Learn how the General Data Protection Regulation (GDPR) affects your blog, including the definition of personal data, responsibilities under GDPR, and steps to ensure compliance.
GDPR: How Does “Privacy” Impact My Blog?
Mitchell Williams
What is GDPR?
• General Data Protection Regulation (effective May 25, 2018)
• Unlike the US, which prioritizes the business benefit, the EU treats privacy as an individual’s fundamental right
• The EU approach to privacy places the burden on business to ensure individual privacy is protected
• GDPR was implemented in response to EU citizens’ desire to have more control over their data
• Harmonizes 28 national data protection regulations into a unified code across the European Union
• Applies to all organizations holding and processing EU residents’ personal data, regardless of geographic location
Who Are the Players?
• Data Subject: the natural person the personal data is about (the individual reader or follower)
• Data Controller: the entity that determines what personal data is collected and why and how it is processed (the blogger)
• Data Processor: the entity that processes the data on behalf of the Data Controller (the blogger’s business partners or vendors)
What is “Personal Data”?: Part 1
• GDPR broadens the scope of personal data to include any information relating to an identified natural person, directly or indirectly, by reference to an identification number, location data, an online identifier or a factor specific to his or her physical, physiological, mental, economic, cultural or social identity
  • Name, address or email address, DOB, location data from browser history
• Now incorporates online identifiers and device IDs
  • Cell phone IDs, IP addresses, cookie information, photos, audio/visual formats, financial transaction information, login credentials, browsing history, social media platform posts and user names
• Your tools or website host may collect and store location data or online identifiers even if you do not hold this information directly
What is “Personal Data”?: Part 2
• Blog post comments (name, email, IP)
• Traffic statistic plugins and tools (e.g. Google Analytics)
  • When cookies can identify an individual via their device, the data is considered personal data under GDPR
  • Aggregated traffic statistics do not involve personal data because the reader is not identified
• Third party hosted services
  • Even if data is stored externally with a third party (e.g. MailChimp), the data still runs through your site and requires GDPR compliance
• Email signup forms
• Contact forms
What is Processing?
• Applies to all organizations holding and processing EU residents’ personal data
• For Controllers/Processors not established in the EU, processing personal data of EU residents includes activities related to
  • “monitoring” the “behavior” of EU data subjects
  • Offering goods or services to “data subjects in the Union,” even when the goods and services are offered for free
• EU regulators have strongly implied that blogging is an information “service”
What Personal Data Do You Have and What Happens to It?
To adequately protect and use personal data in compliance with GDPR, you need to know
• What personal data do you have?
• What do you do with the personal data?
• Where or to whom does the personal data go?
• How is the personal data being protected (by you and others)?
• How long is the personal data being kept (by you and others)?
GDPR requires data controllers to have a data inventory and a map of data flow along the information life cycle
Data Mapping
Track personal data from beginning to end
• Identify all the types of personal data collected (name, email, etc.)
• Identify all the ways information is being collected on site visitors (the information you ask for in forms, etc., AND the information that may be collected by your systems)
• Create a list of apps, software and plugins that are currently collecting information about readers (e.g. email list, comments software, security plugins, etc.)
  • Each plugin needs to establish and communicate its own data flow regarding the processing of personal data
• Identify internal data flow regarding processing of personal data
What Are Your Responsibilities Under GDPR?
• Ensure the processing of personal data is lawful
• Collect only the minimum amount of personal data needed to accomplish the stated purposes
• Take reasonable steps to make sure the personal data collected is accurate and up to date
• Ensure all personal data is processed securely
• Hold personal data only as long as needed to accomplish the stated purpose
• Ensure the processing of personal data is transparent
Creation and Collection of Personal Data Under GDPR: Part 1
Ensure the processing of personal data is lawful
• There are five ways a lawful basis exists under GDPR; if no lawful basis exists, express consent is required
• Consent must be “freely given, specific, informed and unambiguous”
  • Require an affirmative action (no pre-checked boxes, inactivity or links to a long “terms and conditions” document)
  • Clearly identify the purpose of processing
  • Data collected for one purpose cannot be repurposed without further consent
  • Language should be clear, plain and easy to find (don’t bury it in a notice)
  • Avoid making consent to processing a precondition of service
• Evidence of consent must be maintained for compliance purposes
  • Double opt-in options within management tools will also usually give you a means of demonstrating when consent was given
• If you can’t prove your previous consent was freely given, specific, informed and unambiguous, then you may want to reconfirm your consents
Creation and Collection of Personal Data Under GDPR: Part 2
Collect only the minimum amount of personal data needed to accomplish the stated purposes
• GDPR requires businesses to communicate the purposes of processing to data subjects (typically, in a privacy notice)
• Companies must limit personal data collection, storage and usage to the data that is relevant, adequate and necessary to carry out the stated purpose
  • If you are collecting information for an email subscription, is it necessary to collect information other than name and email address?
  • If you are analyzing purchasing trends, is it necessary to keep a credit card number?
• Stop collecting data when it is not necessary
• Data minimization reduces the risk to a business in the event of a breach: you cannot be responsible for information you do not hold
Maintenance and Destruction Under GDPR: Part 1
Take reasonable steps to make sure the personal data collected is accurate and up to date
• Risks to individuals’ data privacy increase when information is inaccurate
• Obligation to address inaccuracies without delay
• Have a process in place to manage opt outs and for data subjects to access their own information
  • This means all their comments, form entries, review requests, etc.
  • Your email service provider may be able to help you manage opt outs
• Email addresses that regularly bounce back from your mailing list should be removed
Maintenance and Destruction Under GDPR: Part 2
Ensure all personal data is processed securely
• Protect against unauthorized or unlawful processing and against unauthorized access or disclosure
• “Appropriate technical and organizational measures” should be proportionate to the sensitivity of the data you collect and the risk to individuals in the event the data is disclosed
  • Use encrypted connections for your blog
  • Password protect any files that contain personal data
  • Keep plugins up to date and delete those not used
  • Use security software
  • Don’t store personal data on a portable device
  • Don’t share system login details
Maintenance and Destruction Under GDPR: Part 3
Hold personal data only as long as needed to accomplish the stated purpose
• “Right to be Forgotten”: data controllers must erase personal data “without undue delay” if the data is no longer needed
• Investigate any legal obligations you may be subject to in regards to retention of information
• Create a retention policy and STICK TO IT
• The value of data often stems from the timeliness and accuracy of the information; there is no need to hang on to it forever
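The consent-evidence, opt-out/bounce and retention points from the three preceding slides (Part 1 of the collection section and Parts 1 and 3 of the maintenance section) are mechanical enough to show in code. The following is an added example, not code from the presentation or from any mailing-list product it mentions: a small in-memory consent ledger for a blog mailing list that records double opt-in evidence (who consented, when, from which form, for which purpose), refuses to send for a purpose other than the one consented to, honours withdrawals, drops addresses that keep bouncing, and erases records under a fixed retention policy. The class, field names, thresholds and sample addresses are all assumptions chosen for illustration.

```python
"""Added example, not code from the slides: a consent ledger for a blog
mailing list. Keeps double opt-in evidence, honours opt-outs, removes
repeatedly bouncing addresses, and enforces a retention policy. Class,
field names, thresholds and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class Subscriber:
    email: str
    purpose: str                 # the single stated purpose this consent covers
    signup_at: datetime          # when the affirmative action (form submit) happened
    source: str                  # where consent was given, e.g. the form URL
    confirm_token: str           # secret sent in the double opt-in email
    confirmed_at: Optional[datetime] = None   # set when the token comes back
    withdrawn_at: Optional[datetime] = None   # set when the subject opts out
    bounce_count: int = 0
    last_activity: Optional[datetime] = None  # anchor for the retention clock

    def __post_init__(self) -> None:
        if self.last_activity is None:
            self.last_activity = self.signup_at


class ConsentLedger:
    def __init__(self, retention: timedelta,
                 confirm_window: timedelta = timedelta(days=7),
                 max_bounces: int = 3) -> None:
        self.retention = retention              # erase after this much inactivity
        self.confirm_window = confirm_window    # unconfirmed signups expire after this
        self.max_bounces = max_bounces
        self.records: dict[str, Subscriber] = {}

    def signup(self, email: str, purpose: str, source: str, now: datetime) -> str:
        """Record the affirmative action; consent is not evidenced until confirmed."""
        token = secrets.token_urlsafe(16)
        self.records[email] = Subscriber(email, purpose, now, source, token)
        return token  # in practice this goes out in the confirmation link

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Second step of double opt-in: the token proves control of the mailbox."""
        rec = self.records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.signup_at > self.confirm_window:
            return False  # stale signup; purge() will erase it
        if not secrets.compare_digest(rec.confirm_token, token):
            return False  # constant-time compare, wrong token
        rec.confirmed_at = now
        rec.last_activity = now
        return True

    def withdraw(self, email: str, now: datetime) -> None:
        """Right to withdraw consent at any time: stop sending, erase on next purge."""
        rec = self.records.get(email)
        if rec is not None:
            rec.withdrawn_at = now

    def record_bounce(self, email: str) -> None:
        rec = self.records.get(email)
        if rec is not None:
            rec.bounce_count += 1

    def may_send(self, email: str, purpose: str) -> bool:
        """True only for confirmed, non-withdrawn, deliverable addresses, and only
        for the purpose the subject consented to (no repurposing without new consent)."""
        rec = self.records.get(email)
        return (rec is not None and rec.confirmed_at is not None
                and rec.withdrawn_at is None and rec.purpose == purpose
                and rec.bounce_count < self.max_bounces)

    def consent_evidence(self, email: str) -> Optional[dict]:
        """The record you would produce if asked to demonstrate consent."""
        rec = self.records.get(email)
        if rec is None:
            return None
        return {"email": rec.email, "purpose": rec.purpose, "source": rec.source,
                "signup_at": rec.signup_at, "confirmed_at": rec.confirmed_at,
                "withdrawn_at": rec.withdrawn_at}

    def purge(self, now: datetime) -> list[str]:
        """Enforce the retention policy; returns the erased addresses, sorted."""
        erased = []
        for email, rec in list(self.records.items()):
            expired_signup = (rec.confirmed_at is None
                              and now - rec.signup_at > self.confirm_window)
            stale = now - rec.last_activity > self.retention
            if (expired_signup or rec.withdrawn_at is not None
                    or rec.bounce_count >= self.max_bounces or stale):
                del self.records[email]
                erased.append(email)
        return sorted(erased)
```

Note that `purge` is the only place records are deleted, so running it on a schedule is what turns the written retention policy into the "stick to it" the slide asks for; `consent_evidence` is what you would export when asked to show that a given address consented, when, and to what.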
Transparency Under GDPR
Ensure the processing of personal data is transparent
Privacy Notice
• If you are collecting data from someone, you have to provide them notice at collection
• Must be easy to understand and accessible
  • Use active tense
  • Bullet specific points
  • Avoid technical terminology
• Should not be subject to a purchase
What Should My Privacy Notice Include?
• Name and contact details of your organization, including your Data Protection Officer
• Why you are processing personal data and the legal basis you have to do so
• The legitimate interests of the organization (or third party, where applicable)
• Recipients of any personal data
• Details regarding transfer of personal data to another country and the safeguards used
• Retention period
• Identify the data subjects’ rights
  • Right to withdraw consent at any time
  • Right to file a complaint with a supervisory authority
• Existence of, and information regarding, any automated decision-making system
Privacy Notice Checklist
• What data do we collect?
• How do we collect your data? (Or what other sources do we collect data from?)
• How will we use your data? (And how will we share your data?)
• How do we store/protect your data?
• How long do we keep your data?
• What are your data protection rights?
• What are cookies?
• How do we use cookies?
• What types of cookies do we use?
• How can you manage your cookies?
• Privacy policies of other websites
• Changes to our privacy policy
• How to contact us
• How to contact the appropriate authorities
Cookies Policy
Requires consent: provide notice to the user as soon as they land on your site.
Policy can be included in the privacy notice; include a link in your consent.
Take into account your own use of cookies and those set by third parties on your website.
Read your third party services’ cookie policies to find out what cookies they may be using on your site.
Include
• What are cookies?
• How do we use cookies?
  • What data they track
  • For what purpose (functionality, performance, statistics, marketing, etc.)
  • Where the data is sent and with whom it is shared
• What types of cookies do we use?
  • What types of cookies are set
  • How long they persist on your user’s browser
• How can you manage your cookies?
  • How to reject cookies, and how to subsequently change the status regarding the cookies
Consequences of Non-Compliance
• GDPR authorizes regulators to levy hefty fines and penalties in a two-tiered approach
  • Higher tier fines: GREATER of 20 million pounds or 4% of worldwide annual revenue for the prior financial year
  • Lower tier fines: GREATER of 10 million pounds or 2% of worldwide annual revenue for the prior financial year
• Fines are not compounded for multiple violations arising from the same incident: the total fine cannot exceed the fine for the gravest violation
Sample Privacy Notice
• The International Association of Privacy Professionals has a sample privacy notice builder available at https://iapp.org/resources/article/consumer-privacy-notice-template/