There's a reason that there are so many blogs and resources circulating around as people try to make sense of the new EU GDPR requirements – it's a substantive regulation with many demands and nuances.
With the financial penalties of failing to correctly comply with the GDPR —fines of up to €20 million or 4 percent of global annual turnover— you don't want to be on the wrong end of the learning curve. We've already explored that there may be financially debilitating consequences for those businesses that make big mistakes in how they approach GDPR – or who just do nothing and expect that they'll be able to fly under the radar.
So let's take a look at a few more things you need to know about the new requirements you'll be facing as you pursue GDPR compliance.
In a post-GDPR business landscape, there will be specific criteria for what you can and can't do with the data of EU citizens based around the concept of consent. In order to collect and manage certain types of data, different levels of consent are required. For non-sensitive personal data, "unambiguous consent" is required, and for sensitive data (like medical or mental health data), "explicit consent" is required.
What is the difference? There have been ongoing debates about exactly where the line is drawn between "unambiguous" and "explicit," with some experts teasing out the subtle but important distinction which may determine how a business builds out a form on its website in order to confirm consent.
But whether the type of consent you need to get from a user is "unambiguous" or "explicit," you're going to need to really get it. That is to say, the practice of burying consent in an extensive list of terms (which will most likely go unread by a layperson) is not allowed under the GDPR. The form used to get consent from a customer must be clear and easy to understand.
Two of the major principles of GDPR – and two places where companies run the risk of getting things wrong – are Privacy By Design and Privacy By Default.
Privacy By Design means that a system must be built out at every step of its implementation and deployment with issues of data privacy taken into consideration. And Privacy By Default means that when a user logs on, their data is protected, by default, at the highest level possible (rather than their having to go in and change a setting to benefit from full privacy protections).
Tracking and being able to demonstrate these concepts will emerge as a big part of GDPR compliance, so auditing your systems and seeing where they might fall short – or making certain that third-party vendors you work with are doing so – is a critical step to take, sooner rather than later.
Our dependence on enterprise technology has gotten us accustomed to a certain level of automated decision-making. We don't think too much about having decisions pertaining to the kind of marketing materials we receive, our chances of getting a job interview and so on being made by algorithms. And from the business end, sometimes we run these sorts of automated assessments as a matter of routine. I talk a bit more about this, and how we're handling it here at SpringCM, in the video below.
As I mentioned in the video, under GDPR, EU citizens have a right not to be subjected to automated decision making unless it is required for mutually entering into a contract, if it is necessary to prevent fraud or tax evasion or if the user explicitly consents to their data being used in that fashion.
The basis of this requirement is the idea that no EU citizen should have a potentially significant decision with a negative impact made without human eyes on it. This extends to many areas such as judging work performance and financial situations.
So if any of your business operations depend on this kind of automation, it will be necessary to determine a way to excuse EU citizens from the automated elements of the process.
With such substantial changes – and such significant penalties – coming down the pike, U.S. businesses doing even tangential business in the EU may already be feeling confusion and uncertainty.
But being prepared, and working with vendors who are likewise making GDPR readiness a top priority, can make doing business under GDPR with full compliance feel like business-as-usual by the time the May 25, 2018, deadline rolls around.
Editor's Note: This post was originally published in August 2017. It has been updated for accuracy and comprehensiveness.