CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
The GDPR is a massive law that reformed the data protection landscape globally. Here, we take you through the basics so your organization can aim for compliance.
The EU General Data Protection Regulation changed the world of privacy law. It obligated companies to make sweeping changes to their data protection and privacy practices to comply or face potentially massive fines.
It was technically "adopted" in 2016, but lawmakers gave organizations a two-year grace period to revamp whatever policies necessary to come into compliance. It finally went into effect in May 2018.
Europe has always been ahead of the game on data protection. Its laws date back 70 years. Before the GDPR, the European Convention on Human Rights of 1950 granted European's a right to privacy. The Convention served as the impetus for codifying the right to privacy into law.
Before the GDPR, the EU Data Protection Directive regulated data privacy. But it became effective in 1995, long before companies were collecting data at the scale they are now, and long before digital commerce created end-user data trails that advertisers could track across the web.
But by 2012, the European Parliament realized that the Directive wasn't enough. Websites were vacuuming up user data at an unprecedented rate, and the existing hodgepodge of privacy laws across the (then-28) member states was confusing and insufficient. They decided to draft a regulation, the strongest form of legal enforcement in the EU.
It comes down to this: If your organization collects, uses, or stores EU citizens' personal data, regardless of where it's processed, you're covered by this law.
The GDPR went into effect on May 25, 2018. Regulators gave organizations a two-year grace period before enforcement began.
Though the GDPR is an EU-based law, it doesn't apply to only EU companies. It has what's called extraterritorial reach. That means that even if a company doesn't operate within the EU -- say it's U.S.-based -- but has customers in the EU, it must comply with the GDPR. In addition, the GDPR required EU member states to pass national laws that closely mapped to the GDPR's provisions.
The GDPR aims to give individuals — which the legislation calls "data subjects" — privacy protections but also allow businesses relying on data to survive or thrive. To strike this balance, the GDPR introduced new concepts for protecting data. Those include:
In addition, companies' partners are on the hook. If you process data on behalf of a company with EU citizens, you must comply with the GDPR.
Understanding the GDPR requires working definitions of the vocabulary it uses. Here is a list of some of the most important terms.
The GDPR grants specific rights to data subjects to increase transparency and give them control over their data and how it's used. It's essential to know these data rights so you can responsibly comply when they want to exercise their privacy rights.
The right to be informed that you've collected and used personal data. If you collected it from the subject yourself, you have to notify the data subject at the time of collection. Suppose you're a third-party vendor, for example, and obtained the data secondarily. In that case, the data subject must be informed within a "reasonable period of time," no later than 30 days, and in an easily accessible form.
The right to access personal data and how it's processed. A data subject can ask for a copy of all the data being processed about them. It's called a Data Subject Access Request (DSAR). It's essential to have a mechanism to intake DSARs because a data subject can request a copy of the data, an overview of the categories of data you're processing, why you're doing so, and any parties with whom you're sharing the data.
The right to rectify inaccurate or incomplete personal data. If an individual requests rectification (verbally or in writing), you have one month to comply. If the request is "excessive or "manifestly unfounded," you can refuse.
The right to erase data. Under this rule, a data subject has the right to request that you erase their personal data within 30 days. Certain conditions must exist for the request to be legitimate, of course. These include: if the data is no longer relevant, the original purpose for collection has been satisfied, or if a data subject withdraws consent. If any of those apply, you have to stop processing their data and further disseminating that data.
The right to restrict the processing of personal data. If a data subject requests this, you have to stop processing their data, but you can still store it. Requests can be made verbally or in writing, and you have 30 days to respond.
The right to data portability. Data subjects must be allowed to take their data from one platform to another and do so easily, safely, and securely. Data controllers must allow it without disrupting its useability. You must provide data subjects with the entirety of their data in a standard, machine-readable format.
The right to object. Data subjects can object to how their information is used for marketing, sales or non-service-related purposes. An organization must inform individuals of their right to object within the first communication. Organizations must examine each objection, but it can refuse to validate the objection if one of the following is true:
An organization can also refuse a request if the objection request is "excessive" or "manifestly unfounded."
Automated decision-making and profiling. Data subjects have the right to say no to solely automated decisions — including profiling — being made about their data that could have a legal or similarly significant effect on them. For instance, a website that automatically approves or denies people loans or makes hiring decisions would have a "significant effect" on their lives. Data subjects can opt-out of these practices.
As mentioned in the above section, data subjects have the right to request that organizations delete personal data about them "without undue delay." The requirements that must apply for a deletion request to be valid are:
Data subjects can't request deletion if the data is a matter of freedom of expression or information, if the processing is a matter of public health, or if the data is archived for scientific or historical research purposes.
The GDPR comprises seven principles with which organizations must comply. They are as follows:
The GDPR mandates that organizations only collect, store, process or sell data under one of the following lawful bases apply:
To legally process data, the reason for doing so must fall under one of the GDPR's six legal bases, as listed above. Consent is one of them, and it's one of the most significant changes the GDPR ushered in, requiring organizations to acquire permission, explicitly, from any data subject before collecting their data. Not only must organizations gain consent, but they must use language that's easy to understand when asking the data subject for it.
The GDPR says a data subject consent means: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by [them], by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
So, if you're processing based on consent, you must:
If the data subject doesn't grant consent, you must still allow them the same experience and access to your site as the data subjects who consented.
If you seek to process children's data, you may never ask a person age 13 or under to give you consent. If you're asking for consent for children ages 13-15, you must also ask their parent or guardian. Children age 16 and up may give consent for themselves.
The GDPR grants specific rights to data subjects to increase transparency and give them control over their data and how it's used. In marketing, of course, the more you know about a customer, the better the sales. Determining insights about consumer interests and preferences is key to delivering relevant ads and offers. That can put the marketing tactics of younger days in conflict with the GDPR's rules. It's essential to check your practices against some of the data rights mentioned in our earlier section so you can be sure you're collecting data legally and to enable you to comply if a data subject wants to exercise their privacy rights.
The most important aspect of the GDPR to marketers are its data collection provisions, profiling data subjects, and targeted ads. The GDPR requires organizations to be transparent with data subjects about how their data will be used.
You must notify customers at your first interaction that you're collecting their data. And remember, if you're a third-party vendor, you must inform the data subject within 30 days in an easy-to-read format.
It's essential to determine where your data lives in order to comply with data subject's rights under the GDPR. This is called data discovery or data mapping. That will allow you to correct inaccurate or incomplete personal data if a data subject requests you do so, and you will be able to respond to data subject access requests (DSARs) promptly. DSARs, as mentioned above, allow the data subject to request a copy of all the data you've collected on them. It can be complicated to find, categorize, and report back if you don't know where the information lives across the organization.
It's also essential to check your records to ensure you've asked the data subjects for explicit opt-in consent to process their data (no pre-ticked checkboxes!), and you've only used the data for the purpose it was collected.
If the data subject said you could collect their data to process a bill, it's not appropriate to automatically add that information onto a mailing list.
In addition, you must ensure you've given data subjects the ability to opt out of targeted advertising. And that brings us to the conversation about cookies.
Marketers depend on cookies — small text files that store data— to follow users around the web to glean insights on users' preferences and locations, among other details. Under the GDPR, cookies can be considered personal data. If a cookie can identify a person based on their device, that's deemed personal data. Cookies considered personal data under the GDPR can include "a name, an identification number, location data or an online identifier." A special mention should be made for biometric data, such as fingerprints, which can also work as identifiers. These get a bit tricky. For help on this, the GDPR provides several examples of online identifiers in Recital 30. They include:
It's essential to look at the types of cookies your organization is deploying. If they're "strictly necessary" cookies, meaning they're required for the site to function, consent is not required. Otherwise, it is. Be sure to collect consent for marketing cookies, record that consent and allow it easy for data subjects to revoke consent as it was for them to say yes.
Individual data protection authorities (DPAs) from the 27 EU member states enforce the GDPR. DPAs are independent of the government. They investigate complaints, provide advice on data protection issues and determine when the GDPR has been breached. They also have fining powers.
DPAs are independent public authorities that supervise the application of the data protection law through investigative and corrective powers. They provide expert advice on data protection issues and handle complaints lodged against the General Data Protection Regulation violations and the relevant national laws.
All DPAs work together as a group on the European Data Protection Board. The European Data Protection Supervisor leads the board. The EDPB aims to harmonize GDPR enforcement across the EU. The board is responsible for guiding member states on complicated topics or the application of the law. It also issues opinions to the European Commission when it considers data protection and privacy legislation or issues.
The EDPB does not, however, enforce data protection law.
The cost of noncompliance with the GDPR can be high. Organizations that violate the law can be fined up to 4% of annual global revenue or 20 million euros, whichever is greater.
You've probably seen some of the media headlines reporting on DPAs taking action against various companies for GDPR violations. Some of the more hefty fines include:
While it's often the big technology firms that have faced the most significant fines thus far, reading the enforcement actions will give you an indication of how the DPAs are thinking and in which areas they're most strict on enforcing.
While the GDPR is a massive piece of legislation and can be challenging to interpret, it serves as the basis for many international laws that have passed since its inception, so it's a vital regulation to understand. For example, the terms may change from the GDPR to Brazil's privacy law, but the concepts are the same. The trend is toward increased data subject rights, transparency, and accountability.
How often does the word “right” show up in the text of the CCPA/CPRA?