The GDPR is effectively changing the way business is conducted around the world, with massive implications on global ecommerce. Our team of compliance experts have spent the year preparing for its May 2018 enforcement. Since the regulation was passed in 2016, we have received a lot of questions about how we are preparing and have been asked to pass on lessons we have learned along the way. So, we packaged up the most frequently asked questions to help companies in their data protection journey.
Be sure to listen to our on-demand GDPR webinar first, and then turn to this post for answers to your lingering questions.
Want to read the full regulation? You can find it here.
General questions
Q: What steps is Digital River taking to prepare for the GDPR?
A: At the start of our GDPR journey, we did our own internal risk assessment before engaging an outside law firm to provide a gap analysis of this assessment. Since this time, we are actively evaluating the requirements of the regulation. For example, we made sure to review all platforms and data segments to ensure basic privacy principles are met. In essence, we have a formal GDPR program, reaching all the way to our top leadership teams.
Q: How do you ensure the GDPR implementation at your company is not contained solely within legal and compliance teams but is a more company-wide initiative?
A: The GDPR implementation should be thought of as a global program that crosses every segment of your company. Relying on top leadership support can help ensure it’s given the attention needed. We use leadership teams to help coordinate work streams throughout Digital River, as needed.
Q: What steps can smaller businesses take if they don’t have resources to pay an expert to prepare for the GDPR?
A: There are a number of really useful resources that a company can refer to. For example, the European Commission’s website includes practical questions and answers for how to prepare for the GDPR (such as, “how should a company handle requests from individuals exercising their data protection rights?”). A company can complete its own assessment using a checklist approach, based on each GDPR Article. This site also outlines the GDPR in an easy-to-read, neatly arranged format. A company should feel confident that it has good data handling practices in place, not just to prepare for the GDPR but also to demonstrate its commitment to data protection, security and compliance generally.
Q: How will a company know if it’s ready for the GDPR?
A: Generally speaking, a company should read and understand each Article, including the Recitals, to confirm whether it meets its requirements. And any decisions made should be well-documented. As of the date this was published, there is no GDPR certification to demonstrate compliance. However, there are other compliance frameworks (such as, Privacy Shield, Binding Corporate Rules, ISO, etc.) that could demonstrate a company’s commitment to privacy, security and compliance. A company also could consider steps it would need to take to attain a certification once it becomes available.
Q: Does the U.S. federal government support or oppose the GDPR as potentially having a substantial impact on U.S. business?
A: It doesn’t seem like there’s any direct opposition to the GDPR. But, the U.S. Department of Commerce does have an interest in ensuring businesses operating in the U.S. can continue to do business in Europe. Certain states within the U.S. are trending towards giving greater protections to individuals (e.g., NY State Cybersecurity Regulation, which includes a number of security and privacy requirements to help protect individuals). There also are a number of statutes and regulations within the U.S. that are intended to protect individuals’ personal information (for example, FDA, FTC, SEC, DHHS OCR, HIPPA, GLBA, etc.). So, in this way, the U.S. isn’t necessarily opposing data protection legislation such as the GDPR, while remaining consistent in focusing on responsible use of personal information by businesses.
Enforceability date
Q: Is there any grace period for enforcement of the GDPR?
A: The GDPR was approved by the European Parliament in April 2016, and that was followed by a two year transition period that ends 25 May 2018. There’s no further grace period following this date. Additionally, the GDPR is a Regulation and not a Directive. A Directive must always be transferred into local law, but a Regulation applies directly across all member states.
Data subject rights
Q: How will I know whether my business touches data subjects that are protected under the GDPR?
A: The GDPR provides additional protections to all European citizens and residents. This includes individuals who are part of the European Economic Area (EEA) and may also include other regions that are strongly tied to Europe. It is important to have processes in place to understand how your company currently handles and processes customer data, such as working with your logistics group to understand where physical products or mailed content is sent. Similarly, from a digital perspective, you could identify the original GoIP to identify the location of your customers.
Q: How does the GDPR apply to periodic data based backups and the right to be erased? For example, if a company processes personal data and maintains a daily backup, and then in the future a customer makes a formal request to be deleted.
A: Companies need to make sure they have an active data retention policy with a defined data retention period (six months, twelve months, five years, ten years, etc.). If an individual requests their data be erased, companies need processes in place so the company can respond based on the retention period. If the company is technologically set-up to automatically delete data throughout the entire backups, including the recovery systems, the company needs to evaluate this with their internal legal and compliance teams to ensure it’s valid under applicable laws.
Q: What is the best way to ensure that users demanding personal data be deleted or changed are really the given subject of the personal data?
A: Generally, when a consumer requests their personal data be deleted or changed, a company should ask for at least three data points that are unique to that person. For ecommerce, this could be an order ID, last order number and physical address. It also would be a good approach to implement security questions or two-factor authentication to provide additional security.
Q: How quickly do companies need to respond to an end user’s data request?
A: The data controller must provide information on action taken to an end-user request without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller should inform the data subject of any extensions within one month of receipt of the request, including the reasons for the delay.
Q: If a customer requests access to their data or requests that personal data be deleted, what process should be followed?
A: This process will vary based on whether a company is a data controller or a data processor. For data controllers, there is a requirement to honor the request, as appropriate, log the request, and forward the request to any other third party with whom the data was transferred (e.g, fulfillers, payment processors, etc.). Data processors need to assist the data controller as is possible to respond to such requests. Companies should evaluate each request on a case-by-case basis to understand the full extent of the request.
Q: If a user agrees to a privacy policy that states the company will store personal data for five years, is it acceptable to store the data for five years, even if the user demands the deletion of his/her personal data?
A: There are some exceptions within the GDPR to the “right to erasure” or the right to have a user’s personal data deleted. For example, where a company has a legal obligation to retain the data the company may not have to delete the data right away. A company should review these exceptions within the GDPR to confirm whether an exception may apply to the specific request.
Q: The GDPR applies to personal data based on the subjects’ EU presence, even temporary. Is it technically practical and reliable to figure out the subscriber’s location without specifically asking the question?
A: If the user is logging onto a website, the geolocation of that user is tracked. For example, if the user is temporarily in Düsseldorf (even if the user is a U.S. citizen) and logs onto a computer, the location would be known. If a company does not have processes to understand the location of the individual, this should be documented and defined in the company’s applicable policy.
Data localization requirements
Q: Will data controllers be forced to contain all European data within Europe and not allow for its transfer outside of Europe?
A: Currently, there is not a legal requirement to contain (and process) all data within Europe. Processing of European data can occur outside of Europe so long as the company has the required data transfer safeguards in place (for example, standard contractual clauses, binding corporate rules, privacy shield, etc.) and this is transparent to the individuals.
Data controller, data processor
Q: As the entity that takes online customer subscription orders and as the billing entity, does Digital River consider itself to be a data controller or data processor?
A: Digital River, including its various systems and platforms, considers itself to be an independent data controller. We use internal and external data processors to process data on our behalf. One thing to add is that data controller/data processor designations do not necessarily govern who owns the data. They are independent conversations of one another, and one does not necessarily tie to the other.
Consent requirements
Q: What are the consent requirements under the GDPR?
A: As a general rule, every use of personal data requires a lawful basis, which lawful bases are outlined in the regulation and include, for example, legitimate interest, contractual necessity, compliance with a legal obligation, and explicit consent, among others. The GDPR states that consent must be unambiguous, prominent, concise and easy to understand. This means there needs to be affirmative action taken by the consumer, which would require opt in consent. For Digital River, we have already relied on opt-in consent, in certain circumstances such as recieving of a newsletter. Right now we are reviewing our practices to validate whether it complies with the heightened requirements under the GDPR.
Contractual language
Q: Is there standard legal language to use for business contracts to reference the GDPR?
A: The contractual language will vary based on the relationship between the parties. For example, there is specific contractual requirements that a data controller needs to require of its data processors. These requirements are outlined in the GDPR (Art. 28 et. al.). Data processors need to impose certain contractual language on their sub-processors. There are also standard contractual clauses, which are required for organizations that transfer data from the EEA or Switzerland to any jurisdiction not recognized as having an adequate level of data protection by the European Commission.
Compromise of data
Q: The name and surname of the user is not necessarily personal data. Is there a need to notify individuals if those data elements are leaked during a data breach?
A: The name and surname are personal data. This needs to be communicated to the individuals if the “personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. In this case, the controller must communicate the personal data breach to the data subject without undue delay. Please refer to Art. 34 and Art. 33, which relates to the required communication.
Enforcement actions
Q: What do you expect the first GDPR enforcement action will look like? For example, will the European authorities levy fines or just send a warning?
A: For the most part under Directive 95/46/EC, member states first gave warnings before levying fines. However, under the GDPR, it’s possible that the authorities might try to make an example of one or two companies. It’s still a great unknown at this point. Also, as of the date of this document, errors and omissions insurance coverage (or professionaly liability insurance) does not necessarily protect a company in the case of non-compliance with the GDPR. So, it is important to have funding in your forecast in case your company is levied a fine that is not covered by your insurance.
Data protection officer
Q: In reference to the data protection officer, what threshold will the Commission use to interpret “systematic data monitoring on a large scale”? Is that 100 customers? One million? How do I know whether I’m required to designate a Data Protection Officer?
A: A company needs to appoint a DPO, whether a data processor or data controller, if certain conditions are met. Under Art. 37, there are three considerations to help determine when a DPO is required. The phrase “regular systematic monitoring of data subjects on a large scale” is the language used for one of these considersations. While the specific threshold isn’t necessarily defined in the GDPR, the European Commission website includes some examples that may be helpful (for example, a security company responsible for monitoring shopping centres and public spaces). Another approach would be to consider whether this would be good business practice even if not necessarily required. A company may still want to designate or appoint a DPO who is someone that the company can rely on to have expert knowledge of data protection law and practices, and can fulfill the tasks referred to in Art. 39 of the GDPR.
Disclaimer: This publication is not intended to convey or constitute any kind of legal advice, and is not a substitute for obtaining your own legal advice from a qualified attorney. Similarly, this document is not a legally-binding document and is not for execution. The foregoing answers are subject to change and might not reflect in its entirety the requirements under applicable legislation, including the General Data Protection Regulation. In providing this publication, Digital River makes no representation that it will execute any legally binding document and reserves the right to withdraw from discussions without incurring any kind of liability at any time.