that are relevant to the whole organization. Some elements of face-to-face training are useful to gain the buy-in of individual staff. You want to help them appreciate the importance of data protection within the organization. What you don’t want is staff who view the training as a tick box exercise without an understanding of the consequences of non-compliance with the GDPR and the role that they can play in that non-compliance. Staff generally have differing levels of knowledge and experience in relation to data protection matters. The ability for them to be able to ask questions and have them answered individually is invaluable.
If the budget in your small organization doesn’t permit customization of training or face-to-face training, more affordable standardized online courses are, of course, better than nothing.

4. Teach the basics to all staff

All staff need to know the basics when it comes to the GDPR and data protection. This basic level of training should include an overview of these types of information:

• The necessity of the GDPR in protecting personal data
• The consequences, such as fines and reputational damage, that can result if staff don’t comply with data protection laws
• The ways in which the principles of the GDPR apply to your particular organization
• Your organization’s data protection policies and the location of hard copy or online documents

The basic training also should include:

• Practical tips on securing personal information (such as creating strong passwords, locking computers, and safely opening emails from unknown senders), sharing personal data, and recognizing and respecting data subject rights
• Information on where to obtain additional information and answers to questions

5. Provide detailed training per function

After staff understand the basics of data protection, you should offer more detailed training for different staff functions. For example, you may want to consider training in these areas:

• Customer services: These employees need to recognize DSARs and know who to pass them to within the organization for the DSAR to be responded to appropriately.
• Marketing: Employees in this department need to understand the rules around direct marketing, lawful grounds for processing (such as consent and legitimate interests), and profiling/automated decision-making.
• Product/service development: Everyone in this area must understand the principle of privacy by design and the need for data protection impact assessments (DPIAs).
• Senior leadership: Everyone “up the ladder” must understand the importance of embedding a culture of privacy in the organization and the risks of not being compliant.
• Procurement personnel: Employees who are responsible for engaging data processors must understand the GDPR’s due diligence requirements and the need for a Data Processing Agreement with data processors.
• Human resources: The HR staff need to understand the lawful grounds for processing for employee data, be able to recognize and deal with DSARs, and know the privacy rules about job applicants.

6. Train on internal systems and procedures

If employees know what the GDPR says but don’t know how to deal with it in practice, the organization is open to risk. To mitigate this risk, you must train employees on your internal systems and procedures for complying with the GDPR. Here are a couple of examples to illustrate this point:

• A staff member who opens the mail and receives a DSAR must know who to pass it to in order to ensure that it’s dealt with properly.
• If a data breach occurs, the staff member who discovered the data breach should know exactly who to contact within the organization to ensure (among other issues) that appropriately trained employees are containing the breach, dealing with the affected data subjects, and making any necessary notifications.

7. Reinforce training with reminders around the workplace

In addition to holding regular refresher training, anything you can do to regularly reinforce the message of GDPR compliance with employees is a good thing. Here are a few examples:

• Provide reminders about past training. Pin a poster in the staff break room, for example.
• Appoint data protection champions within different staff functions. Champions are responsible for answering questions from other staff and demonstrating best practices within that function.
• Offer rewards. Give refresher quizzes (both online and in person) and awards for individual or team compliance.

8. Spread out training across multiple sessions

The GDPR is a large and complex area for employees to comprehend. Rather than try to cram all the information into one session, hold a series of shorter sessions. Studies have shown that people learn, retain, and act on information in a more effective way when they receive it in smaller chunks. Having more than one training session also allows staff to attempt, between sessions, to implement what they have learned in their working environments. And they have time to formulate meaningful follow-up questions. You also need to build GDPR training into new-employee onboarding courses.

9. Encourage a culture of openness

Employees must feel comfortable, and without fear of retribution, about reporting data breaches and any other circumstances that aren’t GDPR-compliant. When employees are tempted to hide data breaches, it leads to larger repercussions for the organization, such as fines for failing to notify within the prescribed time limit. Or, if an employee is tempted to hide a DSAR after not dealing with it as quickly as required, the organization may also face larger repercussions: The data subject who sent the DSAR may complain to the supervisory authority. If the organization is investigated, it could be fined.

10. Adopt a culture of privacy

Why train your staff to consider data protection matters if a culture of privacy doesn’t exist throughout the entire organization? If you tell your staff to do one thing but senior managers dismiss the need for data protection or the board of directors shows noncompliance (for example, by failing to appoint a data protection officer (DPO) when required or to let the DPO operate independently), your staff won’t adopt data protection in practice. As Elizabeth Denham, the UK Information Commissioner, said: “Arguably the biggest change is around accountability.
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on; it needs to be a part of the company’s overall systems approach to how it manages and processes personal data. But this shift in approach is what is needed. It is what consumers expect. The benefit for organisations is not just compliance but also providing an opportunity to develop the trust of its consumers in a sustained way.”

The GDPR and Data Subject Access Rights (DSARs)

Article / Updated 07-20-2021

A Data Subject Access Request, or DSAR, is a written request made by the data subject for information they’re entitled to ask for under the General Data Protection Regulation (GDPR). Don’t confuse a DSAR with a request under the Freedom of Information Act (FOIA) or similar legislation in other jurisdictions where data can be requested from a public authority.

Key changes to DSARs under GDPR

European Union (EU) data subjects were able to submit DSARs to data controllers under previous data protection legislation, but the GDPR introduces three notable differences to the DSAR process:

• You aren’t allowed to charge a fee except in limited circumstances.
• You must respond to the DSAR within 30 days. (The pre-GDPR time limit in the United Kingdom was 40 days.)
• You must provide the data in electronic form wherever possible.

Data subjects may request the following items from the data controller:

• Confirmation that you’re processing their personal data
• Copies of their personal data, but not of data relating to other people
• Other mandatory information as specified at Article 15(1) of the GDPR, such as the purposes of the processing, the categories of personal data being processed, the recipients (or categories of recipients) to whom you disclose their personal data, and how long you will store their data

Regarding the “other information” mentioned in the last bullet in the list, you may have already provided this information in your Privacy Notice.

Amending the data

Data is often transient and is being updated continuously. So, what do you do if the data has changed from when you receive the request to when you’re ready to send out your response to the request? Generally, the relevant time point from which to send data is the time the request was received. If the personal data is being amended or deleted while you’re dealing with the request, however, you may send the data that you hold at the point you send the response.
What you absolutely must not do is delete data that you don’t want to supply to the data subject. Under the United Kingdom's Data Protection Act 2018 (and other, similar European legislation), it’s an offense to amend requested data to prevent its disclosure, punishable by an unlimited fine. Section 173(3) of the UK’s Data Protection Act 2018 states, “It is an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” However, section 173(5) goes on to say: “It is a defence for a person charged with an offence under subsection (3) to prove that (a) the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or (b) the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.”

Responding to a DSAR

In your response, you must provide the data in concise, clear language that the average adult person (or average child, if the request relates to a child) can understand. If the data is in some way encoded, you must provide a key to the code so that the data subject can interpret the data. However, if the data subject doesn’t understand the language you respond in, you aren’t obliged to provide a translation. If a request for a DSAR is made electronically, you should make the requested data available in a commonly used electronic format, unless the data subject has requested otherwise. Recital 63 of the GDPR recommends that you should, where possible, provide remote access to a secure, self-service system providing direct access to the relevant data, as long as this doesn’t adversely affect the rights and freedoms of others, such as trade secrets or intellectual property.
The UK’s Data Protection Act 2018 has special provisions relating to data held by credit reference agencies. Unless otherwise specified, a DSAR to a credit reference agency applies only to information relating to the individual’s financial standing. Credit reference agencies must also inform individuals of their rights under section 159 of the UK's Consumer Credit Act 2006.

Disclosing data that includes information about other people

Under the UK’s Data Protection Act 2018, you don’t have to comply with the DSAR if you would have to disclose information about another identifiable person, except if that other identifiable person has agreed to the disclosure or you can reasonably comply with the request without that person’s agreement. Similar legislation applies in other EU jurisdictions. Concerning whether it’s reasonable, you need to think about these factors:

  • The type of data you would be disclosing
  • Any duty of confidentiality owed to the other person
  • Whether you have sought the agreement of the other person
  • Whether the other person is capable of giving agreement
  • Any express refusal of agreement by the other person

The crux here is to balance the rights of the data subject making the request with the rights of the other person — often, a difficult exercise. In these instances, I highly recommend that you carefully document your decision and your decision-making process and keep it on file.

You cannot refuse to provide data merely because it was obtained from another person. Only when the data inextricably involves the data of another person can you refuse to disclose it on this ground.

Regarding processors and DSARs

A data processor is a third party who processes personal data for you under your instructions. If one of your data processors receives a DSAR relating to personal data for which you’re the data controller, the data processor must pass that DSAR to you as soon as possible.
Your Data Processor Agreement should include provisions obliging the processor to pass the DSAR to you as soon as possible. See Chapter 5 for details about data processors, and Chapter 10 for more on Data Processor Agreements. I advise also having suitable contractual provisions between you and your processors obliging them to assist you with a DSAR (or any other data protection rights). You cannot fail to respond, or request a time extension, on the grounds that data was unavailable because a data processor failed to act in a timely manner.

Exemptions to data being provided as part of a DSAR

Specific EU member state legislation provides for certain exemptions to the data you need to disclose in response to a DSAR. Schedule 2 of the UK’s Data Protection Act 2018 provides a number of exemptions, including:

  • Legal professional privilege during legal proceedings or confidentiality between a legal advisor and a client.
  • Self-incrimination.
  • Corporate finance, where compliance is likely to affect the price of corporate finance instruments or would adversely affect a person's decision in relation to corporate finance.
  • Management forecasting or management planning of an organization, to the extent that disclosure would be prejudicial to such forecasting or planning.
  • Negotiations with the data subject, if such disclosure would be likely to prejudice negotiations with the data subject. This relates only to the negotiations themselves and not to the underlying claims that are the subject of the negotiations. After the negotiations are complete, this exemption no longer applies.
  • References for education, training, or employment of the data subject, the placement of the data subject as a volunteer, the appointment of the data subject to any office, or the provision by the data subject of any service.
  • Copies of written exams/exam scripts and exam marks.
  • Journalistic, academic, artistic, and literary purposes.

Other EU member states may have different exemptions.
If you can’t determine whether you need to comply with a DSAR (or any other request from a data subject), consider contacting your supervisory authority for guidance, or even a GDPR lawyer or consultant.

Responses to a Data Subject Access Request

Though a DSAR can be quite legitimate, many are used as fishing expeditions or to uncover confidential HR procedures regarding redundancy and discipline. You, therefore, must be able to respond to a DSAR in accordance with the law but also in a sensitive manner. If you have employees within your organization, I recommend that you

  • Identify one person within your organization who will be responsible for handling DSARs. This is a job for the Data Protection Officer, if you have one; if you don’t, choose another suitable employee.
  • Put in place a DSAR handling policy for all staff, and train relevant staff how to respond to DSARs. Remember to include the receptionist, the mail carrier, and the social media team.
  • Train all staff on how to recognize a DSAR. Emphasize the importance of forwarding the DSAR to the employee who has DSAR responsibility.

The flowchart shown here has steps for dealing with a DSAR.

Search for relevant personal data

If you have not yet conducted a data mapping exercise, you must carefully consider where all the personal data is that you hold on the data subject. The data may be stored electronically, on a central server, on a memory stick, in the cloud, or on a hard drive. It might also be in hard-copy paper records. If paper records are in a filing system, the GDPR applies to them. Personal data may be included within emails, word processing systems, telephone records, payroll systems, or CCTV.
