What Procrastinating Publishers Need to do to Get GDPR Compliant Before May 25
It's not surprising that GDPR articles are hot on our site right now. We wanted to surface this post again for those still working on their GDPR game plan. Also check out A Guide to GDPR Compliance for Marketers by our sister publication Target Marketing, as well as How To Prevent a Customer Data Breach Disaster ... and What To Do When You Fail.
On May 25, 2018, more than 500 million citizens of the European Union will come under the protection of the General Data Protection Regulation (GDPR). But you’re a North American publisher, so why should you care what they get up to on the other side of the pond?
Mainly because the G in GDPR might as well stand for “global.”
The new law protects European citizens wherever they are, and it applies to anyone doing business with them and holding their data. That means you. Mishandle the personal information of any European citizen and the EU’s data cops can come knocking at your door threatening business-busting fines.
A month is not a long time to get yourself ready for a complex set of rules that have been heading your way for a full two years. Now really is the time to stop procrastinating and get yourself on the right side of GDPR.
What is the Point of GDPR?
The new regulations were approved by the EU Parliament in April 2016 after four years of debates, negotiations and drafts. They replace outdated non-binding directives drawn up in the 1990s with a binding legislative act, harmonizing data privacy laws across Europe and making them legally enforceable.
In an increasingly data-driven world, the aim of ‘the most important change in data privacy regulation in 20 years’ is to protect EU citizens from privacy and data breaches.
The biggest revisions include:
GDPR extends the scope of European data protection regulation, bringing in all companies processing the personal data of European citizens, regardless of whether data processing takes place in the EU or not. It’s not just subscriber data you need to worry about; if you have Europeans registered for free email newsletters or e-book downloads, that counts too.
Raising the Bar for Consent
GDPR forces companies to be clear, in simplified user agreements, about what they are asking to do with customer data. And it must be as easy to withdraw consent as it is to give it. The Facebook user agreement, said to ‘suck’ by Senator John Kennedy earlier this month, probably wouldn’t cut it.
Scope of Data Covered
GDPR covers any information related to a “data subject” (a person to you and me) that can be used to directly or indirectly identify them. That includes names, a photo, an email address, bank details, posts on social platforms, medical information, computer IPs, cookies or ad identifiers. Basically, any data associated with an individual.
For the most serious infringements of GDPR, such as not having sufficient customer consent, the maximum fine is 4% of annual global turnover or $24 million. Lesser infringements, such as not having records in order or failing to notify authorities and customers about a data breach, can still bring fines of 2% of revenues. Those are definitely significant penalties.
Is Everyone Else Ready for GDPR?
If you haven’t even looked at GDPR yet, don’t feel too bad — you’re absolutely not alone.
We might be fast approaching two minutes to midnight on the GDPR Countdown Clock, but as of mid-March, two-thirds of brands around the world were still not compliant, according to the Irish Development Agency.
Regulatory news and comment website GDPR Report says it’s worse than that. It reported in January that almost 90% of UK businesses are confused about GDPR, 75% of Irish firms are not ready, only 2% of German companies are ready and French CIOs are ‘far from ready’.
In this context, the EU is going to focus on compliance at big European or multinational companies with sizeable European operations first.
Earlier this month, the UK's information commissioner, Elizabeth Denham, told Wired her organization will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven't made any effort.
But just because you’re not alone and the EU is unlikely to come after every Midwest B2B publisher right out of the gate, ignoring GDPR is not a great option. Even if you don’t prepare perfectly and you don’t get your collar felt right away, being able to show that you have made a real effort to become compliant will help your defense if the authorities ever do come knocking.
What You Need to Do
Any publisher that already complies with the broadly accepted principles of data protection — and that really should be everyone — is likely to be pretty close to meeting many of the GDPR principles.
But this is the biggest data legislation change in 20 years, and it does run to 99 separate Articles, so there are some things that you should definitely double check.
Before I suggest those, I need to tell you I’m no GDPR legal expert (I’d be making way more money if I was). What follows is a common-sense summary of what I’ve read about GDPR. If you’re worried, consult your legal counsel.
1. Make GDPR Someone’s Problem
It’s a good idea to make sure that anyone who handles data in your organization is aware of GDPR and its implications. It’s more important still to designate someone to own your GDPR compliance efforts. Only organizations of a certain size need to formally appoint a data protection officer, but every business should have someone who takes responsibility for making sure you follow best practices for GDPR compliance.
2. Document Your Data
You can’t get compliant if you don’t know what data you’ve got, how it’s stored and who you share it with. GDPR requires you to maintain records of your processing activities, and effective documentation is evidence that you have made the effort to comply with the GDPR’s accountability principle, with effective policies and procedures in place.
3. Update Your Small Print
Review your current privacy notices, make sure your organization is clearly identified and state how you intend to use any personal information collected and how long you will hold it for. GDPR says the wording of these statements must be concise and easy to understand. You also need to explain your “lawful basis” for processing user data; for example, that they have given you consent. Saying you have someone’s data because you want to do business with them is probably not a valid lawful basis.
4. Prepare for Personal Requests
You need to put procedures in place to protect individual rights, including the right to access, amend and delete data held. Figure out how you are going to handle a request from someone to erase their data or supply a copy of the personal information you hold on them. You need to provide this free of charge within a month, and in a commonly used format.
5. Get Consent
Under GDPR, consent to process personal information must be freely given, specific, informed and unambiguous. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Requests for consent must also be separate from other terms and conditions, and it must be easy for people to withdraw it. You don’t automatically need to refresh all existing consents, but if they don’t meet the GDPR standards you should review your forms and seek fresh GDPR-compliant consent.
6. Be ready for breaches
GDPR introduces a duty upon all organizations to report certain types of data breaches to the authorities and, in some instances, to the individuals if their rights are affected. You must have procedures in place to detect, report and investigate personal data breaches. Failure to report a breach could result in a double fine — one for the breach and one for the failure to report.
If you want a good, comprehensive list of things to focus on, have a look at The GDPR Checklist from Belgium. It’s a good, no-frills GDPR list of things to do to get compliant, with some useful explanations of terms. As the site says, it’s far from a legally exhaustive document, but it does try to help you overcome the GDPR struggle.
Embrace the GDPR Opportunity
GDPR is a scary prospect when you view it through the lens of fines and enforcement. But you can also see it as a real opportunity to build trust in your publishing brands.
It’s a chance to get in touch with your customer base and let them know you care about their data at a time when lots of people are thinking about it. And you can use the customer contact to restate the importance of the value exchange between you and your audiences — your quality content for their precious personal information.
Longer term, publishers should acknowledge that GDPR is merely a stepping stone into a larger trend where consumer consent and user-controlled data are the norm. This is just the first step in proving you are responsible, secure and ethical custodians of user data.
Peter Houston runs Flipping Pages Media, an independent consultancy and training firm helping publishers build multi-platform success. He has run Guardian Masterclasses, spoken at Google’s ThinkPublishing and was formerly Editor-at-large for The Media Briefing. He now co-hosts the Media Voices Podcast, delivering a weekly take on the media news and guest interviews with senior players at leading media organizations, from Facebook to Nieman Lab, The Economist to CNN.