A Common Sense Approach to GDPR Prep


“What are all these GDPR emails filling up your inbox?” -- The Guardian

“GDPR: What It Is and How Might it Affect You?” -- The Wall Street Journal

“Is There Life After GDPR?” -- Forbes

“GDPR: A boon for privacy or choking regulation?” -- ZDNet

You’re forgiven if you feel a little overwhelmed when trying to figure out what you need to do about GDPR. But like any regulation -- and we’ve seen it with CASL and AODA compliance alone in this neck of the woods -- there is going to be confusion, panic, and, of course, more than a few vendors of snake oil who will perpetuate the “sky-is-falling-ness” of the situation to turn a profit.

So let us be the voice of reason. Yes, GDPR is something with which you need to concern yourself. No, it’s not new (the EU Parliament approved it in April 2016, and May 25, 2018 is the day it comes into effect). Yes, you should be prepared. No, you’re probably not likely to face hefty fines or get sued (despite headlines that state you “could run the risk of fines of up to 4% of global revenue”).

So what is GDPR? It’s the General Data Protection Regulation. Essentially, it’s legislation designed to bring all European Union countries into alignment on data privacy. The thing is, even if you’re not based in the EU, GDPR applies to you if you:

  • Offer goods and services to EU data subjects (a horrible way to refer to people, but…)
  • Monitor behaviour of EU data subjects, and/or
  • Process or hold personal data of data subjects residing in the EU -- regardless of your location.

Even if you’ve managed to completely avoid the EU, this type of legislation is coming. Australia and China are in the process of developing similar laws. And, realistically, it’s only a matter of time until we have something like this in North America.

There’s already been a lot of discussion about how companies should prepare. Much of it focuses on a couple of key areas:

  • Revising legal wording, terms and conditions, or privacy policies; and
  • Updating websites to ensure that users have a clear and distinct opt-in for every use of data.

But what’s often less talked about -- and equally, if not more imminently, important -- is the simple question of how you reply to a request to access or remove personal information.

After all, while it’s ultimately your responsibility as a company, the fact is that you may not be the one holding that data. It could be that your digital service provider has set that up for you. Either way, you need to know what to do.

With GDPR, people are given right of access, which means that they can request from you:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information (mostly the information provided in your privacy notice).

Regardless of the time frame (currently, you’ll have 30 days to reply), do you know how to gather that information? If you were asked today, would you be able to provide it?

The old adage states an ounce of prevention is worth a pound of cure, so I’d recommend working with your IT team and digital provider on coming up with a process -- and then ensuring everyone is aware of it!

And I’m not just talking about your tech-focused people: you could receive a request through your customer service staff, so they need to be aware of what to do as well.

The Drupal community is already working on helping with this solution with modules like this one. However, every organization will still need to decide who is responsible for installing and testing that module. And, if they do receive an SAR, what’s the process and who is responsible for acting upon it?

Realistically, you may not see a request for a while. But if you have significant interests in the EU you may run into a situation where you get multiple requests. So having that process is just one step -- ensuring that it’s scalable is another.

You’re not in this alone. As with most of these protocols, the goal is not to be punitive, but rather collaborative. Just like in the early CASL days there are those who are going to want to profit from panic. Take a moment, review your situation, and make positive change. If you need help or advice, feel free to reach out to us.

At the end of the day, this legislation is designed to put control of one’s information where it belongs -- in the hands of the users. And that’s a good thing.
